Try simulating caddy forward_auth

2025-02-16 13:51:53 -05:00 · 2025-02-16 13:51:53 -05:00 · 65934ea570
commit 65934ea570
parent 1af1d774d3
3 changed files with 56 additions and 14 deletions
--- a/main.go
+++ b/main.go
@ -22,16 +22,18 @@ func main() {

 	keyPath := flag.String("key", "", "Path to the private (client mode) or public (server mode) to use")

+	simulateCaddy := flag.Bool("caddy", false, "Simulate caddy reverse proxy")
+
 	flag.Parse()

 	if *useClient {
-		runClient(keyPath)
+		runClient(keyPath, *simulateCaddy)
 	} else {
-		runServer(keyPath)
+		runServer(keyPath, *simulateCaddy)
 	}
 }

-func runClient(keyFile *string) {
+func runClient(keyFile *string, simulateCaddy bool) {
 	testData := map[string]string{"hello": "world"}
 	json_data, _ := json.Marshal(testData)

@ -49,7 +51,9 @@ func runClient(keyFile *string) {

 	id := digest.FromBytes(json_data)

-	req, err := http.NewRequest("POST", "http://localhost:8080/post", bytes.NewBuffer(json_data))
+	var req *http.Request
+
+	req, err = http.NewRequest("POST", "http://localhost:8080/post", bytes.NewBuffer(json_data))

 	if err != nil {
 		log.Fatal(err)
@ -58,6 +62,11 @@ func runClient(keyFile *string) {
 	req.Header.Add("Content-Digest", string(id.Algorithm())+"="+id.Encoded())
 	req.Header.Add("Content-Type", "application/json")

+	if simulateCaddy {
+		req.Header.Add("X-Forwarded-Method", req.Method)
+		req.Header.Add("X-Forwarded-Uri", req.RequestURI)
+	}
+
 	resp, err := client.Do(req)

 	if err != nil {
@ -73,17 +82,18 @@ func runClient(keyFile *string) {
 	}

 	fmt.Println(resp.StatusCode)
+	fmt.Println(resp.Header)
 	fmt.Println(string(out[:]))
 }

-func runServer(keyFile *string) {
+func runServer(keyFile *string, simulateCaddy bool) {
 	key, err := loadPublicKey(*keyFile)

 	if err != nil {
 		log.Fatal(err)
 	}

-	server.Start(key)
+	server.Start(key, simulateCaddy)
 }

 func loadPrivateKey(keyFile string) (crypto.PrivateKey, error) {
--- a/server/caddy_rewrite.go
+++ b/server/caddy_rewrite.go
@ -0,0 +1,20 @@
+package server
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func rewriteHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		forwardedMethod := r.Header.Get("X-Forwarded-Method")
+		forwardedUri := r.Header.Get("X-Forwarded-Uri")
+
+		fmt.Printf("Headers: %s, %s\n", forwardedMethod, forwardedUri)
+
+		r.Method = forwardedMethod
+		r.RequestURI = forwardedUri
+
+		next.ServeHTTP(w, r)
+	})
+}
--- a/server/server.go
+++ b/server/server.go
@ -10,7 +10,7 @@ import (
 	"github.com/common-fate/httpsig/inmemory"
 )

-func Start(publicKey crypto.PublicKey) error {
+func Start(publicKey crypto.PublicKey, isCaddyAuth bool) error {
 	keyDir := InMemoryDirectory{
 		records: map[string]KeyEntry{},
 	}
@ -41,14 +41,26 @@ func Start(publicKey crypto.PublicKey) error {
 		},
 	})

-	mux.Handle("/", verifier(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Printf("Responding...\n")
+	verifyHandler := verifier(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		attr := httpsig.AttributesFromContext(r.Context()).(string)
-		fmt.Printf("User is %s\n", attr)
+
+		if isCaddyAuth {
+			w.Header().Add("Remote-User", attr)
+		} else {
 			msg := fmt.Sprintf("hello, %s!", attr)
 			w.Write([]byte(msg))
-		fmt.Printf("Responded...\n")
-	})))
+		}
+	}))
+
+	var handler http.Handler
+
+	if isCaddyAuth {
+		handler = rewriteHeaders(verifyHandler)
+	} else {
+		handler = verifyHandler
+	}
+
+	mux.Handle("/", handler)

 	err := http.ListenAndServe("localhost:8080", mux)