1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
package main
import (
"context"
"crypto/sha256"
"encoding/hex"
"io"
"os"
"os/user"
"path/filepath"
"slices"
"strings"
"tildegit.org/tjp/sliderule"
"tildegit.org/tjp/sliderule/gemini"
)
func GeminiAuthMiddleware(auth *Auth) sliderule.Middleware {
if auth == nil {
return func(inner sliderule.Handler) sliderule.Handler { return inner }
}
return func(inner sliderule.Handler) sliderule.Handler {
return sliderule.HandlerFunc(func(ctx context.Context, request *sliderule.Request) *sliderule.Response {
if auth.Strategy.Approve(ctx, request) {
return inner.Handle(ctx, request)
}
if len(request.TLSState.PeerCertificates) == 0 {
return gemini.RequireCert("client certificate required")
}
return gemini.CertAuthFailure("client certificate rejected")
})
}
}
func ClientTLSFile(path string) (AuthStrategy, error) {
if strings.Contains(path, "~") {
return UserClientTLSAuth(path), nil
}
f, err := os.Open(path)
if err != nil {
return nil, err
}
defer func() { _ = f.Close() }()
contents, err := io.ReadAll(f)
if err != nil {
return nil, err
}
fingerprints := []string{}
for _, line := range strings.Split(string(contents), "\n") {
line = strings.Trim(line, " \t\r")
if len(line) == sha256.Size*2 {
fingerprints = append(fingerprints, line)
}
}
return ClientTLSAuth(fingerprints), nil
}
func ClientTLS(raw string) AuthStrategy {
fingerprints := []string{}
for _, fp := range strings.Split(raw, ",") {
fp = strings.Trim(fp, " \t\r")
if len(fp) == sha256.Size*2 {
fingerprints = append(fingerprints, fp)
}
}
return ClientTLSAuth(fingerprints)
}
type UserClientTLSAuth string
func (ca UserClientTLSAuth) Approve(ctx context.Context, request *sliderule.Request) bool {
u, err := user.Lookup(sliderule.RouteParams(ctx)["username"])
if err != nil {
return false
}
fpath := resolveTilde(string(ca), u)
strat, err := ClientTLSFile(fpath)
if err != nil {
return false
}
return strat.Approve(ctx, request)
}
func resolveTilde(path string, u *user.User) string {
if strings.HasPrefix(path, "~/") {
return filepath.Join(u.HomeDir, path[1:])
}
return strings.ReplaceAll(path, "~", u.Username)
}
type ClientTLSAuth []string
func (ca ClientTLSAuth) Approve(_ context.Context, request *sliderule.Request) bool {
if request.TLSState == nil || len(request.TLSState.PeerCertificates) == 0 {
return false
}
return slices.Contains(ca, fingerprint(request.TLSState.PeerCertificates[0].Raw))
}
func fingerprint(raw []byte) string {
hash := sha256.Sum256(raw)
return hex.EncodeToString(hash[:])
}
type HasClientTLSAuth struct{}
func (_ HasClientTLSAuth) Approve(_ context.Context, request *sliderule.Request) bool {
return request.TLSState != nil && len(request.TLSState.PeerCertificates) > 0
}
|
