Merge pull request #128 from SenseUnit/redis_auth

Redis Auth

Author: Snawoot

README.md

@@ -15,6 +15,7 @@ Simple, scriptable, secure forward proxy.
   * Via auto-reloaded NCSA httpd-style passwords file
   * Via static login and password
   * Via HMAC signatures provisioned by central authority (e.g. some webservice)
+  * Via Redis or Redis Cluster database
 * Supports TLS operation mode (HTTP(S) proxy over TLS)
   * Supports client authentication with client TLS certificates
   * Native ACME support (can issue TLS certificates automatically using Let's Encrypt or BuyPass)
@@ -226,14 +227,22 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
   * `hidden_domain` - if specified and is not an empty string, proxy will respond with "407 Proxy Authentication Required" only on specified domain. All unauthenticated clients will receive "400 Bad Request" status. This option is useful to prevent DPI active probing from discovering that service is a proxy, hiding proxy authentication prompt when no valid auth header was provided. Hidden domain is used for generating 407 response code to trigger browser authorization request in cases when browser has no prior knowledge proxy authentication is required. In such cases user has to navigate to any hidden domain page via plaintext HTTP, authenticate themselves and then browser will remember authentication.
 * `basicfile` - use htpasswd-like file with login and password pairs for authentication. Such file can be created/updated with command like this: `dumbproxy -passwd /etc/dumbproxy.htpasswd username password` or with `htpasswd` utility from Apache HTTPD utils. `path` parameter in URL for this provider must point to a local file with login and bcrypt-hashed password lines. Example: `basicfile://?path=/etc/dumbproxy.htpasswd`. Parameters:
   * `path` - location of file with login and password pairs. File format is similar to htpasswd files. Each line must be in form `<username>:<bcrypt hash of password>`. Empty lines and lines starting with `#` are ignored.
-  * `hidden_domain` - same as in `static` provider
+  * `hidden_domain` - same as in `static` provider.
   * `reload` - interval for conditional password file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: `15s`.
 * `hmac` - authentication with HMAC-signatures passed as username and password via basic authentication scheme. In that scheme username represents user login as usual and password should be constructed as follows: *password := urlsafe\_base64\_without\_padding(expire\_timestamp || hmac\_sha256(secret, "dumbproxy grant token v1" || username || expire\_timestamp))*, where *expire_timestamp* is 64-bit big-endian UNIX timestamp and *||* is a concatenation operator. [This Python script](https://gist.github.com/Snawoot/2b5acc232680d830f0f308f14e540f1d) can be used as a reference implementation of signing. Dumbproxy itself also provides built-in signer: `dumbproxy -hmac-sign <HMAC key> <username> <validity duration>`. Parameters of this auth scheme are:
   * `secret` - hex-encoded HMAC secret key. Alternatively it can be specified by `DUMBPROXY_HMAC_SECRET` environment variable. Secret key can be generated with command like this: `openssl rand -hex 32` or `dumbproxy -hmac-genkey`.
-  * `hidden_domain` - same as in `static` provider
+  * `hidden_domain` - same as in `static` provider.
 * `cert` - use mutual TLS authentication with client certificates. In order to use this auth provider server must listen sockert in TLS mode (`-cert` and `-key` options) and client CA file must be specified (`-cacert`). Example: `cert://`. Parameters of this scheme are:
   * `blacklist` - location of file with list of serial numbers of blocked certificates, one per each line in form of hex-encoded colon-separated bytes. Example: `ab:01:02:03`. Empty lines and comments starting with `#` are ignored.
   * `reload` - interval for certificate blacklist file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: `15s`.
+* `redis` - use external Redis database to lookup password verifiers for users. The password format is similar to `basicfile` mode or `htpasswd` encoding except username goes into Redis key name, colon is skipped and the rest goes to value of this key. For example, login-password pair `test` / `123456` can be encoded as Redis key `test` with value `$2y$05$zs1EJayCIyYtG.NQVzu9SeNvMP0XYWa42fQv.XNDx33wwbg98SnUq`. Example of auth parameter: `-auth 'redis://?url=redis%3A//default%3A123456Y%40redis-14623.c531.europe-west3-1.gce.redns.redis-cloud.com%3A17954/0&key_prefix=auth_'`. Parameters:
+  * `url` - URL specifying Redis instance to connect to. See [ParseURL](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseURL) documentation for the complete specification of Redis URL format.
+  * `key_prefix' - prefix to prepend to each key before lookup. Helps isolate keys under common prefix. Default is empty string (`""`).
+  * `hidden\_domain` - same as in `static provider.
+* `redis-cluster` - same as Redis, but uses Redis Cluster client instead.
+  * `url` - URL specifying Redis instance to connect to. See [ParseClusterURL](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseClusterURL) documentation for the complete specification of Redis URL format.
+  * `key_prefix' - prefix to prepend to each key before lookup. Helps isolate keys under common prefix. Default is empty string (`""`).
+  * `hidden\_domain` - same as in `static provider.
 
 ## Scripting
 

auth/auth.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"errors"
 	"net/http"
 	"net/url"
@@ -10,7 +11,7 @@ import (
 )
 
 type Auth interface {
-	Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
+	Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool)
 	Stop()
 }
 
@@ -29,6 +30,10 @@ func NewAuth(paramstr string, logger *clog.CondLogger) (Auth, error) {
 		return NewHMACAuth(url, logger)
 	case "cert":
 		return NewCertAuth(url, logger)
+	case "redis":
+		return NewRedisAuth(url, false, logger)
+	case "redis-cluster":
+		return NewRedisAuth(url, true, logger)
 	case "none":
 		return NoAuth{}, nil
 	default:

auth/basic.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -114,7 +115,7 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
 	}
 }
 
-func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *BasicAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
 		requireBasicAuth(wr, req, auth.hiddenDomain)

auth/cert.go

@@ -3,6 +3,7 @@ package auth
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -65,7 +66,7 @@ func NewCertAuth(param_url *url.URL, logger *clog.CondLogger) (*CertAuth, error)
 	return auth, nil
 }
 
-func (auth *CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *CertAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
 		http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 		return "", false

auth/common.go

@@ -2,10 +2,13 @@ package auth
 
 import (
 	"crypto/subtle"
+	"errors"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
+
+	"github.com/tg123/go-htpasswd"
 )
 
 func matchHiddenDomain(host, hidden_domain string) bool {
@@ -28,3 +31,16 @@ func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain s
 		wr.Write([]byte(AUTH_REQUIRED_MSG))
 	}
 }
+
+func makePasswdMatcher(encoded string) (htpasswd.EncodedPasswd, error) {
+	for _, p := range htpasswd.DefaultSystems {
+		matcher, err := p(encoded)
+		if err != nil {
+			return nil, err
+		}
+		if matcher != nil {
+			return matcher, nil
+		}
+	}
+	return nil, errors.New("no suitable password encoding system found")
+}

auth/hmac.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
@@ -83,7 +84,7 @@ func VerifyHMACLoginAndPassword(secret []byte, login, password string) bool {
 	return hmac.Equal(token.Signature[:], expectedMAC)
 }
 
-func (auth *HMACAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *HMACAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
 		requireBasicAuth(wr, req, auth.hiddenDomain)

auth/noauth.go

@@ -1,10 +1,13 @@
 package auth
 
-import "net/http"
+import (
+	"context"
+	"net/http"
+)
 
 type NoAuth struct{}
 
-func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (_ NoAuth) Validate(_ context.Context, _ http.ResponseWriter, _ *http.Request) (string, bool) {
 	return "", true
 }
 

auth/redis.go

@@ -0,0 +1,110 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	clog "github.com/SenseUnit/dumbproxy/log"
+
+	"github.com/redis/go-redis/v9"
+)
+
+type RedisAuth struct {
+	logger       *clog.CondLogger
+	hiddenDomain string
+	r            redis.Cmdable
+	keyPrefix    string
+}
+
+func NewRedisAuth(param_url *url.URL, cluster bool, logger *clog.CondLogger) (*RedisAuth, error) {
+	values, err := url.ParseQuery(param_url.RawQuery)
+	if err != nil {
+		return nil, err
+	}
+	auth := &RedisAuth{
+		logger:       logger,
+		hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
+		keyPrefix:    values.Get("key_prefix"),
+	}
+	if cluster {
+		opts, err := redis.ParseClusterURL(values.Get("url"))
+		if err != nil {
+			return nil, err
+		}
+		auth.r = redis.NewClusterClient(opts)
+	} else {
+		opts, err := redis.ParseURL(values.Get("url"))
+		if err != nil {
+			return nil, err
+		}
+		auth.r = redis.NewClient(opts)
+	}
+	return auth, nil
+}
+
+func (auth *RedisAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+	hdr := req.Header.Get("Proxy-Authorization")
+	if hdr == "" {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+	hdr_parts := strings.SplitN(hdr, " ", 2)
+	if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	token := hdr_parts[1]
+	data, err := base64.StdEncoding.DecodeString(token)
+	if err != nil {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	pair := strings.SplitN(string(data), ":", 2)
+	if len(pair) != 2 {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	login := pair[0]
+	password := pair[1]
+
+	encodedPasswd, err := auth.r.Get(ctx, auth.keyPrefix+login).Result()
+	if err != nil {
+		auth.logger.Debug("error fetching key %q from Redis: %v", auth.keyPrefix+login, err)
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+	matcher, err := makePasswdMatcher(encodedPasswd)
+	if err != nil {
+		auth.logger.Debug("can't create password matcher from Redis key %q: %v", auth.keyPrefix+login, err)
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	if matcher.MatchesPassword(password) {
+		if auth.hiddenDomain != "" &&
+			(req.Host == auth.hiddenDomain || req.URL.Host == auth.hiddenDomain) {
+			wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_TRIGGERED_MSG))))
+			wr.Header().Set("Pragma", "no-cache")
+			wr.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+			wr.Header().Set("Expires", EPOCH_EXPIRE)
+			wr.Header()["Date"] = nil
+			wr.WriteHeader(http.StatusOK)
+			wr.Write([]byte(AUTH_TRIGGERED_MSG))
+			return "", false
+		} else {
+			return login, true
+		}
+	}
+	requireBasicAuth(wr, req, auth.hiddenDomain)
+	return "", false
+}
+
+func (auth *RedisAuth) Stop() {
+}

handler/handler.go

@@ -192,7 +192,8 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	username, ok := s.auth.Validate(wr, req)
+	ctx := req.Context()
+	username, ok := s.auth.Validate(ctx, wr, req)
 	localAddr := getLocalAddr(req.Context())
 	s.logger.Info("Request: %v => %v %q %v %v %v", req.RemoteAddr, localAddr, username, req.Proto, req.Method, req.URL)
 
@@ -208,7 +209,6 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 			ipHints = &hintValues[0]
 		}
 	}
-	ctx := req.Context()
 	ctx = ddto.BoundDialerParamsToContext(ctx, ipHints, trimAddrPort(localAddr))
 	ctx = ddto.FilterParamsToContext(ctx, req, username)
 	req = req.WithContext(ctx)