mirror of
https://github.com/goharbor/harbor.git
synced 2025-01-14 19:51:23 +01:00
Add handler to handle redirect via authproxy
This commit add a handler to handle the request to "/c/authproxy/redirect". Harbor is configured to authenticate against an authproxy, if a request with query string `?token=xxxx` is sent to this URI, the handler will do tokenreview according to the setting of authproxy and simulate a `login` workflow based on the result of token review. Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
parent
53c8ad8228
commit
7321e3547d
@ -145,6 +145,8 @@ const (
|
||||
OIDCCallbackPath = "/c/oidc/callback"
|
||||
OIDCLoginPath = "/c/oidc/login"
|
||||
|
||||
AuthProxyRediretPath = "/c/authproxy/redirect"
|
||||
|
||||
ChartUploadCtxKey = contextKey("chart_upload_event")
|
||||
ChartDownloadCtxKey = contextKey("chart_download_event")
|
||||
|
||||
|
@ -147,7 +147,6 @@ func (b *BaseController) SendPermissionError() {
|
||||
} else {
|
||||
b.SendForbiddenError(errors.New(b.SecurityCtx.GetUsername()))
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// WriteJSONData writes the JSON data to the client.
|
||||
|
@ -123,6 +123,14 @@ func (a *Auth) tokenReview(sessionID string) (*models.User, error) {
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// VerifyToken reviews the token to generate the user model
|
||||
func (a *Auth) VerifyToken(token string) (*models.User, error) {
|
||||
if err := a.ensure(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return a.tokenReview(token)
|
||||
}
|
||||
|
||||
// OnBoardUser delegates to dao pkg to insert/update data in DB.
|
||||
func (a *Auth) OnBoardUser(u *models.User) error {
|
||||
return dao.OnBoardUser(u)
|
||||
|
65
src/core/controllers/authproxy_redirect.go
Normal file
65
src/core/controllers/authproxy_redirect.go
Normal file
@ -0,0 +1,65 @@
|
||||
package controllers
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"github.com/goharbor/harbor/src/common"
|
||||
"github.com/goharbor/harbor/src/core/api"
|
||||
"github.com/goharbor/harbor/src/core/auth/authproxy"
|
||||
"github.com/goharbor/harbor/src/core/config"
|
||||
"github.com/goharbor/harbor/src/lib/log"
|
||||
)
|
||||
|
||||
const (
|
||||
authproxyTokenKey = "token"
|
||||
postURIKey = "postURI"
|
||||
)
|
||||
|
||||
var helper = &authproxy.Auth{}
|
||||
|
||||
// AuthProxyController handles requests with token that can be reviewed by authproxy.
|
||||
type AuthProxyController struct {
|
||||
api.BaseController
|
||||
}
|
||||
|
||||
// Prepare checks the auth mode and fail early
|
||||
func (apc *AuthProxyController) Prepare() {
|
||||
am, err := config.AuthMode()
|
||||
if err != nil {
|
||||
apc.SendInternalServerError(err)
|
||||
return
|
||||
}
|
||||
if am != common.HTTPAuth {
|
||||
apc.SendPreconditionFailedError(fmt.Errorf("the auth mode %s does not support this flow", am))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// HandleRedirect reviews the token and login the user based on the review status.
|
||||
func (apc *AuthProxyController) HandleRedirect() {
|
||||
token := apc.Ctx.Request.URL.Query().Get(authproxyTokenKey)
|
||||
if token == "" {
|
||||
log.Errorf("No token found in request.")
|
||||
apc.Ctx.Redirect(http.StatusMovedPermanently, "/")
|
||||
return
|
||||
}
|
||||
u, err := helper.VerifyToken(token)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to verify token, error: %v", err)
|
||||
apc.Ctx.Redirect(http.StatusMovedPermanently, "/")
|
||||
return
|
||||
}
|
||||
if err := helper.PostAuthenticate(u); err != nil {
|
||||
log.Errorf("Failed to onboard user, error: %v", err)
|
||||
apc.Ctx.Redirect(http.StatusMovedPermanently, "/")
|
||||
return
|
||||
}
|
||||
apc.PopulateUserSession(*u)
|
||||
uri := apc.Ctx.Request.URL.Query().Get(postURIKey)
|
||||
if uri == "" {
|
||||
uri = "/"
|
||||
}
|
||||
apc.Ctx.Redirect(http.StatusMovedPermanently, uri)
|
||||
return
|
||||
}
|
@ -40,6 +40,7 @@ func registerRoutes() {
|
||||
beego.Router(common.OIDCLoginPath, &controllers.OIDCController{}, "get:RedirectLogin")
|
||||
beego.Router("/c/oidc/onboard", &controllers.OIDCController{}, "post:Onboard")
|
||||
beego.Router(common.OIDCCallbackPath, &controllers.OIDCController{}, "get:Callback")
|
||||
beego.Router(common.AuthProxyRediretPath, &controllers.AuthProxyController{}, "get:HandleRedirect")
|
||||
|
||||
beego.Router("/api/internal/configurations", &api.ConfigAPI{}, "get:GetInternalConfig;put:Put")
|
||||
beego.Router("/api/internal/renameadmin", &api.InternalAPI{}, "post:RenameAdmin")
|
||||
|
Loading…
Reference in New Issue
Block a user