From 2b8475044e30ab40d05d0e32f8d8d3631f666b5b Mon Sep 17 00:00:00 2001
From: Kamus Hadenes
Date: Sun, 5 May 2019 19:22:02 -0300
Subject: [PATCH 1/2] add basic auth support
---
 .gitignore | 1 +
 aws-es-proxy.go | 80 +++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 72 insertions(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index cc1d36e6..5a847aff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 vendor
 glide.lock
 dist
+.idea
\ No newline at end of file
diff --git a/aws-es-proxy.go b/aws-es-proxy.go
index 1a0af49b..9abbefe1 100644
--- a/aws-es-proxy.go
+++ b/aws-es-proxy.go
@@ -2,6 +2,7 @@ package main
 import (
 "bytes"
+ "crypto/subtle"
 "encoding/json"
 "flag"
 "fmt"
@@ -53,6 +54,24 @@ type proxy struct {
 fileRequest *os.File
 fileResponse *os.File
 credentials *credentials.Credentials
+ auth bool
+ username string
+ password string
+ realm string
+}
+
+func newSecureProxy(args ...interface{}) *proxy {
+ return &proxy{
+ endpoint: args[0].(string),
+ verbose: args[1].(bool),
+ prettify: args[2].(bool),
+ logtofile: args[3].(bool),
+ nosignreq: args[4].(bool),
+ auth: args[5].(bool),
+ username: args[6].(string),
+ password: args[7].(string),
+ realm: args[8].(string),
+ }
 }
 func newProxy(args ...interface{}) *proxy {
@@ -118,6 +137,17 @@ func (p *proxy) getSigner() *v4.Signer {
 }
 func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ if p.auth {
+ user, pass, ok := r.BasicAuth()
+
+ if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(p.username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(p.password)) != 1 {
+ w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=\"%s\"", p.realm))
+ w.WriteHeader(401)
+ _, _ = w.Write([]byte("Unauthorised.\n"))
+ return
+ }
+ }
+
 requestStarted := time.Now()
 dump, err := httputil.DumpRequest(r, true)
 if err != nil {
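Review bot: newSecureProxy takes its nine settings as positional `args ...interface{}` and type-asserts each one, mirroring newProxy, so swapping `username` and `password` at the call site compiles cleanly and a wrong count or type only surfaces as a panic at startup. A typed signature lets the compiler check the credential arguments: `func newSecureProxy(endpoint string, verbose, prettify, logtofile, nosignreq, auth bool, username, password, realm string) *proxy`. The new `password` field would also benefit from a comment such as `// password is the plaintext Basic Auth secret; never log or dump it`, since the struct holds it for the life of the process.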
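Review bot: The credential check in the added `if p.auth` block is not constant-time in practice: `||` skips the password comparison once the username differs, and `subtle.ConstantTimeCompare` returns immediately when the two slices differ in length, so response timing can reveal whether the username matched and how long each secret is. Comparing fixed-length SHA-256 digests and combining the two results with `&` removes both signals (this needs `crypto/sha256` imported). Separately, on success the `Authorization` header stays on `r`, and the next context line passes `r` to `httputil.DumpRequest`, so the Basic credentials end up in `dump`; what is done with `dump` is outside the hunk, but deleting the header right after the check keeps them out of any request log. ServeHTTP's body continues past the hunk.

```go
	if p.auth {
		user, pass, ok := r.BasicAuth()

		// Compare fixed-length digests so neither the secrets' lengths nor
		// the first mismatching field influences how long the check takes.
		gotUser, wantUser := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(p.username))
		gotPass, wantPass := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(p.password))
		match := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) &
			subtle.ConstantTimeCompare(gotPass[:], wantPass[:])
		if !ok || match != 1 {
			// … unchanged: 401 response with WWW-Authenticate header …
			return
		}
		// The proxy's own credentials must not reach the request dump or the backend.
		r.Header.Del("Authorization")
	}
```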
@@ -281,15 +311,22 @@ func replaceBody(req *http.Request) []byte {
 func copyHeaders(dst, src http.Header) {
 for k, vals := range src {
- for _, v := range vals {
- dst.Add(k, v)
+ if k != "Authorization" {
+ for _, v := range vals {
+ dst.Add(k, v)
+ }
 }
+
 }
 }
 func main() {
 var (
+ auth bool
+ username string
+ password string
+ realm string
 verbose bool
 prettify bool
 logtofile bool
@@ -307,6 +344,10 @@ func main() {
 flag.BoolVar(&logtofile, "log-to-file", false, "Log user requests and ElasticSearch responses to files")
 flag.BoolVar(&prettify, "pretty", false, "Prettify verbose and file output")
 flag.BoolVar(&nosignreq, "no-sign-reqs", false, "Disable AWS Signature v4")
+ flag.BoolVar(&auth, "auth", false, "Require HTTP Basic Auth")
+ flag.StringVar(&username, "username", "", "HTTP Basic Auth Username")
+ flag.StringVar(&password, "password", "", "HTTP Basic Auth Password")
+ flag.StringVar(&realm, "realm", "", "Authentication Required")
 flag.Parse()
 if len(os.Args) < 3 {
@@ -315,13 +356,34 @@ func main() {
 os.Exit(1)
 }
- p := newProxy(
- endpoint,
- verbose,
- prettify,
- logtofile,
- nosignreq,
- )
+ var p *proxy
+
+ if auth {
+ if len(username) == 0 || len(password) == 0 {
+ fmt.Println("You need to specify username and password when using authentication.")
+ fmt.Println("Please run with '-h' for a list of available arguments.")
+ os.Exit(1)
+ }
+ p = newSecureProxy(
+ endpoint,
+ verbose,
+ prettify,
+ logtofile,
+ nosignreq,
+ auth,
+ username,
+ password,
+ realm,
+ )
+ } else {
+ p = newProxy(
+ endpoint,
+ verbose,
+ prettify,
+ logtofile,
+ nosignreq,
+ )
+ }
 if err = p.parseEndpoint(); err != nil {
 log.Fatalln(err)
From d333cb7c810a277ccf72b60e088a39d9de3bc518 Mon Sep 17 00:00:00 2001
From: Kamus Hadenes
Date: Sun, 5 May 2019 19:27:08 -0300
Subject: [PATCH 2/2] fix version
---
 cross-compile.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cross-compile.sh b/cross-compile.sh
index e30fdecd..191afdd4 100755
--- a/cross-compile.sh
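Review bot: The `k != "Authorization"` filter in copyHeaders is unconditional, so it also drops an Authorization header when the proxy runs without `-auth`, and it matches only the exact canonical spelling of the key. copyHeaders' call sites are outside the hunk, so it is not visible here whether this function sits on the request path to Elasticsearch at all; if the aim is to keep the proxy's Basic credentials from being forwarded, that is worth confirming. An early `if http.CanonicalHeaderKey(k) == "Authorization" { continue }` with a comment like `// never copy Authorization: it carries the proxy's own Basic Auth credentials` would state the intent and avoid both the extra nesting and the stray blank line before the closing brace.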
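Review bot: Taking the secret through the `-password` flag places it in the process argument list, where it is readable from the process table by other local users and tends to persist in shell history and service definitions. Falling back to an environment variable or a file when the flag is empty avoids that, e.g. `if password == "" { password = os.Getenv("<PASSWORD_ENV_VAR>") }` with the variable name chosen by the project. Also, in `flag.StringVar(&realm, "realm", "", "Authentication Required")` the third argument is the default and the fourth is the help text, so the realm defaults to empty and `-h` prints "Authentication Required" as its description; `flag.StringVar(&realm, "realm", "Authentication Required", "HTTP Basic Auth realm")` looks like what was intended.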
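Review bot: Credentials are validated only when `-auth` is set, so starting the proxy with `-username`/`-password` but without `-auth` silently yields an unauthenticated listener. Failing closed on that combination catches the misconfiguration early: `if !auth && (username != "" || password != "") { log.Fatalln("-username/-password require -auth") }`. The two usage messages in the new branch are written to stdout with `fmt.Println`; stderr is the more conventional place for a fatal configuration error. main's body continues outside the hunk.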
+++ b/cross-compile.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-VERSION="0.9"
+VERSION="0.10"
 rm -rf dist; mkdir -p dist
 for GOOS in darwin linux windows; do