authorkali kaneko (leap communications) <kali@leap.se>2020-01-25 15:54:54 -0600
committerkali kaneko (leap communications) <kali@leap.se>2020-01-25 15:54:54 -0600
commit5bb198c1a5da3132945915947b88ad4a59dc7fcb (patch)
treef45dd66d22649b556308f419a9dae93b28f02da6 /pkg/auth
parent307582d9d193f282fc20182468a02ed0c55b4f99 (diff)
pass sip authentication variables as env vars
Diffstat (limited to 'pkg/auth')
-rw-r--r--pkg/auth/middleware.go31
-rw-r--r--pkg/auth/sip2/auth.go43
2 files changed, 46 insertions, 28 deletions
diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go
index 9b42fa9..37c204e 100644
--- a/pkg/auth/middleware.go
+++ b/pkg/auth/middleware.go
@@ -11,23 +11,29 @@ import (
)
const anonAuth string = "anon"
-const sipAuth string = "sip"
-
-/* FIXME -- get this from configuration variables */
-
-var jwtSigningSecret = []byte("thesingingkey")
+const sip2Auth string = "sip"
func bailOnBadAuthModule(module string) {
log.Fatal("Unknown auth module: '", module, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
}
-func Authenticator(opts *config.Opts) http.HandlerFunc {
+func checkForAuthSecret(opts *config.Opts) {
+ if opts.AuthSecret == "" {
+ log.Fatal("Need to provide a AuthSecret value for SIP Authentication")
+ }
+ if len(opts.AuthSecret) < 20 {
+ log.Fatal("Please provider an AuthSecret longer than 20 chars")
+ }
+}
+
+func AuthenticatorMiddleware(opts *config.Opts) http.HandlerFunc {
switch opts.Auth {
case anonAuth:
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "no authentication in anon mode", http.StatusBadRequest)
})
- case sipAuth:
+ case sip2Auth:
+ checkForAuthSecret(opts)
return sip2.SipAuthenticator(opts)
default:
bailOnBadAuthModule(opts.Auth)
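Review bot: bailOnBadAuthModule's log.Fatal, the unchanged line just below the constants, still names `sipAuth`, which this hunk removes in favour of `sip2Auth`, so the package will not compile unless that reference is updated somewhere not shown; it should read `log.Fatal("Unknown auth module: '", module, "'. Should be one of: ", anonAuth, ", ", sip2Auth, ".")`. In checkForAuthSecret the guard `len(opts.AuthSecret) < 20` accepts a 20-byte secret while the message demands "longer than 20 chars", and "Please provider" is a typo; `log.Fatal("Please provide an AuthSecret of at least 20 chars")` makes the two agree. Since this is the only validation of the HS256 signing key, a doc comment on checkForAuthSecret saying it enforces a minimum length (in bytes) for the JWT signing secret and aborts the process otherwise would make its role explicit.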
@@ -35,22 +41,23 @@ func Authenticator(opts *config.Opts) http.HandlerFunc {
return nil
}
-func RestrictedMiddleware(auth string, ch web.CertHandler) http.Handler {
+func RestrictedMiddleware(opts *config.Opts, ch web.CertHandler) http.Handler {
jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
- return jwtSigningSecret, nil
+ return []byte(opts.AuthSecret), nil
},
SigningMethod: jwt.SigningMethodHS256,
})
- switch auth {
+ switch opts.Auth {
case anonAuth:
return http.HandlerFunc(ch.CertResponder)
- case sipAuth:
+ case sip2Auth:
+ checkForAuthSecret(opts)
return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
default:
- bailOnBadAuthModule(auth)
+ bailOnBadAuthModule(opts.Auth)
}
return nil
}
diff --git a/pkg/auth/sip2/auth.go b/pkg/auth/sip2/auth.go
index 1d3f309..f5ad0a4 100644
--- a/pkg/auth/sip2/auth.go
+++ b/pkg/auth/sip2/auth.go
@@ -5,38 +5,51 @@ import (
jwt "github.com/dgrijalva/jwt-go"
"log"
"net/http"
+ "os"
"time"
"0xacab.org/leap/vpnweb/pkg/config"
)
-const LibraryLocation string = "testlibrary"
-const SipUser string = "leap"
-const SipPasswd string = "Kohapassword1!"
-
-// XXX duplicated, pass in opts
-var jwtSigningSecret = []byte("thesingingkey")
+const SipUserVar string = "VPNWEB_SIP_USER"
+const SipPassVar string = "VPNWEB_SIP_PASS"
+const SipPortVar string = "VPNWEB_SIP_PORT"
+const SipHostVar string = "VPNWEB_SIP_HOST"
+const SipLibrLocVar string = "VPNWEB_SIP_LIBR_LOCATION"
type Credentials struct {
User string
Password string
}
-func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
- log.Println("Initializing sip2 authenticator...")
+func getConfigFromEnv(envVar string) string {
+ val, exists := os.LookupEnv(envVar)
+ if !exists {
+ log.Fatal("Need to set required env var:", envVar)
+ }
+ return val
+}
- /* TODO -- should pass specific SIP options as a secondary struct */
+func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
/* TODO -- catch connection errors */
- sip := NewClient("localhost", "6001", LibraryLocation)
+ log.Println("Initializing sip2 authenticator")
+
+ SipUser := getConfigFromEnv(SipUserVar)
+ SipPass := getConfigFromEnv(SipPassVar)
+ SipHost := getConfigFromEnv(SipHostVar)
+ SipPort := getConfigFromEnv(SipPortVar)
+ SipLibrLoc := getConfigFromEnv(SipLibrLocVar)
+
+ sip := NewClient(SipHost, SipPort, SipLibrLoc)
ok, err := sip.Connect()
if err != nil {
- log.Fatal("cannot connect sip client")
+ log.Fatal("Cannot connect sip client")
}
- ok = sip.Login(SipUser, SipPasswd)
+ ok = sip.Login(SipUser, SipPass)
if !ok {
- log.Println("Error on SIP login")
+ log.Fatal("Error on SIP login")
} else {
log.Println("SIP login ok")
}
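Review bot: getConfigFromEnv only checks that the variable exists, so a set-but-empty `VPNWEB_SIP_PASS=` passes and the empty string is handed to sip.Login; the guard should be `if !exists || val == "" {`. On the Connect failure path the error is dropped — `log.Fatal("Cannot connect sip client: ", err)` keeps the cause — and the `ok` returned by Connect is never examined before Login overwrites it. The function-scoped locals `SipUser`, `SipPass`, `SipHost`, `SipPort` and `SipLibrLoc` use exported-style capitalisation; Go convention for locals is `sipUser`, `sipPass`, and so on. SipAuthenticator continues past the end of this hunk.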
@@ -67,10 +80,8 @@ func SipAuthenticator(opts *config.Opts) http.HandlerFunc {
log.Println("Valid auth for user", c.User)
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
- /* maybe no uid at all */
- claims["uid"] = "user"
claims["exp"] = time.Now().Add(time.Hour * 24).Unix()
- tokenString, _ := token.SignedString(jwtSigningSecret)
+ tokenString, _ := token.SignedString([]byte(opts.AuthSecret))
w.Write([]byte(tokenString))
})
return authTokenHandler
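Review bot: `tokenString, _ := token.SignedString([]byte(opts.AuthSecret))` discards the signing error, so if signing fails the handler writes an empty body with a 200 status and the caller receives an empty "token"; the error should be checked and answered with a 500 before anything is written. The handler closure and SipAuthenticator both begin outside this hunk. A one-line comment on the claims line noting that the token intentionally carries only `exp` (this commit drops the uid claim) would stop a later reader from re-adding an identity claim by reflex.
```go
		tokenString, err := token.SignedString([]byte(opts.AuthSecret))
		if err != nil {
			http.Error(w, "could not sign token", http.StatusInternalServerError)
			return
		}
		w.Write([]byte(tokenString))
```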