Manage Headers for the Authentication forwarding.

middlewares/auth/authenticator.go

@@ -0,0 +1,107 @@
+package auth
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	goauth "github.com/abbot/go-http-auth"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/types"
+	"github.com/urfave/negroni"
+)
+
+// Authenticator is a middleware that provides HTTP basic and digest authentication
+type Authenticator struct {
+	handler negroni.Handler
+	users   map[string]string
+}
+
+// NewAuthenticator builds a new Autenticator given a config
+func NewAuthenticator(authConfig *types.Auth) (*Authenticator, error) {
+	if authConfig == nil {
+		return nil, fmt.Errorf("Error creating Authenticator: auth is nil")
+	}
+	var err error
+	authenticator := Authenticator{}
+	if authConfig.Basic != nil {
+		authenticator.users, err = parserBasicUsers(authConfig.Basic)
+		if err != nil {
+			return nil, err
+		}
+		basicAuth := goauth.NewBasicAuthenticator("traefik", authenticator.secretBasic)
+		authenticator.handler = negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+			if username := basicAuth.CheckAuth(r); username == "" {
+				log.Debug("Basic auth failed...")
+				basicAuth.RequireAuth(w, r)
+			} else {
+				log.Debug("Basic auth success...")
+				if authConfig.HeaderField != "" {
+					r.Header[authConfig.HeaderField] = []string{username}
+				}
+				next.ServeHTTP(w, r)
+			}
+		})
+	} else if authConfig.Digest != nil {
+		authenticator.users, err = parserDigestUsers(authConfig.Digest)
+		if err != nil {
+			return nil, err
+		}
+		digestAuth := goauth.NewDigestAuthenticator("traefik", authenticator.secretDigest)
+		authenticator.handler = negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+			if username, _ := digestAuth.CheckAuth(r); username == "" {
+				log.Debug("Digest auth failed...")
+				digestAuth.RequireAuth(w, r)
+			} else {
+				log.Debug("Digest auth success...")
+				if authConfig.HeaderField != "" {
+					r.Header[authConfig.HeaderField] = []string{username}
+				}
+				next.ServeHTTP(w, r)
+			}
+		})
+	} else if authConfig.Forward != nil {
+		authenticator.handler = negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+			Forward(authConfig.Forward, w, r, next)
+		})
+	}
+	return &authenticator, nil
+}
+
+func getLinesFromFile(filename string) ([]string, error) {
+	dat, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	// Trim lines and filter out blanks
+	rawLines := strings.Split(string(dat), "\n")
+	var filteredLines []string
+	for _, rawLine := range rawLines {
+		line := strings.TrimSpace(rawLine)
+		if line != "" {
+			filteredLines = append(filteredLines, line)
+		}
+	}
+	return filteredLines, nil
+}
+
+func (a *Authenticator) secretBasic(user, realm string) string {
+	if secret, ok := a.users[user]; ok {
+		return secret
+	}
+	log.Debugf("User not found: %s", user)
+	return ""
+}
+
+func (a *Authenticator) secretDigest(user, realm string) string {
+	if secret, ok := a.users[user+":"+realm]; ok {
+		return secret
+	}
+	log.Debugf("User not found: %s:%s", user, realm)
+	return ""
+}
+
+func (a *Authenticator) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	a.handler.ServeHTTP(rw, r, next)
+}

middlewares/auth/authenticator_test.go

@@ -0,0 +1,188 @@
+package auth
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/containous/traefik/testhelpers"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/negroni"
+)
+
+func TestAuthUsersFromFile(t *testing.T) {
+	tests := []struct {
+		authType   string
+		usersStr   string
+		userKeys   []string
+		parserFunc func(fileName string) (map[string]string, error)
+	}{
+		{
+			authType: "basic",
+			usersStr: "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\ntest2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0\n",
+			userKeys: []string{"test", "test2"},
+			parserFunc: func(fileName string) (map[string]string, error) {
+				basic := &types.Basic{
+					UsersFile: fileName,
+				}
+				return parserBasicUsers(basic)
+			},
+		},
+		{
+			authType: "digest",
+			usersStr: "test:traefik:a2688e031edb4be6a3797f3882655c05 \ntest2:traefik:518845800f9e2bfb1f1f740ec24f074e\n",
+			userKeys: []string{"test:traefik", "test2:traefik"},
+			parserFunc: func(fileName string) (map[string]string, error) {
+				digest := &types.Digest{
+					UsersFile: fileName,
+				}
+				return parserDigestUsers(digest)
+			},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.authType, func(t *testing.T) {
+			t.Parallel()
+			usersFile, err := ioutil.TempFile("", "auth-users")
+			assert.NoError(t, err, "there should be no error")
+			defer os.Remove(usersFile.Name())
+			_, err = usersFile.Write([]byte(test.usersStr))
+			assert.NoError(t, err, "there should be no error")
+			users, err := test.parserFunc(usersFile.Name())
+			assert.NoError(t, err, "there should be no error")
+			assert.Equal(t, 2, len(users), "they should be equal")
+			_, ok := users[test.userKeys[0]]
+			assert.True(t, ok, "user test should be found")
+			_, ok = users[test.userKeys[1]]
+			assert.True(t, ok, "user test2 should be found")
+		})
+	}
+}
+
+func TestBasicAuthFail(t *testing.T) {
+	_, err := NewAuthenticator(&types.Auth{
+		Basic: &types.Basic{
+			Users: []string{"test"},
+		},
+	})
+	assert.Contains(t, err.Error(), "Error parsing Authenticator user", "should contains")
+
+	authMiddleware, err := NewAuthenticator(&types.Auth{
+		Basic: &types.Basic{
+			Users: []string{"test:test"},
+		},
+	})
+	assert.NoError(t, err, "there should be no error")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(authMiddleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.SetBasicAuth("test", "test")
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "they should be equal")
+}
+
+func TestBasicAuthSuccess(t *testing.T) {
+	authMiddleware, err := NewAuthenticator(&types.Auth{
+		Basic: &types.Basic{
+			Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
+		},
+	})
+	assert.NoError(t, err, "there should be no error")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(authMiddleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.SetBasicAuth("test", "test")
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, http.StatusOK, res.StatusCode, "they should be equal")
+
+	body, err := ioutil.ReadAll(res.Body)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, "traefik\n", string(body), "they should be equal")
+}
+
+func TestDigestAuthFail(t *testing.T) {
+	_, err := NewAuthenticator(&types.Auth{
+		Digest: &types.Digest{
+			Users: []string{"test"},
+		},
+	})
+	assert.Contains(t, err.Error(), "Error parsing Authenticator user", "should contains")
+
+	authMiddleware, err := NewAuthenticator(&types.Auth{
+		Digest: &types.Digest{
+			Users: []string{"test:traefik:test"},
+		},
+	})
+	assert.NoError(t, err, "there should be no error")
+	assert.NotNil(t, authMiddleware, "this should not be nil")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(authMiddleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.SetBasicAuth("test", "test")
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "they should be equal")
+}
+
+func TestBasicAuthUserHeader(t *testing.T) {
+	middleware, err := NewAuthenticator(&types.Auth{
+		Basic: &types.Basic{
+			Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
+		},
+		HeaderField: "X-Webauth-User",
+	})
+	assert.NoError(t, err, "there should be no error")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "test", r.Header["X-Webauth-User"][0], "auth user should be set")
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(middleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.SetBasicAuth("test", "test")
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+
+	assert.Equal(t, http.StatusOK, res.StatusCode, "they should be equal")
+
+	body, err := ioutil.ReadAll(res.Body)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, "traefik\n", string(body), "they should be equal")
+}

middlewares/auth/forward.go

@@ -0,0 +1,97 @@
+package auth
+
+import (
+	"io/ioutil"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/types"
+	"github.com/vulcand/oxy/forward"
+	"github.com/vulcand/oxy/utils"
+)
+
+// Forward the authentication to a external server
+func Forward(config *types.Forward, w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	httpClient := http.Client{}
+
+	if config.TLS != nil {
+		tlsConfig, err := config.TLS.CreateTLSConfig()
+		if err != nil {
+			log.Debugf("Impossible to configure TLS to call %s. Cause %s", config.Address, err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		httpClient.Transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+	}
+
+	forwardReq, err := http.NewRequest(http.MethodGet, config.Address, nil)
+	if err != nil {
+		log.Debugf("Error calling %s. Cause %s", config.Address, err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	writeHeader(r, forwardReq, config.TrustForwardHeader)
+
+	forwardResponse, forwardErr := httpClient.Do(forwardReq)
+	if forwardErr != nil {
+		log.Debugf("Error calling %s. Cause: %s", config.Address, forwardErr)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	body, readError := ioutil.ReadAll(forwardResponse.Body)
+	if readError != nil {
+		log.Debugf("Error reading body %s. Cause: %s", config.Address, readError)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	defer forwardResponse.Body.Close()
+
+	if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
+		log.Debugf("Remote error %s. StatusCode: %d", config.Address, forwardResponse.StatusCode)
+		w.WriteHeader(forwardResponse.StatusCode)
+		w.Write(body)
+		return
+	}
+
+	r.RequestURI = r.URL.RequestURI()
+	next(w, r)
+}
+
+func writeHeader(req *http.Request, forwardReq *http.Request, trustForwardHeader bool) {
+	utils.CopyHeaders(forwardReq.Header, req.Header)
+
+	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+		if trustForwardHeader {
+			if prior, ok := req.Header[forward.XForwardedFor]; ok {
+				clientIP = strings.Join(prior, ", ") + ", " + clientIP
+			}
+		}
+		forwardReq.Header.Set(forward.XForwardedFor, clientIP)
+	}
+
+	if xfp := req.Header.Get(forward.XForwardedProto); xfp != "" && trustForwardHeader {
+		forwardReq.Header.Set(forward.XForwardedProto, xfp)
+	} else if req.TLS != nil {
+		forwardReq.Header.Set(forward.XForwardedProto, "https")
+	} else {
+		forwardReq.Header.Set(forward.XForwardedProto, "http")
+	}
+
+	if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {
+		forwardReq.Header.Set(forward.XForwardedPort, xfp)
+	}
+
+	if xfh := req.Header.Get(forward.XForwardedHost); xfh != "" && trustForwardHeader {
+		forwardReq.Header.Set(forward.XForwardedHost, xfh)
+	} else if req.Host != "" {
+		forwardReq.Header.Set(forward.XForwardedHost, req.Host)
+	} else {
+		forwardReq.Header.Del(forward.XForwardedHost)
+	}
+}

middlewares/auth/forward_test.go

@@ -0,0 +1,162 @@
+package auth
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/containous/traefik/testhelpers"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/negroni"
+)
+
+func TestForwardAuthFail(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+	}))
+	defer server.Close()
+
+	middleware, err := NewAuthenticator(&types.Auth{
+		Forward: &types.Forward{
+			Address: server.URL,
+		},
+	})
+	assert.NoError(t, err, "there should be no error")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(middleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, http.StatusForbidden, res.StatusCode, "they should be equal")
+
+	body, err := ioutil.ReadAll(res.Body)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, "Forbidden\n", string(body), "they should be equal")
+}
+
+func TestForwardAuthSuccess(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "Success")
+	}))
+	defer server.Close()
+
+	middleware, err := NewAuthenticator(&types.Auth{
+		Forward: &types.Forward{
+			Address: server.URL,
+		},
+	})
+	assert.NoError(t, err, "there should be no error")
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "traefik")
+	})
+	n := negroni.New(middleware)
+	n.UseHandler(handler)
+	ts := httptest.NewServer(n)
+	defer ts.Close()
+
+	client := &http.Client{}
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	res, err := client.Do(req)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, http.StatusOK, res.StatusCode, "they should be equal")
+
+	body, err := ioutil.ReadAll(res.Body)
+	assert.NoError(t, err, "there should be no error")
+	assert.Equal(t, "traefik\n", string(body), "they should be equal")
+}
+
+func Test_writeHeader(t *testing.T) {
+
+	testCases := []struct {
+		name               string
+		headers            map[string]string
+		trustForwardHeader bool
+		emptyHost          bool
+		expectedHeaders    map[string]string
+	}{
+		{
+			name: "trust Forward Header",
+			headers: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+			trustForwardHeader: true,
+			expectedHeaders: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+		},
+		{
+			name: "not trust Forward Header",
+			headers: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+			trustForwardHeader: false,
+			expectedHeaders: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "foo.bar",
+			},
+		},
+		{
+			name: "trust Forward Header with empty Host",
+			headers: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+			trustForwardHeader: true,
+			emptyHost:          true,
+			expectedHeaders: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+		},
+		{
+			name: "not trust Forward Header with empty Host",
+			headers: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "fii.bir",
+			},
+			trustForwardHeader: false,
+			emptyHost:          true,
+			expectedHeaders: map[string]string{
+				"Accept":           "application/json",
+				"X-Forwarded-Host": "",
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+
+			req := testhelpers.MustNewRequest(http.MethodGet, "http://foo.bar", nil)
+			for key, value := range test.headers {
+				req.Header.Set(key, value)
+			}
+
+			if test.emptyHost {
+				req.Host = ""
+			}
+
+			forwardReq := testhelpers.MustNewRequest(http.MethodGet, "http://foo.bar", nil)
+
+			writeHeader(req, forwardReq, test.trustForwardHeader)
+
+			for key, value := range test.expectedHeaders {
+				assert.Equal(t, value, forwardReq.Header.Get(key))
+			}
+		})
+	}
+}

middlewares/auth/parser.go

@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/containous/traefik/types"
+)
+
+func parserBasicUsers(basic *types.Basic) (map[string]string, error) {
+	var userStrs []string
+	if basic.UsersFile != "" {
+		var err error
+		if userStrs, err = getLinesFromFile(basic.UsersFile); err != nil {
+			return nil, err
+		}
+	}
+	userStrs = append(basic.Users, userStrs...)
+	userMap := make(map[string]string)
+	for _, user := range userStrs {
+		split := strings.Split(user, ":")
+		if len(split) != 2 {
+			return nil, fmt.Errorf("Error parsing Authenticator user: %v", user)
+		}
+		userMap[split[0]] = split[1]
+	}
+	return userMap, nil
+}
+
+func parserDigestUsers(digest *types.Digest) (map[string]string, error) {
+	var userStrs []string
+	if digest.UsersFile != "" {
+		var err error
+		if userStrs, err = getLinesFromFile(digest.UsersFile); err != nil {
+			return nil, err
+		}
+	}
+	userStrs = append(digest.Users, userStrs...)
+	userMap := make(map[string]string)
+	for _, user := range userStrs {
+		split := strings.Split(user, ":")
+		if len(split) != 3 {
+			return nil, fmt.Errorf("Error parsing Authenticator user: %v", user)
+		}
+		userMap[split[0]+":"+split[1]] = split[2]
+	}
+	return userMap, nil
+}