mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-04-04 21:17:37 +03:00
Code Issues Projects Releases Packages Wiki Activity

feat(server): require explicitly enabling reverse proxy auth for unix sockets (#3062)

Browse source
This commit is contained in:
crazygolem 2024-09-29 19:28:44 +02:00 committed by GitHub
parent ed3ab5385d
commit 06c9c1e64a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 43 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

16
server/auth.go
View file

@ -10,6 +10,7 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"slices"
"strings" "strings"
"time" "time"
@ -196,7 +197,7 @@ func UsernameFromToken(r *http.Request) string {
} }
func UsernameFromReverseProxyHeader(r *http.Request) string { func UsernameFromReverseProxyHeader(r *http.Request) string {
if conf.Server.ReverseProxyWhitelist == "" && !strings.HasPrefix(conf.Server.Address, "unix:") { if conf.Server.ReverseProxyWhitelist == "" {
return "" return ""
} }
reverseProxyIp, ok := request.ReverseProxyIpFrom(r.Context()) reverseProxyIp, ok := request.ReverseProxyIpFrom(r.Context())
@ -324,14 +325,16 @@ func handleLoginFromHeaders(ds model.DataStore, r *http.Request) map[string]inte
} }
func validateIPAgainstList(ip string, comaSeparatedList string) bool { func validateIPAgainstList(ip string, comaSeparatedList string) bool {
if comaSeparatedList == "" || ip == "" {
return false
}
cidrs := strings.Split(comaSeparatedList, ",")
// Per https://github.com/golang/go/issues/49825, the remote address // Per https://github.com/golang/go/issues/49825, the remote address
// on a unix socket is '@' // on a unix socket is '@'
if ip == "@" && strings.HasPrefix(conf.Server.Address, "unix:") { if ip == "@" && strings.HasPrefix(conf.Server.Address, "unix:") {
return true return slices.Contains(cidrs, "@")
}
if comaSeparatedList == "" || ip == "" {
return false
} }
if net.ParseIP(ip) == nil { if net.ParseIP(ip) == nil {
@ -342,7 +345,6 @@ func validateIPAgainstList(ip string, comaSeparatedList string) bool {
return false return false
} }
cidrs := strings.Split(comaSeparatedList, ",")
testedIP, _, err := net.ParseCIDR(fmt.Sprintf("%s/32", ip)) testedIP, _, err := net.ParseCIDR(fmt.Sprintf("%s/32", ip))
if err != nil { if err != nil {

34
server/auth_test.go
View file

@ -154,6 +154,40 @@ var _ = Describe("Auth", func() {
// Request Header authentication should not generate a JWT token // Request Header authentication should not generate a JWT token
Expect(parsed).ToNot(HaveKey("token")) Expect(parsed).ToNot(HaveKey("token"))
}) })
It("does not set auth data when listening on unix socket without whitelist", func() {
conf.Server.Address = "unix:/tmp/navidrome-test"
conf.Server.ReverseProxyWhitelist = ""
// No ReverseProxyIp in request context
serveIndex(ds, fs, nil)(resp, req)
config := extractAppConfig(resp.Body.String())
Expect(config["auth"]).To(BeNil())
})
It("does not set auth data when listening on unix socket with incorrect whitelist", func() {
conf.Server.Address = "unix:/tmp/navidrome-test"
req = req.WithContext(request.WithReverseProxyIp(req.Context(), "@"))
serveIndex(ds, fs, nil)(resp, req)
config := extractAppConfig(resp.Body.String())
Expect(config["auth"]).To(BeNil())
})
It("sets auth data when listening on unix socket with correct whitelist", func() {
conf.Server.Address = "unix:/tmp/navidrome-test"
conf.Server.ReverseProxyWhitelist = conf.Server.ReverseProxyWhitelist + ",@"
req = req.WithContext(request.WithReverseProxyIp(req.Context(), "@"))
serveIndex(ds, fs, nil)(resp, req)
config := extractAppConfig(resp.Body.String())
parsed := config["auth"].(map[string]interface{})
Expect(parsed["id"]).To(Equal("111"))
})
}) })
Describe("login", func() { Describe("login", func() {