diff --git a/README.md b/README.md index 7fc05672..b80dd71b 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,11 @@

+!!! Note: + +This is a custom fork of the original homepage that integrates some per-user and per-group configuration settings +via proxy auth. Use at your own risk. +

A modern, fully static, fast, secure fully proxied, highly customizable application dashboard with integrations for over 100 services and translations into multiple languages. Easily configured via YAML files or through docker label discovery.

diff --git a/docs/configs/settings.md b/docs/configs/settings.md index 3bc843c1..29e3537e 100644 --- a/docs/configs/settings.md +++ b/docs/configs/settings.md @@ -423,3 +423,39 @@ or per service widget (`services.yaml`) with: ``` If either value is set to true, the error message will be hidden. + +## Authentication + +Basic auth integration is implemeted via an `auth` section. An auth provider can be configured using the `provider` section with the given type. Currently the only provider supported is `proxy`, where the users identification and group membership are passed via HTTP Request headers (in plaintext). The expectation is that the application will be accessed only via an authenticating proxy (i.e treafik ). + +The group and user headers are both configurable like so: +```yaml +auth: + provider: + type: proxy + groupHeader: "X-group-header" + userHeader: "X-user-header" +``` + +Auth can be configured on the service, bookmark, and widget level using the `allowUsers` and `allowGroups` list. + +```yaml +- Example Servie: + allowGroups: + - Group1 + - Group2 + - Group3 + allowUsers: + - User1 + - User2 + - User3 +``` + +Auth for groups can be set in the `groups` under `auth`. + +```yaml +auth: + groups: + My Service Group: + allowGroups: ['Group1', 'Group2'] +``` \ No newline at end of file diff --git a/src/pages/api/auth.js b/src/pages/api/auth.js new file mode 100644 index 00000000..6d0d6033 --- /dev/null +++ b/src/pages/api/auth.js @@ -0,0 +1,17 @@ +import { checkAllowedGroup, readAuthSettings } from "utils/auth/auth-helpers"; +import { getSettings } from "utils/config/config"; + +export default async function handler(req, res) { + const { group } = req.query; + const { provider, groups } = readAuthSettings(getSettings().auth) + + try { + if (checkAllowedGroup(provider.permissions(req), groups, group)) { + res.json({ group: group}) + } else { + res.status(401).json({message:"Group unathorized"}) + } + } catch (err) { + res.status(500).send("Error authenticating"); + } +} diff --git a/src/pages/api/bookmarks.js b/src/pages/api/bookmarks.js index a7b0ae17..d8c4e456 100644 --- a/src/pages/api/bookmarks.js +++ b/src/pages/api/bookmarks.js @@ -1,8 +1,8 @@ -import { createAuthProvider } from "utils/auth/auth-helpers"; +import { readAuthSettings } from "utils/auth/auth-helpers"; import { bookmarksResponse } from "utils/config/api-response"; import { getSettings } from "utils/config/config"; export default async function handler(req, res) { - const auth = createAuthProvider(getSettings()) - res.send(await bookmarksResponse(auth.permissions(req))); + const { provider, groups } = readAuthSettings(getSettings().auth) + res.send(await bookmarksResponse(provider.permissions(req), groups)); } diff --git a/src/pages/api/services/index.js b/src/pages/api/services/index.js index 749ee420..77573ead 100644 --- a/src/pages/api/services/index.js +++ b/src/pages/api/services/index.js @@ -1,14 +1,8 @@ -import { createAuthProvider } from "utils/auth/auth-helpers"; +import { readAuthSettings } from "utils/auth/auth-helpers"; import { servicesResponse } from "utils/config/api-response"; import { getSettings } from "utils/config/config"; -import createLogger from "utils/logger"; - -let logger = createLogger("services_index") export default async function handler(req, res) { - logger.log("Call services"); - const auth = createAuthProvider(getSettings) - const result = await servicesResponse(auth.permissions(req)) - logger.log(result); - res.send(result); + const { provider, groups } = readAuthSettings(getSettings().auth) + res.send(await servicesResponse(provider.permissions(req), groups)); } diff --git a/src/pages/api/widgets/index.js b/src/pages/api/widgets/index.js index beb642f3..a0aa3d1c 100644 --- a/src/pages/api/widgets/index.js +++ b/src/pages/api/widgets/index.js @@ -1,9 +1,8 @@ -import { createAuthProvider } from "utils/auth/auth-helpers"; +import { readAuthSettings } from "utils/auth/auth-helpers"; import { widgetsResponse } from "utils/config/api-response"; import { getSettings } from "utils/config/config"; export default async function handler(req, res) { - const auth = createAuthProvider(getSettings()); - - res.send(await widgetsResponse(auth.permissions(req))); + const { provider } = readAuthSettings(getSettings().auth) + res.send(await widgetsResponse(provider.permissions(req))); } diff --git a/src/pages/index.jsx b/src/pages/index.jsx index 6701b3a8..55724010 100644 --- a/src/pages/index.jsx +++ b/src/pages/index.jsx @@ -27,7 +27,7 @@ import ErrorBoundary from "components/errorboundry"; import themes from "utils/styles/themes"; import QuickLaunch from "components/quicklaunch"; import { getStoredProvider, searchProviders } from "components/widgets/search/search"; -import { createAuthorizer, fetchWithAuth } from "utils/auth/auth-helpers"; +import { fetchWithAuth, readAuthSettings } from "utils/auth/auth-helpers"; import { NullAuthProvider } from "utils/auth/null"; const ThemeToggle = dynamic(() => import("components/toggles/theme"), { ssr: false, @@ -48,12 +48,12 @@ export async function getServerSideProps({req}) { try { logger = createLogger("index"); const { providers, auth, ...settings } = getSettings(); - const authProvider = createAuthorizer({auth: auth}); + const { provider, groups } = readAuthSettings(auth); - const services = await servicesResponse(authProvider.authorize(req)); - const bookmarks = await bookmarksResponse(authProvider.authorize(req)); - const widgets = await widgetsResponse(authProvider.authorize(req)); - const authContext = authProvider.getContext(req); + const services = await servicesResponse(provider.authorize(req), groups); + const bookmarks = await bookmarksResponse(provider.authorize(req), groups); + const widgets = await widgetsResponse(provider.authorize(req)); + const authContext = provider.getContext(req); return { props: { diff --git a/src/utils/auth/auth-helpers.js b/src/utils/auth/auth-helpers.js index e04b5365..49b9e494 100644 --- a/src/utils/auth/auth-helpers.js +++ b/src/utils/auth/auth-helpers.js @@ -10,31 +10,44 @@ function getProviderByKey(key) { return AuthProviders.find((provider) => provider.key == key) ?? NullAuthProvider; } -export function createAuthorizer({auth}) { - if (auth) { - getProviderByKey(Object.keys(auth)[0]).create(auth[ProxyAuthKey]); - } - return NullAuthProvider.create(); +export function readAuthSettings({provider, groups} = {}) { + return { + provider: provider ? getProviderByKey(provider.type).create(provider) : NullAuthProvider.create(), + groups: groups ? groups.map((group) => ({ + name: Object.keys(group)[0], + allowUsers: group[Object.keys(group)[0]].allowUsers, + allowGroups: group[Object.keys(group)[0]].allowGroups + })) : [] + } } export async function fetchWithAuth(key, context) { return getProviderByKey(context.provider).fetch([key, context]); } -export const filterAllowedServices = (perms, services) => filterAllowedItems(perms, services, 'services'); -export const filterAllowedBookmarks = (perms, bookmarks) => filterAllowedItems(perms, bookmarks, 'bookmarks'); +export function checkAllowedGroup(perms, authGroups, groupName) { + testGroup = authGroups.find((group) => group.name == groupName ) + return testGroup ? authAllow(perms, testGroup) : true +} + +export const filterAllowedServices = (perms, authGroups, services) => filterAllowedItems(perms, authGroups, services, 'services'); +export const filterAllowedBookmarks = (perms, authGroups, bookmarks) => filterAllowedItems(perms, authGroups, bookmarks, 'bookmarks'); export const filterAllowedWidgets = (perms, widgets) => { return widgets.filter((widget) => authItemFilter(perms, widget.options) ) } -function filterAllowedItems({user, groups}, itemGroups, groupKey) { - return itemGroups.map((group) => ({ +function filterAllowedItems(perms, authGroups, groups, groupKey) { + return groups.filter((group) => checkAllowedGroup(perms, authGroups, group.name)) + .map((group) => ({ name: group.name, - [groupKey]: group[groupKey].filter((item) => authItemFilter({user, groups}, item)) - })).filter((group) => group[groupKey].length); + [groupKey]: group[groupKey].filter((item) => authAllow(perms, item)) + })) + .filter((group) => group[groupKey].length); } -function authItemFilter({user, groups}, item) { + + +function authAllow({user, groups}, item) { const groupAllow = (('allowGroups' in item)) && groups.some(group => item.allowGroups.includes(group)); const userAllow = (('allowUsers' in item)) && item.allowUsers.includes(user); const allowAll = (!('allowGroups' in item)) && (!('allowUsers' in item)); diff --git a/src/utils/auth/proxy.js b/src/utils/auth/proxy.js index 7e824cb0..3369e62f 100644 --- a/src/utils/auth/proxy.js +++ b/src/utils/auth/proxy.js @@ -1,6 +1,6 @@ -// Proxy auth is meant to be used by a reverse proxy that injects permission headers into the origin +// 'proxy' auth provider is meant to be used by a reverse proxy that injects permission headers into the origin // request. In this case we are relying on our proxy to authenitcate our users and validate. -const ProxyAuthKey="proxy_auth" +const ProxyAuthKey="proxy" function getProxyPermissions(userHeader, groupHeader, request) { const user = (userHeader)?request.headers.get(userHeader):None; @@ -13,11 +13,9 @@ function createProxyAuth({groupHeader, userHeader}) { return { getContext : (request) => { return { - provider: ProxyAuthKey, - headers: { - ...userHeader && {[userHeader]: request.headers.get(userHeader) }, - ...groupHeader && {[groupHeader]: request.headers.get(groupHeader)} - } + type: ProxyAuthKey, + ...userHeader && {[userHeader]: request.headers.get(userHeader) }, + ...groupHeader && {[groupHeader]: request.headers.get(groupHeader)} } }, authorize : (request) => getProxyPermissions(userHeader, groupHeader, request) diff --git a/src/utils/config/api-response.js b/src/utils/config/api-response.js index 62937e8a..280a8268 100644 --- a/src/utils/config/api-response.js +++ b/src/utils/config/api-response.js @@ -12,7 +12,6 @@ import { servicesFromKubernetes, } from "utils/config/service-helpers"; import { cleanWidgetGroups, widgetsFromConfig } from "utils/config/widget-helpers"; -import { filterAuthBookmarks } from "utils/auth/auth-helpers"; import { filterAllowedBookmarks, @@ -31,7 +30,7 @@ function compareServices(service1, service2) { return service1.name.localeCompare(service2.name); } -export async function bookmarksResponse(perms) { +export async function bookmarksResponse(perms, authGroups) { checkAndCopyConfig("bookmarks.yaml"); const bookmarksYaml = path.join(CONF_DIR, "bookmarks.yaml"); @@ -52,7 +51,7 @@ export async function bookmarksResponse(perms) { } // map easy to write YAML objects into easy to consume JS arrays - const bookmarksArray = filterAllowedBookmarks(perms, + const bookmarksArray = filterAllowedBookmarks(perms, authGroups, bookmarks.map((group) => ({ name: Object.keys(group)[0], bookmarks: group[Object.keys(group)[0]].map((entries) => ({ @@ -93,14 +92,14 @@ export async function widgetsResponse(perms) { return configuredWidgets; } -export async function servicesResponse(perms) { +export async function servicesResponse(perms, authGroups) { let discoveredDockerServices; let discoveredKubernetesServices; let configuredServices; let initialSettings; try { - discoveredDockerServices = filterAllowedServices(perms, cleanServiceGroups(await servicesFromDocker())); + discoveredDockerServices = filterAllowedServices(perms, authGroups, cleanServiceGroups(await servicesFromDocker())); if (discoveredDockerServices?.length === 0) { console.debug("No containers were found with homepage labels."); } @@ -111,7 +110,7 @@ export async function servicesResponse(perms) { } try { - discoveredKubernetesServices = filterAllowedServices(perms, cleanServiceGroups(await servicesFromKubernetes())); + discoveredKubernetesServices = filterAllowedServices(perms, authGroups, cleanServiceGroups(await servicesFromKubernetes())); } catch (e) { console.error("Failed to discover services, please check kubernetes.yaml for errors or remove example entries."); if (e) console.error(e.toString()); @@ -119,7 +118,7 @@ export async function servicesResponse(perms) { } try { - configuredServices = filterAllowedServices(perms, cleanServiceGroups(await servicesFromConfig())); + configuredServices = filterAllowedServices(perms, authGroups, cleanServiceGroups(await servicesFromConfig())); } catch (e) { console.error("Failed to load services.yaml, please check for errors"); if (e) console.error(e.toString());