github.com/greenpau/go-authcrunch@v1.1.4/pkg/authn/authproxy_basic_auth.go (about) 1 // Copyright 2022 Paul Greenberg greenpau@outlook.com 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package authn 16 17 import ( 18 "context" 19 "encoding/base64" 20 "strings" 21 "time" 22 23 "github.com/greenpau/go-authcrunch/pkg/authn/enums/operator" 24 "github.com/greenpau/go-authcrunch/pkg/authproxy" 25 "github.com/greenpau/go-authcrunch/pkg/errors" 26 "github.com/greenpau/go-authcrunch/pkg/requests" 27 "github.com/greenpau/go-authcrunch/pkg/user" 28 "go.uber.org/zap" 29 ) 30 31 // BasicAuth performs API key authentication. 32 func (p *Portal) BasicAuth(r *authproxy.Request) error { 33 if r.Realm == "" { 34 r.Realm = "local" 35 } 36 37 rr := requests.NewRequest() 38 rr.Logger = p.logger 39 rr.Response.Authenticated = false 40 rr.Upstream.Realm = r.Realm 41 42 arr, err := base64.StdEncoding.DecodeString(r.Secret) 43 if err != nil { 44 p.logger.Warn( 45 "failed to decode credentials", 46 zap.String("source_address", r.Address), 47 zap.String("custom_auth", "basicauth"), 48 zap.String("realm", r.Realm), 49 zap.Error(err), 50 ) 51 return errors.ErrBasicAuthFailed 52 } 53 54 creds := strings.SplitN(string(arr), ":", 2) 55 rr.User.Username = creds[0] 56 rr.User.Password = creds[1] 57 58 backend := p.getIdentityStoreByRealm(r.Realm) 59 if backend == nil { 60 p.logger.Warn( 61 "realm backend not found", 62 zap.String("source_address", r.Address), 63 zap.String("custom_auth", "basicauth"), 64 zap.String("realm", r.Realm), 65 ) 66 return errors.ErrBasicAuthFailed 67 } 68 69 /* 70 if err := backend.Request(operator.LookupBasic, rr); err != nil { 71 p.logger.Warn( 72 "api key lookup failed", 73 zap.String("source_address", r.Address), 74 zap.String("custom_auth", "basicauth"), 75 zap.String("realm", r.Realm), 76 zap.Error(err), 77 ) 78 return errors.ErrBasicAuthFailed 79 } 80 */ 81 82 if err := backend.Request(operator.IdentifyUser, rr); err != nil { 83 p.logger.Warn( 84 "user lookup failed", 85 zap.String("source_address", r.Address), 86 zap.String("custom_auth", "basicauth"), 87 zap.String("realm", r.Realm), 88 zap.Error(err), 89 ) 90 return errors.ErrBasicAuthFailed 91 } 92 93 if len(rr.User.Challenges) != 1 { 94 p.logger.Warn( 95 "user lookup failed", 96 zap.String("source_address", r.Address), 97 zap.String("custom_auth", "basicauth"), 98 zap.String("realm", r.Realm), 99 zap.String("error", "detected too many auth challenges"), 100 ) 101 return errors.ErrBasicAuthFailed 102 } 103 104 if rr.User.Challenges[0] != "password" { 105 p.logger.Warn( 106 "user lookup failed", 107 zap.String("source_address", r.Address), 108 zap.String("custom_auth", "basicauth"), 109 zap.String("realm", r.Realm), 110 zap.String("error", "detected unsupported auth challenges"), 111 ) 112 return errors.ErrBasicAuthFailed 113 } 114 115 if err := backend.Request(operator.Authenticate, rr); err != nil { 116 p.logger.Warn( 117 "user authentication failed", 118 zap.String("source_address", r.Address), 119 zap.String("custom_auth", "basicauth"), 120 zap.String("realm", r.Realm), 121 zap.Error(err), 122 ) 123 return errors.ErrBasicAuthFailed 124 } 125 126 m := make(map[string]interface{}) 127 m["sub"] = rr.User.Username 128 m["email"] = rr.User.Email 129 if rr.User.FullName != "" { 130 m["name"] = rr.User.FullName 131 } 132 if len(rr.User.Roles) > 0 { 133 m["roles"] = rr.User.Roles 134 } 135 136 // m["jti"] = rr.Upstream.SessionID 137 m["exp"] = time.Now().Add(time.Duration(p.keystore.GetTokenLifetime(nil, nil)) * time.Second).UTC().Unix() 138 m["iat"] = time.Now().UTC().Unix() 139 m["nbf"] = time.Now().Add(time.Duration(60) * time.Second * -1).UTC().Unix() 140 if _, exists := m["origin"]; !exists { 141 m["origin"] = r.Realm 142 } 143 m["iss"] = "authp" 144 m["addr"] = r.Address 145 146 // Perform user claim transformation if necessary. 147 if err := p.transformUser(context.Background(), rr, m); err != nil { 148 return err 149 } 150 151 // Inject portal specific roles 152 injectPortalRoles(m, p.config) 153 154 // Create a new user and sign the token. 155 usr, err := user.NewUser(m) 156 if err != nil { 157 p.logger.Warn( 158 "user build following user lookup failed", 159 zap.String("source_address", r.Address), 160 zap.String("custom_auth", "basicauth"), 161 zap.String("realm", r.Realm), 162 zap.Error(err), 163 ) 164 return errors.ErrBasicAuthFailed 165 } 166 if err := p.keystore.SignToken(nil, nil, usr); err != nil { 167 p.logger.Warn( 168 "user token signing failed", 169 zap.String("source_address", r.Address), 170 zap.String("custom_auth", "basicauth"), 171 zap.String("realm", r.Realm), 172 zap.Error(err), 173 ) 174 return errors.ErrBasicAuthFailed 175 } 176 177 r.Response.Payload = usr.Token 178 r.Response.Name = usr.TokenName 179 return nil 180 }