add roles & login btn.

Author: m1k1o

Dockerfile

@@ -4,20 +4,24 @@
 FROM golang:1.18-bullseye as builder
 WORKDIR /app
 
+ARG VERSION
+ARG GIT_COMMIT
+ARG GIT_BRANCH
+
 COPY . .
-RUN go get -v -t -d .
-RUN /app/build
+RUN ./build
 
 #
 # STAGE 2: build a small image
 #
 FROM scratch
 WORKDIR /app
 
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /app/bin /usr/bin/email-auth
 COPY tmpl tmpl
 
-ENTRYPOINT [ "email-auth" ]
+ENTRYPOINT [ "/usr/bin/email-auth" ]
 
 EXPOSE 8080
 

cmd/root.go

@@ -1,4 +1,4 @@
-// go-base version 2.2.2
+// go-base version 2.3.0
 package cmd
 
 import (
@@ -190,6 +190,11 @@ func initConfiguration(cfgFile string, defCfgPath string, envPrefix string) []st
 		}
 	}
 
+	// expand environment variables
+	for _, k := range viper.AllKeys() {
+		viper.Set(k, expandStringValues(viper.Get(k)))
+	}
+
 	return configs
 }
 
@@ -417,3 +422,37 @@ func initLogging(config logConfig) {
 		Int("maxbackups", config.MaxBackups).
 		Msg("logging configured")
 }
+
+func expandStringValues(value interface{}) interface{} {
+	switch v := value.(type) {
+	case string:
+		return expandEnv(v)
+	case []interface{}:
+		nslice := make([]interface{}, 0, len(v))
+		for _, vint := range v {
+			nslice = append(nslice, expandStringValues(vint))
+		}
+		return nslice
+	case map[string]interface{}:
+		nmap := map[string]interface{}{}
+		for mk, mv := range v {
+			nmap[mk] = expandStringValues(mv)
+		}
+		return nmap
+	default:
+		return v
+	}
+}
+
+func expandEnv(s string) string {
+	return os.Expand(s, func(str string) string {
+		// This allows escaping environment variable substitution via $$, e.g.
+		// - $FOO will be substituted with env var FOO
+		// - $$FOO will be replaced with $FOO
+		// - $$$FOO will be replaced with $ + substituted env var FOO
+		if str == "$" {
+			return "$"
+		}
+		return os.Getenv(str)
+	})
+}

config.yaml

@@ -18,12 +18,20 @@ app:
 
   # Users authentication using HTTP Basic Auth, with bcrypt hashes.
   # Generate entires using `htpasswd -Bbn username password`.
+  # Use $$ to escape $ in password.
   users:
   - "username:$2y$05$jB7JXurhAS37c45mUwmvIO0vdLlzRVVlwJiQUY8eP2GL74TA5C0c2"
   # Path to a file, where additional users are stored, deparated by newline.
   # Generate file using `htpasswd -Bbn username password >> usersfile`.
   users_file: ""
 
+  # Users or email addresses that are administrators.
+  roles:
+  - "admin@test.com=admin" # user = role
+  - "admin=admin"
+  # Path to a file, where additional roles are stored, deparated by newline.
+  roles_file: ""
+
   # Allowed redirect URLs.
   redirect_allowlist:
   # Allow all HTTPs URLS.
@@ -37,11 +45,16 @@ app:
   # Allow host + path prefix.
   - "//test.com/foo"
 
+  # If login button should be shown, otherwise user is logged in automatically on visit.
+  login_btn: true
+
   header:
     # If authentication header should be enabled.
     enabled: true
     # Authentication header name.
     name: "X-Auth-User"
+    # Authentication header role.
+    role: "X-Auth-Role"
 
   expiration:
     # Login link expiration in seconds. (default 5 min)

go.sum

@@ -2,8 +2,8 @@ package config
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net/url"
+	"os"
 	"strings"
 	"time"
 
@@ -19,6 +19,7 @@ import (
 type Header struct {
 	Enabled bool
 	Name    string
+	Role    string
 }
 
 type Expiration struct {
@@ -32,11 +33,14 @@ type App struct {
 	Target string
 	Bind   string
 	Proxy  bool
-	Users  map[string]string
-	Emails []string
+	Users  map[string]string // username:password
+	Emails []string          // list of emails or @domains
+	Roles  map[string]string // username/email:role
 
 	RedirectAllowlist []url.URL
 
+	LoginBtn bool // do not login automatically but show login button instead
+
 	Header     Header
 	Expiration Expiration
 }
@@ -124,7 +128,7 @@ func (App) Init(cmd *cobra.Command) error {
 		return err
 	}
 
-	cmd.PersistentFlags().StringSlice("app.users", []string{}, "Users authentication using HTTP Basic Auth, with bcrypt hashes.")
+	cmd.PersistentFlags().StringSlice("app.users", []string{}, "Users authentication using HTTP Basic Auth, with bcrypt hashes, in format user:hash.")
 	if err := viper.BindPFlag("app.users", cmd.PersistentFlags().Lookup("app.users")); err != nil {
 		return err
 	}
@@ -134,11 +138,26 @@ func (App) Init(cmd *cobra.Command) error {
 		return err
 	}
 
+	cmd.PersistentFlags().StringSlice("app.roles", []string{}, "Roles for users and emails, in format key=value.")
+	if err := viper.BindPFlag("app.roles", cmd.PersistentFlags().Lookup("app.roles")); err != nil {
+		return err
+	}
+
+	cmd.PersistentFlags().String("app.roles_file", "", "Path to a file, where additional roles are stored, deparated by newline.")
+	if err := viper.BindPFlag("app.roles_file", cmd.PersistentFlags().Lookup("app.roles_file")); err != nil {
+		return err
+	}
+
 	cmd.PersistentFlags().StringSlice("app.redirect_allowlist", []string{}, "Allowed redirect URLs.")
 	if err := viper.BindPFlag("app.redirect_allowlist", cmd.PersistentFlags().Lookup("app.redirect_allowlist")); err != nil {
 		return err
 	}
 
+	cmd.PersistentFlags().Bool("app.login_btn", false, "Show login button instead of automatic login.")
+	if err := viper.BindPFlag("app.login_btn", cmd.PersistentFlags().Lookup("app.login_btn")); err != nil {
+		return err
+	}
+
 	//
 	// header
 	//
@@ -153,6 +172,11 @@ func (App) Init(cmd *cobra.Command) error {
 		return err
 	}
 
+	cmd.PersistentFlags().String("app.header.role", "X-Auth-Role", "Authentication header role.")
+	if err := viper.BindPFlag("app.header.role", cmd.PersistentFlags().Lookup("app.header.role")); err != nil {
+		return err
+	}
+
 	//
 	// expiration
 	//
@@ -183,7 +207,7 @@ func (c *App) Set() {
 	// load emails from a file
 	emailsFile := viper.GetString("app.emails_file")
 	if emailsFile != "" {
-		emailsBytes, err := ioutil.ReadFile(emailsFile)
+		emailsBytes, err := os.ReadFile(emailsFile)
 		if err != nil {
 			log.Panic().Err(err).Msgf("error opening emails file")
 		}
@@ -198,7 +222,7 @@ func (c *App) Set() {
 	// load users from a file
 	usersFile := viper.GetString("app.users_file")
 	if usersFile != "" {
-		usersBytes, err := ioutil.ReadFile(usersFile)
+		usersBytes, err := os.ReadFile(usersFile)
 		if err != nil {
 			log.Panic().Err(err).Msgf("error opening users file")
 		}
@@ -207,6 +231,21 @@ func (c *App) Set() {
 			strings.Split(string(usersBytes), "\n")...)
 	}
 
+	// get roles from config
+	roles := viper.GetStringSlice("app.roles")
+
+	// load roles from a file
+	rolesFile := viper.GetString("app.roles_file")
+	if rolesFile != "" {
+		rolesBytes, err := os.ReadFile(rolesFile)
+		if err != nil {
+			log.Panic().Err(err).Msgf("error opening roles file")
+		}
+
+		roles = append(roles,
+			strings.Split(string(rolesBytes), "\n")...)
+	}
+
 	// clean up emails
 	c.Emails = []string{}
 	for _, email := range emails {
@@ -235,10 +274,29 @@ func (c *App) Set() {
 		c.Users[username] = secret
 	}
 
+	// convert roles to a map
+	c.Roles = map[string]string{}
+	for _, row := range roles {
+		row := strings.TrimSpace(row)
+		if row == "" {
+			continue
+		}
+
+		split := strings.Split(row, "=")
+		if len(split) != 2 {
+			log.Panic().Msgf("error parsing role: %v", row)
+		}
+
+		user, role := strings.TrimSpace(split[0]), strings.TrimSpace(split[1])
+		user = strings.ToLower(user)
+		c.Roles[user] = role
+	}
+
 	log.Info().
 		Int("emails", len(c.Emails)).
 		Int("users", len(c.Users)).
-		Msgf("loaded emails and users")
+		Int("roles", len(c.Roles)).
+		Msgf("loaded emails, users and roles")
 
 	urls := viper.GetStringSlice("app.redirect_allowlist")
 	c.RedirectAllowlist = []url.URL{}
@@ -256,8 +314,11 @@ func (c *App) Set() {
 		c.RedirectAllowlist = append(c.RedirectAllowlist, *parsed)
 	}
 
+	c.LoginBtn = viper.GetBool("app.login_btn")
+
 	c.Header.Enabled = viper.GetBool("app.header.enabled")
 	c.Header.Name = viper.GetString("app.header.name")
+	c.Header.Role = viper.GetString("app.header.role")
 
 	c.Expiration.LoginLink = time.Duration(viper.GetInt64("app.expiration.link")) * time.Second
 	c.Expiration.Session = time.Duration(viper.GetInt64("app.expiration.session")) * time.Second

internal/config/config.go

@@ -157,7 +157,7 @@ func (l *login) linkAction(next http.HandlerFunc) http.HandlerFunc {
 		logger := l.newLogger(r)
 
 		token := r.URL.Query().Get("token")
-		if token == "" || r.Method != "GET" {
+		if token == "" {
 			next.ServeHTTP(w, r)
 			return
 		}
@@ -181,22 +181,35 @@ func (l *login) linkAction(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		newToken, err := l.auth.Login(token)
-		if err != nil {
-			logger.Err(err).Str("email", session.Email()).Msg("unable to login")
-			l.page.Error(w, r, "Error while logging in, please contact your system administrator.", http.StatusInternalServerError)
+		// log me in page
+		if l.app.LoginBtn && r.Method == "GET" {
+			l.page.LoginBtn(w, r)
 			return
 		}
 
-		l.setCookie(w, newToken)
+		// login action
+		if (l.app.LoginBtn && r.Method == "POST") || (!l.app.LoginBtn && r.Method == "GET") {
+			newToken, err := l.auth.Login(token)
+			if err != nil {
+				logger.Err(err).Str("email", session.Email()).Msg("unable to login")
+				l.page.Error(w, r, "Error while logging in, please contact your system administrator.", http.StatusInternalServerError)
+				return
+			}
+
+			l.setCookie(w, newToken)
+
+			to := r.URL.Query().Get("to")
+			if !l.verifyRedirectLink(to) {
+				to = l.app.Url
+			}
 
-		to := r.URL.Query().Get("to")
-		if !l.verifyRedirectLink(to) {
-			to = l.app.Url
+			logger.Info().Str("email", session.Email()).Str("to", to).Msg("login verified")
+			http.Redirect(w, r, to, http.StatusTemporaryRedirect)
+			return
 		}
 
-		logger.Info().Str("email", session.Email()).Str("to", to).Msg("login verified")
-		http.Redirect(w, r, to, http.StatusTemporaryRedirect)
+		// invalid method
+		next.ServeHTTP(w, r)
 	}
 }
 

internal/login.go

@@ -5,7 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"html/template"
-	"io/ioutil"
+	"os"
 
 	"gopkg.in/mail.v2"
 
@@ -19,7 +19,7 @@ type Manager struct {
 }
 
 func New(templatePath string, app config.App, email config.Email) (*Manager, error) {
-	html, err := ioutil.ReadFile(templatePath)
+	html, err := os.ReadFile(templatePath)
 	if err != nil {
 		return nil, err
 	}