Merge pull request #202 from SenseUnit/tlssess_hidden_domain

Auth fixes and improvements

Author: Snawoot

README.md

@@ -302,10 +302,11 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
   * `code` - optional parameter specifying HTTP response code. Default is 403.
   * `body` - optional parameter specifying file with response body.
   * `headers` - optional parameter specifying file with response headers. It uses format identical to request header file format used by `curl` program.
-* `tlscookie` - (EXPERIMENTAL) auth provider which grants access to whitelisted TLS session IDs. Whitelist is checked by query of another auth provider (provided as URL in `lookup` query parameter) with session ID as username and empty password. Example of auth parameter: `-auth tlscookie://?lookup=basicfile%3A%2F%2F%3Fpath%3D%2Fetc%2Fdumbproxy%2Fsessions`. Parameters of this scheme are:
+* `tlscookie` - (EXPERIMENTAL) auth provider which grants access to whitelisted TLS session IDs. Whitelist is either checked by query of another auth provider (provided as URL in `lookup` query parameter) with session ID as username and empty password, or checked against list of sessions which once requested some secret domain name through proxy. Example of auth parameter: `-auth tlscookie://?lookup=basicfile%3A%2F%2F%3Fpath%3D%2Fetc%2Fdumbproxy%2Fsessions`. Parameters of this scheme are:
+  * `hidden_domain` - if specified and is not an empty string, authorize every session ID which requested this secret domain.
   * `next` - optional URL specifying the next auth provider to chain to, if authentication succeeded.
   * `else` - optional URL specifying the next auth provider to chain to, if authentication failed.
-  * `lookup` - mandatory URL specifying another auth provider queried for session validity (typically `basicfile` or some Redis-backed password auth). Queries to this lookup provider ask for validity of session providing hexadecimal session ID as username and empty string as password.
+  * `lookup` - optional URL specifying another auth provider queried for session validity (typically `basicfile` or some Redis-backed password auth). Queries to this lookup provider ask for validity of session providing hexadecimal session ID as username and empty string as password.
 
 ## Scripting
 

auth/basic.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -64,10 +63,10 @@ func NewBasicFileAuth(param_url *url.URL, logger *clog.CondLogger) (*BasicAuth,
 	if reloadInterval > 0 {
 		go auth.reloadLoop(reloadInterval)
 	}
-
 	if nextAuth := values.Get("else"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.next = nap
@@ -157,13 +156,11 @@ func (auth *BasicAuth) Validate(ctx context.Context, wr http.ResponseWriter, req
 
 	if pwFile.Match(login, password) {
 		if auth.hiddenDomain != "" &&
-			(req.Host == auth.hiddenDomain || req.URL.Host == auth.hiddenDomain) {
-			wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_TRIGGERED_MSG))))
+			(matchHiddenDomain(req.Host, auth.hiddenDomain) || matchHiddenDomain(req.URL.Host, auth.hiddenDomain)) {
 			wr.Header().Set("Pragma", "no-cache")
 			wr.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 			wr.Header().Set("Expires", EPOCH_EXPIRE)
-			wr.Header()["Date"] = nil
-			wr.WriteHeader(http.StatusOK)
+			wr.WriteHeader(http.StatusBadRequest)
 			wr.Write([]byte(AUTH_TRIGGERED_MSG))
 			return "", false
 		} else {

auth/cert.go

@@ -68,13 +68,15 @@ func NewCertAuth(param_url *url.URL, logger *clog.CondLogger) (*CertAuth, error)
 	if nextAuth := values.Get("next"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.next = nap
 	}
 	if nextAuth := values.Get("else"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.reject = nap

auth/redis.go

@@ -58,6 +58,7 @@ func NewRedisAuth(param_url *url.URL, cluster bool, logger *clog.CondLogger) (*R
 	if nextAuth := values.Get("else"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.next = nap

auth/tlscookie.go

@@ -3,10 +3,10 @@ package auth
 import (
 	"context"
 	"encoding/hex"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
@@ -17,14 +17,18 @@ import (
 
 type sessionValidator interface {
 	Valid(sessionID, _, userAddr string) bool
+	Close() error
 }
 
 type TLSCookieAuth struct {
-	logger   *clog.CondLogger
-	stopOnce sync.Once
-	next     Auth
-	reject   Auth
-	lookup   sessionValidator
+	logger          *clog.CondLogger
+	stopOnce        sync.Once
+	next            Auth
+	reject          Auth
+	lookup          sessionValidator
+	hiddenDomain    string
+	lsMux           sync.RWMutex
+	learnedSessions map[tlsutil.TLSSessionID]struct{}
 }
 
 func NewTLSCookieAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSCookieAuth, error) {
@@ -33,48 +37,86 @@ func NewTLSCookieAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSCookieAu
 		return nil, err
 	}
 	auth := &TLSCookieAuth{
-		logger: logger,
+		logger:          logger,
+		hiddenDomain:    strings.ToLower(values.Get("hidden_domain")),
+		learnedSessions: make(map[tlsutil.TLSSessionID]struct{}),
 	}
-	if lookupURL := values.Get("lookup"); lookupURL == "" {
-		return nil, errors.New("\"lookup\" parameter is mandatory for TLS cookie auth provider")
-	} else {
+	if lookupURL := values.Get("lookup"); lookupURL != "" {
 		lookupAuth, err := NewAuth(lookupURL, logger)
 		if err != nil {
 			return nil, fmt.Errorf("unable to construct lookup provider for TLS cookie auth provider: %w", err)
 		}
 		lookup, ok := lookupAuth.(sessionValidator)
 		if !ok {
+			lookupAuth.Close()
+			defer auth.Close()
 			return nil, fmt.Errorf("unable to construct TLS cookie auth provider: provided lookup provider %q is not suitable for session validation", lookupURL)
 		}
 		auth.lookup = lookup
 	}
 	if nextAuth := values.Get("next"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.next = nap
 	}
 	if nextAuth := values.Get("else"); nextAuth != "" {
 		nap, err := NewAuth(nextAuth, logger)
 		if err != nil {
+			defer auth.Close()
 			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
 		}
 		auth.reject = nap
 	}
 	return auth, nil
 }
 
+func (auth *TLSCookieAuth) checkLearned(sessionID tlsutil.TLSSessionID) bool {
+	auth.lsMux.RLock()
+	defer auth.lsMux.RUnlock()
+	_, ok := auth.learnedSessions[sessionID]
+	return ok
+}
+
+func (auth *TLSCookieAuth) addLearned(sessionID tlsutil.TLSSessionID) {
+	auth.lsMux.Lock()
+	defer auth.lsMux.Unlock()
+	auth.learnedSessions[sessionID] = struct{}{}
+}
+
 func (auth *TLSCookieAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	sessionID, ok := tlsutil.TLSSessionIDFromContext(ctx)
 	if !ok {
 		auth.logger.Debug("tlscookie: no session extracted for %s", req.RemoteAddr)
 		return auth.handleReject(ctx, wr, req)
 	}
-	if !auth.lookup.Valid(hex.EncodeToString(sessionID[:]), "", req.RemoteAddr) {
-		auth.logger.Info("tlscookie: session ID %x from %s is not permitted", sessionID, req.RemoteAddr)
-		return auth.handleReject(ctx, wr, req)
+	if auth.hiddenDomain != "" {
+		if matchHiddenDomain(req.Host, auth.hiddenDomain) || matchHiddenDomain(req.URL.Host, auth.hiddenDomain) {
+			auth.logger.Debug("tlscookie: session %x from %s requested magic domain", sessionID, req.RemoteAddr)
+			auth.addLearned(sessionID)
+			wr.Header().Set("Pragma", "no-cache")
+			wr.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+			wr.Header().Set("Expires", EPOCH_EXPIRE)
+			wr.WriteHeader(http.StatusBadRequest)
+			wr.Write([]byte(AUTH_TRIGGERED_MSG))
+			return "", false
+		}
+		if auth.checkLearned(sessionID) {
+			auth.logger.Debug("tlscookie: session %x from %s passed because it is in learned set", sessionID, req.RemoteAddr)
+			return auth.handleSuccess(ctx, wr, req, sessionID)
+		}
 	}
+	if auth.lookup != nil && auth.lookup.Valid(hex.EncodeToString(sessionID[:]), "", req.RemoteAddr) {
+		auth.logger.Debug("tlscookie: session %x from %s passed because external lookup said yay", sessionID, req.RemoteAddr)
+		return auth.handleSuccess(ctx, wr, req, sessionID)
+	}
+	auth.logger.Info("tlscookie: session ID %x from %s is not permitted", sessionID, req.RemoteAddr)
+	return auth.handleReject(ctx, wr, req)
+}
+
+func (auth *TLSCookieAuth) handleSuccess(ctx context.Context, wr http.ResponseWriter, req *http.Request, sessionID tlsutil.TLSSessionID) (string, bool) {
 	if auth.next != nil {
 		return auth.next.Validate(ctx, wr, req)
 	}
@@ -92,6 +134,11 @@ func (auth *TLSCookieAuth) handleReject(ctx context.Context, wr http.ResponseWri
 func (auth *TLSCookieAuth) Close() error {
 	var err error
 	auth.stopOnce.Do(func() {
+		if auth.lookup != nil {
+			if closeErr := auth.lookup.Close(); closeErr != nil {
+				err = multierror.Append(err, closeErr)
+			}
+		}
 		if auth.next != nil {
 			if closeErr := auth.next.Close(); closeErr != nil {
 				err = multierror.Append(err, closeErr)