zydronium/rdpgw
1
0
Fork 0
mirror of https://github.com/bolkedebruin/rdpgw.git synced 2025-08-17 22:13:50 +02:00
Code Issues Projects Releases Packages Wiki Activity

Make the use of a user token configurable

Browse source
This commit is contained in:
Bolke de Bruin 2020-08-22 10:04:31 +02:00
parent 2f27bd9e94
commit 27f2220a6e
4 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -86,8 +86,11 @@ security:
# a random string of at least 32 characters to secure cookies on the client # a random string of at least 32 characters to secure cookies on the client
# make sure to share this amongst different pods # make sure to share this amongst different pods
PAATokenSigningKey: thisisasessionkeyreplacethisjetzt PAATokenSigningKey: thisisasessionkeyreplacethisjetzt
PAATokenEncryptionKey: thisisasessionkeyreplacethisjetzt # PAATokenEncryptionKey: thisisasessionkeyreplacethisjetzt
UserTokenEncryptionKey: thisisasessionkeyreplacethisjetzt UserTokenEncryptionKey: thisisasessionkeyreplacethisjetzt
# if you want to enable token generation for the user
# if true the username will be set to a jwt with the username embedded into it
EnableUserToken: true
``` ```
## Testing locally ## Testing locally
A convenience docker-compose allows you to test the RDPGW locally. It uses [Keycloak](http://www.keycloak.org) A convenience docker-compose allows you to test the RDPGW locally. It uses [Keycloak](http://www.keycloak.org)
@ -119,7 +122,6 @@ In this way you can integrate, for example, it with [pam-jwt](https://github.com
* Integrate Open Policy Agent * Integrate Open Policy Agent
* Integrate GOKRB5 * Integrate GOKRB5
* Integrate uber-go/zap * Integrate uber-go/zap
* Integrate prometheus
* Research: TLS defragmentation * Research: TLS defragmentation
* Improve Web Interface * Improve Web Interface

6
api/web.go
View file

@ -30,6 +30,7 @@ type Config struct {
SessionEncryptionKey []byte SessionEncryptionKey []byte
PAATokenGenerator TokenGeneratorFunc PAATokenGenerator TokenGeneratorFunc
UserTokenGenerator UserTokenGeneratorFunc UserTokenGenerator UserTokenGeneratorFunc
EnableUserToken bool
OAuth2Config *oauth2.Config OAuth2Config *oauth2.Config
store *sessions.CookieStore store *sessions.CookieStore
OIDCTokenVerifier *oidc.IDTokenVerifier OIDCTokenVerifier *oidc.IDTokenVerifier
@ -170,11 +171,14 @@ func (c *Config) HandleDownload(w http.ResponseWriter, r *http.Request) {
http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError) http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
} }
userToken, err := c.UserTokenGenerator(ctx, user) userToken := user
if c.EnableUserToken {
userToken, err = c.UserTokenGenerator(ctx, user)
if err != nil { if err != nil {
log.Printf("Cannot generate token for user %s due to %s", user, err) log.Printf("Cannot generate token for user %s due to %s", user, err)
http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError) http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
} }
}
// authenticated // authenticated
seed := make([]byte, 16) seed := make([]byte, 16)

1
config/configuration.go
View file

@ -49,6 +49,7 @@ type SecurityConfig struct {
UserTokenEncryptionKey string UserTokenEncryptionKey string
UserTokenSigningKey string UserTokenSigningKey string
VerifyClientIp bool VerifyClientIp bool
EnableUserToken bool
} }
type ClientConfig struct { type ClientConfig struct {

1
main.go
View file

@ -68,6 +68,7 @@ func main() {
OIDCTokenVerifier: verifier, OIDCTokenVerifier: verifier,
PAATokenGenerator: security.GeneratePAAToken, PAATokenGenerator: security.GeneratePAAToken,
UserTokenGenerator: security.GenerateUserToken, UserTokenGenerator: security.GenerateUserToken,
EnableUserToken: conf.Security.EnableUserToken,
SessionKey: []byte(conf.Server.SessionKey), SessionKey: []byte(conf.Server.SessionKey),
SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey), SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey),
Hosts: conf.Server.Hosts, Hosts: conf.Server.Hosts,