cmd/nginx-auth: ability to check application capabilities

A header `Expected-Cap` can now be passed which can be used to assert that `WhoIsResponse.Caps` contains the provided capability. This allows for ACL rules to define capabilities that can be checked here in cmd/nginx-auth, meaning that ACLs can be used to control access to various web services at Layer 7. Signed-off-by: Jamie Greeff <jamie@greeff.me>
2022-08-31 12:40:10 +01:00 · 2022-08-31 12:40:10 +01:00 · 932d1d28e8
parent 70ed22ccf9
commit 932d1d28e8
1 changed files with 15 additions and 0 deletions
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@ -21,6 +21,7 @@ import (
 	"os"
 	"strings"

+	"golang.org/x/exp/slices"
 	"github.com/coreos/go-systemd/activation"
 	"tailscale.com/client/tailscale"
 )
@ -89,6 +90,20 @@ func main() {
 			return
 		}

+		if expectedCap := r.Header.Get("Expected-Cap"); expectedCap != "" {
+			if info.Caps == nil {
+				w.WriteHeader(http.StatusForbidden)
+				log.Printf("user does not have any caps, wanted: %s", url.QueryEscape(expectedCap))
+				return
+			}
+
+			if !slices.Contains(info.Caps, expectedCap) {
+				w.WriteHeader(http.StatusForbidden)
+				log.Printf("user is missing expected cap, has: %s, wanted: %s", strings.Join(info.Caps[:], ","), url.QueryEscape(expectedCap))
+				return
+			}
+		}
+
 		h := w.Header()
 		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
 		h.Set("Tailscale-User", info.UserProfile.LoginName)