From 307582d9d193f282fc20182468a02ed0c55b4f99 Mon Sep 17 00:00:00 2001
From: "kali kaneko (leap communications)"
Date: Fri, 24 Jan 2020 23:09:50 -0600
Subject: sip authenticator

---
 pkg/auth/middleware.go | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

(limited to 'pkg/auth/middleware.go')

diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go
index a183c1b..9b42fa9 100644
--- a/pkg/auth/middleware.go
+++ b/pkg/auth/middleware.go
@@ -1,6 +1,8 @@
 package auth
 
 import (
+	"0xacab.org/leap/vpnweb/pkg/auth/sip2"
+	"0xacab.org/leap/vpnweb/pkg/config"
 	"0xacab.org/leap/vpnweb/pkg/web"
 	"github.com/auth0/go-jwt-middleware"
 	jwt "github.com/dgrijalva/jwt-go"
@@ -12,20 +14,33 @@
 const anonAuth string = "anon"
 const sipAuth string = "sip"
 
 /* FIXME -- get this from configuration variables */
-var jwtSecret = []byte("somethingverysecret")
 
-func Authenticator(auth string) {
+var jwtSigningSecret = []byte("thesingingkey")
+
+func bailOnBadAuthModule(module string) {
+	log.Fatal("Unknown auth module: '", module, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
+}
+
+func Authenticator(opts *config.Opts) http.HandlerFunc {
+	switch opts.Auth {
+	case anonAuth:
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			http.Error(w, "no authentication in anon mode", http.StatusBadRequest)
+		})
+	case sipAuth:
+		return sip2.SipAuthenticator(opts)
+	default:
+		bailOnBadAuthModule(opts.Auth)
+	}
+	return nil
 }
 
 func RestrictedMiddleware(auth string, ch web.CertHandler) http.Handler {
 	jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
 		ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
-			return jwtSecret, nil
+			return jwtSigningSecret, nil
 		},
-		// When set, the middleware verifies that tokens are signed with the specific signing algorithm
-		// If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks
-		// Important to avoid security issues described here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
 		SigningMethod: jwt.SigningMethodHS256,
 	})
 
@@ -35,8 +50,7 @@ func RestrictedMiddleware(auth string, ch web.CertHandler) http.Handler {
 	case sipAuth:
 		return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder))
 	default:
-		log.Fatal("Unknown auth module: '", auth, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".")
+		bailOnBadAuthModule(auth)
 	}
-	// should not get here
 	return nil
 }
-- 
cgit v1.2.3
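Review bot: `var jwtSigningSecret = []byte("thesingingkey")` keeps the HMAC key hard-coded in source, so the commit only renames the secret that the FIXME above it already flags, and anyone who can read the repository can mint tokens that `RestrictedMiddleware` will accept. Now that `Authenticator` receives `*config.Opts`, the key should be read from configuration at startup (field name to be decided) and the process should refuse to start when it is empty, instead of falling back to a literal. The three-line comment removed before `SigningMethod: jwt.SigningMethodHS256` was the only explanation of why the algorithm is pinned; keep at least a one-liner such as `// Pin the algorithm so tokens signed with any other method are rejected, regardless of what ValidationKeyGetter returns.`. `RestrictedMiddleware` still takes `auth string` while `Authenticator` now takes `*config.Opts`; giving both the same parameter would keep the two entry points consistent. `RestrictedMiddleware`'s body continues past the end of this hunk.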
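Review bot: With `// should not get here` removed, the `return nil` after the `switch` in `RestrictedMiddleware` now reads as a reachable path, because nothing at the call site shows that `bailOnBadAuthModule` terminates the process through `log.Fatal`. Give the helper, defined in the previous hunk, a doc comment stating that, e.g. `// bailOnBadAuthModule logs the unknown auth module name and exits the process; it never returns.`, so both callers' trailing `return nil` are understood as unreachable. The same `default:` plus `return nil` shape appears in `Authenticator` in the previous hunk. `RestrictedMiddleware` starts before this hunk.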