package main
import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"path"
	"strings"
	"sync"
	"time"
)
var openPrefixes = []string{
"/git",
"/buildByToken",
"/cli",
"/jnlpJars",
"/subversion",
"/whoAmI",
}
const version = "1.1"
const planio_url = "https://recras.plan.io/users/current.json"
var authCache = map[string]time.Time{}
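// main wires the proxy together from two environment variables: JENKINS_URL
// (required) is the upstream Jenkins base URL and LISTEN_ADDRESS (default
// "[::]:8080") is the local address to serve on. Every request is routed
// through handler, which forwards to Jenkins once the authentication check
// has passed.
func main() {
	jenkinsURL := os.Getenv("JENKINS_URL")
	listenAddress := os.Getenv("LISTEN_ADDRESS")
	if listenAddress == "" {
		listenAddress = "[::]:8080"
	}
	if jenkinsURL == "" {
		log.Fatalln("Use environment variables JENKINS_URL and LISTEN_ADDRESS (default \"[::]:8080\")")
	}
	remote, err := url.Parse(jenkinsURL)
	if err != nil {
		// A malformed upstream URL is a configuration error; exit without a
		// stack trace rather than panicking.
		log.Fatalln("JENKINS_URL:", err)
	}
	proxy := httputil.NewSingleHostReverseProxy(remote)

	// Use a private mux instead of DefaultServeMux so that nothing else linked
	// into the binary can register additional routes on the public listener.
	mux := http.NewServeMux()
	mux.HandleFunc("/", handler(proxy))
	srv := &http.Server{
		Addr:    listenAddress,
		Handler: mux,
		// Bound how long a client may take to send its request headers so that
		// idle or very slow connections cannot hold server goroutines forever.
		// Deliberately no WriteTimeout: proxied Jenkins responses (console
		// output, jnlpJars downloads) may legitimately run for a long time.
		ReadHeaderTimeout: 10 * time.Second,
	}

	log.Println("jenkins-authentication-proxy", version, "starting")
	log.Println("Authentication endpoint:", planio_url)
	// ListenAndServe only returns on failure; report it and exit non-zero.
	log.Fatalln(srv.ListenAndServe())
}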
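// isOpenPrefix reports whether requestURI addresses one of the openPrefixes
// endpoints that are proxied without authentication. Any query string is
// ignored, and a prefix matches only on a path-segment boundary: "/git" and
// "/git/notifyCommit" are open, while "/gitfoo" is not, so an unrelated
// Jenkins route that merely shares the leading characters cannot bypass the
// check.
func isOpenPrefix(requestURI string) bool {
	p := requestURI
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	for _, prefix := range openPrefixes {
		if p == prefix || strings.HasPrefix(p, prefix+"/") {
			return true
		}
	}
	return false
}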
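// authMu guards authCache. HTTP handlers run on concurrent goroutines, and an
// unguarded map read/write from two of them is a data race that the runtime
// may abort the whole process on ("concurrent map writes").
var authMu sync.Mutex

// cacheKey derives the authCache key for an Authorization header value. The
// header carries the user's credentials, so only a SHA-256 digest of it is
// kept in memory and written to the log, never the raw value.
func cacheKey(authorization string) string {
	sum := sha256.Sum256([]byte(authorization))
	return hex.EncodeToString(sum[:])
}

// isCached reports whether authorization was accepted by the backend within
// the last cacheTime. An expired entry is evicted as a side effect, so the
// next call for the same credential triggers a fresh backend check.
func isCached(authorization string) bool {
	const cacheTime = 5 * time.Minute
	key := cacheKey(authorization)

	authMu.Lock()
	defer authMu.Unlock()
	t, ok := authCache[key]
	if !ok {
		return false
	}
	if time.Now().Before(t.Add(cacheTime)) {
		return true
	}
	// Only a short prefix of the digest is logged; enough to correlate
	// entries, not enough to be useful to anyone reading the log.
	log.Print("cache expired: ", key[:12])
	delete(authCache, key)
	return false
}

// addToCache records that the backend accepted authorization, timestamped
// now, under its hashed key (see cacheKey).
func addToCache(authorization string) {
	key := cacheKey(authorization)

	authMu.Lock()
	authCache[key] = time.Now()
	authMu.Unlock()
	log.Print("added to cache: ", key[:12])
}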
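// backendClient is shared by all requests. The Timeout bounds the whole
// exchange with the authentication endpoint, so a slow or unreachable backend
// cannot pin proxy goroutines (and the waiting client connections) forever.
var backendClient = &http.Client{Timeout: 10 * time.Second}

// authenticateWithBackend decides whether req may be proxied to Jenkins. It
// returns (true, nil) when the request's Authorization header was recently
// accepted (see isCached) or when planio_url answers 200 to that same
// credential. A request without an Authorization header is rejected without
// contacting the backend. A non-nil error means the probe request could not
// be built or the backend could not be reached; the bool is meaningless then.
func authenticateWithBackend(req *http.Request) (bool, error) {
	auth := req.Header.Get("Authorization")
	if auth == "" {
		// Nothing to verify; the caller answers with a 401 challenge.
		return false, nil
	}
	if isCached(auth) {
		return true, nil
	}

	probe, err := http.NewRequest("GET", planio_url, nil)
	if err != nil {
		return false, err
	}
	// Tie the probe to the client's request so it is abandoned when the
	// client disconnects.
	probe = probe.WithContext(req.Context())
	// Forward only the credential; no other client header reaches the backend.
	probe.Header.Set("Authorization", auth)

	resp, err := backendClient.Do(probe)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	addToCache(auth)
	return true, nil
}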
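// handler builds the proxy's single HTTP handler around fw. Requests under an
// open prefix are forwarded to Jenkins untouched; every other request must
// carry an Authorization header that the backend accepts
// (authenticateWithBackend), otherwise a 401 with a Basic challenge is sent.
// A backend failure yields a 500 whose body deliberately does not echo the
// error: the error text can name the backend host and transport details, so
// it is logged server-side only.
func handler(fw *httputil.ReverseProxy) func(http.ResponseWriter, *http.Request) {
	return func(wr http.ResponseWriter, req *http.Request) {
		wr.Header().Set("X-Powered-By", "jenkins-authentication-proxy/"+version)

		// Decide on the decoded, cleaned path rather than the raw RequestURI,
		// so that "/git/../job/x" is judged as "/job/x" and a dot-segment
		// cannot ride an open prefix past the authentication check. The
		// request itself is still forwarded unmodified.
		if isOpenPrefix(path.Clean(req.URL.Path)) {
			fw.ServeHTTP(wr, req)
			return
		}

		authed, err := authenticateWithBackend(req)
		switch {
		case err != nil:
			log.Print("authentication backend: ", err)
			wr.Header().Set("Content-Type", "text/plain; charset=utf-8")
			wr.WriteHeader(http.StatusInternalServerError)
			fmt.Fprintln(wr, "authentication backend error")
		case authed:
			fw.ServeHTTP(wr, req)
		default:
			wr.Header().Set("Www-Authenticate", "Basic realm=\"Jenkins\"")
			wr.WriteHeader(http.StatusUnauthorized)
		}
	}
}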