feat(server): role based authentication system (#2434)

- Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication - Retro-compatible with existing AND documented routes, until after v3.41 release - Log a warning if an unprotected-by-default route is accessed unprotected - Authentication methods: none, apikey, basic - `genkey` command to generate API keys Co-authored-by: Joe Jose <45399349+joejose97@users.noreply.github.com>
2024-09-18 13:29:36 +02:00
parent 07651683f9
commit a2e76e1683
25 changed files with 920 additions and 10 deletions
--- a/internal/server/middlewares/auth/lookup.go
+++ b/internal/server/middlewares/auth/lookup.go
@@ -0,0 +1,47 @@
+package auth
+
+import (
+	"fmt"
+)
+
+type internalRole struct {
+	name    string
+	checker authorizationChecker
+}
+
+func settingsToLookupMap(settings Settings) (routeToRoles map[string][]internalRole, err error) {
+	routeToRoles = make(map[string][]internalRole)
+	for _, role := range settings.Roles {
+		var checker authorizationChecker
+		switch role.Auth {
+		case AuthNone:
+			checker = newNoneMethod()
+		case AuthAPIKey:
+			checker = newAPIKeyMethod(role.APIKey)
+		case AuthBasic:
+			checker = newBasicAuthMethod(role.Username, role.Password)
+		default:
+			return nil, fmt.Errorf("%w: %s", ErrMethodNotSupported, role.Auth)
+		}
+
+		iRole := internalRole{
+			name:    role.Name,
+			checker: checker,
+		}
+		for _, route := range role.Routes {
+			checkerExists := false
+			for _, role := range routeToRoles[route] {
+				if role.checker.equal(iRole.checker) {
+					checkerExists = true
+					break
+				}
+			}
+			if checkerExists {
+				// even if the role name is different, if the checker is the same, skip it.
+				continue
+			}
+			routeToRoles[route] = append(routeToRoles[route], iRole)
+		}
+	}
+	return routeToRoles, nil
+}