Merge pull request #155 from SenseUnit/combined_auth

Snawoot · web-flow · commit d3ff2c4cfb11 · 2025-10-18T17:08:48.000+03:00
Combined Auth
diff --git a/README.md b/README.md
@@ -264,6 +264,7 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
 * `cert` - use mutual TLS authentication with client certificates. In order to use this auth provider server must listen sockert in TLS mode (`-cert` and `-key` options) and client CA file must be specified (`-cacert`). Example: `cert://`. Parameters of this scheme are:
   * `blacklist` - location of file with list of serial numbers of blocked certificates, one per each line in form of hex-encoded colon-separated bytes. Example: `ab:01:02:03`. Empty lines and comments starting with `#` are ignored.
   * `reload` - interval for certificate blacklist file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: `15s`.
+  * `next` - optional URL specifying the next auth provider to chain to, if cert authentication succeeded. Example: `-auth 'cert://?next=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'`.
 * `redis` - use external Redis database to lookup password verifiers for users. The password format is similar to `basicfile` mode or `htpasswd` encoding except username goes into Redis key name, colon is skipped and the rest goes to value of this key. For example, login-password pair `test` / `123456` can be encoded as Redis key `test` with value `$2y$05$zs1EJayCIyYtG.NQVzu9SeNvMP0XYWa42fQv.XNDx33wwbg98SnUq`. Example of auth parameter: `-auth 'redis://?url=redis%3A//default%3A123456Y%40redis-14623.c531.europe-west3-1.gce.redns.redis-cloud.com%3A17954/0&key_prefix=auth_'`. Parameters:
   * `url` - URL specifying Redis instance to connect to. See [ParseURL](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseURL) documentation for the complete specification of Redis URL format.
   * `key_prefix` - prefix to prepend to each key before lookup. Helps isolate keys under common prefix. Default is empty string (`""`).
diff --git a/auth/cert.go b/auth/cert.go
@@ -31,6 +31,7 @@ type CertAuth struct {
 	logger            *clog.CondLogger
 	stopOnce          sync.Once
 	stopChan          chan struct{}
+	next              Auth
 }
 
 func NewCertAuth(param_url *url.URL, logger *clog.CondLogger) (*CertAuth, error) {
@@ -62,11 +63,18 @@ func NewCertAuth(param_url *url.URL, logger *clog.CondLogger) (*CertAuth, error)
 			go auth.reloadLoop(reloadInterval)
 		}
 	}
+	if nextAuth := values.Get("next"); nextAuth != "" {
+		nap, err := NewAuth(nextAuth, logger)
+		if err != nil {
+			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
+		}
+		auth.next = nap
+	}
 
 	return auth, nil
 }
 
-func (auth *CertAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *CertAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
 		http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 		return "", false
@@ -76,6 +84,9 @@ func (auth *CertAuth) Validate(_ context.Context, wr http.ResponseWriter, req *h
 		http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 		return "", false
 	}
+	if auth.next != nil {
+		return auth.next.Validate(ctx, wr, req)
+	}
 	return fmt.Sprintf(
 		"Subject: %s, Serial Number: %s",
 		eeCert.Subject.String(),
