grassrootseconomics/cic-auth-helper
5
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Merge branch 'lash/reverse-proxy-revisited' into 'master'

Browse Source 
feat: Add optional reverse proxy

See merge request grassrootseconomics/cic-auth-helper!2
This commit is contained in:
Mohamed Sohail 2021-11-23 14:10:59 +00:00
commit 54ee61efa8
4 changed files with 90 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG Normal file
View File

@ -0,0 +1,6 @@
- 0.0.2
* Optional reverse proxy
* Header merge with reverse proxy, with option to selectively exclude which headers get overwritten
- 0.0.1
* Implement HOBA PGP and bearer token issuance
* Return 200 OK and bearer token on successful authentication

1
VERSION Normal file
View File

@ -0,0 +1 @@
0.2.0

61
cic_auth_helper/proxy.py Normal file
View File

@ -0,0 +1,61 @@
# standard imports
import re
import urllib.request
import os
import logging
logg = logging.getLogger(__name__)
re_x = r'^HTTP_(X_.+)$'
def add_x_headers(env, header_f):
for x in env:
m = re.match(re_x, x)
if m != None:
header_orig = m[1].replace('_', '-')
header_f(header_orig, env[x])
class ReverseProxy:
def __init__(self, base_url, ignore_proxy_headers=[]):
self.base_url = base_url
if not isinstance(ignore_proxy_headers, list):
raise ValueError('ignore_proxy_headers parameter must be a list of header keys')
self.ignore_proxy_headers = []
for h in ignore_proxy_headers:
self.ignore_proxy_headers.append(h.lower())
def proxy_pass(self, env, headers=[]):
url = os.path.join(self.base_url, env['REQUEST_URI'][1:])
logg.debug('access ok -> {}'.format(url))
req = urllib.request.Request(url, method=env['REQUEST_METHOD'])
add_x_headers(env, req.add_header)
req.add_header('Content-Type', env.get('CONTENT_TYPE', 'application/octet-stream'))
req.data = env.get('wsgi.input')
res = urllib.request.urlopen(req)
logg.debug('headers before reverse proxy {}'.format(headers))
header_keys = {}
for i, pair in enumerate(headers):
header_keys[pair[0].lower()] = i
for h in res.getheaders():
k = h[0].lower()
if k in self.ignore_proxy_headers:
continue
try:
i = header_keys[k]
headers[i] = h
except KeyError:
headers.append(h)
logg.debug('headers after reverse proxy {}'.format(headers))
status = '{} {}'.format(res.status, res.reason)
content = res.read()
return (status, headers, content)

24
cic_auth_helper/runnable/server.py
View File

@ -5,13 +5,12 @@ import datetime
import base64 import base64
import sys import sys
import argparse import argparse
import urllib.parse
# external imports # external imports
from http_hoba_auth import hoba_auth_request_string from http_hoba_auth import hoba_auth_request_string
from http_token_auth import SessionStore from http_token_auth import SessionStore
import confini import confini
# local imports
from usumbufu.challenge import Challenger from usumbufu.challenge import Challenger
#from usumbufu.filter.sha256 import SHA256Filter #from usumbufu.filter.sha256 import SHA256Filter
from usumbufu.filter.hoba import HobaFilter from usumbufu.filter.hoba import HobaFilter
@ -32,6 +31,7 @@ data_dir = os.path.join(script_dir, '..', 'data')
config_dir = os.path.join(data_dir, 'config') config_dir = os.path.join(data_dir, 'config')
argparser = argparse.ArgumentParser('Authentication helper for ingress routers') argparser = argparse.ArgumentParser('Authentication helper for ingress routers')
argparser.add_argument('--forward-to', type=str, dest='forward_to', help='server to forward request to')
argparser.add_argument('-c', type=str, help='configuration override directory') argparser.add_argument('-c', type=str, help='configuration override directory')
argparser.add_argument('--env-prefix', default=os.environ.get('CONFINI_ENV_PREFIX'), dest='env_prefix', type=str, help='environment prefix for variables to overwrite configuration') argparser.add_argument('--env-prefix', default=os.environ.get('CONFINI_ENV_PREFIX'), dest='env_prefix', type=str, help='environment prefix for variables to overwrite configuration')
argparser.add_argument('-v', action='store_true', help='be verbose') argparser.add_argument('-v', action='store_true', help='be verbose')
@ -47,6 +47,17 @@ config = confini.Config(config_dir, args.env_prefix, override_dirs=args.c)
config.process() config.process()
logg.debug('config loaded:\n' + str(config)) logg.debug('config loaded:\n' + str(config))
reverse_proxy = None
if args.forward_to:
from cic_auth_helper.proxy import ReverseProxy
forward_to = urllib.parse.urlsplit(args.forward_to)
forward_to = urllib.parse.urlunsplit(forward_to)
reverse_proxy = ReverseProxy(forward_to, ignore_proxy_headers=[
'access-control-allow-origin',
])
logg.info('will forward requests to {}'.format(forward_to))
# The Retriever is at the heart of the setup. # The Retriever is at the heart of the setup.
# It will run all the decoding steps from all the filters, ultimately resolving to a auth resource (typically ACL) and an identity # It will run all the decoding steps from all the filters, ultimately resolving to a auth resource (typically ACL) and an identity
challenger = Challenger() challenger = Challenger()
@ -142,5 +153,12 @@ def application(env, start_response):
elif session.auth != auth_string: elif session.auth != auth_string:
headers.append(('Token', base64.b64encode(session.auth).decode('utf-8'),)) headers.append(('Token', base64.b64encode(session.auth).decode('utf-8'),))
response_status = '200 OK'
content = b''
if reverse_proxy != None:
(response_status, headers, content) = reverse_proxy.proxy_pass(env, headers)
else:
content = str(auth_resource).encode('utf-8')
start_response('200 OK', headers) start_response('200 OK', headers)
return [str(auth_resource).encode('utf-8')] return [content]