Initial commit

2fbbb37f · ale · 2fbbb37f · 2fbbb37f · 2fbbb37f · 2fbbb37f
Commit 2fbbb37f authored 5 months ago by ale
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+include: "https://git.autistici.org/pipelines/debian/raw/master/common.yml"
--- a/auth.go
+++ b/auth.go
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"flag"
+	"log"
+	"net/http"
+	"os"
+
+	"git.autistici.org/ai3/go-common/pwhash"
+)
+
+var (
+	passwordFile = flag.String("passwords", "/etc/nginx-authenticator/users.json", "JSON file with usernames/passwords")
+
+	passwords map[string]string
+)
+
+func authenticate(username, password string) bool {
+	encPw, ok := passwords[username]
+	if !ok {
+		return false
+	}
+	return pwhash.ComparePassword(encPw, password)
+}
+
+func handleAuthenticate(w http.ResponseWriter, req *http.Request) {
+	status := http.StatusForbidden
+
+	username, password, ok := req.BasicAuth()
+	if ok && authenticate(username, password) {
+		status = http.StatusOK
+	}
+
+	w.WriteHeader(status)
+}
+
+func loadUsers(path string) error {
+	var users []struct {
+		Name     string `json:"name"`
+		Password string `json:"password"`
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+	if err := json.Unmarshal(data, &users); err != nil {
+		return err
+	}
+	for _, u := range users {
+		passwords[u.Name] = u.Password
+	}
+	return nil
+}
+
+func main() {
+	flag.Parse()
+
+	if err := loadUsers(*passwordFile); err != nil {
+		log.Fatalf("error loading password file: %v", err)
+	}
+
+	l, err := newListener()
+	if err != nil {
+		log.Fatalf("error: %v", err)
+	}
+
+	err = http.Serve(l, http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if req.URL.Path != "/__auth" {
+			http.NotFound(w, req)
+			return
+		}
+		handleAuthenticate(w, req)
+	}))
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		log.Fatalf("error: %v", err)
+	}
+}
--- a/debian/changelog
+++ b/debian/changelog
+ula-nginx-authenticator (0.1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Autistici/Inventati <info@autistici.org>  Wed, 26 Jun 2024 12:21:15 +0000
--- a/debian/control
+++ b/debian/control
+Source: ula-nginx-authenticator
+Section: admin
+Priority: optional
+Maintainer: Autistici/Inventati <info@autistici.org>
+Build-Depends: debhelper-compat (= 13), dh-golang, golang-any
+Standards-Version: 3.9.6
+XS-Go-Import-Path: git.autistici.org/ula/nginx-authenticator
+
+Package: ula-nginx-authenticator
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Built-Using: ${misc:Built-Using}
+Description: NGINX Authenticator
+ Simple NGINX authenticator for mod_http_auth_request.
+
--- a/debian/copyright
+++ b/debian/copyright
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: nginx-authenticator
+Source: <https://git.autistici.org/ula/nginx-authenticator>
+
+Files: *
+Copyright: 2024 Autistici/Inventati <info@autistici.org>
+License: GPL-3.0+
+
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
--- a/debian/docs
+++ b/debian/docs
--- a/debian/rules
+++ b/debian/rules
+#!/usr/bin/make -f
+
+export DH_GOLANG_EXCLUDES := vendor
+export DH_GOLANG_INSTALL_ALL := 1
+
+%:
+	dh $@ --buildsystem=golang --with=golang
+
+override_dh_installsystemd:
+	dh_installsysusers
+	dh_installsystemd
+
+override_dh_auto_install:
+	dh_auto_install -- --no-source
+
--- a/debian/source/format
+++ b/debian/source/format
+3.0 (native)
--- a/debian/ula-nginx-authenticator.install
+++ b/debian/ula-nginx-authenticator.install
+usr/bin/nginx-authenticator /usr/bin/ula-nginx-authenticator
--- a/debian/ula-nginx-authenticator.service
+++ b/debian/ula-nginx-authenticator.service
+[Unit]
+Description=ULA Nginx Authenticator
+Requires=ula-nginx-authenticator.socket
+
+[Service]
+Type=notify
+User=ula-nginx-authenticator
+ExecStart=/usr/bin/ula-nginx-authenticator --systemd-activation
+Restart=always
+RestartSec=3
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+
+[Install]
+WantedBy=multi-user.target
+
--- a/debian/ula-nginx-authenticator.socket
+++ b/debian/ula-nginx-authenticator.socket
+[Unit]
+Description=ULA NGINX authenticator socket
+
+[Socket]
+ListenStream=/run/nginx-authenticator/socket
+SocketMode=660
+DirectoryMode=755
+SocketUser=root
+SocketGroup=nginx
+Accept=false
+
--- a/debian/ula-nginx-authenticator.sysusers
+++ b/debian/ula-nginx-authenticator.sysusers
+u ula-nginx-authenticator - -
--- a/go.mod
+++ b/go.mod
+module git.autistici.org/ula/nginx-authenticator
+
+go 1.22.9
+
+require (
+	git.autistici.org/ai3/go-common v0.0.0-20241017171051-880a2c5ae7f4
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+)
+
+require (
+	github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+)
--- a/go.sum
+++ b/go.sum
+git.autistici.org/ai3/go-common v0.0.0-20241017171051-880a2c5ae7f4 h1:xB5K4GL4VlguEOknhgz+AN3k8nmx19y91RRUvByaLnQ=
+git.autistici.org/ai3/go-common v0.0.0-20241017171051-880a2c5ae7f4/go.mod h1:JpPfOTGgbvAElF0wdmv81y6l3CRsdS4z3IkNOETUDVo=
+github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 h1:I9YN9WMo3SUh7p/4wKeNvD/IQla3U3SUa61U7ul+xM4=
+github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964/go.mod h1:eFiR01PwTcpbzXtdMces7zxg6utvFM5puiWHpWB8D/k=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
--- a/socket.go
+++ b/socket.go
+package main
+
+import (
+	"flag"
+	"net"
+	"os"
+	"strings"
+
+	"github.com/coreos/go-systemd/activation"
+)
+
+var (
+	addr       = flag.String("addr", "", "TCP listen address or UNIX socket path")
+	useSystemd = flag.Bool("systemd-activation", false, "use systemd activation")
+)
+
+func newSystemdListener() (net.Listener, error) {
+	listeners, err := activation.Listeners()
+	if err != nil {
+		return nil, err
+	}
+	return listeners[0], nil
+}
+
+func newListener() (net.Listener, error) {
+	if *useSystemd {
+		return newSystemdListener()
+	}
+
+	network := "tcp"
+	address := *addr
+	if strings.HasPrefix(address, "unix:") {
+		network = "unix"
+		address = address[5:]
+		os.Remove(address)
+	}
+	return net.Listen(network, address)
+}