Merge pull request #75 from patrickhener/client-certificate-auth
implement CA certificate based authentication
patrickhener authored Jul 11, 2024
2 parents 4724363 + 89f3801 commit 25ac43d
Showing 5 changed files with 49 additions and 6 deletions.
6 changes: 4 additions & 2 deletions README.md
@@ -1,4 +1,4 @@
![Version](https://img.shields.io/badge/Version-v0.4.0-green)
![Version](https://img.shields.io/badge/Version-v0.4.1-green)
[![GitHub](https://img.shields.io/github/license/patrickhener/goshs)](https://github.com/patrickhener/goshs/blob/master/LICENSE)
![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/patrickhener/goshs)
[![GitHub issues](https://img.shields.io/github/issues-raw/patrickhener/goshs)](https://github.com/patrickhener/goshs/issues)
Expand Down Expand Up @@ -26,7 +26,9 @@ For a detailed documentation go to [goshs.de](https://goshs.de)
* Delete files
* Individually
* Bulk delete
* Basic Authentication
* Authentication
* Basic Authentication
* Certificate Based Authentication via Client Certificate
* Transport Layer Security (HTTPS)
* self-signed
* let's encrypt
17 changes: 17 additions & 0 deletions httpserver/helper.go
@@ -1,7 +1,11 @@
package httpserver

import (
"crypto/tls"
"crypto/x509"
"io/fs"
"net/http"
"os"
"strings"

"github.com/patrickhener/goshs/logger"
Expand Down Expand Up @@ -36,3 +40,16 @@ func (files *FileServer) PrintEmbeddedFiles() {
}

}

func (files *FileServer) AddCertAuth(server *http.Server) {
logger.Infof("Using certificate auth with ca certificate: %+v", files.CACert)
caCert, err := os.ReadFile(files.CACert)
if err != nil {
logger.Fatalf("error reading the ca certificate for cert based client authentication: %+v", err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

server.TLSConfig.ClientCAs = caCertPool
server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
}
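Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a CA file that reads fine but contains no parseable PEM certificate leaves the pool empty and the server, with `tls.RequireAndVerifyClientCert`, silently rejects every client; failing loudly matches the Fatalf already used for the read error: `if !caCertPool.AppendCertsFromPEM(caCert) { logger.Fatalf("no valid CA certificate found in %q", files.CACert) }`. The method also writes into `server.TLSConfig` without a nil check; both call sites in server.go appear to assign a config first, but the precondition is only implicit. As an exported method it should carry a doc comment, e.g. `// AddCertAuth configures server.TLSConfig to require and verify client certificates against the CA bundle at files.CACert; TLSConfig must already be set.` In the log line, `%q` instead of `%+v` would show an empty or whitespace-only path unambiguously.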
11 changes: 11 additions & 0 deletions httpserver/server.go
Expand Up @@ -104,6 +104,12 @@ func (fs *FileServer) Start(what string) {
logger.Fatalf("Unable to start SSL enabled server: %+v\n", err)
}
server.TLSConfig = serverTLSConf

// If client-cert auth add it to TLS Config of server
if fs.CACert != "" {
fs.AddCertAuth(&server)
}

fs.Fingerprint256 = fingerprint256
fs.Fingerprint1 = fingerprint1
fs.logStart(what)
Expand Down Expand Up @@ -162,6 +168,11 @@ func (fs *FileServer) Start(what string) {
MinVersion: tls.VersionTLS12,
}

// If client-cert auth add it to TLS Config of server
if fs.CACert != "" {
fs.AddCertAuth(&server)
}

fs.Fingerprint256 = fingerprint256
fs.Fingerprint1 = fingerprint1
fs.logStart(what)
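Review bot: The identical `if fs.CACert != "" { fs.AddCertAuth(&server) }` block is inserted in both hunks of Start, each right after a TLS branch assigns `server.TLSConfig`; placing it once, below whatever selects the TLS mode, would keep the two paths from drifting apart. Only these two TLS paths are visible here, while main.go's help text lists four TLS modes (-ss, -sk/-sc, -p12, -sl) and its new sanity check accepts a CA cert with any of them; if another path builds its own tls.Config and is not shown in this diff, a user combining -ca with it would get a server that starts without client verification, so that path should either call AddCertAuth as well or be rejected up front in main.go. Start begins and ends outside both hunks.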
1 change: 1 addition & 0 deletions httpserver/structs.go
Expand Up @@ -53,6 +53,7 @@ type FileServer struct {
MyP12 string
User string
Pass string
CACert string
DropUser string
Version string
Fingerprint256 string
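Review bot: The new `CACert` field has no comment, and nothing on the struct says that an empty value disables client-certificate auth, which is the convention server.go relies on; `// CACert is the path to a PEM CA bundle used to verify client certificates; empty disables client-cert auth.` would document it. The FileServer struct begins and ends outside the hunk.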
20 changes: 16 additions & 4 deletions main.go
Expand Up @@ -15,7 +15,7 @@ import (
"github.com/patrickhener/goshs/utils"
)

const goshsVersion = "v0.4.0"
const goshsVersion = "v0.4.1"

var (
port = 8000
Expand All @@ -29,6 +29,7 @@ var (
myCert = ""
myP12 = ""
basicAuth = ""
certAuth = ""
webdav = false
webdavPort = 8001
uploadOnly = false
Expand Down Expand Up @@ -75,8 +76,9 @@ TLS options:
-slt, --le-tls Port to use for Let's Encrypt TLS ALPN Challenge (default: 443)
Authentication options:
-b, --basic-auth Use basic authentication (user:pass - user can be empty)
-H, --hash Hash a password for file based ACLs
-b, --basic-auth Use basic authentication (user:pass - user can be empty)
-ca, --cert-auth Use certificate based authentication - provide ca certificate
-H, --hash Hash a password for file based ACLs
Misc options:
-u --user Drop privs to user (unix only) (default: current user)
Expand Down Expand Up @@ -121,6 +123,8 @@ func init() {
flag.StringVar(&myP12, "pkcs12", myP12, "server p12")
flag.StringVar(&basicAuth, "b", basicAuth, "basic auth")
flag.StringVar(&basicAuth, "basic-auth", basicAuth, "basic auth")
flag.StringVar(&certAuth, "ca", certAuth, "cert auth")
flag.StringVar(&certAuth, "cert-auth", certAuth, "cert auth")
flag.BoolVar(&webdav, "w", webdav, "enable webdav")
flag.BoolVar(&webdav, "webdav", webdav, "enable webdav")
flag.IntVar(&webdavPort, "wp", webdavPort, "webdav port")
Expand Down Expand Up @@ -191,7 +195,14 @@ func init() {

// Sanity check if cli mode is combined with auth and tls
if cli && (!ssl || basicAuth == "") {
logger.Fatal("With cli mode you need to enable basic auth and tls for security reasons.")
if cli && (!ssl || certAuth == "") {
logger.Fatal("With cli mode you need to enable basic/cert auth and tls for security reasons.")
}
}

// Sanity check if CA mode enabled you will also need TLS enabled in some way
if certAuth != "" && !ssl {
logger.Fatal("To use certificate based authentication with a CA cert you will need tls in any mode (-ss, -sk/-sc, -p12, -sl)")
}

if webdav {
Expand Down Expand Up @@ -258,6 +269,7 @@ func main() {
MyP12: myP12,
User: user,
Pass: pass,
CACert: certAuth,
DropUser: dropuser,
UploadOnly: uploadOnly,
ReadOnly: readOnly,
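Review bot: The new nested check `if cli && (!ssl || certAuth == "")` placed inside the existing `if cli && (!ssl || basicAuth == "")` is hard to read: the inner `cli &&` is always true at that point, and the reader has to work out that the combination only fails when TLS is off or both auth options are empty. A single condition states the intent directly, `if cli && (!ssl || (basicAuth == "" && certAuth == "")) {` followed by the existing Fatal, dropping the extra closing brace. The help text and the sanity checks treat basic and cert auth as alternatives, but nothing here says what happens when both are given; if both are accepted, a one-line comment near the check stating that they stack (basic auth on top of the client-certificate requirement) would remove the ambiguity. The enclosing init starts before the hunk and continues after it.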