Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
74a067ae10 | ||
|
|
3bbd50764a | ||
|
|
49e46e7e9f | ||
|
|
cd372e1512 |
@@ -1,5 +1,5 @@
|
||||
// yaml_stream.jsonnet
|
||||
local Build(go, alpine, os, arch) = {
|
||||
local Build(mirror, go, alpine, os, arch) = {
|
||||
kind: "pipeline",
|
||||
type: "docker",
|
||||
name: "build-" + go + "-alpine" + alpine + "-" + arch,
|
||||
@@ -17,6 +17,7 @@ local Build(go, alpine, os, arch) = {
|
||||
{
|
||||
name: "build",
|
||||
image: "golang:" + go +"-alpine" + alpine,
|
||||
mirror: mirror,
|
||||
commands: [
|
||||
"apk update",
|
||||
"apk add --no-cache git",
|
||||
@@ -28,6 +29,7 @@ local Build(go, alpine, os, arch) = {
|
||||
{
|
||||
name: "check-policy-forgejo",
|
||||
image: "alpine:" + alpine,
|
||||
mirror: mirror,
|
||||
depends_on: ["build"],
|
||||
commands: [
|
||||
"./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/forgejo.yml --policy-snippets examples/snippets/"
|
||||
@@ -36,6 +38,7 @@ local Build(go, alpine, os, arch) = {
|
||||
{
|
||||
name: "check-policy-generic",
|
||||
image: "alpine:" + alpine,
|
||||
mirror: mirror,
|
||||
depends_on: ["build"],
|
||||
commands: [
|
||||
"./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/generic.yml --policy-snippets examples/snippets/"
|
||||
@@ -44,6 +47,7 @@ local Build(go, alpine, os, arch) = {
|
||||
{
|
||||
name: "test-wasm-success",
|
||||
image: "alpine:" + alpine,
|
||||
mirror: mirror,
|
||||
depends_on: ["build"],
|
||||
commands: [
|
||||
"./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm " +
|
||||
@@ -56,6 +60,7 @@ local Build(go, alpine, os, arch) = {
|
||||
{
|
||||
name: "test-wasm-fail",
|
||||
image: "alpine:" + alpine,
|
||||
mirror: mirror,
|
||||
depends_on: ["build"],
|
||||
commands: [
|
||||
"./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm " +
|
||||
@@ -68,7 +73,7 @@ local Build(go, alpine, os, arch) = {
|
||||
]
|
||||
};
|
||||
|
||||
local Publish(registry, repo, secret, go, alpine, os, arch, trigger, platforms, extra) = {
|
||||
local Publish(mirror, registry, repo, secret, go, alpine, os, arch, trigger, platforms, extra) = {
|
||||
kind: "pipeline",
|
||||
type: "docker",
|
||||
name: "publish-" + go + "-alpine" + alpine + "-" + secret,
|
||||
@@ -78,6 +83,15 @@ local Publish(registry, repo, secret, go, alpine, os, arch, trigger, platforms,
|
||||
},
|
||||
trigger: trigger,
|
||||
steps: [
|
||||
{
|
||||
name: "setup-buildkitd",
|
||||
image: "alpine:" + alpine,
|
||||
mirror: mirror,
|
||||
commands: [
|
||||
"echo '[registry.\"docker.io\"]' > buildkitd.toml",
|
||||
"echo ' mirrors = [\"mirror.gcr.io\"]' >> buildkitd.toml"
|
||||
],
|
||||
},
|
||||
{
|
||||
name: "docker",
|
||||
image: "plugins/buildx",
|
||||
@@ -87,13 +101,15 @@ local Publish(registry, repo, secret, go, alpine, os, arch, trigger, platforms,
|
||||
SOURCE_DATE_EPOCH: 0,
|
||||
TZ: "UTC",
|
||||
LC_ALL: "C",
|
||||
PLUGIN_BUILDER_CONFIG: "buildkitd.toml",
|
||||
PLUGIN_BUILDER_DRIVER: "docker-container",
|
||||
},
|
||||
settings: {
|
||||
registry: registry,
|
||||
repo: repo,
|
||||
mirror: mirror,
|
||||
compress: true,
|
||||
platform: platforms,
|
||||
builder_driver: "docker-container",
|
||||
build_args: {
|
||||
from_builder: "golang:" + go +"-alpine" + alpine,
|
||||
from: "alpine:" + alpine,
|
||||
@@ -116,17 +132,19 @@ local containerArchitectures = ["linux/amd64", "linux/arm64", "linux/riscv64"];
|
||||
local alpineVersion = "3.21";
|
||||
local goVersion = "1.24";
|
||||
|
||||
local mirror = "https://mirror.gcr.io";
|
||||
|
||||
[
|
||||
Build(goVersion, alpineVersion, "linux", "amd64"),
|
||||
Build(goVersion, alpineVersion, "linux", "arm64"),
|
||||
Build(mirror, goVersion, alpineVersion, "linux", "amd64"),
|
||||
Build(mirror, goVersion, alpineVersion, "linux", "arm64"),
|
||||
|
||||
# latest
|
||||
Publish("git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-git"},
|
||||
Publish("codeberg.org", "codeberg.org/weebdatahoarder/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-codeberg"},
|
||||
Publish("ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-github"},
|
||||
Publish(mirror, "git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-git"},
|
||||
Publish(mirror, "codeberg.org", "codeberg.org/weebdatahoarder/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-codeberg"},
|
||||
Publish(mirror, "ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-github"},
|
||||
|
||||
# modern
|
||||
Publish("git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
Publish("codeberg.org", "codeberg.org/weebdatahoarder/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
Publish("ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
Publish(mirror, "git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
Publish(mirror, "codeberg.org", "codeberg.org/weebdatahoarder/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
Publish(mirror, "ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
|
||||
]
|
||||
72
.drone.yml
72
.drone.yml
@@ -17,6 +17,7 @@ steps:
|
||||
- go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
|
||||
- go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
|
||||
image: golang:1.24-alpine3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: build
|
||||
- commands:
|
||||
- ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
|
||||
@@ -24,6 +25,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: check-policy-forgejo
|
||||
- commands:
|
||||
- ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
|
||||
@@ -31,6 +33,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: check-policy-generic
|
||||
- commands:
|
||||
- ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
|
||||
@@ -41,6 +44,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: test-wasm-success
|
||||
- commands:
|
||||
- ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
|
||||
@@ -51,6 +55,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: test-wasm-fail
|
||||
type: docker
|
||||
---
|
||||
@@ -72,6 +77,7 @@ steps:
|
||||
- go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
|
||||
- go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
|
||||
image: golang:1.24-alpine3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: build
|
||||
- commands:
|
||||
- ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
|
||||
@@ -79,6 +85,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: check-policy-forgejo
|
||||
- commands:
|
||||
- ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
|
||||
@@ -86,6 +93,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: check-policy-generic
|
||||
- commands:
|
||||
- ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
|
||||
@@ -96,6 +104,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: test-wasm-success
|
||||
- commands:
|
||||
- ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
|
||||
@@ -106,6 +115,7 @@ steps:
|
||||
depends_on:
|
||||
- build
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: test-wasm-fail
|
||||
type: docker
|
||||
---
|
||||
@@ -115,9 +125,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -128,8 +146,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: git_password
|
||||
platform:
|
||||
@@ -155,9 +173,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -168,8 +194,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: codeberg_password
|
||||
platform:
|
||||
@@ -195,9 +221,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -208,8 +242,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: github_password
|
||||
platform:
|
||||
@@ -235,9 +269,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -249,8 +291,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: git_password
|
||||
platform:
|
||||
@@ -275,9 +317,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -289,8 +339,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: codeberg_password
|
||||
platform:
|
||||
@@ -315,9 +365,17 @@ platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- echo '[registry."docker.io"]' > buildkitd.toml
|
||||
- echo ' mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
|
||||
image: alpine:3.21
|
||||
mirror: https://mirror.gcr.io
|
||||
name: setup-buildkitd
|
||||
- environment:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
LC_ALL: C
|
||||
PLUGIN_BUILDER_CONFIG: buildkitd.toml
|
||||
PLUGIN_BUILDER_DRIVER: docker-container
|
||||
SOURCE_DATE_EPOCH: 0
|
||||
TZ: UTC
|
||||
image: plugins/buildx
|
||||
@@ -329,8 +387,8 @@ steps:
|
||||
build_args:
|
||||
from: alpine:3.21
|
||||
from_builder: golang:1.24-alpine3.21
|
||||
builder_driver: docker-container
|
||||
compress: true
|
||||
mirror: https://mirror.gcr.io
|
||||
password:
|
||||
from_secret: github_password
|
||||
platform:
|
||||
@@ -350,6 +408,6 @@ trigger:
|
||||
type: docker
|
||||
---
|
||||
kind: signature
|
||||
hmac: 8aed9810938e4aa4b34c4afb35e1101f27f98a61ffe5349be9a30f22ce7480ed
|
||||
hmac: ad13c88b81cd1c6ebd4bb8d33479ffe8e67bc8caefdcc1c06dd1a6b75476bcd7
|
||||
|
||||
...
|
||||
|
||||
12
README.md
12
README.md
@@ -409,9 +409,6 @@ services:
|
||||
GOAWAY_CHALLENGE_TEMPLATE: forgejo
|
||||
GOAWAY_CHALLENGE_TEMPLATE_THEME: forgejo-dark
|
||||
|
||||
# specify a DNSBL for usage in conditions. Defaults to DroneBL
|
||||
# GOAWAY_DNSBL: "dnsbl.dronebl.org"
|
||||
|
||||
# Backend to match. Can be subdomain or full wildcards, "*.example.com" or "*"
|
||||
GOAWAY_BACKEND: "git.example.com=http://forgejo:3000"
|
||||
|
||||
@@ -426,9 +423,12 @@ services:
|
||||
|
||||
|
||||
## Other Similar Projects
|
||||
* [Anubis](https://anubis.techaro.lol/): Proxy that uses JavaScript proof of work to weight request based on rules [[source]](https://github.com/TecharoHQ/anubis)
|
||||
* [powxy](https://sr.ht/~runxiyu/powxy/): Powxy is a reverse proxy that protects your upstream service by challenging clients with SHA-256 proof-of-work. [[source](https://git.sr.ht/~runxiyu/powxy)]
|
||||
* [anticrawl](https://flak.tedunangst.com/post/anticrawl): Go http handler / proxy for regex based rules [[source]](https://humungus.tedunangst.com/r/anticrawl)
|
||||
|
||||
| Project | Forge | Description |
|
||||
|:-------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------------------------------------------|
|
||||
| [Anubis](https://anubis.techaro.lol/) | [](https://github.com/TecharoHQ/anubis)<br/>Go / [MIT](https://github.com/TecharoHQ/anubis/blob/main/LICENSE) | Proxy that uses JavaScript proof of work to weight request based on simple match rules |
|
||||
| [powxy](https://sr.ht/~runxiyu/powxy/) | [](https://git.sr.ht/~runxiyu/powxy)<br/> Go / [BSD 2-Clause](https://git.sr.ht/~runxiyu/powxy/tree/master/item/LICENSE) | Powxy is a reverse proxy that protects your upstream service by challenging clients with SHA-256 proof-of-work. |
|
||||
| [anticrawl](https://flak.tedunangst.com/post/anticrawl) | [[source]](https://humungus.tedunangst.com/r/anticrawl)<br/>Go / None | Go http handler / proxy for regex based rules |
|
||||
|
||||
|
||||
## Development
|
||||
|
||||
@@ -23,7 +23,7 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
|
||||
return challenge.VerifyResultFail
|
||||
}
|
||||
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
utils.SetCookie(challenge.RequestDataFromContext(r.Context()).CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
|
||||
uri, err := challenge.RedirectUrl(r, reg)
|
||||
if err != nil {
|
||||
|
||||
@@ -3,6 +3,7 @@ package challenge
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
@@ -37,6 +38,7 @@ type RequestData struct {
|
||||
ChallengeState map[Id]VerifyState
|
||||
RemoteAddress net.IP
|
||||
State StateInterface
|
||||
CookiePrefix string
|
||||
|
||||
r *http.Request
|
||||
|
||||
@@ -75,6 +77,13 @@ func CreateRequestData(r *http.Request, state StateInterface) (*http.Request, *R
|
||||
data.query = condition.NewValuesMap(r.URL.Query())
|
||||
data.header = condition.NewMIMEMap(textproto.MIMEHeader(r.Header))
|
||||
|
||||
sum := sha256.New()
|
||||
sum.Write([]byte(r.Host))
|
||||
sum.Write([]byte{0})
|
||||
sum.Write(state.PublicKey())
|
||||
sum.Write([]byte{0})
|
||||
data.CookiePrefix = utils.CookiePrefix + hex.EncodeToString(sum.Sum(nil)[:4]) + "-"
|
||||
|
||||
r = r.WithContext(context.WithValue(r.Context(), requestDataContextKey{}, &data))
|
||||
|
||||
return r, &data
|
||||
@@ -108,12 +117,17 @@ func (d *RequestData) Parent() cel.Activation {
|
||||
}
|
||||
|
||||
func (d *RequestData) EvaluateChallenges(w http.ResponseWriter, r *http.Request) {
|
||||
q := r.URL.Query()
|
||||
var issuedChallenge string
|
||||
if q.Has(QueryArgChallenge) {
|
||||
issuedChallenge = q.Get(QueryArgChallenge)
|
||||
}
|
||||
for _, reg := range d.State.GetChallenges() {
|
||||
key := GetChallengeKeyForRequest(d.State, reg, d.Expiration(reg.Duration), r)
|
||||
verifyResult, verifyState, err := reg.VerifyChallengeToken(d.State.PublicKey(), key, r)
|
||||
if err != nil && !errors.Is(err, http.ErrNoCookie) {
|
||||
// clear invalid cookie
|
||||
utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
|
||||
utils.ClearCookie(d.CookiePrefix+reg.Name, w, r)
|
||||
}
|
||||
|
||||
// prevent evaluating the challenge if not solved
|
||||
@@ -130,6 +144,11 @@ func (d *RequestData) EvaluateChallenges(w http.ResponseWriter, r *http.Request)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !verifyResult.Ok() && issuedChallenge == reg.Name {
|
||||
// we issued the challenge, must skip to prevent loops
|
||||
verifyResult = VerifyResultSkip
|
||||
}
|
||||
d.ChallengeVerify[reg.Id()] = verifyResult
|
||||
d.ChallengeState[reg.Id()] = verifyState
|
||||
}
|
||||
|
||||
@@ -133,14 +133,14 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
|
||||
if err != nil {
|
||||
return challenge.VerifyResultFail
|
||||
}
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
utils.SetCookie(data.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
return challenge.VerifyResultNotOK
|
||||
} else {
|
||||
token, err := reg.IssueChallengeToken(state.PrivateKey(), key, nil, expiry, true)
|
||||
if err != nil {
|
||||
return challenge.VerifyResultFail
|
||||
}
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
utils.SetCookie(data.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
return challenge.VerifyResultOK
|
||||
}
|
||||
}
|
||||
|
||||
@@ -138,7 +138,7 @@ func VerifyHandlerFunc(state StateInterface, reg *Registration, verify VerifyFun
|
||||
if err != nil {
|
||||
return err
|
||||
} else if !verifyResult.Ok() {
|
||||
utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
|
||||
utils.ClearCookie(data.CookiePrefix+reg.Name, w, r)
|
||||
state.ChallengeFailed(r, reg, nil, redirect, nil)
|
||||
responseFunc(state, data, w, r, verifyResult, nil, redirect)
|
||||
return nil
|
||||
@@ -146,9 +146,9 @@ func VerifyHandlerFunc(state StateInterface, reg *Registration, verify VerifyFun
|
||||
|
||||
challengeToken, err := reg.IssueChallengeToken(state.PrivateKey(), key, []byte(token), expiration, true)
|
||||
if err != nil {
|
||||
utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
|
||||
utils.ClearCookie(data.CookiePrefix+reg.Name, w, r)
|
||||
} else {
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, challengeToken, expiration, w, r)
|
||||
utils.SetCookie(data.CookiePrefix+reg.Name, challengeToken, expiration, w, r)
|
||||
}
|
||||
data.ChallengeVerify[reg.id] = verifyResult
|
||||
state.ChallengePassed(r, reg, redirect, nil)
|
||||
@@ -157,7 +157,7 @@ func VerifyHandlerFunc(state StateInterface, reg *Registration, verify VerifyFun
|
||||
return nil
|
||||
}()
|
||||
if err != nil {
|
||||
utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
|
||||
utils.ClearCookie(data.CookiePrefix+reg.Name, w, r)
|
||||
state.ChallengeFailed(r, reg, err, redirect, nil)
|
||||
responseFunc(state, data, w, r, VerifyResultFail, fmt.Errorf("access denied: error in challenge %s: %w", reg.Name, err), redirect)
|
||||
return
|
||||
|
||||
@@ -137,19 +137,21 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
|
||||
defer response.Body.Close()
|
||||
defer io.Copy(io.Discard, response.Body)
|
||||
|
||||
data := challenge.RequestDataFromContext(r.Context())
|
||||
|
||||
if response.StatusCode != params.HttpCode {
|
||||
token, err := reg.IssueChallengeToken(state.PrivateKey(), key, sum, expiry, false)
|
||||
if err != nil {
|
||||
return challenge.VerifyResultFail
|
||||
}
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
utils.SetCookie(data.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
return challenge.VerifyResultNotOK
|
||||
} else {
|
||||
token, err := reg.IssueChallengeToken(state.PrivateKey(), key, sum, expiry, true)
|
||||
if err != nil {
|
||||
return challenge.VerifyResultFail
|
||||
}
|
||||
utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
utils.SetCookie(data.CookiePrefix+reg.Name, token, expiry, w, r)
|
||||
return challenge.VerifyResultOK
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,7 +7,6 @@ import (
|
||||
"fmt"
|
||||
"git.gammaspectra.live/git/go-away/lib/condition"
|
||||
"git.gammaspectra.live/git/go-away/lib/policy"
|
||||
"git.gammaspectra.live/git/go-away/utils"
|
||||
"github.com/go-jose/go-jose/v4"
|
||||
"github.com/go-jose/go-jose/v4/jwt"
|
||||
"github.com/goccy/go-yaml/ast"
|
||||
@@ -193,7 +192,7 @@ var ErrVerifyVerifyMismatch = errors.New("verify: verification mismatch")
|
||||
var ErrTokenExpired = errors.New("token: expired")
|
||||
|
||||
func (reg Registration) VerifyChallengeToken(publicKey ed25519.PublicKey, expectedKey Key, r *http.Request) (VerifyResult, VerifyState, error) {
|
||||
cookie, err := r.Cookie(utils.CookiePrefix + reg.Name)
|
||||
cookie, err := r.Cookie(RequestDataFromContext(r.Context()).CookiePrefix + reg.Name)
|
||||
if err != nil {
|
||||
return VerifyResultNone, VerifyStateNone, err
|
||||
}
|
||||
|
||||
@@ -154,5 +154,5 @@ func NewMIMEMap(m textproto.MIMEHeader) traits.Mapper {
|
||||
}
|
||||
|
||||
func NewValuesMap(m map[string][]string) traits.Mapper {
|
||||
return mimeLike{m: m}
|
||||
return valuesLike{m: m}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user