Added basic oauth module structure (wip)

- Added struct for oauth - Added interception handler for Zoraxy SSO - Added user structure for SSO
2025-08-06 05:08:28 +02:00 · 2024-09-12 10:55:01 +08:00
parent 3392013a5c
commit 5c56da1180
21 changed files with 1644 additions and 13 deletions
--- a/src/mod/auth/sso/sso.go
+++ b/src/mod/auth/sso/sso.go
@@ -0,0 +1,158 @@
+package sso
+
+import (
+	"embed"
+	"net/http"
+
+	"github.com/gorilla/sessions"
+	"imuslab.com/zoraxy/mod/database"
+	"imuslab.com/zoraxy/mod/info/logger"
+)
+
+/*
+	sso.go
+
+	This file contains the main SSO handler and the SSO configuration
+	structure. It also contains the main SSO handler functions.
+
+	SSO web interface are stored in the static folder, which is embedded
+	into the binary.
+*/
+
+//go:embed static/*
+var staticFiles embed.FS //Static files for the SSO portal
+
+type SSOConfig struct {
+	SystemUUID       string             //System UUID, should be passed in from main scope
+	AuthURL          string             //Authentication subdomain URL, e.g. auth.example.com
+	PortalServerPort int                //SSO portal server port
+	Database         *database.Database //System master key-value database
+	Logger           *logger.Logger
+}
+
+// SSOHandler is the main SSO handler structure
+type SSOHandler struct {
+	cookieStore     *sessions.CookieStore
+	ssoPortalServer *http.Server
+	ssoPortalMux    *http.ServeMux
+	Oauth2Server    *OAuth2Server
+	Config          *SSOConfig
+	Apps            map[string]RegisteredUpstreamApp
+}
+
+// Create a new Zoraxy SSO handler
+func NewSSOHandler(config *SSOConfig) (*SSOHandler, error) {
+	//Create a cookie store for the SSO handler
+	cookieStore := sessions.NewCookieStore([]byte(config.SystemUUID))
+	cookieStore.Options = &sessions.Options{
+		Path:     "",
+		Domain:   "",
+		MaxAge:   0,
+		Secure:   false,
+		HttpOnly: false,
+		SameSite: 0,
+	}
+
+	config.Database.NewTable("sso_users") //For storing user information
+	config.Database.NewTable("sso_conf")  //For storing SSO configuration
+	config.Database.NewTable("sso_apps")  //For storing registered apps
+
+	//Create the SSO Handler
+	thisHandler := SSOHandler{
+		cookieStore: cookieStore,
+		Config:      config,
+	}
+
+	//Read the app info from database
+	thisHandler.Apps = make(map[string]RegisteredUpstreamApp)
+
+	//Create an oauth2 server
+	oauth2Server, err := NewOAuth2Server(config, &thisHandler)
+	if err != nil {
+		return nil, err
+	}
+
+	//Register endpoints
+	thisHandler.Oauth2Server = oauth2Server
+	thisHandler.InitSSOPortal(config.PortalServerPort)
+
+	return &thisHandler, nil
+}
+
+func (h *SSOHandler) RestorePreviousRunningState() {
+	//Load the previous SSO state
+	ssoEnabled := false
+	ssoPort := 5488
+	ssoAuthURL := ""
+	h.Config.Database.Read("sso_conf", "enabled", &ssoEnabled)
+	h.Config.Database.Read("sso_conf", "port", &ssoPort)
+	h.Config.Database.Read("sso_conf", "authurl", &ssoAuthURL)
+
+	if ssoAuthURL == "" {
+		//Cannot enable SSO without auth URL
+		ssoEnabled = false
+	}
+
+	h.Config.PortalServerPort = ssoPort
+	h.Config.AuthURL = ssoAuthURL
+
+	if ssoEnabled {
+		go h.StartSSOPortal()
+	}
+}
+
+// ServeForwardAuth handle the SSO request in interception mode
+// Suppose to be called in dynamicproxy.
+// Return true if the request is allowed to pass, false if the request is blocked and shall not be further processed
+func (h *SSOHandler) ServeForwardAuth(w http.ResponseWriter, r *http.Request) bool {
+	//Get the current uri for appending to the auth subdomain
+	originalRequestURL := r.RequestURI
+
+	redirectAuthURL := h.Config.AuthURL
+	if redirectAuthURL == "" || !h.IsRunning() {
+		//Redirect not set or auth server is offlined
+		w.Write([]byte("SSO auth URL not set or SSO server offline."))
+		//TODO: Use better looking template if exists
+		return false
+	}
+
+	//Check if the user have the cookie "Zoraxy-SSO" set
+	session, err := h.cookieStore.Get(r, "Zoraxy-SSO")
+	if err != nil {
+		//Redirect to auth subdomain
+		http.Redirect(w, r, redirectAuthURL+"/sso/login?m=new&t="+originalRequestURL, http.StatusFound)
+		return false
+	}
+
+	//Check if the user is logged in
+	if session.Values["username"] != true {
+		//Redirect to auth subdomain
+		http.Redirect(w, r, redirectAuthURL+"/sso/login?m=expired&t="+originalRequestURL, http.StatusFound)
+		return false
+	}
+
+	//Check if the current request subdomain is allowed
+	userName := session.Values["username"].(string)
+	user, err := h.GetSSOUser(userName)
+	if err != nil {
+		//User might have been removed from SSO. Redirect to auth subdomain
+		http.Redirect(w, r, redirectAuthURL, http.StatusFound)
+		return false
+	}
+
+	//Check if the user have access to the current subdomain
+	if !user.Subdomains[r.Host].AllowAccess {
+		//User is not allowed to access the current subdomain. Sent 403
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		//TODO: Use better looking template if exists
+		return false
+	}
+
+	//User is logged in, continue to the next handler
+	return true
+}
+
+// Log a message with the SSO module tag
+func (h *SSOHandler) Log(message string, err error) {
+	h.Config.Logger.PrintAndLog("SSO", message, err)
+}