2019-04-25 04:52:08 +07:00
|
|
|
package middlewares
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
2021-05-05 05:06:05 +07:00
|
|
|
"net/url"
|
2021-08-10 07:31:08 +07:00
|
|
|
"path"
|
2019-04-25 04:52:08 +07:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/asaskevich/govalidator"
|
2020-04-05 19:37:21 +07:00
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"github.com/valyala/fasthttp"
|
|
|
|
|
2019-12-24 09:14:52 +07:00
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
|
|
|
"github.com/authelia/authelia/internal/session"
|
2020-01-18 05:48:48 +07:00
|
|
|
"github.com/authelia/authelia/internal/utils"
|
2019-04-25 04:52:08 +07:00
|
|
|
)
|
|
|
|
|
2019-12-11 14:52:02 +07:00
|
|
|
// NewRequestLogger create a new request logger for the given request.
|
|
|
|
func NewRequestLogger(ctx *AutheliaCtx) *logrus.Entry {
|
|
|
|
return logrus.WithFields(logrus.Fields{
|
|
|
|
"method": string(ctx.Method()),
|
|
|
|
"path": string(ctx.Path()),
|
|
|
|
"remote_ip": ctx.RemoteIP().String(),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
// NewAutheliaCtx instantiate an AutheliaCtx out of a RequestCtx.
|
|
|
|
func NewAutheliaCtx(ctx *fasthttp.RequestCtx, configuration schema.Configuration, providers Providers) (*AutheliaCtx, error) {
|
|
|
|
autheliaCtx := new(AutheliaCtx)
|
|
|
|
autheliaCtx.RequestCtx = ctx
|
|
|
|
autheliaCtx.Providers = providers
|
|
|
|
autheliaCtx.Configuration = configuration
|
2019-12-11 14:52:02 +07:00
|
|
|
autheliaCtx.Logger = NewRequestLogger(autheliaCtx)
|
2020-01-18 05:48:48 +07:00
|
|
|
autheliaCtx.Clock = utils.RealClock{}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
return autheliaCtx, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// AutheliaMiddleware is wrapping the RequestCtx into an AutheliaCtx providing Authelia related objects.
|
2021-05-05 05:06:05 +07:00
|
|
|
func AutheliaMiddleware(configuration schema.Configuration, providers Providers) RequestHandlerBridge {
|
2019-04-25 04:52:08 +07:00
|
|
|
return func(next RequestHandler) fasthttp.RequestHandler {
|
|
|
|
return func(ctx *fasthttp.RequestCtx) {
|
|
|
|
autheliaCtx, err := NewAutheliaCtx(ctx, configuration, providers)
|
|
|
|
if err != nil {
|
2021-07-22 10:52:37 +07:00
|
|
|
autheliaCtx.Error(err, messageOperationFailed)
|
2019-04-25 04:52:08 +07:00
|
|
|
return
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
next(autheliaCtx)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-17 02:50:58 +07:00
|
|
|
// Error reply with an error and display the stack trace in the logs.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) Error(err error, message string) {
|
2019-11-17 08:05:46 +07:00
|
|
|
b, marshalErr := json.Marshal(ErrorResponse{Status: "KO", Message: message})
|
|
|
|
|
|
|
|
if marshalErr != nil {
|
|
|
|
c.Logger.Error(marshalErr)
|
|
|
|
}
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
c.SetContentType(contentTypeApplicationJSON)
|
2019-04-25 04:52:08 +07:00
|
|
|
c.SetBody(b)
|
|
|
|
c.Logger.Error(err)
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// ReplyError reply with an error but does not display any stack trace in the logs.
|
2019-11-17 02:50:58 +07:00
|
|
|
func (c *AutheliaCtx) ReplyError(err error, message string) {
|
2019-11-17 08:05:46 +07:00
|
|
|
b, marshalErr := json.Marshal(ErrorResponse{Status: "KO", Message: message})
|
|
|
|
|
|
|
|
if marshalErr != nil {
|
|
|
|
c.Logger.Error(marshalErr)
|
|
|
|
}
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
c.SetContentType(contentTypeApplicationJSON)
|
2019-11-17 02:50:58 +07:00
|
|
|
c.SetBody(b)
|
|
|
|
c.Logger.Debug(err)
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// ReplyUnauthorized response sent when user is unauthorized.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) ReplyUnauthorized() {
|
|
|
|
c.RequestCtx.Error(fasthttp.StatusMessage(fasthttp.StatusUnauthorized), fasthttp.StatusUnauthorized)
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// ReplyForbidden response sent when access is forbidden to user.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) ReplyForbidden() {
|
|
|
|
c.RequestCtx.Error(fasthttp.StatusMessage(fasthttp.StatusForbidden), fasthttp.StatusForbidden)
|
|
|
|
}
|
|
|
|
|
2021-05-05 05:06:05 +07:00
|
|
|
// ReplyBadRequest response sent when bad request has been sent.
|
|
|
|
func (c *AutheliaCtx) ReplyBadRequest() {
|
|
|
|
c.RequestCtx.Error(fasthttp.StatusMessage(fasthttp.StatusBadRequest), fasthttp.StatusBadRequest)
|
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// XForwardedProto return the content of the X-Forwarded-Proto header.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) XForwardedProto() []byte {
|
2021-07-22 10:52:37 +07:00
|
|
|
return c.RequestCtx.Request.Header.Peek(headerXForwardedProto)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// XForwardedMethod return the content of the X-Forwarded-Method header.
|
|
|
|
func (c *AutheliaCtx) XForwardedMethod() []byte {
|
2021-07-22 10:52:37 +07:00
|
|
|
return c.RequestCtx.Request.Header.Peek(headerXForwardedMethod)
|
2021-03-05 11:18:31 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
// XForwardedHost return the content of the X-Forwarded-Host header.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) XForwardedHost() []byte {
|
2021-07-22 10:52:37 +07:00
|
|
|
return c.RequestCtx.Request.Header.Peek(headerXForwardedHost)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// XForwardedURI return the content of the X-Forwarded-URI header.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) XForwardedURI() []byte {
|
2021-07-22 10:52:37 +07:00
|
|
|
return c.RequestCtx.Request.Header.Peek(headerXForwardedURI)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2021-08-10 07:31:08 +07:00
|
|
|
// BasePath returns the base_url as per the path visited by the client.
|
|
|
|
func (c *AutheliaCtx) BasePath() (base string) {
|
|
|
|
if baseURL := c.UserValue("base_url"); baseURL != nil {
|
|
|
|
return baseURL.(string)
|
|
|
|
}
|
|
|
|
|
|
|
|
return base
|
|
|
|
}
|
2021-05-05 05:06:05 +07:00
|
|
|
|
2021-08-10 07:31:08 +07:00
|
|
|
// ExternalRootURL gets the X-Forwarded-Proto, X-Forwarded-Host headers and the BasePath and forms them into a URL.
|
|
|
|
func (c *AutheliaCtx) ExternalRootURL() (string, error) {
|
|
|
|
protocol := c.XForwardedProto()
|
|
|
|
if protocol == nil {
|
2021-05-05 05:06:05 +07:00
|
|
|
return "", errMissingXForwardedProto
|
|
|
|
}
|
|
|
|
|
2021-08-10 07:31:08 +07:00
|
|
|
host := c.XForwardedHost()
|
|
|
|
if host == nil {
|
2021-05-05 05:06:05 +07:00
|
|
|
return "", errMissingXForwardedHost
|
|
|
|
}
|
|
|
|
|
2021-08-10 07:31:08 +07:00
|
|
|
externalRootURL := fmt.Sprintf("%s://%s", protocol, host)
|
|
|
|
|
|
|
|
if base := c.BasePath(); base != "" {
|
|
|
|
externalBaseURL, err := url.Parse(externalRootURL)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
externalBaseURL.Path = path.Join(externalBaseURL.Path, base)
|
|
|
|
|
|
|
|
return externalBaseURL.String(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return externalRootURL, nil
|
2021-05-05 05:06:05 +07:00
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// XOriginalURL return the content of the X-Original-URL header.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) XOriginalURL() []byte {
|
2021-07-22 10:52:37 +07:00
|
|
|
return c.RequestCtx.Request.Header.Peek(headerXOriginalURL)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetSession return the user session. Any update will be saved in cache.
|
|
|
|
func (c *AutheliaCtx) GetSession() session.UserSession {
|
2020-01-18 05:48:48 +07:00
|
|
|
userSession, err := c.Providers.SessionProvider.GetSession(c.RequestCtx)
|
|
|
|
if err != nil {
|
|
|
|
c.Logger.Error("Unable to retrieve user session")
|
|
|
|
return session.NewDefaultUserSession()
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-01-18 05:48:48 +07:00
|
|
|
return userSession
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
// SaveSession save the content of the session.
|
|
|
|
func (c *AutheliaCtx) SaveSession(userSession session.UserSession) error {
|
|
|
|
return c.Providers.SessionProvider.SaveSession(c.RequestCtx, userSession)
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// ReplyOK is a helper method to reply ok.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) ReplyOK() {
|
2021-07-22 10:52:37 +07:00
|
|
|
c.SetContentType(contentTypeApplicationJSON)
|
2019-04-25 04:52:08 +07:00
|
|
|
c.SetBody(okMessageBytes)
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// ParseBody parse the request body into the type of value.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) ParseBody(value interface{}) error {
|
|
|
|
err := json.Unmarshal(c.PostBody(), &value)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to parse body: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
valid, err := govalidator.ValidateStruct(value)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to validate body: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !valid {
|
|
|
|
return fmt.Errorf("Body is not valid")
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-02 12:06:39 +07:00
|
|
|
// SetJSONBody Set json body.
|
2019-04-25 04:52:08 +07:00
|
|
|
func (c *AutheliaCtx) SetJSONBody(value interface{}) error {
|
|
|
|
b, err := json.Marshal(OKResponse{Status: "OK", Data: value})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to marshal JSON body")
|
|
|
|
}
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
c.SetContentType(contentTypeApplicationJSON)
|
2019-04-25 04:52:08 +07:00
|
|
|
c.SetBody(b)
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// RemoteIP return the remote IP taking X-Forwarded-For header into account if provided.
|
|
|
|
func (c *AutheliaCtx) RemoteIP() net.IP {
|
2019-12-11 14:52:02 +07:00
|
|
|
XForwardedFor := c.Request.Header.Peek("X-Forwarded-For")
|
2019-04-25 04:52:08 +07:00
|
|
|
if XForwardedFor != nil {
|
|
|
|
ips := strings.Split(string(XForwardedFor), ",")
|
|
|
|
|
|
|
|
if len(ips) > 0 {
|
2019-12-11 14:29:32 +07:00
|
|
|
return net.ParseIP(strings.Trim(ips[0], " "))
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
return c.RequestCtx.RemoteIP()
|
|
|
|
}
|
2021-05-05 05:06:05 +07:00
|
|
|
|
|
|
|
// GetOriginalURL extract the URL from the request headers (X-Original-URI or X-Forwarded-* headers).
|
|
|
|
func (c *AutheliaCtx) GetOriginalURL() (*url.URL, error) {
|
|
|
|
originalURL := c.XOriginalURL()
|
|
|
|
if originalURL != nil {
|
|
|
|
parsedURL, err := url.ParseRequestURI(string(originalURL))
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Unable to parse URL extracted from X-Original-URL header: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.Logger.Trace("Using X-Original-URL header content as targeted site URL")
|
|
|
|
|
|
|
|
return parsedURL, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
forwardedProto := c.XForwardedProto()
|
|
|
|
forwardedHost := c.XForwardedHost()
|
|
|
|
forwardedURI := c.XForwardedURI()
|
|
|
|
|
|
|
|
if forwardedProto == nil {
|
|
|
|
return nil, errMissingXForwardedProto
|
|
|
|
}
|
|
|
|
|
|
|
|
if forwardedHost == nil {
|
|
|
|
return nil, errMissingXForwardedHost
|
|
|
|
}
|
|
|
|
|
|
|
|
var requestURI string
|
|
|
|
|
2021-06-11 07:30:53 +07:00
|
|
|
scheme := forwardedProto
|
|
|
|
scheme = append(scheme, protoHostSeparator...)
|
2021-05-05 05:06:05 +07:00
|
|
|
requestURI = string(append(scheme,
|
|
|
|
append(forwardedHost, forwardedURI...)...))
|
|
|
|
|
|
|
|
parsedURL, err := url.ParseRequestURI(requestURI)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Unable to parse URL %s: %v", requestURI, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.Logger.Tracef("Using X-Fowarded-Proto, X-Forwarded-Host and X-Forwarded-URI headers " +
|
|
|
|
"to construct targeted site URL")
|
|
|
|
|
|
|
|
return parsedURL, nil
|
|
|
|
}
|
2021-07-22 10:52:37 +07:00
|
|
|
|
|
|
|
// IsXHR returns true if the request is a XMLHttpRequest.
|
|
|
|
func (c AutheliaCtx) IsXHR() (xhr bool) {
|
|
|
|
requestedWith := c.Request.Header.Peek(headerXRequestedWith)
|
|
|
|
|
|
|
|
return requestedWith != nil && string(requestedWith) == headerValueXRequestedWithXHR
|
|
|
|
}
|
|
|
|
|
|
|
|
// AcceptsMIME takes a mime type and returns true if the request accepts that type or the wildcard type.
|
|
|
|
func (c AutheliaCtx) AcceptsMIME(mime string) (acceptsMime bool) {
|
|
|
|
accepts := strings.Split(string(c.Request.Header.Peek("Accept")), ",")
|
|
|
|
|
|
|
|
for i, accept := range accepts {
|
|
|
|
mimeType := strings.Trim(strings.SplitN(accept, ";", 2)[0], " ")
|
|
|
|
if mimeType == mime || (i == 0 && mimeType == "*/*") {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// SpecialRedirect performs a redirect similar to fasthttp.RequestCtx except it allows statusCode 401 and includes body
|
|
|
|
// content in the form of a link to the location.
|
|
|
|
func (c *AutheliaCtx) SpecialRedirect(uri string, statusCode int) {
|
|
|
|
if statusCode < fasthttp.StatusMovedPermanently || (statusCode > fasthttp.StatusSeeOther && statusCode != fasthttp.StatusTemporaryRedirect && statusCode != fasthttp.StatusPermanentRedirect && statusCode != fasthttp.StatusUnauthorized) {
|
|
|
|
statusCode = fasthttp.StatusFound
|
|
|
|
}
|
|
|
|
|
|
|
|
c.SetContentType(contentTypeTextHTML)
|
|
|
|
c.SetStatusCode(statusCode)
|
|
|
|
|
|
|
|
u := fasthttp.AcquireURI()
|
|
|
|
|
|
|
|
c.URI().CopyTo(u)
|
|
|
|
u.Update(uri)
|
|
|
|
|
|
|
|
c.Response.Header.SetBytesV("Location", u.FullURI())
|
|
|
|
|
|
|
|
c.SetBodyString(fmt.Sprintf("<a href=\"%s\">%s</a>", utils.StringHTMLEscape(string(u.FullURI())), fasthttp.StatusMessage(statusCode)))
|
|
|
|
|
|
|
|
fasthttp.ReleaseURI(u)
|
|
|
|
}
|