mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-02-01 18:01:23 -05:00
118 lines
2.7 KiB
Go
118 lines
2.7 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/sha1"
|
|
"fmt"
|
|
"github.com/owncloud/ocis/proxy/pkg/cache"
|
|
"net/http"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
|
|
"github.com/owncloud/ocis/ocis-pkg/log"
|
|
"github.com/owncloud/ocis/ocis-pkg/oidc"
|
|
)
|
|
|
|
const publicFilesEndpoint = "/remote.php/dav/public-files/"
|
|
|
|
// BasicAuth provides a middleware to check if BasicAuth is provided
|
|
func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
|
|
options := newOptions(optionSetters...)
|
|
logger := options.Logger
|
|
oidcIss := options.OIDCIss
|
|
accountsCache := cache.NewCache(cache.Size(5000))
|
|
if options.EnableBasicAuth {
|
|
options.Logger.Warn().Msg("basic auth enabled, use only for testing or development")
|
|
}
|
|
|
|
h := basicAuth{
|
|
logger: logger,
|
|
enabled: options.EnableBasicAuth,
|
|
accountsClient: options.AccountsClient,
|
|
accountsCache: &accountsCache,
|
|
}
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(
|
|
func(w http.ResponseWriter, req *http.Request) {
|
|
if h.isPublicLink(req) || !h.isBasicAuth(req) {
|
|
next.ServeHTTP(w, req)
|
|
return
|
|
}
|
|
|
|
account, ok := h.getAccount(req)
|
|
|
|
if !ok {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
claims := &oidc.StandardClaims{
|
|
OcisID: account.Id,
|
|
Iss: oidcIss,
|
|
}
|
|
|
|
next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))
|
|
},
|
|
)
|
|
}
|
|
}
|
|
|
|
type basicAuth struct {
|
|
logger log.Logger
|
|
enabled bool
|
|
accountsClient accounts.AccountsService
|
|
accountsCache *cache.Cache
|
|
m sync.Mutex
|
|
}
|
|
|
|
func (m *basicAuth) isPublicLink(req *http.Request) bool {
|
|
login, _, ok := req.BasicAuth()
|
|
|
|
return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)
|
|
}
|
|
|
|
func (m *basicAuth) isBasicAuth(req *http.Request) bool {
|
|
login, password, ok := req.BasicAuth()
|
|
|
|
return m.enabled && ok && login != "" && password != ""
|
|
}
|
|
|
|
func (m *basicAuth) getAccount(req *http.Request) (*accounts.Account, bool) {
|
|
var ok bool
|
|
var hit *cache.Entry
|
|
|
|
login, password, _ := req.BasicAuth()
|
|
|
|
h := sha1.New()
|
|
h.Write([]byte(login))
|
|
|
|
lookup := fmt.Sprintf("%x", h.Sum([]byte(password)))
|
|
|
|
m.m.Lock()
|
|
defer m.m.Unlock()
|
|
|
|
if hit = m.accountsCache.Get(lookup); hit == nil {
|
|
account, status := getAccount(
|
|
m.logger,
|
|
m.accountsClient,
|
|
fmt.Sprintf(
|
|
"login eq '%s' and password eq '%s'",
|
|
strings.ReplaceAll(login, "'", "''"),
|
|
strings.ReplaceAll(password, "'", "''"),
|
|
),
|
|
)
|
|
|
|
if ok = status == 0; ok {
|
|
m.accountsCache.Set(lookup, account, time.Now().Add(10*time.Minute))
|
|
}
|
|
|
|
return account, ok
|
|
}
|
|
|
|
account, ok := hit.V.(*accounts.Account)
|
|
|
|
return account, ok
|
|
}
|