github.com/greenpau/go-authcrunch@v1.0.50/pkg/authn/authproxy_basic_auth.go (about) 1 // Copyright 2022 Paul Greenberg greenpau@outlook.com 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package authn 16 17 import ( 18 "context" 19 "encoding/base64" 20 "github.com/greenpau/go-authcrunch/pkg/authn/enums/operator" 21 "github.com/greenpau/go-authcrunch/pkg/authproxy" 22 "github.com/greenpau/go-authcrunch/pkg/errors" 23 "github.com/greenpau/go-authcrunch/pkg/requests" 24 "github.com/greenpau/go-authcrunch/pkg/user" 25 "go.uber.org/zap" 26 "strings" 27 "time" 28 ) 29 30 // BasicAuth performs API key authentication. 31 func (p *Portal) BasicAuth(r *authproxy.Request) error { 32 if r.Realm == "" { 33 r.Realm = "local" 34 } 35 36 rr := requests.NewRequest() 37 rr.Logger = p.logger 38 rr.Response.Authenticated = false 39 rr.Upstream.Realm = r.Realm 40 41 arr, err := base64.StdEncoding.DecodeString(r.Secret) 42 if err != nil { 43 p.logger.Warn( 44 "failed to decode credentials", 45 zap.String("source_address", r.Address), 46 zap.String("custom_auth", "basicauth"), 47 zap.String("realm", r.Realm), 48 zap.Error(err), 49 ) 50 return errors.ErrBasicAuthFailed 51 } 52 53 creds := strings.SplitN(string(arr), ":", 2) 54 rr.User.Username = creds[0] 55 rr.User.Password = creds[1] 56 57 backend := p.getIdentityStoreByRealm(r.Realm) 58 if backend == nil { 59 p.logger.Warn( 60 "realm backend not found", 61 zap.String("source_address", r.Address), 62 zap.String("custom_auth", "basicauth"), 63 zap.String("realm", r.Realm), 64 ) 65 return errors.ErrBasicAuthFailed 66 } 67 68 /* 69 if err := backend.Request(operator.LookupBasic, rr); err != nil { 70 p.logger.Warn( 71 "api key lookup failed", 72 zap.String("source_address", r.Address), 73 zap.String("custom_auth", "basicauth"), 74 zap.String("realm", r.Realm), 75 zap.Error(err), 76 ) 77 return errors.ErrBasicAuthFailed 78 } 79 */ 80 81 if err := backend.Request(operator.IdentifyUser, rr); err != nil { 82 p.logger.Warn( 83 "user lookup failed", 84 zap.String("source_address", r.Address), 85 zap.String("custom_auth", "basicauth"), 86 zap.String("realm", r.Realm), 87 zap.Error(err), 88 ) 89 return errors.ErrBasicAuthFailed 90 } 91 92 if len(rr.User.Challenges) != 1 { 93 p.logger.Warn( 94 "user lookup failed", 95 zap.String("source_address", r.Address), 96 zap.String("custom_auth", "basicauth"), 97 zap.String("realm", r.Realm), 98 zap.String("error", "detected too many auth challenges"), 99 ) 100 return errors.ErrBasicAuthFailed 101 } 102 103 if rr.User.Challenges[0] != "password" { 104 p.logger.Warn( 105 "user lookup failed", 106 zap.String("source_address", r.Address), 107 zap.String("custom_auth", "basicauth"), 108 zap.String("realm", r.Realm), 109 zap.String("error", "detected unsupported auth challenges"), 110 ) 111 return errors.ErrBasicAuthFailed 112 } 113 114 if err := backend.Request(operator.Authenticate, rr); err != nil { 115 p.logger.Warn( 116 "user authentication failed", 117 zap.String("source_address", r.Address), 118 zap.String("custom_auth", "basicauth"), 119 zap.String("realm", r.Realm), 120 zap.Error(err), 121 ) 122 return errors.ErrBasicAuthFailed 123 } 124 125 m := make(map[string]interface{}) 126 m["sub"] = rr.User.Username 127 m["email"] = rr.User.Email 128 if rr.User.FullName != "" { 129 m["name"] = rr.User.FullName 130 } 131 if len(rr.User.Roles) > 0 { 132 m["roles"] = rr.User.Roles 133 } 134 135 // m["jti"] = rr.Upstream.SessionID 136 m["exp"] = time.Now().Add(time.Duration(p.keystore.GetTokenLifetime(nil, nil)) * time.Second).UTC().Unix() 137 m["iat"] = time.Now().UTC().Unix() 138 m["nbf"] = time.Now().Add(time.Duration(60) * time.Second * -1).UTC().Unix() 139 if _, exists := m["origin"]; !exists { 140 m["origin"] = r.Realm 141 } 142 m["iss"] = "authp" 143 m["addr"] = r.Address 144 145 // Perform user claim transformation if necessary. 146 if err := p.transformUser(context.Background(), rr, m); err != nil { 147 return err 148 } 149 150 // Inject portal specific roles 151 injectPortalRoles(m) 152 153 // Create a new user and sign the token. 154 usr, err := user.NewUser(m) 155 if err != nil { 156 p.logger.Warn( 157 "user build following user lookup failed", 158 zap.String("source_address", r.Address), 159 zap.String("custom_auth", "basicauth"), 160 zap.String("realm", r.Realm), 161 zap.Error(err), 162 ) 163 return errors.ErrBasicAuthFailed 164 } 165 if err := p.keystore.SignToken(nil, nil, usr); err != nil { 166 p.logger.Warn( 167 "user token signing failed", 168 zap.String("source_address", r.Address), 169 zap.String("custom_auth", "basicauth"), 170 zap.String("realm", r.Realm), 171 zap.Error(err), 172 ) 173 return errors.ErrBasicAuthFailed 174 } 175 176 r.Response.Payload = usr.Token 177 r.Response.Name = usr.TokenName 178 return nil 179 }