EdgeNode/internal/nodes/http_request_auth.go

// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.

package nodes

import (
	"bytes"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
	"io"
	"net/http"
)

// 执行认证
func (this *HTTPRequest) doAuth() (shouldStop bool) {
	if this.web.Auth == nil || !this.web.Auth.IsOn {
		return
	}

	for _, ref := range this.web.Auth.PolicyRefs {
		if !ref.IsOn || ref.AuthPolicy == nil || !ref.AuthPolicy.IsOn {
			continue
		}
		if !ref.AuthPolicy.MatchRequest(this.RawReq) {
			continue
		}
		ok, newURI, uriChanged, err := ref.AuthPolicy.Filter(this.RawReq, func(subReq *http.Request) (status int, err error) {
			subReq.TLS = this.RawReq.TLS
			subReq.RemoteAddr = this.RawReq.RemoteAddr
			subReq.Host = this.RawReq.Host
			subReq.Proto = this.RawReq.Proto
			subReq.ProtoMinor = this.RawReq.ProtoMinor
			subReq.ProtoMajor = this.RawReq.ProtoMajor
			subReq.Body = io.NopCloser(bytes.NewReader([]byte{}))
			subReq.Header.Set("Referer", this.URL())
			var writer = NewEmptyResponseWriter(this.writer)
			this.doSubRequest(writer, subReq)
			return writer.StatusCode(), nil
		}, this.Format)
		if err != nil {
			this.write50x(err, http.StatusInternalServerError, "Failed to execute the AuthPolicy", "认证策略执行失败", false)
			return
		}
		if ok {
			if uriChanged {
				this.uri = newURI
			}
			this.tags = append(this.tags, ref.AuthPolicy.Type)
			return
		} else {
			// Basic Auth比较特殊
			if ref.AuthPolicy.Type == serverconfigs.HTTPAuthTypeBasicAuth {
				method, ok := ref.AuthPolicy.Method().(*serverconfigs.HTTPAuthBasicMethod)
				if ok {
					var headerValue = "Basic realm=\""
					if len(method.Realm) > 0 {
						headerValue += method.Realm
					} else {
						headerValue += this.ReqHost
					}
					headerValue += "\""
					if len(method.Charset) > 0 {
						headerValue += ", charset=\"" + method.Charset + "\""
					}
					this.writer.Header()["WWW-Authenticate"] = []string{headerValue}
				}
			}
			this.writer.WriteHeader(http.StatusUnauthorized)
			this.tags = append(this.tags, ref.AuthPolicy.Type)
			return true
		}
	}
	return
}
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.`

			`package nodes`

			`import (`
			`"bytes"`
			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"`
优化代码 2022-08-04 11:34:06 +08:00			`"io"`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`"net/http"`
			`)`

			`// 执行认证`
			`func (this *HTTPRequest) doAuth() (shouldStop bool) {`
			`if this.web.Auth == nil \|\| !this.web.Auth.IsOn {`
			`return`
			`}`

			`for _, ref := range this.web.Auth.PolicyRefs {`
			`if !ref.IsOn \|\| ref.AuthPolicy == nil \|\| !ref.AuthPolicy.IsOn {`
			`continue`
			`}`
优化鉴权 2022-08-30 11:24:23 +08:00			`if !ref.AuthPolicy.MatchRequest(this.RawReq) {`
			`continue`
			`}`
			`ok, newURI, uriChanged, err := ref.AuthPolicy.Filter(this.RawReq, func(subReq *http.Request) (status int, err error) {`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`subReq.TLS = this.RawReq.TLS`
			`subReq.RemoteAddr = this.RawReq.RemoteAddr`
			`subReq.Host = this.RawReq.Host`
			`subReq.Proto = this.RawReq.Proto`
			`subReq.ProtoMinor = this.RawReq.ProtoMinor`
			`subReq.ProtoMajor = this.RawReq.ProtoMajor`
优化代码 2022-08-04 11:34:06 +08:00			`subReq.Body = io.NopCloser(bytes.NewReader([]byte{}))`
将请求的一些方法改为可exported，方便以后扩展 2021-12-30 11:19:11 +08:00			`subReq.Header.Set("Referer", this.URL())`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`var writer = NewEmptyResponseWriter(this.writer)`
			`this.doSubRequest(writer, subReq)`
			`return writer.StatusCode(), nil`
			`}, this.Format)`
			`if err != nil {`
40x, 50x提示默认使用HTML；50x提示增加原因信息 2022-07-30 10:48:41 +08:00			`this.write50x(err, http.StatusInternalServerError, "Failed to execute the AuthPolicy", "认证策略执行失败", false)`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`return`
			`}`
优化鉴权 2022-08-30 11:24:23 +08:00			`if ok {`
			`if uriChanged {`
			`this.uri = newURI`
			`}`
鉴权成功时也在访问日志中记录鉴权类型 2022-08-30 17:28:58 +08:00			`this.tags = append(this.tags, ref.AuthPolicy.Type)`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`return`
			`} else {`
优化鉴权 2022-08-30 11:24:23 +08:00			`// Basic Auth比较特殊`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`if ref.AuthPolicy.Type == serverconfigs.HTTPAuthTypeBasicAuth {`
优化鉴权 2022-08-30 11:24:23 +08:00			`method, ok := ref.AuthPolicy.Method().(*serverconfigs.HTTPAuthBasicMethod)`
			`if ok {`
			`var headerValue = "Basic realm=\""`
			`if len(method.Realm) > 0 {`
			`headerValue += method.Realm`
			`} else {`
			`headerValue += this.ReqHost`
			`}`
			`headerValue += "\""`
			`if len(method.Charset) > 0 {`
			`headerValue += ", charset=\"" + method.Charset + "\""`
			`}`
			`this.writer.Header()["WWW-Authenticate"] = []string{headerValue}`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`}`
			`}`
			`this.writer.WriteHeader(http.StatusUnauthorized)`
优化鉴权 2022-08-30 11:24:23 +08:00			`this.tags = append(this.tags, ref.AuthPolicy.Type)`
访问控制支持基本认证和子请求认证 2021-06-19 21:35:57 +08:00			`return true`
			`}`
			`}`
			`return`
			`}`