internal/auth: Add native NetAuth authentication integration.

NetAuth is an easy to deploy and manage organizational source of truth for identity and group management. This commit adds support for maddy to ask NetAuth about authentication using the native protocol.
2025-04-05 14:07:38 +03:00 · 2022-09-04 23:47:27 -05:00 · 2022-09-04 23:47:27 -05:00 · 86d3d89f95
commit 86d3d89f95
parent 1463886fc2
4 changed files with 224 additions and 0 deletions
--- a/internal/auth/netauth/netauth.go
+++ b/internal/auth/netauth/netauth.go
@ -0,0 +1,117 @@
+package netauth
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/foxcpp/maddy/framework/config"
+	"github.com/foxcpp/maddy/framework/log"
+	"github.com/foxcpp/maddy/framework/module"
+	"github.com/hashicorp/go-hclog"
+	"github.com/netauth/netauth/pkg/netauth"
+)
+
+const modName = "auth.netauth"
+
+func init() {
+	var _ module.PlainAuth = &Auth{}
+	var _ module.Table = &Auth{}
+	module.Register(modName, New)
+	module.Register("table.netauth", New)
+}
+
+// Auth binds all methods related to the NetAuth client library.
+type Auth struct {
+	instName  string
+	mustGroup string
+
+	nacl *netauth.Client
+
+	log log.Logger
+}
+
+// New creates a new instance of the NetAuth module.
+func New(modName, instName string, _, inlineArgs []string) (module.Module, error) {
+	return &Auth{
+		instName: instName,
+		log:      log.Logger{Name: modName},
+	}, nil
+}
+
+// Init performs deferred initialization actions.
+func (a *Auth) Init(cfg *config.Map) error {
+	l := hclog.New(&hclog.LoggerOptions{Output: a.log})
+	n, err := netauth.NewWithLog(l)
+	if err != nil {
+		return err
+	}
+	a.nacl = n
+	a.nacl.SetServiceName("maddy")
+	cfg.String("require_group", false, false, "", &a.mustGroup)
+	cfg.Bool("debug", true, false, &a.log.Debug)
+	if _, err := cfg.Process(); err != nil {
+		return err
+	}
+
+	a.log.Debugln("Debug logging enabled")
+	a.log.Debugf("mustGroups status: %s", a.mustGroup)
+	return nil
+}
+
+// Name returns "auth.netauth" as the fixed module name.
+func (a *Auth) Name() string {
+	return modName
+}
+
+// InstanceName returns the configured name for this instance of the
+// plugin.  Given the way that NetAuth works it doesn't really make
+// sense to have more than one instance, but this is part of the API.
+func (a *Auth) InstanceName() string {
+	return a.instName
+}
+
+// Lookup requests the entity from the remote NetAuth server,
+// potentially returning that the user does not exist at all.
+func (a *Auth) Lookup(ctx context.Context, username string) (string, bool, error) {
+	e, err := a.nacl.EntityInfo(ctx, username)
+	if err != nil {
+		return "", false, fmt.Errorf("%s: search: %w", modName, err)
+	}
+
+	if a.mustGroup != "" {
+		if err := a.checkMustGroup(username); err != nil {
+			return "", false, err
+		}
+	}
+	return e.GetID(), true, nil
+}
+
+// AuthPlain attempts straightforward authentication of the entity on
+// the remote NetAuth server.
+func (a *Auth) AuthPlain(username, password string) error {
+	a.log.Debugf("attempting to auth user: %s", username)
+	if err := a.nacl.AuthEntity(context.Background(), username, password); err != nil {
+		return module.ErrUnknownCredentials
+	}
+	a.log.Debugln("netauth returns successful auth")
+	if a.mustGroup != "" {
+		if err := a.checkMustGroup(username); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (a *Auth) checkMustGroup(username string) error {
+	a.log.Debugf("Performing require_group check: must=%s", a.mustGroup)
+	groups, err := a.nacl.EntityGroups(context.Background(), username)
+	if err != nil {
+		return fmt.Errorf("%s: groups: %w", modName, err)
+	}
+	for _, g := range groups {
+		if g.GetName() == a.mustGroup {
+			return nil
+		}
+	}
+	return fmt.Errorf("%s: missing required group (%s not in %s)", modName, username, a.mustGroup)
+}