-
Notifications
You must be signed in to change notification settings - Fork 1
/
auth.go
155 lines (136 loc) · 3.57 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"golang.org/x/crypto/ssh"
)
type AuthRequest struct {
Method string `json:"method"`
PublicKey string `json:"public_key,omitempty"`
Payload map[string]string `json:"payload"`
}
type AuthResponse struct {
Challenges []AuthChallenge `json:"challenges,omitempty"`
Failure *AuthFailure `json:"failure,omitempty"`
Upstream *AuthUpstream `json:"upstream,omitempty"`
Proxy *AuthProxy `json:"proxy,omitempty"`
}
type AuthChallenge struct {
Instruction string `json:"instruction"`
Fields []AuthChallengeField `json:"fields"`
}
type AuthChallengeField struct {
Key string `json:"key"`
Prompt string `json:"prompt"`
Secret bool `json:"secret"`
}
type AuthFailure struct {
Message string `json:"message"`
Disconnect bool `json:"disconnect,omitempty"`
Reason uint32 `json:"reason,omitempty"`
}
type AuthUpstream struct {
Host string `json:"host"`
Port uint16 `json:"port,omitempty"`
PrivateKey string `json:"private_key,omitempty"`
Certificate string `json:"certificate,omitempty"`
Password *string `json:"password,omitempty"`
}
type AuthProxy struct {
Host string `json:"host,omitempty"`
Port uint16 `json:"port,omitempty"`
Protocol *string `json:"protocol,omitempty"`
}
type Authenticator interface {
Auth(request AuthRequest, username string) (int, *AuthResponse, error)
}
func makeAuthenticator(auth AuthConfig) (Authenticator, error) {
if auth.Version == "" {
auth.Version = "v1"
}
headers := http.Header{}
for _, header := range auth.Headers {
headers.Add(header.Name, header.Value)
}
auth_url, err := url.Parse(auth.Endpoint)
if err != nil {
return nil, err
}
authenticator := RESTfulAuthenticator{
Endpoint: auth_url,
Version: auth.Version,
Headers: headers,
}
return &authenticator, nil
}
type RESTfulAuthenticator struct {
Endpoint *url.URL
Version string
Headers http.Header
}
func (auth *RESTfulAuthenticator) Auth(request AuthRequest, username string) (int, *AuthResponse, error) {
if auth.Version != "v1" {
return 500, nil, fmt.Errorf("unsupported API version: %s", auth.Version)
}
auth_url := auth.Endpoint.JoinPath("v1", "auth", username).String()
payload := new(bytes.Buffer)
if err := json.NewEncoder(payload).Encode(request); err != nil {
return 0, nil, err
}
req, err := http.NewRequest("POST", auth_url, payload)
if err != nil {
return 0, nil, err
}
req.Header = auth.Headers.Clone()
req.Header.Set("accept", "application/json")
req.Header.Set("content-type", "application/json")
res, err := http.DefaultClient.Do(req)
if err != nil {
return 0, nil, err
}
defer res.Body.Close()
body, err := io.ReadAll(res.Body)
if err != nil {
return res.StatusCode, nil, err
}
var response AuthResponse
err = json.Unmarshal(body, &response)
if err != nil {
return res.StatusCode, nil, err
}
return res.StatusCode, &response, nil
}
func removePublicKeyMethod(methods []string) []string {
res := make([]string, 0, len(methods))
for _, s := range methods {
if s != "publickey" {
res = append(res, s)
}
}
return res
}
func parsePrivateKey(key string, cert string) ssh.Signer {
if key == "" {
return nil
}
signer, err := ssh.ParsePrivateKey([]byte(key))
if err != nil {
return nil
}
if cert == "" {
return signer
}
pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(cert))
if err != nil {
return signer
}
certSigner, err := ssh.NewCertSigner(pk.(*ssh.Certificate), signer)
if err != nil {
return signer
}
return certSigner
}