-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcardea.go
92 lines (77 loc) · 2.05 KB
/
cardea.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package cardea
import "errors"
import "log"
import "net/http"
import "strings"
var (
DEFAULT_COOKIE_NAME = "ca"
DEFAULT_EXPIRATION_SEC = uint64(36 * 3600)
)
type Config struct {
Secret []byte
Cookie string
ExpirationSec uint64
}
func NewConfig(secret string) *Config {
return &Config{[]byte(secret),
DEFAULT_COOKIE_NAME,
DEFAULT_EXPIRATION_SEC,
}
}
func (c *Config) CheckToken(t *Token, hmac_extra string) (err error) {
if uint64(t.Age().Seconds()) > c.ExpirationSec {
return errors.New("Expired cookie")
}
return nil
}
func (c *Config) CheckCookie(cookie string, hmac_extra string) (t *Token, err error) {
t, err = ParseCookie(c.Secret, hmac_extra, cookie)
if err != nil {
return
}
err = c.CheckToken(t, hmac_extra)
return
}
func (c *Config) CheckAuthorization(auth string, hmac_extra string) (t *Token, err error) {
t, err = ParseAuthorization(c.Secret, hmac_extra, auth)
if err != nil {
return
}
err = c.CheckToken(t, hmac_extra)
return
}
func (c *Config) CheckRequest(r *http.Request) (t *Token, err error) {
switch cookie, err := r.Cookie(c.Cookie); err {
case nil:
return c.CheckCookie(cookie.Value,
strings.Join(r.Header["X-Cardea-Hmac-Extra"], "\n"))
case http.ErrNoCookie:
// Try to parse basic auth
auth := r.Header["Authorization"]
switch len(auth) {
case 0:
return nil, err
case 1: // we're good
default:
return nil, errors.New("More than one Authorization: headers")
}
return c.CheckAuthorization(string(auth[0]),
strings.Join(r.Header["X-Cardea-Hmac-Extra"], "\n"))
default:
return nil, err
}
}
func (c *Config) ServeHTTP(w http.ResponseWriter, r *http.Request) {
hdr := w.Header()
if t, err := c.CheckRequest(r); err != nil {
log.Printf("%v DENY %s (%s)", r.Header["X-Cardea-Requestinfo"], t, err)
w.WriteHeader(http.StatusForbidden)
w.Write([]byte("Denied\n"))
} else {
log.Printf("%v ALLOW %s", r.Header["X-Cardea-Requestinfo"], t)
hdr["X-Cardea-User"] = []string{t.User}
hdr["X-Cardea-Groups"] = t.Groups
w.WriteHeader(http.StatusOK)
w.Write([]byte("OK\n"))
}
}