From dd673e0e82e21e2344bd97fbfe512da0728da2a6 Mon Sep 17 00:00:00 2001
From: RPJosh
Date: Sat, 24 Jun 2023 14:08:18 +0200
Subject: [PATCH] Change from basic auth to header authentication
---
 internal/handlers/handler_authz_grpc.go | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/internal/handlers/handler_authz_grpc.go b/internal/handlers/handler_authz_grpc.go
index dc5103896..3048d433d 100644
--- a/internal/handlers/handler_authz_grpc.go
+++ b/internal/handlers/handler_authz_grpc.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "net"
 "net/url"
+ "strings"

 "github.com/authelia/authelia/v4/internal/authorization"
 "github.com/authelia/authelia/v4/internal/configuration/schema"
@@ -37,7 +38,7 @@ func NewAuthzGRCP(config *schema.Configuration, providers middlewares.Providers)
 authBuilder := NewAuthzBuilder().WithConfig(config)

 // Only the following strategies are supported. These are hardcoded at the moment and won't be taken from the configuration
- strategies := []AuthnStrategy{NewHeaderAuthorizationAuthnStrategy(), NewCookieSessionAuthnStrategy(authBuilder.config.RefreshInterval)}
+ strategies := []AuthnStrategy{NewHeaderProxyAuthorizationAuthnStrategy() /* NewHeaderAuthorizationAuthnStrategy(), */, NewCookieSessionAuthnStrategy(authBuilder.config.RefreshInterval)}

 return &AuthzGRCP{
 Config: config,
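Review bot: The replaced strategy is left behind as an inline block comment inside the `strategies` slice (`/* NewHeaderAuthorizationAuthnStrategy(), */,`), which makes it hard to see at a glance which credential headers this endpoint accepts. If the intent is that only `Proxy-Authorization` and the session cookie authenticate gRPC checks, delete the commented-out entry: `strategies := []AuthnStrategy{NewHeaderProxyAuthorizationAuthnStrategy(), NewCookieSessionAuthnStrategy(authBuilder.config.RefreshInterval)}`. The comment above the slice could then name the two accepted mechanisms, since clients that previously sent `Authorization` are no longer authenticated by this list. NewAuthzGRCP starts and ends outside the hunk.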
@@ -260,11 +261,10 @@ func (authz *AuthzGRCP) GetHttpCtxFromGRPC(req *autha.CheckRequest) (*fasthttp.R
 rtc.Request.Header.Set(fasthttp.HeaderXForwardedFor, data.RemoteHost)

 // Needed for NewHeaderProxyAuthorizationAuthnStrategy and NewHeaderAuthorizationAuthnStrategy
- if val, isSet := headers["authorization"]; isSet {
- rtc.Request.Header.Set(fasthttp.HeaderAuthorization, val)
- }
- rtc.Request.Header.Set(fasthttp.HeaderProxyAuthorization, headers[fasthttp.HeaderProxyAuthorization])
- rtc.Request.Header.Set(fasthttp.HeaderWWWAuthenticate, headers[fasthttp.HeaderWWWAuthenticate])
+ authz.setHeaderIfSet(fasthttp.HeaderAuthorization, rtc, &headers)
+ authz.setHeaderIfSet(fasthttp.HeaderProxyAuthorization, rtc, &headers)
+ authz.setHeaderIfSet(fasthttp.HeaderWWWAuthenticate, rtc, &headers)
+ authz.setHeaderIfSet(fasthttp.HeaderProxyAuthenticate, rtc, &headers)

 // Needed for CookieSesseionauthnStrategy
 rtc.Request.Header.Set("cookie", headers["cookie"])
@@ -272,6 +272,17 @@ func (authz *AuthzGRCP) GetHttpCtxFromGRPC(req *autha.CheckRequest) (*fasthttp.R
 return rtc, data
 }

+// setHeaderIfSet sets the header in the given fastHttp request if the header from the envoy authentication
+// request was also set
+func (authz *AuthzGRCP) setHeaderIfSet(headerKeyFast string, rtc *fasthttp.RequestCtx, envoyHeaders *map[string]string) {
+ // Envoys provided header keys are always lower case
+ envoyHeaderKey := strings.ToLower(headerKeyFast)
+
+ if val, isSet := (*envoyHeaders)[envoyHeaderKey]; isSet {
+ rtc.Request.Header.Set(headerKeyFast, val)
+ }
+}
+
 // ErrAuthResponse returns an authentication error for envoy with the given status code
 // and the given text body
 func (authz *AuthzGRCP) ErrAuthResponse(statuscode envoy_type.StatusCode, body string) *autha.CheckResponse {
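Review bot: `WWW-Authenticate` and `Proxy-Authenticate` are challenge headers that a server sends in a response, yet the last two `setHeaderIfSet` calls copy client-supplied values for them into the internal request context. Nothing visible in this hunk reads them, so unless one of the strategies depends on them I would drop both calls and forward only `Authorization` and `Proxy-Authorization`, which keeps the set of client-controlled headers reaching the authn strategies as small as possible. The context line `rtc.Request.Header.Set("cookie", headers["cookie"])` still sets its header unconditionally and could use the same presence check. GetHttpCtxFromGRPC begins outside the hunk.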
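Review bot: `envoyHeaders *map[string]string` passes a pointer to a map, which Go does not need because a map value already refers to shared storage, and the helper never uses its `authz` receiver. A plain function reads more simply: `func setHeaderIfSet(headerKeyFast string, rtc *fasthttp.RequestCtx, envoyHeaders map[string]string)` with `if val, isSet := envoyHeaders[envoyHeaderKey]; isSet {`, and the callers pass `headers` instead of `&headers`. The doc comment could also state that the lookup relies on the caller's map holding lower-cased keys, since a mixed-case key would silently skip a credential header.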