-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
317 lines (275 loc) · 9.8 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
package main
import (
"bytes"
"flag"
"fmt"
"io/ioutil"
"net/http"
"net/http/httputil"
"net/url"
"path"
"strings"
"github.com/Sirupsen/logrus"
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/pkg/errors"
"github.com/yhat/wsutil"
)
var log = logrus.WithFields(logrus.Fields{
"service": "cas-proxy",
"art-id": "cas-proxy",
"group": "org.cyverse",
})
func init() {
logrus.SetFormatter(&logrus.JSONFormatter{})
}
const sessionName = "proxy-session"
const sessionKey = "proxy-session-key"
// CASProxy contains the application logic that handles authentication, session
// validations, ticket validation, and request proxying.
type CASProxy struct {
casBase string // base URL for the CAS server
casValidate string // The path to the validation endpoint on the CAS server.
frontendURL string // The URL placed into service query param for CAS.
backendURL string // The backend URL to forward to.
wsbackendURL string
cookies *sessions.CookieStore
maxAge int
}
// NewCASProxy returns a newly instantiated *CASProxy.
func NewCASProxy(casBase, casValidate, frontendURL, backendURL, wsbackendURL string, maxAge int) *CASProxy {
return &CASProxy{
casBase: casBase,
casValidate: casValidate,
frontendURL: frontendURL,
backendURL: backendURL,
wsbackendURL: wsbackendURL,
maxAge: maxAge,
cookies: sessions.NewCookieStore([]byte("omgsekretz")), // TODO: replace
}
}
// ValidateTicket will validate a CAS ticket against the configured CAS server.
func (c *CASProxy) ValidateTicket(w http.ResponseWriter, r *http.Request) {
casURL, err := url.Parse(c.casBase)
if err != nil {
err = errors.Wrapf(err, "failed to parse CAS base URL %s", c.casBase)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Make sure the path in the CAS params is the same as the one that was
// requested.
svcURL, err := url.Parse(c.frontendURL)
if err != nil {
err = errors.Wrapf(err, "failed to parse the frontend URL %s", c.frontendURL)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Make sure the serivce path and the query params are set to the incoming
// requests values for those fields.
svcURL.Path = r.URL.Path
sq := r.URL.Query()
sq.Del("ticket") // Remove the ticket from the service URL. Redirection loops occur otherwise.
svcURL.RawQuery = sq.Encode()
// The request URL for cas validation needs to have the service and ticket in
// it.
casURL.Path = path.Join(casURL.Path, c.casValidate)
q := casURL.Query()
q.Add("service", svcURL.String())
q.Add("ticket", r.URL.Query().Get("ticket"))
casURL.RawQuery = q.Encode()
// Actually validate the ticket.
resp, err := http.Get(casURL.String())
if err != nil {
err = errors.Wrap(err, "ticket validation error")
http.Error(w, err.Error(), http.StatusForbidden)
return
}
// If this happens then something went wrong on the CAS side of things. Doesn't
// mean the ticket is invalid, just that the CAS server is in a state where
// we can't trust the response.
if resp.StatusCode < 200 || resp.StatusCode > 299 {
err = errors.Wrapf(err, "ticket validation status code was %d", resp.StatusCode)
http.Error(w, err.Error(), http.StatusForbidden)
return
}
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
err = errors.Wrap(err, "error reading body of CAS response")
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
defer resp.Body.Close()
// This is where the actual ticket validation happens. If the CAS server
// returns 'no\n\n' in the body, then the validation was not successful. The
// HTTP status code will be in the 200 range regardless if the validation
// status.
if bytes.Equal(b, []byte("no\n\n")) {
err = fmt.Errorf("ticket validation response body was %s", b)
http.Error(w, err.Error(), http.StatusForbidden)
return
}
// Store a session, hopefully to short circuit the CAS redirect dance in later
// requests. The max age of the cookie should be less than the lifetime of
// the CAS ticket, which is around 10+ hours. This means that we'll be hitting
// the CAS server fairly often, but it shouldn't be an issue.
session, err := c.cookies.Get(r, sessionName)
if err != nil {
err = errors.Wrapf(err, "failed get session %s", sessionName)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
session.Values[sessionKey] = 1
session.Options.MaxAge = c.maxAge
c.cookies.Save(r, w, session)
http.Redirect(w, r, svcURL.String(), http.StatusTemporaryRedirect)
}
// Session implements the mux.Matcher interface so that requests can be routed
// based on cookie existence.
func (c *CASProxy) Session(r *http.Request, m *mux.RouteMatch) bool {
var (
val interface{}
ok bool
)
session, err := c.cookies.Get(r, sessionName)
if err != nil {
return true
}
if val, ok = session.Values[sessionKey]; !ok {
log.Infof("key %s was not in the session", sessionKey)
return true
}
if val.(int) != 1 {
log.Infof("session value was %d instead of 1", val.(int))
return true
}
return false
}
// RedirectToCAS redirects the request to CAS, setting the service query
// parameter to the value in frontendURL.
func (c *CASProxy) RedirectToCAS(w http.ResponseWriter, r *http.Request) {
casURL, err := url.Parse(c.casBase)
if err != nil {
err = errors.Wrapf(err, "failed to parse CAS base URL %s", c.casBase)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Make sure the path in the CAS params is the same as the one that was
// requested.
svcURL, err := url.Parse(c.frontendURL)
if err != nil {
err = errors.Wrapf(err, "failed to parse the frontend URL %s", c.frontendURL)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Make sure the serivce path and the query params are set to the incoming
// requests values for those fields.
svcURL.Path = r.URL.Path
svcURL.RawQuery = r.URL.RawQuery
//set the service query param in the casURL.
q := casURL.Query()
q.Add("service", svcURL.String())
casURL.RawQuery = q.Encode()
casURL.Path = path.Join(casURL.Path, "login")
// perform the redirect
http.Redirect(w, r, casURL.String(), http.StatusTemporaryRedirect)
}
// ReverseProxy returns a proxy that forwards requests to the configured
// backend URL. It can act as a http.Handler.
func (c *CASProxy) ReverseProxy() (*httputil.ReverseProxy, error) {
backend, err := url.Parse(c.backendURL)
if err != nil {
return nil, errors.Wrapf(err, "failed to parse %s", c.backendURL)
}
return httputil.NewSingleHostReverseProxy(backend), nil
}
// WSReverseProxy returns a proxy that forwards websocket request to the
// configured backend URL. It can act as a http.Handler.
func (c *CASProxy) WSReverseProxy() (*wsutil.ReverseProxy, error) {
w, err := url.Parse(c.wsbackendURL)
if err != nil {
return nil, errors.Wrapf(err, "failed to parse the websocket backend URL %s", c.wsbackendURL)
}
return wsutil.NewSingleHostReverseProxy(w), nil
}
// isWebsocket returns true if the connection is a websocket request. Adapted
// from the code at https://groups.google.com/d/msg/golang-nuts/KBx9pDlvFOc/0tR1gBRfFVMJ.
func (c *CASProxy) isWebsocket(r *http.Request) bool {
connectionHeader := ""
allHeaders := r.Header["Connection"]
if len(allHeaders) > 0 {
connectionHeader = allHeaders[0]
}
upgrade := false
if strings.ToLower(connectionHeader) == "upgrade" {
if len(r.Header["Upgrade"]) > 0 {
upgrade = (strings.ToLower(r.Header["Upgrade"][0]) == "websocket")
}
}
return upgrade
}
// Proxy returns a handler that can support both websockets and http requests.
func (c *CASProxy) Proxy() (http.Handler, error) {
ws, err := c.WSReverseProxy()
if err != nil {
return nil, err
}
rp, err := c.ReverseProxy()
if err != nil {
return nil, err
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if c.isWebsocket(r) {
ws.ServeHTTP(w, r)
return
}
rp.ServeHTTP(w, r)
}), nil
}
func main() {
var (
backendURL = flag.String("backend-url", "http://localhost:60000", "The hostname and port to proxy requests to.")
wsbackendURL = flag.String("ws-backend-url", "", "The backend URL for the handling websocket requests. Defaults to the value of --backend-url with a scheme of ws://")
frontendURL = flag.String("frontend-url", "", "The URL for the frontend server. Might be different from the hostname and listen port.")
listenAddr = flag.String("listen-addr", "0.0.0.0:8080", "The listen port number.")
casBase = flag.String("cas-base-url", "", "The base URL to the CAS host.")
casValidate = flag.String("cas-validate", "validate", "The CAS URL endpoint for validating tickets.")
maxAge = flag.Int("max-age", 30, "The number of seconds that the session cookie is valid for.")
)
flag.Parse()
if *casBase == "" {
log.Fatal("--cas-base-url must be set.")
}
if *frontendURL == "" {
log.Fatal("--frontend-url must be set.")
}
if *wsbackendURL == "" {
w, err := url.Parse(*backendURL)
if err != nil {
log.Fatal(err)
}
w.Scheme = "ws"
*wsbackendURL = w.String()
}
log.Infof("backend URL is %s", *backendURL)
log.Infof("websocket backend URL is %s", *wsbackendURL)
log.Infof("frontend URL is %s", *frontendURL)
log.Infof("listen address is %s", *listenAddr)
log.Infof("CAS base URL is %s", *casBase)
log.Infof("CAS ticket validator endpoint is %s", *casValidate)
p := NewCASProxy(*casBase, *casValidate, *frontendURL, *backendURL, *wsbackendURL, *maxAge)
proxy, err := p.Proxy()
if err != nil {
log.Fatal(err)
}
r := mux.NewRouter()
// If the query containes a ticket in the query params, then it needs to be
// validated.
r.PathPrefix("/").Queries("ticket", "").Handler(http.HandlerFunc(p.ValidateTicket))
r.PathPrefix("/").MatcherFunc(p.Session).Handler(http.HandlerFunc(p.RedirectToCAS))
r.PathPrefix("/").Handler(proxy)
server := &http.Server{
Handler: r,
Addr: *listenAddr,
}
log.Fatal(server.ListenAndServe())
}