Merge pull request #163 from SenseUnit/auth_enhancements

Auth enhancements

Author: Snawoot

README.md

@@ -17,6 +17,7 @@ Simple, scriptable, secure HTTP/SOCKS5 forward proxy.
   * Via static login and password
   * Via HMAC signatures provisioned by central authority (e.g. some webservice)
   * Via Redis or Redis Cluster database
+  * Chaining of all above in order to lookup multiple sources or provide custom rejection response.
 * Supports TLS operation mode (HTTP(S) proxy over TLS)
   * Supports client authentication with client TLS certificates
   * Native ACME support (can issue TLS certificates automatically using Let's Encrypt or BuyPass)
@@ -255,13 +256,16 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
   * `username` - login.
   * `password` - password.
   * `hidden_domain` - if specified and is not an empty string, proxy will respond with "407 Proxy Authentication Required" only on specified domain. All unauthenticated clients will receive "400 Bad Request" status. This option is useful to prevent DPI active probing from discovering that service is a proxy, hiding proxy authentication prompt when no valid auth header was provided. Hidden domain is used for generating 407 response code to trigger browser authorization request in cases when browser has no prior knowledge proxy authentication is required. In such cases user has to navigate to any hidden domain page via plaintext HTTP, authenticate themselves and then browser will remember authentication.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed. Example: `-auth 'static://?username=root&password=mycoolpass&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'`.
 * `basicfile` - use htpasswd-like file with login and password pairs for authentication. Such file can be created/updated with command like this: `dumbproxy -passwd /etc/dumbproxy.htpasswd username password` or with `htpasswd` utility from Apache HTTPD utils. `path` parameter in URL for this provider must point to a local file with login and bcrypt-hashed password lines. Example: `basicfile://?path=/etc/dumbproxy.htpasswd`. Parameters:
   * `path` - location of file with login and password pairs. File format is similar to htpasswd files. Each line must be in form `<username>:<bcrypt hash of password>`. Empty lines and lines starting with `#` are ignored.
   * `hidden_domain` - same as in `static` provider.
   * `reload` - interval for conditional password file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: `15s`.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed. Example: `-auth 'basicfile://?path=/etc/dumbproxy.htpasswd&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'`.
 * `hmac` - authentication with HMAC-signatures passed as username and password via basic authentication scheme. In that scheme username represents user login as usual and password should be constructed as follows: *password := urlsafe\_base64\_without\_padding(expire\_timestamp || hmac\_sha256(secret, "dumbproxy grant token v1" || username || expire\_timestamp))*, where *expire_timestamp* is 64-bit big-endian UNIX timestamp and *||* is a concatenation operator. [This Python script](https://gist.github.com/Snawoot/2b5acc232680d830f0f308f14e540f1d) can be used as a reference implementation of signing. Dumbproxy itself also provides built-in signer: `dumbproxy -hmac-sign <HMAC key> <username> <validity duration>`. Parameters of this auth scheme are:
   * `secret` - hex-encoded HMAC secret key. Alternatively it can be specified by `DUMBPROXY_HMAC_SECRET` environment variable. Secret key can be generated with command like this: `openssl rand -hex 32` or `dumbproxy -hmac-genkey`.
   * `hidden_domain` - same as in `static` provider.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed.
 * `cert` - use mutual TLS authentication with client certificates. In order to use this auth provider server must listen sockert in TLS mode (`-cert` and `-key` options) and client CA file must be specified (`-cacert`). Example: `cert://`. Parameters of this scheme are:
   * `blacklist` - location of file with list of serial numbers of blocked certificates, one per each line in form of hex-encoded colon-separated bytes. Example: `ab:01:02:03`. Empty lines and comments starting with `#` are ignored.
   * `reload` - interval for certificate blacklist file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: `15s`.
@@ -270,10 +274,16 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
   * `url` - URL specifying Redis instance to connect to. See [ParseURL](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseURL) documentation for the complete specification of Redis URL format.
   * `key_prefix` - prefix to prepend to each key before lookup. Helps isolate keys under common prefix. Default is empty string (`""`).
   * `hidden_domain` - same as in `static` provider.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed.
 * `redis-cluster` - same as Redis, but uses Redis Cluster client instead.
   * `url` - URL specifying Redis instance to connect to. See [ParseClusterURL](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseClusterURL) documentation for the complete specification of Redis URL format.
   * `key_prefix` - prefix to prepend to each key before lookup. Helps isolate keys under common prefix. Default is empty string (`""`).
   * `hidden_domain` - same as in `static` provider.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed.
+* `reject-http`, `reject-https` - auth provider which always rejects auth and returns response fetched from specified URL. Useful as a last auth chain element with other providers in order to masquerade proxy endpoint or return custom rejection response from another webserver. Example: `-auth reject-https://www.google.com`. Parameters:
+  * `method` - override HTTP request method.
+  * `qs` - provide query string to the URL in request.
+  * `x-forwarded` - boolean parameter specifying if X-Forwarded headers should be populated.
 
 ## Scripting
 

auth/auth.go

@@ -36,6 +36,8 @@ func NewAuth(paramstr string, logger *clog.CondLogger) (Auth, error) {
 		return NewRedisAuth(url, true, logger)
 	case "none":
 		return NoAuth{}, nil
+	case "reject-http", "reject-https":
+		return NewRejectHTTPAuth(url, logger)
 	default:
 		return nil, errors.New("Unknown auth scheme")
 	}

auth/basic.go

@@ -29,6 +29,7 @@ type BasicAuth struct {
 	hiddenDomain string
 	stopOnce     sync.Once
 	stopChan     chan struct{}
+	next         Auth
 }
 
 func NewBasicFileAuth(param_url *url.URL, logger *clog.CondLogger) (*BasicAuth, error) {
@@ -64,6 +65,14 @@ func NewBasicFileAuth(param_url *url.URL, logger *clog.CondLogger) (*BasicAuth,
 		go auth.reloadLoop(reloadInterval)
 	}
 
+	if nextAuth := values.Get("else"); nextAuth != "" {
+		nap, err := NewAuth(nextAuth, logger)
+		if err != nil {
+			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
+		}
+		auth.next = nap
+	}
+
 	return auth, nil
 }
 
@@ -117,32 +126,28 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
 
 func (auth *BasicAuth) Valid(user, password, userAddr string) bool {
 	pwFile := auth.pw.Load().file
-	return pwFile.Match(user, password)
+	return pwFile.Match(user, password) || tryValid(auth.next, auth.logger, user, password, userAddr)
 }
 
-func (auth *BasicAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *BasicAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 	hdr_parts := strings.SplitN(hdr, " ", 2)
 	if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	token := hdr_parts[1]
 	data, err := base64.StdEncoding.DecodeString(token)
 	if err != nil {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	pair := strings.SplitN(string(data), ":", 2)
 	if len(pair) != 2 {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	login := pair[0]
@@ -165,12 +170,14 @@ func (auth *BasicAuth) Validate(_ context.Context, wr http.ResponseWriter, req *
 			return login, true
 		}
 	}
-	requireBasicAuth(wr, req, auth.hiddenDomain)
-	return "", false
+	return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 }
 
 func (auth *BasicAuth) Stop() {
 	auth.stopOnce.Do(func() {
+		if auth.next != nil {
+			auth.next.Stop()
+		}
 		close(auth.stopChan)
 	})
 }

auth/cert.go

@@ -96,6 +96,9 @@ func (auth *CertAuth) Validate(ctx context.Context, wr http.ResponseWriter, req
 
 func (auth *CertAuth) Stop() {
 	auth.stopOnce.Do(func() {
+		if auth.next != nil {
+			auth.next.Stop()
+		}
 		close(auth.stopChan)
 	})
 }

auth/common.go

@@ -1,13 +1,15 @@
 package auth
 
 import (
+	"context"
 	"crypto/subtle"
 	"errors"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 
+	clog "github.com/SenseUnit/dumbproxy/log"
 	"github.com/tg123/go-htpasswd"
 )
 
@@ -19,7 +21,10 @@ func matchHiddenDomain(host, hidden_domain string) bool {
 	return subtle.ConstantTimeCompare([]byte(host), []byte(hidden_domain)) == 1
 }
 
-func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
+func requireBasicAuth(ctx context.Context, wr http.ResponseWriter, req *http.Request, hidden_domain string, next Auth) (string, bool) {
+	if next != nil {
+		return next.Validate(ctx, wr, req)
+	}
 	if hidden_domain != "" &&
 		!matchHiddenDomain(req.URL.Host, hidden_domain) &&
 		!matchHiddenDomain(req.Host, hidden_domain) {
@@ -30,6 +35,17 @@ func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain s
 		wr.WriteHeader(407)
 		wr.Write([]byte(AUTH_REQUIRED_MSG))
 	}
+	return "", false
+}
+
+func tryValid(auth Auth, logger *clog.CondLogger, user, password, userAddr string) bool {
+	if validator, ok := auth.(interface {
+		Valid(string, string, string) bool
+	}); ok {
+		return validator.Valid(user, password, userAddr)
+	}
+	logger.Warning("chained auth provider does not have Valid() method!")
+	return false
 }
 
 func makePasswdMatcher(encoded string) (htpasswd.EncodedPasswd, error) {

auth/hmac.go

@@ -14,6 +14,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	clog "github.com/SenseUnit/dumbproxy/log"
@@ -30,6 +31,8 @@ type HMACAuth struct {
 	secret       []byte
 	hiddenDomain string
 	logger       *clog.CondLogger
+	stopOnce     sync.Once
+	next         Auth
 }
 
 func NewHMACAuth(param_url *url.URL, logger *clog.CondLogger) (*HMACAuth, error) {
@@ -52,11 +55,21 @@ func NewHMACAuth(param_url *url.URL, logger *clog.CondLogger) (*HMACAuth, error)
 		return nil, fmt.Errorf("can't hex-decode HMAC secret: %w", err)
 	}
 
-	return &HMACAuth{
+	auth := &HMACAuth{
 		secret:       secret,
 		logger:       logger,
 		hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
-	}, nil
+	}
+
+	if nextAuth := values.Get("else"); nextAuth != "" {
+		nap, err := NewAuth(nextAuth, logger)
+		if err != nil {
+			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
+		}
+		auth.next = nap
+	}
+
+	return auth, nil
 }
 
 type HMACToken struct {
@@ -85,32 +98,28 @@ func VerifyHMACLoginAndPassword(secret []byte, login, password string) bool {
 }
 
 func (auth *HMACAuth) Valid(user, password, userAddr string) bool {
-	return VerifyHMACLoginAndPassword(auth.secret, user, password)
+	return VerifyHMACLoginAndPassword(auth.secret, user, password) || tryValid(auth.next, auth.logger, user, password, userAddr)
 }
 
-func (auth *HMACAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *HMACAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 	hdr_parts := strings.SplitN(hdr, " ", 2)
 	if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	token := hdr_parts[1]
 	data, err := base64.StdEncoding.DecodeString(token)
 	if err != nil {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	pair := strings.SplitN(string(data), ":", 2)
 	if len(pair) != 2 {
-		requireBasicAuth(wr, req, auth.hiddenDomain)
-		return "", false
+		return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 	}
 
 	login := pair[0]
@@ -131,11 +140,15 @@ func (auth *HMACAuth) Validate(_ context.Context, wr http.ResponseWriter, req *h
 			return login, true
 		}
 	}
-	requireBasicAuth(wr, req, auth.hiddenDomain)
-	return "", false
+	return requireBasicAuth(ctx, wr, req, auth.hiddenDomain, auth.next)
 }
 
 func (auth *HMACAuth) Stop() {
+	auth.stopOnce.Do(func() {
+		if auth.next != nil {
+			auth.next.Stop()
+		}
+	})
 }
 
 func CalculateHMACSignature(secret []byte, username string, expire int64) []byte {