first commit
57
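--- a/files/haproxy-spoe-auth.in
+++ b/files/haproxy-spoe-auth.in
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# PROVIDE: haproxy-spoe-auth
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# haproxy_spoe_auth_enable (bool): Set to NO by default.
+# Set it to YES to enable haproxy-spoe-auth.
+# haproxy_spoe_auth_user (string): Set user that haproxy-spoe-auth will run under
+# Default is "haproxy".
+# haproxy_spoe_auth_group (string): Set group that haproxy-spoe-auth will run under
+# Default is "haproxy".
+# haproxy_spoe_auth_config (string): Set config file
+# Default is "/usr/local/etc/haproxy/haproxy-spoe-auth.yml".
+# haproxy_spoe_auth_log (string): Set log file
+# Default is "/var/log/haproxy-spoe-auth.log".
+
+. /etc/rc.subr
+
+name=haproxy_spoe_auth
+rcvar=haproxy_spoe_auth_enable
+
+load_rc_config $name
+
+: ${haproxy_spoe_auth_enable:="NO"}
+: ${haproxy_spoe_auth_user:="haproxy"}
+: ${haproxy_spoe_auth_group:="haproxy"}
+: ${haproxy_spoe_auth_config:="/usr/local/etc/haproxy/haproxy-spoe-auth.yml"}
+: ${haproxy_spoe_auth_log:="/var/log/haproxy-spoe-auth.log"}
+: ${haproxy_spoe_auth_restart_delay:="5"}
+
+
+pidfile=/var/run/haproxy-spoe-auth.pid
+command="/usr/sbin/daemon"
+haproxy_spoe_auth_command="%%PREFIX%%/bin/haproxy-spoe-auth"
+command_args="-rP ${pidfile} -S -R ${haproxy_spoe_auth_restart_delay} -T haproxy-spoe-auth \
+-o ${haproxy_spoe_auth_log} \
+${haproxy_spoe_auth_command} -config ${haproxy_spoe_auth_config}"
+
+required_files="${haproxy_spoe_auth_config}"
+
+start_precmd=haproxy_spoe_auth_startprecmd
+
+haproxy_spoe_auth_startprecmd()
+{
+if [ ! -e ${pidfile} ]; then
+install -o ${haproxy_spoe_auth_user} -g ${haproxy_spoe_auth_group} /dev/null ${pidfile};
+fi
+touch ${haproxy_spoe_auth_log}
+chown ${haproxy_spoe_auth_user} ${haproxy_spoe_auth_log}
+}
+
+run_rc_command "$1"
+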
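Review bot: The log file is created with `touch` and then `chown`ed unconditionally in `haproxy_spoe_auth_startprecmd` (the two lines after `fi`), so a fresh log gets the caller's umask permissions — normally world-readable — while `haproxy_spoe_auth_group` is honoured for the pidfile but ignored for the log, and with the patched agent logging `User ... is authenticated` at debug level that file will hold usernames. Mirror the pidfile branch instead: `if [ ! -e ${haproxy_spoe_auth_log} ]; then` / `install -m 640 -o ${haproxy_spoe_auth_user} -g ${haproxy_spoe_auth_group} /dev/null ${haproxy_spoe_auth_log}` / `fi`, which also stops the unconditional chown from re-owning whatever already sits at that path on every start. The config named in `required_files` carries the LDAP bind password and the OIDC client, signature and encryption secrets, and rc.subr only checks that it is readable, not its mode; the port should install it restrictively (e.g. 0640, group haproxy) and a sentence in the header block saying so would help operators who copy the sample by hand.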
52
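--- a/files/haproxy-spoe-auth.yml.sample
+++ b/files/haproxy-spoe-auth.yml.sample
@@ -0,0 +1,52 @@
+server:
+# The address the server will listen on
+addr: 127.0.0.1:8081
+# The verbosity of the logs: info or debug
+log_level: info
+
+# If set, the LDAP authenticator is enabled
+ldap:
+# The hostname an port to the ldap server
+hostname: ldap
+port: 389
+# The DN and password of the user to bind with in order to perform the search query to find the user
+user_dn: cn=admin,dc=example,dc=com
+password: password
+# The base DN used for the search queries
+base_dn: dc=example,dc=com
+# The filter for the query searching for the user provided
+user_filter: "(cn={login})"
+
+# If set, the OpenID Connect authenticator is enabled
+oidc:
+# The URL to the OpenID Connect provider. This is the URL hosting the discovery endpoint
+provider_url: http://dex.example.com:9080/dex
+# The client_id and client_secret of the app representing the SPOE agent
+# The callback the OIDC server will redirect the user to once authentication is done
+oauth2_callback_path: /oauth2/callback
+# The path to the logout endpoint to redirect the user to.
+oauth2_logout_path: /oauth2/logout
+# The path the oidc client uses for a healthcheck
+oauth2_healthcheck_path: /health
+# The SPOE agent will open a dedicated port for the HTTP server handling the callback. This is the address the server listens on
+callback_addr: ":5000"
+
+# Various properties of the cookie holding the ID Token of the user
+cookie_name: authsession
+cookie_secure: false
+cookie_ttl_seconds: 3600
+# The secret used to sign the state parameter
+signature_secret: myunsecuresecret
+# The secret used to encrypt the cookie in order to guarantee the privacy of the data in case of leak
+encryption_secret: anotherunsecuresecret
+
+# A mapping of client credentials per protected domain
+clients:
+app2.example.com:
+client_id: app2-client
+client_secret: app2-secret
+redirect_url: http://app2.example.com:9080/oauth2/callback
+app3.example.com:
+client_id: app3-client
+client_secret: app3-secret
+redirect_url: http://app3.example.com:9080/oauth2/callback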
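Review bot: The sample ships working-looking but insecure values that a plain copy to haproxy-spoe-auth.yml carries straight into production, and no comment says so: `signature_secret` and `encryption_secret` are fixed public strings, `cookie_secure: false` lets the cookie holding the ID Token travel over plaintext HTTP, `provider_url` and every `redirect_url` are `http://`, and the LDAP bind `password` goes in clear to port 389 (whether the agent supports LDAPS or STARTTLS is not visible in this commit). I would add above `cookie_secure`: `# Set to true in production: this cookie carries the ID Token and must only be sent over HTTPS` and above `signature_secret`: `# CHANGE ME: replace both secrets with long random values (e.g. openssl rand -base64 32); the sample values are public`. The line `# The client_id and client_secret of the app representing the SPOE agent` is stale — no key follows it, the per-host credentials now live under `clients:` — and should be dropped or moved there. A one-line note at the top that the file must not be world-readable belongs there too, since every secret of the deployment sits in it.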
14
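--- a/files/patch-internal__auth__authenticator_ldap.go
+++ b/files/patch-internal__auth__authenticator_ldap.go
@@ -0,0 +1,14 @@
+diff --git internal/auth/authenticator_ldap.go internal/auth/authenticator_ldap.go
+index b42c0f6..147dca0 100644
+--- internal/auth/authenticator_ldap.go
++++ internal/auth/authenticator_ldap.go
+@@ -137,6 +137,6 @@ func (la *LDAPAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
+return false, nil, err
+}
+
+- logrus.Debug("User is authenticated")
+- return true, nil, nil
++ logrus.Debugf("User %s is authenticated", username)
++ return true, []spoe.Action{SetAuthenticatedUsernameMessage(username)}, nil
+}
+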
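Review bot: `SetAuthenticatedUsernameMessage(username)` publishes `username` to HAProxy as the `auth_username` variable, but the hunk does not show where `username` is bound; if it is the login parsed from the Authorization header rather than an attribute read back from the matched LDAP entry, the variable carries the client-supplied spelling (case, surrounding whitespace, anything `user_filter` tolerated), which matters as soon as a frontend forwards it upstream as an identity header or uses it in ACLs. Consider filling it from the entry the search returned so consumers get the canonical value, and say which one it is in the comment. The debug line should quote the value, `logrus.Debugf("User %q is authenticated", username)`, so an empty or control-character-laden login shows up in the log instead of blending into it. `Authenticate` begins before this hunk.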
19
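--- a/files/patch-internal__auth__messages.go
+++ b/files/patch-internal__auth__messages.go
@@ -0,0 +1,19 @@
+diff --git internal/auth/messages.go internal/auth/messages.go
+index 1ca6706..bdf8cb3 100644
+--- internal/auth/messages.go
++++ internal/auth/messages.go
+@@ -19,3 +19,13 @@ func BuildHasErrorMessage() spoe.ActionSetVar {
+Value: true,
+}
+}
++
++// SetAuthenticatedUsername build a message containing the authenticated username
++func SetAuthenticatedUsernameMessage(username string) spoe.ActionSetVar {
++ return spoe.ActionSetVar{
++ Name: "auth_username",
++ Scope: spoe.VarScopeSession,
++ Value: username,
++ }
++}
++
+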
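Review bot: The doc comment `// SetAuthenticatedUsername build a message containing the authenticated username` does not start with the function's name and is not a sentence, which golint/staticcheck flag; use `// SetAuthenticatedUsernameMessage builds the SPOE set-var action that exposes the authenticated login to HAProxy as the session-scoped variable "auth_username" (sess.auth.auth_username with the sample's var-prefix).` The variable is `VarScopeSession`, so it outlives the request: on a keep-alive connection a later request that fails authentication still sees the previous `auth_username` unless the failure path clears it, and whether it does is not visible in this commit. That is worth a sentence in the comment, and an unset-var action on the deny path if the library offers one.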
20
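--- a/files/spoe-auth.conf.sample
+++ b/files/spoe-auth.conf.sample
@@ -0,0 +1,20 @@
+[spoe-auth]
+spoe-agent auth-agents
+messages try-auth-ldap
+messages try-auth-oidc
+
+option var-prefix auth
+
+timeout hello 2s
+timeout idle 2m
+timeout processing 1s
+
+use-backend backend_spoe-agent
+
+spoe-message try-auth-ldap
+args authorization=req.hdr(Authorization)
+event on-frontend-http-request if { hdr_beg(host) -i app1.example.com } || { hdr_beg(host) -i app2.example.com } || { hdr_beg(host) -i app3.example.com }
+
+spoe-message try-auth-oidc
+args arg_ssl=ssl_fc arg_host=req.hdr(Host) arg_pathq=pathq arg_cookie=req.cook(authsession)
+event on-frontend-http-request if { hdr_beg(host) -i app1.example.com } || { hdr_beg(host) -i app2.example.com } || { hdr_beg(host) -i app3.example.com }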
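Review bot: The sample configures when the agent is consulted but not what happens when it does not answer: `timeout processing 1s` has to cover an LDAP bind plus search or an OIDC code exchange, and when it expires HAProxy continues the request with the `auth.*` variables unset, so the frontend that consumes them (not part of this sample) must deny whenever a variable is missing rather than allow. I would state that at the top of the section, e.g. `# The frontend must deny unless the agent set its variables (fail closed): a processing timeout or agent error leaves them unset.` The cookie name `authsession` on the try-auth-oidc `args` line must match `cookie_name` in haproxy-spoe-auth.yml, and `hdr_beg(host)` is a prefix match chosen presumably to tolerate a port suffix; a comment on each would save a silent mismatch when someone renames the cookie or adds a host.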