feat(auth): add cli option to enable auth for specified users

marjune163 · marjune163 · commit 251195bb52a7 · 2024-03-03T12:46:45.000+08:00
diff --git a/README.md b/README.md
@@ -226,12 +226,6 @@ ghfs [options]
 --cors-dir <fs-path> ...
     Allow CORS requests for specific file system paths(and sub paths).
 
---global-auth
-    Use Basic Auth for all url path.
---auth <url-path> ...
-    Use Basic Auth for specific url paths(and sub paths).
---auth-dir <fs-path> ...
-    Use Basic Auth for specific file system paths(and sub paths).
 --user [<username>]:[<password>] ...
     Specify users for current virtual host for Basic Auth, empty username and/or password is allowed.
 --user-base64 [<username>]:[<base64-password>] ...
@@ -241,6 +235,15 @@ ghfs [options]
 --user-sha512 [<username>]:<sha512-password> ...
     Specify users for Basic Auth, with encoded password.
 
+--global-auth
+    Use Basic Auth for all url path.
+--auth <url-path> ...
+--auth-user <separator><url-path>[<separator><allowed-username>...] ...
+    Use Basic Auth for specific url paths(and sub paths).
+--auth-dir <fs-path> ...
+--auth-dir-user <separator><fs-path>[<separator><allowed-username>...] ...
+    Use Basic Auth for specific file system paths(and sub paths).
+
 -c|--cert <file> ...
     Specify TLS certificate file.
 
diff --git a/README.zh-CN.md b/README.zh-CN.md
@@ -216,12 +216,6 @@ ghfs [选项]
 --cors-dir <文件系统路径> ...
     接受指定文件系统路径（及子路径）的CORS跨域请求。
 
---global-auth
-    对所有URL路径启用http基本验证(Basic Auth)。
---auth <URL路径> ...
-    对指定URL路径（及子路径）启用http基本验证。
---auth-dir <文件系统路径> ...
-    对指定文件系统路径（及子路径）启用http基本验证。
 --user [<用户名>]:[<密码>] ...
     为当前虚拟主机指定用于http基本验证的用户，允许空的用户名和/或密码。
 --user-base64 [<用户名>]:[<base64密码>] ...
@@ -231,6 +225,15 @@ ghfs [选项]
 --user-sha512 [<用户名>]:<sha512密码> ...
     指定http基本验证的用户，对密码使用特定的编码。
 
+--global-auth
+    对所有URL路径启用http基本验证(Basic Auth)。
+--auth <URL路径> ...
+--auth-user <分隔符><URL路径>[<分隔符><允许的用户名>...] ...
+    对指定URL路径（及子路径）启用http基本验证。
+--auth-dir <文件系统路径> ...
+--auth-dir-user <分隔符><文件系统路径>[<分隔符><允许的用户名>...] ...
+    对指定文件系统路径（及子路径）启用http基本验证。
+
 -c|--cert <证书文件> ...
     指定TLS证书文件。
 
diff --git a/src/param/cli.go b/src/param/cli.go
@@ -42,13 +42,46 @@ func NewCliCmd() *goNixArgParser.Command {
 	err = options.AddFlagsValues("dirindexes", []string{"-I", "--dir-index"}, "GHFS_DIR_INDEX", nil, "default index page for directory")
 	serverError.CheckFatal(err)
 
+	err = options.AddFlagValues("users", "--user", "", nil, "user info: <username>:<password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("usersbase64", "--user-base64", "", nil, "user info: <username>:<base64-password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("usersmd5", "--user-md5", "", nil, "user info: <username>:<md5-password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("userssha1", "--user-sha1", "", nil, "user info: <username>:<sha1-password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("userssha256", "--user-sha256", "", nil, "user info: <username>:<sha256-password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("userssha512", "--user-sha512", "", nil, "user info: <username>:<sha512-password>")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlag("globalauth", "--global-auth", "GHFS_GLOBAL_AUTH", "require Basic Auth for all directories")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("authurls", "--auth", "", nil, "url path that require Basic Auth")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("authurlsusers", "--auth-user", "", nil, "url path that require Basic Auth for specific users, <sep><url-path>[<sep><user>...]")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("authdirs", "--auth-dir", "", nil, "file system path that require Basic Auth")
+	serverError.CheckFatal(err)
+
+	err = options.AddFlagValues("authdirsusers", "--auth-dir-user", "", nil, "file system path that require Basic Auth for specific users, <sep><fs-path>[<sep><user>...]")
+	serverError.CheckFatal(err)
+
 	err = options.AddFlagValues("globalrestrictaccess", "--global-restrict-access", "GHFS_GLOBAL_RESTRICT_ACCESS", []string{}, "restrict access to all url paths from current host, with optional extra allow list")
 	serverError.CheckFatal(err)
 
-	err = options.AddFlagValues("restrictaccessurls", "--restrict-access", "", []string{}, "restrict access to specific url paths from current host, with optional extra allow list")
+	err = options.AddFlagValues("restrictaccessurls", "--restrict-access", "", []string{}, "restrict access to specific url paths from current host, with optional extra allow list, <sep><url-path>[<sep><allowed-host>...]")
 	serverError.CheckFatal(err)
 
-	err = options.AddFlagValues("restrictaccessdirs", "--restrict-access-dir", "", []string{}, "restrict access to specific file system paths from current host, with optional extra allow list")
+	err = options.AddFlagValues("restrictaccessdirs", "--restrict-access-dir", "", []string{}, "restrict access to specific file system paths from current host, with optional extra allow list, <sep><fs-path>[<sep><allowed-host>...]")
 	serverError.CheckFatal(err)
 
 	err = options.AddFlagValues("globalheaders", "--global-header", "GHFS_GLOBAL_HEADER", []string{}, "custom headers for all url paths, e.g. <name>:<value>")
@@ -105,33 +138,6 @@ func NewCliCmd() *goNixArgParser.Command {
 	err = options.AddFlagValues("corsdirs", "--cors-dir", "", nil, "file system path that enable CORS headers")
 	serverError.CheckFatal(err)
 
-	err = options.AddFlag("globalauth", "--global-auth", "GHFS_GLOBAL_AUTH", "require Basic Auth for all directories")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("authurls", "--auth", "", nil, "url path that require Basic Auth")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("authdirs", "--auth-dir", "", nil, "file system path that require Basic Auth")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("users", "--user", "", nil, "user info: <username>:<password>")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("usersbase64", "--user-base64", "", nil, "user info: <username>:<base64-password>")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("usersmd5", "--user-md5", "", nil, "user info: <username>:<md5-password>")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("userssha1", "--user-sha1", "", nil, "user info: <username>:<sha1-password>")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("userssha256", "--user-sha256", "", nil, "user info: <username>:<sha256-password>")
-	serverError.CheckFatal(err)
-
-	err = options.AddFlagValues("userssha512", "--user-sha512", "", nil, "user info: <username>:<sha512-password>")
-	serverError.CheckFatal(err)
-
 	err = options.AddFlagsValues("certs", []string{"-c", "--cert"}, "GHFS_CERT", nil, "TLS certificate path")
 	serverError.CheckFatal(err)
 
@@ -366,6 +372,12 @@ func CmdResultsToParams(results []*goNixArgParser.ParseResult) (params Params, e
 		param.GlobalAuth = result.HasKey("globalauth")
 		param.AuthUrls, _ = result.GetStrings("authurls")
 		param.AuthDirs, _ = result.GetStrings("authdirs")
+		// auth urls users
+		authUrlsUsers, _ := result.GetStrings("authurlsusers")
+		param.AuthUrlsUsers = SplitAllKeyValues(authUrlsUsers)
+		// auth dirs users
+		authDirsUsers, _ := result.GetStrings("authdirsusers")
+		param.AuthDirsUsers = SplitAllKeyValues(authDirsUsers)
 
 		// users
 		arrUsersPlain, _ := result.GetStrings("users")
diff --git a/src/param/main.go b/src/param/main.go
@@ -18,17 +18,29 @@ type Param struct {
 
 	DefaultSort string
 	DirIndexes  []string
-	// value: [url-path, fs-path]
-	Aliases [][2]string
+	Aliases     [][2]string // [][url-path, fs-path]
+
+	// [][username, password]
+	UsersPlain  [][2]string
+	UsersBase64 [][2]string
+	UsersMd5    [][2]string
+	UsersSha1   [][2]string
+	UsersSha256 [][2]string
+	UsersSha512 [][2]string
+
+	GlobalAuth    bool
+	AuthUrls      []string
+	AuthUrlsUsers [][]string // [][path, user...]
+	AuthDirs      []string
+	AuthDirsUsers [][]string // [][path, user...]
 
 	GlobalRestrictAccess []string
-	// value: [restrict-path, allow-hosts...]
+	// [][restrict-path, allow-hosts...]
 	RestrictAccessUrls [][]string
 	RestrictAccessDirs [][]string
 
-	// value: [name, value]
-	GlobalHeaders [][2]string
-	// value: [path, (name, value)...]
+	GlobalHeaders [][2]string // [][name, value]
+	// [][path, (name, value)...]
 	HeadersUrls [][]string
 	HeadersDirs [][]string
 
@@ -52,17 +64,6 @@ type Param struct {
 	CorsUrls   []string
 	CorsDirs   []string
 
-	GlobalAuth bool
-	AuthUrls   []string
-	AuthDirs   []string
-	// value: [username, password]
-	UsersPlain  [][2]string
-	UsersBase64 [][2]string
-	UsersMd5    [][2]string
-	UsersSha1   [][2]string
-	UsersSha256 [][2]string
-	UsersSha512 [][2]string
-
 	Certificates []tls.Certificate
 	Listens      []string
 	ListensPlain []string
@@ -138,6 +139,21 @@ func (param *Param) normalize() (errs []error) {
 	// dir indexes
 	param.DirIndexes = normalizeFilenames(param.DirIndexes)
 
+	// auth users
+	param.AuthUrlsUsers, es = normalizeAllPathValues(param.AuthUrlsUsers, true, util.NormalizeUrlPath, nil)
+	if len(es) == 0 {
+		dedupAllPathValues(param.AuthUrlsUsers)
+	} else {
+		errs = append(errs, es...)
+	}
+
+	param.AuthDirsUsers, es = normalizeAllPathValues(param.AuthDirsUsers, true, filepath.Abs, nil)
+	if len(es) == 0 {
+		dedupAllPathValues(param.AuthDirsUsers)
+	} else {
+		errs = append(errs, es...)
+	}
+
 	// global restrict access, nil to disable, non-nil to enable with allowed hosts
 	if param.GlobalRestrictAccess != nil {
 		param.GlobalRestrictAccess = util.ExtractHostsFromUrls(param.GlobalRestrictAccess)
diff --git a/src/serverHandler/aliasHandler.go b/src/serverHandler/aliasHandler.go
@@ -212,9 +212,11 @@ func newAliasHandler(
 		dirIndexes: p.DirIndexes,
 		aliases:    allAliases.filterSuccessor(currentAlias.url),
 
-		globalAuth: p.GlobalAuth || prefixMatched(p.AuthUrls, util.HasUrlPrefixDir, currentAlias.url) || prefixMatched(p.AuthDirs, util.HasFsPrefixDir, currentAlias.fs),
-		authUrls:   filterSuccessor(p.AuthUrls, util.HasUrlPrefixDir, currentAlias.url),
-		authDirs:   filterSuccessor(p.AuthDirs, util.HasFsPrefixDir, currentAlias.fs),
+		globalAuth:    p.GlobalAuth || prefixMatched(p.AuthUrls, util.HasUrlPrefixDir, currentAlias.url) || prefixMatched(p.AuthDirs, util.HasFsPrefixDir, currentAlias.fs),
+		authUrls:      filterSuccessor(p.AuthUrls, util.HasUrlPrefixDir, currentAlias.url),
+		authUrlsUsers: vhostCtx.authUrlsUsers.filterSuccessor(util.HasUrlPrefixDir, currentAlias.url),
+		authDirs:      filterSuccessor(p.AuthDirs, util.HasFsPrefixDir, currentAlias.fs),
+		authDirsUsers: vhostCtx.authDirsUsers.filterSuccessor(util.HasFsPrefixDir, currentAlias.fs),
 
 		globalRestrictAccess: globalRestrictAccess,
 		restrictAccessUrls:   vhostCtx.restrictAccessUrls.filterSuccessor(util.HasUrlPrefixDir, currentAlias.url),
diff --git a/src/serverHandler/util.go b/src/serverHandler/util.go
@@ -1,6 +1,7 @@
 package serverHandler
 
 import (
+	"mjpclab.dev/ghfs/src/user"
 	"mjpclab.dev/ghfs/src/util"
 	"net/http"
 	"os"
@@ -9,6 +10,27 @@ import (
 	"strings"
 )
 
+func pathUsernamesToPathUids(users *user.List, pathsUsernames [][]string) pathIntsList {
+	list := make(pathIntsList, 0, len(pathsUsernames))
+	for _, pathUsernames := range pathsUsernames {
+		if len(pathUsernames) < 1 {
+			continue
+		}
+		pathIds := pathInts{
+			path: pathUsernames[0],
+			ints: make([]int, 0, len(pathUsernames)-1),
+		}
+		for _, username := range pathUsernames[1:] {
+			uid := users.FindIndex(username)
+			if uid >= 0 {
+				pathIds.ints = append(pathIds.ints, uid)
+			}
+		}
+		list = append(list, pathIds)
+	}
+	return list
+}
+
 func wildcardToRegexp(wildcards []string) (*regexp.Regexp, error) {
 	if len(wildcards) == 0 {
 		return nil, nil
diff --git a/src/serverHandler/vhostHandler.go b/src/serverHandler/vhostHandler.go
@@ -22,6 +22,9 @@ type vhostContext struct {
 	hideDirs  *regexp.Regexp
 	hideFiles *regexp.Regexp
 
+	authUrlsUsers pathIntsList
+	authDirsUsers pathIntsList
+
 	restrictAccessUrls pathStringsList
 	restrictAccessDirs pathStringsList
 
@@ -75,6 +78,10 @@ func NewVhostHandler(
 		return nil, errs
 	}
 
+	// auth urls users
+	authUrlsUsers := pathUsernamesToPathUids(users, p.AuthUrlsUsers)
+	authDirsUsers := pathUsernamesToPathUids(users, p.AuthDirsUsers)
+
 	// restrict access
 	restrictAccessUrls := newRestrictAccesses(p.RestrictAccessUrls)
 	restrictAccessDirs := newRestrictAccesses(p.RestrictAccessDirs)
@@ -84,10 +91,13 @@ func NewVhostHandler(
 
 	// alias param
 	vhostCtx := &vhostContext{
-		users:  users,
 		theme:  theme,
 		logger: logger,
 
+		users:         users,
+		authUrlsUsers: authUrlsUsers,
+		authDirsUsers: authDirsUsers,
+
 		shows:     shows,
 		showDirs:  showDirs,
 		showFiles: showFiles,
diff --git a/test/case/007.auth.bash b/test/case/007.auth.bash
@@ -2,7 +2,7 @@
 
 source "$root"/lib.bash
 
-"$ghfs" -l 3003 -r "$fs"/vhost1 --auth /hello --user alice:AliceSecret -E '' &
+"$ghfs" -l 3003 -r "$fs"/vhost1 --auth /hello --auth-user :/world:bob --user alice:AliceSecret --user bob:BobSecret -E '' &
 sleep 0.05 # wait server ready
 
 status=$(curl_get_status http://127.0.0.1:3003/yes/)
@@ -17,10 +17,22 @@ assert "$status" '200'
 status=$(curl_head_status http://alice:AliceSecret@127.0.0.1:3003/hello/)
 assert "$status" '200'
 
+status=$(curl_get_status http://alice:AliceSecret@127.0.0.1:3003/world/)
+assert "$status" '401'
+
+status=$(curl_head_status http://alice:AliceSecret@127.0.0.1:3003/world/)
+assert "$status" '401'
+
+status=$(curl_get_status http://bob:BobSecret@127.0.0.1:3003/world/)
+assert "$status" '200'
+
+status=$(curl_head_status http://bob:BobSecret@127.0.0.1:3003/world/)
+assert "$status" '200'
+
 status=$(curl_get_status http://127.0.0.1:3003/yes/?auth)
 assert "$status" '401'
 
-status=$(curl_get_status http://bob:BobSecret@127.0.0.1:3003/yes/)
+status=$(curl_get_status http://eve:EveSecret@127.0.0.1:3003/yes/)
 assert "$status" '200'
 
 status=$(curl_get_status http://alice:AliceSecret@127.0.0.1:3003/yes/?auth)
