author | kali kaneko (leap communications) <kali@leap.se> | 2020-01-25 15:54:54 -0600 |
---|---|---|
committer | kali kaneko (leap communications) <kali@leap.se> | 2020-01-25 15:54:54 -0600 |
commit | 5bb198c1a5da3132945915947b88ad4a59dc7fcb (patch) | |
tree | f45dd66d22649b556308f419a9dae93b28f02da6 /pkg/auth | |
parent | 307582d9d193f282fc20182468a02ed0c55b4f99 (diff) |
pass sip authentication variables as env vars
Diffstat (limited to 'pkg/auth')
-rw-r--r-- | pkg/auth/middleware.go | 31 | ||||
-rw-r--r-- | pkg/auth/sip2/auth.go | 43 |
2 files changed, 46 insertions, 28 deletions
diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go
index 9b42fa9..37c204e 100644
--- a/pkg/auth/middleware.go
+++ b/pkg/auth/middleware.go
@@ -11,23 +11,29 @@ import (
 )
 const anonAuth string = "anon"
-const sipAuth string = "sip"
-
-/* FIXME -- get this from configuration variables */
-
-var jwtSigningSecret = []byte("thesingingkey")
+const sip2Auth string = "sip"
 func bailOnBadAuthModule(module string) {
 	log.Fatal("Unknown auth module: '", module, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
 }
-func Authenticator(opts *config.Opts) http.HandlerFunc {
+func checkForAuthSecret(opts *config.Opts) {
+	if opts.AuthSecret == "" {
+		log.Fatal("Need to provide a AuthSecret value for SIP Authentication")
+	}
+	if len(opts.AuthSecret) < 20 {
+		log.Fatal("Please provider an AuthSecret longer than 20 chars")
+	}
+}
+
+func AuthenticatorMiddleware(opts *config.Opts) http.HandlerFunc {
 	switch opts.Auth {
 	case anonAuth:
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "no authentication in anon mode", http.StatusBadRequest)
 		})
-	case sipAuth:
+	case sip2Auth:
+		checkForAuthSecret(opts)
 		return sip2.SipAuthenticator(opts)
 	default:
 		bailOnBadAuthModule(opts.Auth)
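Review bot: The unchanged `log.Fatal` in `bailOnBadAuthModule` still names `sipAuth`, but this hunk removes `const sipAuth` and introduces `sip2Auth`, so the package will not compile unless `sipAuth` is declared elsewhere; the context line should become `log.Fatal("Unknown auth module: '", module, "'. Should be one of: ", anonAuth, ", ", sip2Auth, ".")`. In `checkForAuthSecret` the lower bound of 20 bytes is below what RFC 7518 section 3.2 requires for HS256 (a key at least as large as the hash output, i.e. 32 bytes), and byte length is only a proxy for entropy, so consider `if len(opts.AuthSecret) < 32 {` together with a message that asks for a random value rather than a passphrase. The message also says "longer than 20 chars" while the check accepts exactly 20 and contains the typo `Please provider`; `log.Fatal("AuthSecret must be at least 32 random characters")` fixes both.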
@@ -35,22 +41,23 @@ func Authenticator(opts *config.Opts) http.HandlerFunc {
 	return nil
 }
-func RestrictedMiddleware(auth string, ch web.CertHandler) http.Handler {
+func RestrictedMiddleware(opts *config.Opts, ch web.CertHandler) http.Handler {
 	jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
 		ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
-			return jwtSigningSecret, nil
+			return []byte(opts.AuthSecret), nil
 		},
 		SigningMethod: jwt.SigningMethodHS256,
 	})
-	switch auth {
+	switch opts.Auth {
 	case anonAuth:
 		return http.HandlerFunc(ch.CertResponder)
-	case sipAuth:
+	case sip2Auth:
+		checkForAuthSecret(opts)
 		return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
 	default:
-		bailOnBadAuthModule(auth)
+		bailOnBadAuthModule(opts.Auth)
 	}
 	return nil
 }
diff --git a/pkg/auth/sip2/auth.go b/pkg/auth/sip2/auth.go
index 1d3f309..f5ad0a4 100644
--- a/pkg/auth/sip2/auth.go
+++ b/pkg/auth/sip2/auth.go
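Review bot: The verification key in `ValidationKeyGetter` and the signing key in sip2/auth.go are both formed independently as `[]byte(opts.AuthSecret)`; a single shared helper, e.g. `func SigningKey(opts *config.Opts) []byte { return []byte(opts.AuthSecret) }` next to the `Opts` type, would keep issuer and verifier from drifting if key handling ever changes (such as decoding a hex or base64 secret). `checkForAuthSecret(opts)` is called only after `jwtmiddleware.New` has already captured the secret in the closure; because the check is fatal this is harmless, but a comment on that line noting that the middleware is never used when the check fails would save the next reader a moment. The exported `RestrictedMiddleware` still has no doc comment; `// RestrictedMiddleware wraps ch.CertResponder with HS256 JWT validation when opts.Auth is sip, and serves it without authentication in anon mode.` would describe the visible behaviour.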
@@ -5,38 +5,51 @@ import (
 	jwt "github.com/dgrijalva/jwt-go"
 	"log"
 	"net/http"
+	"os"
 	"time"
 	"0xacab.org/leap/vpnweb/pkg/config"
 )
-const LibraryLocation string = "testlibrary"
-const SipUser string = "leap"
-const SipPasswd string = "Kohapassword1!"
-
-// XXX duplicated, pass in opts
-var jwtSigningSecret = []byte("thesingingkey")
+const SipUserVar string = "VPNWEB_SIP_USER"
+const SipPassVar string = "VPNWEB_SIP_PASS"
+const SipPortVar string = "VPNWEB_SIP_PORT"
+const SipHostVar string = "VPNWEB_SIP_HOST"
+const SipLibrLocVar string = "VPNWEB_SIP_LIBR_LOCATION"
 type Credentials struct {
 	User string
 	Password string
 }
-func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
-	log.Println("Initializing sip2 authenticator...")
+func getConfigFromEnv(envVar string) string {
+	val, exists := os.LookupEnv(envVar)
+	if !exists {
+		log.Fatal("Need to set required env var:", envVar)
+	}
+	return val
+}
-	/* TODO -- should pass specific SIP options as a secondary struct */
+func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
 	/* TODO -- catch connection errors */
-	sip := NewClient("localhost", "6001", LibraryLocation)
+	log.Println("Initializing sip2 authenticator")
+
+	SipUser := getConfigFromEnv(SipUserVar)
+	SipPass := getConfigFromEnv(SipPassVar)
+	SipHost := getConfigFromEnv(SipHostVar)
+	SipPort := getConfigFromEnv(SipPortVar)
+	SipLibrLoc := getConfigFromEnv(SipLibrLocVar)
+
+	sip := NewClient(SipHost, SipPort, SipLibrLoc)
 	ok, err := sip.Connect()
 	if err != nil {
-		log.Fatal("cannot connect sip client")
+		log.Fatal("Cannot connect sip client")
 	}
-	ok = sip.Login(SipUser, SipPasswd)
+	ok = sip.Login(SipUser, SipPass)
 	if !ok {
-		log.Println("Error on SIP login")
+		log.Fatal("Error on SIP login")
 	} else {
 		log.Println("SIP login ok")
 	}
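Review bot: The new locals `SipUser`, `SipPass`, `SipHost`, `SipPort` and `SipLibrLoc` in `SipAuthenticator` use exported-style capitalisation for function-scoped variables; Go convention is `sipUser := getConfigFromEnv(SipUserVar)` and so on, which also keeps them visually distinct from the exported `Sip*Var` constants they are read from. In `getConfigFromEnv`, `log.Fatal("Need to set required env var:", envVar)` prints the two operands with no separator because both are strings (fmt.Sprint only inserts a space when neither operand is a string), so the output reads `env var:VPNWEB_SIP_USER`; `log.Fatalf("Need to set required env var: %s", envVar)` fixes it. The `/* TODO -- catch connection errors */` comment now sits above the log line and the env reads instead of the `sip.Connect()` call it refers to, and the exported constants and `SipAuthenticator` have no doc comments, e.g. `// SipPassVar names the environment variable that holds the SIP2 login password.`. `SipAuthenticator`'s body continues past the end of this hunk.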
@@ -67,10 +80,8 @@ func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
 		log.Println("Valid auth for user", c.User)
 		token := jwt.New(jwt.SigningMethodHS256)
 		claims := token.Claims.(jwt.MapClaims)
-		/* maybe no uid at all */
-		claims["uid"] = "user"
 		claims["exp"] = time.Now().Add(time.Hour * 24).Unix()
-		tokenString, _ := token.SignedString(jwtSigningSecret)
+		tokenString, _ := token.SignedString([]byte(opts.AuthSecret))
 		w.Write([]byte(tokenString))
 	})
 	return authTokenHandler
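Review bot: `tokenString, _ := token.SignedString([]byte(opts.AuthSecret))` discards the signing error, so if signing fails the handler writes an empty body with status 200 and the client receives a successful-looking response that carries no token; the error should abort the response with a 5xx instead. The handler closure and the enclosing `SipAuthenticator` both start outside this hunk. Within the hunk the only claim set after the `uid` removal is `exp`, so every issued token is indistinguishable from every other in logs; if that is intended, a one-line comment where `claims["exp"]` is set would record the decision (inferred from the hunk alone, other claims may be added elsewhere).
```go
		tokenString, err := token.SignedString([]byte(opts.AuthSecret))
		if err != nil {
			log.Println("Cannot sign token:", err)
			http.Error(w, "cannot issue token", http.StatusInternalServerError)
			return
		}
		w.Write([]byte(tokenString))
```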