Add simple auth (#186)

2026-02-20 04:03:36 +01:00 · 2022-06-13 18:13:31 +02:00
parent 4883646f39
commit 9f1041d7ef
43 changed files with 1304 additions and 622 deletions
--- a/cmd/catalyst-dev/main.go
+++ b/cmd/catalyst-dev/main.go
@@ -2,9 +2,9 @@ package main

 import (
 	"context"
+	"fmt"
 	"log"
 	"net/http"
-	"strings"

 	"github.com/arangodb/go-driver"

@@ -41,37 +41,34 @@ func main() {
 		log.Fatal(err)
 	}

-	_, _ = theCatalyst.DB.UserCreate(context.Background(), &model.UserForm{ID: "eve", Roles: []string{"admin"}})
+	_, _ = theCatalyst.DB.UserCreate(context.Background(), &model.UserForm{ID: "eve", Roles: []string{"admin"}, Password: pointer.String("eve")})
 	_ = theCatalyst.DB.UserDataCreate(context.Background(), "eve", &model.UserData{
 		Name:  pointer.String("Eve"),
 		Email: pointer.String("eve@example.com"),
 		Image: &avatarEve,
 	})
-	_, _ = theCatalyst.DB.UserCreate(context.Background(), &model.UserForm{ID: "kevin", Roles: []string{"admin"}})
+	_, _ = theCatalyst.DB.UserCreate(context.Background(), &model.UserForm{ID: "kevin", Roles: []string{"admin"}, Password: pointer.String("kevin")})
 	_ = theCatalyst.DB.UserDataCreate(context.Background(), "kevin", &model.UserData{
 		Name:  pointer.String("Kevin"),
 		Email: pointer.String("kevin@example.com"),
 		Image: &avatarKevin,
 	})

-	// proxy static requests
-	middlewares := []func(next http.Handler) http.Handler{
-		catalyst.Authenticate(theCatalyst.DB, config.Auth),
-		catalyst.AuthorizeBlockedUser(),
-	}
-	theCatalyst.Server.With(middlewares...).NotFound(func(writer http.ResponseWriter, request *http.Request) {
-		var handler http.Handler = http.HandlerFunc(api.Proxy("http://localhost:8080/static/"))
-
-		if strings.HasPrefix(request.URL.Path, "/static/") {
-			handler = http.StripPrefix("/static/", handler)
-		} else {
-			request.URL.Path = "/"
-		}
-
-		handler.ServeHTTP(writer, request)
+	_, _ = theCatalyst.DB.UserCreate(context.Background(), &model.UserForm{ID: "tom", Roles: []string{"admin"}, Password: pointer.String("tom")})
+	_ = theCatalyst.DB.UserDataCreate(context.Background(), "tom", &model.UserData{
+		Name:  pointer.String("tom"),
+		Email: pointer.String("tom@example.com"),
+		Image: &avatarKevin,
 	})

-	if err := http.ListenAndServe(":8000", theCatalyst.Server); err != nil {
+	// proxy static requests
+	theCatalyst.Server.Get("/ui/*", func(writer http.ResponseWriter, request *http.Request) {
+		log.Println("proxy request", request.URL.Path)
+
+		api.Proxy("http://localhost:8080/")(writer, request)
+	})
+
+	if err := http.ListenAndServe(fmt.Sprintf(":%d", config.Port), theCatalyst.Server); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/cmd/catalyst/main.go
+++ b/cmd/catalyst/main.go
@@ -1,12 +1,16 @@
 package main

 import (
+	"fmt"
+	"io/fs"
 	"log"
 	"net/http"

 	"github.com/SecurityBrewery/catalyst"
 	"github.com/SecurityBrewery/catalyst/cmd"
+	"github.com/SecurityBrewery/catalyst/generated/api"
 	"github.com/SecurityBrewery/catalyst/hooks"
+	"github.com/SecurityBrewery/catalyst/ui"
 )

 func main() {
@@ -22,7 +26,10 @@ func main() {
 		log.Fatal(err)
 	}

-	if err := http.ListenAndServe(":8000", theCatalyst.Server); err != nil {
+	fsys, _ := fs.Sub(ui.UI, "dist")
+	theCatalyst.Server.Get("/ui/*", api.Static(fsys))
+
+	if err := http.ListenAndServe(fmt.Sprintf(":%d", config.Port), theCatalyst.Server); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -8,6 +8,7 @@ import (
 	"golang.org/x/oauth2"

 	"github.com/SecurityBrewery/catalyst"
+	"github.com/SecurityBrewery/catalyst/auth"
 	"github.com/SecurityBrewery/catalyst/database"
 	"github.com/SecurityBrewery/catalyst/role"
 	"github.com/SecurityBrewery/catalyst/storage"
@@ -18,7 +19,17 @@ type CLI struct {
 	ExternalAddress string `env:"EXTERNAL_ADDRESS" required:""`
 	CatalystAddress string `env:"CATALYST_ADDRESS" default:"http://catalyst:8000"`
 	Network         string `env:"CATALYST_NETWORK" default:"catalyst"`
+	Port            int    `env:"PORT"             default:"8000"`

+	AuthBlockNew     bool     `env:"AUTH_BLOCK_NEW"     default:"true" help:"Block newly created users"`
+	AuthDefaultRoles []string `env:"AUTH_DEFAULT_ROLES"               help:"Default roles for new users"`
+	AuthAdminUsers   []string `env:"AUTH_ADMIN_USERS"                 help:"Username of admins"`
+	InitialAPIKey    string   `env:"INITIAL_API_KEY"`
+
+	SimpleAuthEnable bool `env:"SIMPLE_AUTH_ENABLE" default:"true"`
+	APIKeyAuthEnable bool `env:"API_KEY_AUTH_ENABLE" default:"true"`
+
+	OIDCEnable        bool     `env:"OIDC_ENABLE"         default:"false"`
 	OIDCIssuer        string   `env:"OIDC_ISSUER"         required:""`
 	OIDCClientID      string   `env:"OIDC_CLIENT_ID"      default:"catalyst"`
 	OIDCClientSecret  string   `env:"OIDC_CLIENT_SECRET"  required:""`
@@ -26,9 +37,6 @@ type CLI struct {
 	OIDCClaimUsername string   `env:"OIDC_CLAIM_USERNAME" default:"preferred_username" help:"username field in the OIDC claim"`
 	OIDCClaimEmail    string   `env:"OIDC_CLAIM_EMAIL"    default:"email"              help:"email field in the OIDC claim"`
 	OIDCClaimName     string   `env:"OIDC_CLAIM_NAME"     default:"name"               help:"name field in the OIDC claim"`
-	AuthBlockNew      bool     `env:"AUTH_BLOCK_NEW"      default:"true"               help:"Block newly created users"`
-	AuthDefaultRoles  []string `env:"AUTH_DEFAULT_ROLES"                               help:"Default roles for new users"`
-	AuthAdminUsers    []string `env:"AUTH_ADMIN_USERS"                                 help:"Username of admins"`

 	IndexPath string `env:"INDEX_PATH" default:"index.bleve" help:"Path for the bleve index"`

@@ -39,8 +47,6 @@ type CLI struct {
 	S3Host     string `env:"S3_HOST"     default:"http://minio:9000" name:"s3-host"`
 	S3User     string `env:"S3_USER"     default:"minio"             name:"s3-user"`
 	S3Password string `env:"S3_PASSWORD" required:""                 name:"s3-password"`
-
-	InitialAPIKey string `env:"INITIAL_API_KEY"`
 }

 func ParseCatalystConfig() (*catalyst.Config, error) {
@@ -61,22 +67,37 @@ func MapConfig(cli CLI) (*catalyst.Config, error) {

 	scopes := slices.Compact(append([]string{oidc.ScopeOpenID, "profile", "email"}, cli.OIDCScopes...))
 	config := &catalyst.Config{
-		IndexPath:       cli.IndexPath,
-		Network:         cli.Network,
-		DB:              &database.Config{Host: cli.ArangoDBHost, User: cli.ArangoDBUser, Password: cli.ArangoDBPassword},
+		IndexPath: cli.IndexPath,
+		Network:   cli.Network,
+		DB: &database.Config{
+			Host:     cli.ArangoDBHost,
+			User:     cli.ArangoDBUser,
+			Password: cli.ArangoDBPassword,
+		},
 		Storage:         &storage.Config{Host: cli.S3Host, User: cli.S3User, Password: cli.S3Password},
 		Secret:          []byte(cli.Secret),
 		ExternalAddress: cli.ExternalAddress,
 		InternalAddress: cli.CatalystAddress,
-		Auth: &catalyst.AuthConfig{
-			OIDCIssuer:        cli.OIDCIssuer,
-			OAuth2:            &oauth2.Config{ClientID: cli.OIDCClientID, ClientSecret: cli.OIDCClientSecret, RedirectURL: cli.ExternalAddress + "/callback", Scopes: scopes},
-			OIDCClaimUsername: cli.OIDCClaimUsername,
-			OIDCClaimEmail:    cli.OIDCClaimEmail,
-			OIDCClaimName:     cli.OIDCClaimName,
-			AuthBlockNew:      cli.AuthBlockNew,
-			AuthDefaultRoles:  roles,
-			AuthAdminUsers:    cli.AuthAdminUsers,
+		Port:            cli.Port,
+		Auth: &auth.Config{
+			SimpleAuthEnable: cli.SimpleAuthEnable,
+			APIKeyAuthEnable: cli.APIKeyAuthEnable,
+			OIDCAuthEnable:   cli.OIDCEnable,
+			OIDCIssuer:       cli.OIDCIssuer,
+			OAuth2: &oauth2.Config{
+				ClientID:     cli.OIDCClientID,
+				ClientSecret: cli.OIDCClientSecret,
+				RedirectURL:  cli.ExternalAddress + "/auth/callback",
+				Scopes:       scopes,
+			},
+			UserCreateConfig: &auth.UserCreateConfig{
+				AuthBlockNew:      cli.AuthBlockNew,
+				AuthDefaultRoles:  roles,
+				AuthAdminUsers:    cli.AuthAdminUsers,
+				OIDCClaimUsername: cli.OIDCClaimUsername,
+				OIDCClaimEmail:    cli.OIDCClaimEmail,
+				OIDCClaimName:     cli.OIDCClaimName,
+			},
 		},
 		InitialAPIKey: cli.InitialAPIKey,
 	}