nicoeri/filebrowser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #471

Browse Source
This commit is contained in:
Marvin Weck 2018-07-31 17:51:44 +02:00
parent 01362f34ee
commit 5e8c4d4d45
4 changed files with 72 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cmd/filebrowser/main.go
View File

@ -9,11 +9,8 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/asdine/storm" "github.com/asdine/storm"
"gopkg.in/natefinch/lumberjack.v2" "gopkg.in/natefinch/lumberjack.v2"
"github.com/filebrowser/filebrowser" "github.com/filebrowser/filebrowser"
"github.com/filebrowser/filebrowser/bolt" "github.com/filebrowser/filebrowser/bolt"
h "github.com/filebrowser/filebrowser/http" h "github.com/filebrowser/filebrowser/http"
@ -38,6 +35,10 @@ var (
recaptchakey string recaptchakey string
recaptchasecret string recaptchasecret string
port int port int
auth struct {
method string
loginHeader string
}
noAuth bool noAuth bool
allowCommands bool allowCommands bool
allowEdit bool allowEdit bool
@ -63,6 +64,8 @@ func init() {
flag.BoolVar(&allowCommands, "allow-commands", true, "Default allow commands option for new users") flag.BoolVar(&allowCommands, "allow-commands", true, "Default allow commands option for new users")
flag.BoolVar(&allowEdit, "allow-edit", true, "Default allow edit option for new users") flag.BoolVar(&allowEdit, "allow-edit", true, "Default allow edit option for new users")
flag.BoolVar(&allowPublish, "allow-publish", true, "Default allow publish option for new users") flag.BoolVar(&allowPublish, "allow-publish", true, "Default allow publish option for new users")
flag.StringVar(&auth.method, "auth.method", "default", "Switch between 'default' and 'proxy' authentication.")
flag.StringVar(&auth.loginHeader, "auth.login-header", "X-Forwarded-User", "The header name used for proxy authentication.")
flag.BoolVar(&allowNew, "allow-new", true, "Default allow new option for new users") flag.BoolVar(&allowNew, "allow-new", true, "Default allow new option for new users")
flag.BoolVar(&noAuth, "no-auth", false, "Disables authentication") flag.BoolVar(&noAuth, "no-auth", false, "Disables authentication")
flag.BoolVar(&alterRecaptcha, "alternative-recaptcha", false, "Use recaptcha.net for serving and handling, useful in China") flag.BoolVar(&alterRecaptcha, "alternative-recaptcha", false, "Use recaptcha.net for serving and handling, useful in China")
@ -84,6 +87,8 @@ func setupViper() {
viper.SetDefault("AllowPublish", true) viper.SetDefault("AllowPublish", true)
viper.SetDefault("StaticGen", "") viper.SetDefault("StaticGen", "")
viper.SetDefault("Locale", "") viper.SetDefault("Locale", "")
viper.SetDefault("AuthMethod", "default")
viper.SetDefault("LoginHeader", "X-Fowarded-User");
viper.SetDefault("NoAuth", false) viper.SetDefault("NoAuth", false)
viper.SetDefault("BaseURL", "") viper.SetDefault("BaseURL", "")
viper.SetDefault("PrefixURL", "") viper.SetDefault("PrefixURL", "")
@ -104,6 +109,8 @@ func setupViper() {
viper.BindPFlag("AllowPublish", flag.Lookup("allow-publish")) viper.BindPFlag("AllowPublish", flag.Lookup("allow-publish"))
viper.BindPFlag("Locale", flag.Lookup("locale")) viper.BindPFlag("Locale", flag.Lookup("locale"))
viper.BindPFlag("StaticGen", flag.Lookup("staticgen")) viper.BindPFlag("StaticGen", flag.Lookup("staticgen"))
viper.BindPFlag("AuthMethod", flag.Lookup("auth.method"))
viper.BindPFlag("LoginHeader", flag.Lookup("auth.login-header"))
viper.BindPFlag("NoAuth", flag.Lookup("no-auth")) viper.BindPFlag("NoAuth", flag.Lookup("no-auth"))
viper.BindPFlag("BaseURL", flag.Lookup("baseurl")) viper.BindPFlag("BaseURL", flag.Lookup("baseurl"))
viper.BindPFlag("PrefixURL", flag.Lookup("prefixurl")) viper.BindPFlag("PrefixURL", flag.Lookup("prefixurl"))
@ -168,6 +175,18 @@ func main() {
}) })
} }
// Validate the provided config before moving forward
if(viper.GetString("AuthMethod") != "default" && viper.GetString("AuthMethod") != "proxy") {
log.Fatal("The property 'auth.method' needs to be set to 'default' or 'proxy'.")
}
if (viper.GetString("AuthMethod") == "proxy") {
if(viper.GetString("LoginHeader") == "") {
log.Fatal("The 'login-header' needs to be specified when 'proxy' authentication is used.")
}
log.Println("[WARN] Filebrowser authentication is configured to 'proxy' authentication. This can cause a huge security issue if the infrastructure is not configured correctly.")
}
// Builds the address and a listener. // Builds the address and a listener.
laddr := viper.GetString("Address") + ":" + viper.GetString("Port") laddr := viper.GetString("Address") + ":" + viper.GetString("Port")
listener, err := net.Listen("tcp", laddr) listener, err := net.Listen("tcp", laddr)
@ -196,6 +215,8 @@ func handler() http.Handler {
} }
fm := &filebrowser.FileBrowser{ fm := &filebrowser.FileBrowser{
AuthMethod: viper.GetString("AuthMethod"),
LoginHeader: viper.GetString("LoginHeader"),
NoAuth: viper.GetBool("NoAuth"), NoAuth: viper.GetBool("NoAuth"),
BaseURL: viper.GetString("BaseURL"), BaseURL: viper.GetString("BaseURL"),
PrefixURL: viper.GetString("PrefixURL"), PrefixURL: viper.GetString("PrefixURL"),

4
doc.go
View File

@ -16,6 +16,10 @@ to import "github.com/filebrowser/filebrowser/bolt".
m := &fm.FileBrowser{ m := &fm.FileBrowser{
NoAuth: false, NoAuth: false,
Auth: {
Type: "default",
LoginHeader: "X-Fowarded-User"
},
DefaultUser: &fm.User{ DefaultUser: &fm.User{
AllowCommands: true, AllowCommands: true,
AllowEdit: true, AllowEdit: true,

8
filebrowser.go
View File

@ -71,6 +71,14 @@ type FileBrowser struct {
// there will only exist one user, called "admin". // there will only exist one user, called "admin".
NoAuth bool NoAuth bool
// Define if either, the common authentication mechansim or 'proxy' authentication should be used.
// 'proxy' authentication enables a mechanism that authenticates a user based on forwarded
// headers.
AuthMethod string
// When 'AuthMethod' is set to 'proxy' the header configured below is used to identify the user.
LoginHeader string
// ReCaptcha host, key and secret. // ReCaptcha host, key and secret.
ReCaptchaHost string ReCaptchaHost string
ReCaptchaKey string ReCaptchaKey string

25
http/auth.go
View File

@ -51,20 +51,21 @@ func reCaptcha(host, secret, response string) (bool, error) {
// authHandler processes the authentication for the user. // authHandler processes the authentication for the user.
func authHandler(c *fb.Context, w http.ResponseWriter, r *http.Request) (int, error) { func authHandler(c *fb.Context, w http.ResponseWriter, r *http.Request) (int, error) {
// NoAuth instances shouldn't call this method.
if c.NoAuth { if c.NoAuth {
// NoAuth instances shouldn't call this method.
return 0, nil return 0, nil
} } else if c.AuthMethod == "proxy" {
// Receive the Username from the Header.
cred.Username = r.Header.Get(c.LoginHeader)
} else {
// Receive the credentials from the request and unmarshal them. // Receive the credentials from the request and unmarshal them.
var cred cred
if r.Body == nil { if r.Body == nil {
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
err := json.NewDecoder(r.Body).Decode(&cred) err := json.NewDecoder(r.Body).Decode(&cred)
if err != nil { if err != nil {
return http.StatusForbidden, nil return http.StatusForbidden, err
} }
// If ReCaptcha is enabled, check the code. // If ReCaptcha is enabled, check the code.
@ -78,6 +79,7 @@ func authHandler(c *fb.Context, w http.ResponseWriter, r *http.Request) (int, er
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
} }
}
// Checks if the user exists. // Checks if the user exists.
u, err := c.Store.Users.GetByUsername(cred.Username, c.NewFS) u, err := c.Store.Users.GetByUsername(cred.Username, c.NewFS)
@ -85,10 +87,12 @@ func authHandler(c *fb.Context, w http.ResponseWriter, r *http.Request) (int, er
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
if c.AuthMethod != "proxy" {
// Checks if the password is correct. // Checks if the password is correct.
if !fb.CheckPasswordHash(cred.Password, u.Password) { if !fb.CheckPasswordHash(cred.Password, u.Password) {
return http.StatusForbidden, nil return http.StatusForbidden, nil
} }
}
c.User = u c.User = u
return printToken(c, w) return printToken(c, w)
@ -171,6 +175,16 @@ func validateAuth(c *fb.Context, r *http.Request) (bool, *fb.User) {
return true, c.User return true, c.User
} }
// If proxy auth is used do not verify the JWT token if the header is provided.
if c.AuthMethod == "proxy" {
u, err := c.Store.Users.GetByUsername(r.Header.Get(c.LoginHeader), c.NewFS)
if err != nil {
return false, nil
}
c.User = u;
return true, c.User
}
keyFunc := func(token *jwt.Token) (interface{}, error) { keyFunc := func(token *jwt.Token) (interface{}, error) {
return c.Key, nil return c.Key, nil
} }
@ -194,3 +208,4 @@ func validateAuth(c *fb.Context, r *http.Request) (bool, *fb.User) {
c.User = u c.User = u
return true, u return true, u
} }