-
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathutils.go
208 lines (170 loc) · 4.43 KB
/
utils.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
package traefik_oidc_auth
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
"net/http"
"net/url"
"os"
"strings"
"time"
)
func shouldLog(minLevel, level string) bool {
return LogLevels[strings.ToUpper(minLevel)] >= LogLevels[strings.ToUpper(level)]
}
func log(minLevel string, level string, format string, a ...interface{}) {
if !shouldLog(minLevel, level) {
return
}
currentTime := time.Now().Format("2006-01-02 15:04:05")
os.Stdout.WriteString(currentTime + " [" + level + "]" + " [traefik-oidc-auth] " + fmt.Sprintf(format, a...) + "\n")
}
func urlIsAbsolute(u *url.URL) bool {
return u.Scheme != "" && u.Host != ""
}
func parseUrl(rawUrl string) (*url.URL, error) {
if rawUrl == "" {
return nil, errors.New("invalid empty url")
}
if !strings.Contains(rawUrl, "://") {
rawUrl = "https://" + rawUrl
}
u, err := url.Parse(rawUrl)
if err != nil {
return nil, err
}
if !strings.HasPrefix(u.Scheme, "http") {
return nil, fmt.Errorf("%v is not a valid scheme", u.Scheme)
}
return u, nil
}
func getSchemeFromRequest(req *http.Request) string {
scheme := req.Header.Get("X-Forwarded-Proto")
if scheme == "" {
if req.TLS != nil {
scheme = "https"
} else {
scheme = "http"
}
}
return scheme
}
func fillHostSchemeFromRequest(req *http.Request, u *url.URL) *url.URL {
scheme := getSchemeFromRequest(req)
host := req.Header.Get("X-Forwarded-Host")
if host == "" {
host = req.Host
}
u.Scheme = scheme
u.Host = host
return u
}
func getFullHost(req *http.Request) string {
scheme := getSchemeFromRequest(req)
host := req.Header.Get("X-Forwarded-Host")
if host == "" {
host = req.Host
}
return fmt.Sprintf("%s://%s", scheme, host)
}
func ensureAbsoluteUrl(req *http.Request, url string) string {
if strings.HasPrefix(url, "http://") || strings.HasPrefix(url, "https://") {
return url
} else {
host := getFullHost(req)
return host + url
}
}
func (state *OidcState) base64Encode() (string, error) {
stateBytes, err := json.Marshal(state)
if err != nil {
return "", err
}
stateBase64 := base64.StdEncoding.EncodeToString(stateBytes)
return stateBase64, nil
}
func base64DecodeState(base64State string) (*OidcState, error) {
stateBytes, err := base64.StdEncoding.DecodeString(base64State)
if err != nil {
return nil, err
}
var state OidcState
err2 := json.Unmarshal(stateBytes, &state)
if err2 != nil {
return nil, err2
}
return &state, nil
}
func ParseBigInt(s string) (*big.Int, error) {
b, err := base64.RawURLEncoding.DecodeString(s)
if err != nil {
return nil, err
}
return big.NewInt(0).SetBytes(b), nil
}
func ParseInt(s string) (int, error) {
v, err := ParseBigInt(s)
if err != nil {
return -1, err
}
return int(v.Int64()), nil
}
func encrypt(plaintext string, secret string) (string, error) {
aesCipher, err := aes.NewCipher([]byte(secret))
if err != nil {
return "", err
}
gcm, err := cipher.NewGCM(aesCipher)
if err != nil {
return "", err
}
// We need a 12-byte nonce for GCM (modifiable if you use cipher.NewGCMWithNonceSize())
// A nonce should always be randomly generated for every encryption.
nonce := make([]byte, gcm.NonceSize())
_, err = rand.Read(nonce)
if err != nil {
return "", err
}
// ciphertext here is actually nonce+ciphertext
// So that when we decrypt, just knowing the nonce size
// is enough to separate it from the ciphertext.
ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
return base64.StdEncoding.EncodeToString(ciphertext), nil
}
func decrypt(ciphertext string, secret string) (string, error) {
cipherbytes, err := base64.StdEncoding.DecodeString(ciphertext)
ciphertext = string(cipherbytes)
aesCipher, err := aes.NewCipher([]byte(secret))
if err != nil {
return "", err
}
gcm, err := cipher.NewGCM(aesCipher)
if err != nil {
return "", err
}
// Since we know the ciphertext is actually nonce+ciphertext
// And len(nonce) == NonceSize(). We can separate the two.
nonceSize := gcm.NonceSize()
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
plaintext, err := gcm.Open(nil, []byte(nonce), []byte(ciphertext), nil)
if err != nil {
return "", err
}
return string(plaintext), nil
}
func ChunkString(input string, chunkSize int) []string {
var chunks []string
for i := 0; i < len(input); i += chunkSize {
end := i + chunkSize
if end > len(input) {
end = len(input)
}
chunks = append(chunks, input[i:end])
}
return chunks
}