feat: auth v2 - supersedes mudler#2894, metrics to follow later
Signed-off-by: Dave Lee <dave@gray101.com>
1 parent
b95c523
commit 5cd2adb
Showing
11 changed files
with
264 additions
and
158 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
package middleware | ||
|
||
import ( | ||
"crypto/subtle" | ||
"errors" | ||
|
||
"github.com/dave-gray101/v2keyauth" | ||
"github.com/gofiber/fiber/v2" | ||
"github.com/gofiber/fiber/v2/middleware/keyauth" | ||
"github.com/mudler/LocalAI/core/config" | ||
) | ||
|
||
// This file contains the configuration generators and handler functions that are used along with the fiber/keyauth middleware | ||
// Currently this requires an upstream patch - and feature patches are no longer accepted to v2 | ||
// Therefore `dave-gray101/v2keyauth` contains the v2 backport of the middleware until v3 stabilizes and we migrate. | ||
|
||
func GetKeyAuthConfig(applicationConfig *config.ApplicationConfig) (*v2keyauth.Config, error) { | ||
customLookup, err := v2keyauth.MultipleKeySourceLookup([]string{"header:Authorization", "header:x-api-key", "header:xi-api-key"}, keyauth.ConfigDefault.AuthScheme) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return &v2keyauth.Config{ | ||
CustomKeyLookup: customLookup, | ||
Next: getApiKeyRequiredFilterFunction(applicationConfig), | ||
Validator: getApiKeyValidationFunction(applicationConfig), | ||
ErrorHandler: getApiKeyErrorHandler(applicationConfig), | ||
AuthScheme: "Bearer", | ||
}, nil | ||
} | ||
|
||
func getApiKeyErrorHandler(applicationConfig *config.ApplicationConfig) fiber.ErrorHandler { | ||
return func(ctx *fiber.Ctx, err error) error { | ||
if errors.Is(err, v2keyauth.ErrMissingOrMalformedAPIKey) { | ||
if len(applicationConfig.ApiKeys) == 0 { | ||
return ctx.Next() // if no keys are set up, any error we get here is not an error. | ||
} | ||
if applicationConfig.OpaqueErrors { | ||
return ctx.SendStatus(403) | ||
} | ||
} | ||
if applicationConfig.OpaqueErrors { | ||
return ctx.SendStatus(500) | ||
} | ||
return err | ||
} | ||
} | ||
|
||
func getApiKeyValidationFunction(applicationConfig *config.ApplicationConfig) func(*fiber.Ctx, string) (bool, error) { | ||
|
||
if applicationConfig.UseSubtleKeyComparison { | ||
return func(ctx *fiber.Ctx, apiKey string) (bool, error) { | ||
if len(applicationConfig.ApiKeys) == 0 { | ||
return true, nil // If no keys are setup, accept everything | ||
} | ||
for _, validKey := range applicationConfig.ApiKeys { | ||
if subtle.ConstantTimeCompare([]byte(apiKey), []byte(validKey)) == 1 { | ||
return true, nil | ||
} | ||
} | ||
return false, v2keyauth.ErrMissingOrMalformedAPIKey | ||
} | ||
} | ||
|
||
return func(ctx *fiber.Ctx, apiKey string) (bool, error) { | ||
if len(applicationConfig.ApiKeys) == 0 { | ||
return true, nil // If no keys are setup, accept everything | ||
} | ||
for _, validKey := range applicationConfig.ApiKeys { | ||
if apiKey == validKey { | ||
return true, nil | ||
} | ||
} | ||
return false, v2keyauth.ErrMissingOrMalformedAPIKey | ||
} | ||
} | ||
|
||
func getApiKeyRequiredFilterFunction(applicationConfig *config.ApplicationConfig) func(*fiber.Ctx) bool { | ||
if applicationConfig.DisableApiKeyRequirementForHttpGet { | ||
return func(c *fiber.Ctx) bool { | ||
if c.Method() != "GET" { | ||
return false | ||
} | ||
for _, rx := range applicationConfig.HttpGetExemptedEndpoints { | ||
if rx.MatchString(c.Path()) { | ||
return true | ||
} | ||
} | ||
return false | ||
} | ||
} | ||
return func(c *fiber.Ctx) bool { return false } | ||
} |
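Review bot: The fallback validator in getApiKeyValidationFunction compares keys with `apiKey == validKey`, which can return as soon as a byte differs, so the API-key check is only constant-time when UseSubtleKeyComparison is switched on. For a credential check I would keep only the `subtle.ConstantTimeCompare([]byte(apiKey), []byte(validKey)) == 1` closure and drop the duplicate; the flag's default is not visible in this file, so if it is already true the second closure is just dead weight. ConstantTimeCompare still returns immediately when the two lengths differ, so key length remains observable unless both sides are first reduced to fixed-size digests (for example SHA-256). Separately, in getApiKeyErrorHandler a rejected key with OpaqueErrors off falls through to `return err`, so the status the client sees depends on the app-level error handler outside this file; an explicit 401 there would be clearer.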