Add header remapping and an allowlist

2024-10-12 13:18:15 +01:00 · 2024-10-12 13:18:15 +01:00 · ba69bd699f
commit ba69bd699f
parent 707ad4a78a
2 changed files with 88 additions and 38 deletions
--- a/caddyfile.go
+++ b/caddyfile.go
@ -2,6 +2,7 @@ package caddy_tailscale

 import (
 	"encoding/json"
+	"fmt"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
@ -9,16 +10,20 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/caddyauth"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/headers"
 	"net/http"
+	"strings"
 )

 func init() {
 	httpcaddyfile.RegisterDirective("tailscale_auth", parseCaddyfile)
-	httpcaddyfile.RegisterDirec1tiveOrder("tailscale_auth", httpcaddyfile.After, "basic_auth")
+	httpcaddyfile.RegisterDirectiveOrder("tailscale_auth", httpcaddyfile.After, "basic_auth")
 }

 // parseCaddyfile sets up the handler from Caddyfile tokens. Syntax:
 //
-//	tailscale_auth [set_headers]
+//	tailscale_auth [set_headers] [{
+//	  [remap <from header> <to header>]
+//	  [allowed_logins <login> [<login>...]]
+//	}]
 //
 // See also for further examples:
 // - https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/caddyauth/caddyfile.go
@ -26,18 +31,7 @@ func init() {
 func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) {
 	h.Next() // consume directive name

-	handlers := []json.RawMessage{
-		caddyconfig.JSONModuleObject(
-			caddyauth.Authentication{
-				ProvidersRaw: caddy.ModuleMap{
-					"tailscale": caddyconfig.JSON(new(TailscaleAuth), nil),
-				},
-			},
-			"handler",
-			"authentication",
-			nil,
-		),
-	}
+	tsAuth := new(TailscaleAuth)

 	var setHeaders bool

@ -49,33 +43,74 @@ func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error)
 		}
 	}

-	headerOps := new(headers.HeaderOps)
-
-	// If both the Set and Delete are set at the same time, Delete will take priority and prevent any headers from being
-	// included in the request so we have to only do one or the other
-	if setHeaders {
-		headerOps.Set = http.Header{
-			"Tailscale-User-Id":    []string{"{http.auth.user.id}"},
-			"Tailscale-User-Name":  []string{"{http.auth.user.display_name}"},
-			"Tailscale-User-Login": []string{"{http.auth.user.login_name}"},
-		}
-	} else {
-		headerOps.Delete = []string{"Tailscale-User-Id", "Tailscale-User-Name", "Tailscale-User-Login"}
+	// All header names are in lowercase to easily do "case insensitive" comparisons as Caddy will normalise them later
+	// on
+	headersToSet := http.Header{
+		"tailscale-user-id":    []string{"{http.auth.user.id}"},
+		"tailscale-user-name":  []string{"{http.auth.user.display_name}"},
+		"tailscale-user-login": []string{"{http.auth.user.login_name}"},
 	}

-	handlers = append(handlers, caddyconfig.JSONModuleObject(
-		&headers.Handler{
-			Request: headerOps,
-		},
-		"handler",
-		"headers",
-		nil,
-	))
+	for nesting := h.Nesting(); h.NextBlock(nesting); {
+		switch h.Val() {
+		case "remap":
+			var from, to string
+			if !h.Args(&from, &to) {
+				return nil, h.Errf("remap takes two arguments")
+			}
+
+			from = strings.ToLower(from)
+			to = strings.ToLower(to)
+
+			v, foundFrom := headersToSet[from]
+			if !foundFrom {
+				return nil, h.Errf("unknown from header %#v", from)
+			}
+
+			headersToSet[to] = v
+			delete(headersToSet, from)
+		case "allowed_logins":
+			for h.NextArg() {
+				tsAuth.AllowedUsers = append(tsAuth.AllowedUsers, h.Val())
+			}
+			if len(tsAuth.AllowedUsers) == 0 {
+				return nil, h.Err("allowed_logins must have 1 or more arguments")
+			}
+		default:
+			return nil, h.Errf("unknown argument %#v", h.Val())
+		}
+	}
+
+	handlers := []json.RawMessage{
+		caddyconfig.JSONModuleObject(
+			caddyauth.Authentication{
+				ProvidersRaw: caddy.ModuleMap{
+					"tailscale": caddyconfig.JSON(tsAuth, nil),
+				},
+			},
+			"handler",
+			"authentication",
+			nil,
+		),
+	}
+
+	if setHeaders {
+		handlers = append(handlers, caddyconfig.JSONModuleObject(
+			&headers.Handler{
+				Request: &headers.HeaderOps{Set: headersToSet},
+			},
+			"handler",
+			"headers",
+			nil,
+		))
+	}

 	if h.NextArg() {
 		return nil, h.Err("too many arguments")
 	}

+	fmt.Println(string(handlers[0]))
+
 	return []httpcaddyfile.ConfigValue{
 		{
 			Class: "route",