feat(grocy): vouch reverse-proxy auth

2026-02-09 04:19:19 -08:00 · 2024-03-20 12:54:08 -07:00 · 2024-03-20 12:54:08 -07:00 · bae4f32eff
commit bae4f32eff
parent c27a8da537
7 changed files with 388 additions and 68 deletions
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@ -1,38 +1,55 @@
 {
+  pkgs,
  config,
  lib,
  ...
 }: let
  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
+  inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault mkOverride;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (lib.strings) toLower replaceStrings concatStringsSep;
  inherit (config) networking;
  inherit (config.services) vouch-proxy nginx tailscale;
  inherit (nginx) vouch;
+  mkAlmostOptionDefault = mkOverride 1250;
  locationModule = {config, virtualHost, ...}: {
    options.vouch = with lib.types; {
      requireAuth = mkEnableOption "require auth to access this location";
+      setProxyHeader = mkOption {
+        type = bool;
+        default = false;
+        description = "proxy_set_header X-Vouch-User";
+      };
    };
-    config = mkIf config.vouch.requireAuth {
-      proxied.xvars.enable = true;
+    config = let
+      enableVouchLocal = vouch.localSso.enable && config.local.enable;
+      enableVouchTail = enableVouchLocal && tailscale.enable;
+      allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};";
+    in mkIf config.vouch.requireAuth {
+      lua = mkIf virtualHost.vouch.auth.lua.enable {
+        access.block = mkMerge [
+          (mkBefore virtualHost.vouch.auth.lua.accessRequest)
+          (mkBefore virtualHost.vouch.auth.lua.accessVariables)
+          (mkBefore virtualHost.vouch.auth.lua.accessLogic)
+        ];
+      };
+      proxied.xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true;
      extraConfig = assert virtualHost.vouch.enable; mkMerge [
-        ''
-          add_header Access-Control-Allow-Origin ${vouch.url};
-          add_header Access-Control-Allow-Origin ${vouch.authUrl};
-        ''
-        (mkIf (vouch.localSso.enable && config.local.enable) ''
-          add_header Access-Control-Allow-Origin ${vouch.localUrl};
-        '')
-        (mkIf (vouch.localSso.enable && config.local.enable && tailscale.enable) ''
-          add_header Access-Control-Allow-Origin $x_scheme://${vouch.tailDomain};
-        '')
-        ''
+        (mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective)
+        (allowOrigin vouch.url)
+        (allowOrigin vouch.authUrl)
+        (mkIf enableVouchLocal (allowOrigin vouch.localUrl))
+        (mkIf enableVouchTail (allowOrigin "$x_scheme://${vouch.tailDomain}"))
+        (mkIf config.vouch.setProxyHeader ''
          proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
-        ''
+        '')
      ];
    };
  };
  hostModule = {config, ...}: let
    cfg = config.vouch;
+    mkHeaderVar = header: toLower (replaceStrings [ "-" ] [ "_" ] header);
+    mkUpstreamVar = header: "\$upstream_http_${mkHeaderVar header}";
  in {
    options = with lib.types; {
      locations = mkOption {
@ -43,57 +60,125 @@
        requireAuth = mkEnableOption "require auth to access this host" // {
          default = true;
        };
-        errorLocation = mkOption {
-          type = str;
-          default = "@error401";
-        };
-        authRequestLocation = mkOption {
-          type = str;
-          default = "/validate";
-        };
-        authRequestDirective = mkOption {
-          type = lines;
-          default = ''
-            auth_request ${cfg.authRequestLocation};
-          '';
+        auth = {
+          lua = {
+            enable = mkEnableOption "lua";
+            accessRequest = mkOption {
+              type = lines;
+              default = ''
+                ngx.ctx.auth_res = ngx.location.capture("${cfg.auth.requestLocation}")
+              '';
+            };
+            accessVariables = mkOption {
+              type = lines;
+            };
+            accessLogic = mkOption {
+              type = lines;
+            };
+          };
+          errorLocation = mkOption {
+            type = nullOr str;
+            default = "@error401";
+          };
+          requestLocation = mkOption {
+            type = str;
+            default = "/validate";
+          };
+          requestDirective = mkOption {
+            type = lines;
+            default = ''
+              auth_request ${cfg.auth.requestLocation};
+            '';
+          };
+          variables = mkOption {
+            type = attrsOf str;
+            default = {
+              auth_resp_x_vouch_user = "X-Vouch-User";
+              auth_resp_jwt = "X-Vouch-Token";
+              auth_resp_err = "X-Vouch-Error";
+              auth_resp_success = "X-Vouch-Success";
+              auth_resp_redirect = "X-Vouch-Requested-URI";
+            };
+          };
        };
      };
    };
    config = {
-      extraConfig = mkIf (cfg.enable && cfg.requireAuth) ''
-        ${cfg.authRequestDirective}
-        error_page 401 = ${cfg.errorLocation};
-      '';
+      vouch.auth = {
+        lua = {
+          accessLogic = mkOptionDefault (mkAfter ''
+            if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status == ngx.HTTP_UNAUTHORIZED then
+              local vouch_url = ngx.var["vouch_url"] or "${vouch.url}"
+              local query_args = ngx.encode_args {
+                url = string.format("%s://%s%s", ngx.var.x_scheme, ngx.var.x_forwarded_host, ngx.var.request_uri),
+                ["X-Vouch-Token"] = ngx.ctx.auth_res.header["X-Vouch-Token"] or "",
+                error = ngx.ctx.auth_res.header["X-Vouch-Error"] or "",
+                -- ["vouch-failcount"] is now a session variable and shouldn't be needed anymore
+              }
+
+              return ngx.redirect(string.format("%s/login?%s", vouch_url, query_args), ngx.HTTP_MOVED_TEMPORARILY)
+            end
+            if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status == ngx.HTTP_FORBIDDEN or ngx.ctx.auth_res.status == ngx.HTTP_UNAUTHORIZED then
+              return ngx.exit(ngx.ctx.auth_res.status)
+            end
+
+            if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status ~= ngx.HTTP_OK then
+              return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+            end
+          '');
+          accessVariables = mkMerge (mapAttrsToList (authVar: header: mkOptionDefault
+            ''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""''
+          ) cfg.auth.variables);
+        };
+        errorLocation = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault null);
+        requestDirective = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault "");
+      };
+      lua = mkIf (cfg.requireAuth && cfg.auth.lua.enable) {
+        access.block = mkMerge [
+          (mkBefore cfg.auth.lua.accessRequest)
+          (mkBefore cfg.auth.lua.accessVariables)
+          (mkBefore cfg.auth.lua.accessLogic)
+        ];
+      };
+      extraConfig = let
+        localVouchUrl = ''
+          if ($x_forwarded_host ~ "\.local\.${networking.domain}$") {
+            set $vouch_url ${vouch.localUrl};
+          }
+        '';
+        tailVouchUrl = ''
+          if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
+            set $vouch_url $x_scheme://${vouch.tailDomain};
+          }
+        '';
+        setVouchUrl = [
+          (mkBefore ''
+            set $vouch_url ${vouch.url};
+          '')
+          (mkIf (vouch.localSso.enable && config.local.enable or false) localVouchUrl)
+          (mkIf (vouch.localSso.enable && config.local.enable or false && tailscale.enable) tailVouchUrl)
+        ];
+      in mkIf cfg.enable (mkMerge (
+        [
+          (mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective))
+          (mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};")
+        ] ++ setVouchUrl
+        ++ mapAttrsToList (authVar: header: mkIf (!cfg.auth.lua.enable) (
+          mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};"
+        )) cfg.auth.variables
+      ));
+      proxied.xvars.enable = mkIf cfg.enable true;
      locations = mkIf cfg.enable {
        "/" = mkIf cfg.requireAuth {
-          vouch.requireAuth = true;
+          vouch.requireAuth = mkAlmostOptionDefault true;
        };
-        ${cfg.errorLocation} = {
+        ${cfg.auth.errorLocation} = mkIf (cfg.auth.errorLocation != null) {
          proxied.xvars.enable = true;
-          extraConfig = let
-            localVouchUrl = ''
-              if ($x_forwarded_host ~ "\.local\.${networking.domain}$") {
-                set $vouch_url ${vouch.localUrl};
-              }
-            '';
-            tailVouchUrl = ''
-              if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
-                set $vouch_url $x_scheme://${vouch.tailDomain};
-              }
-            '';
-          in
-            mkMerge [
-              (mkBefore ''
-                set $vouch_url ${vouch.url};
-              '')
-              (mkIf (vouch.localSso.enable && config.local.enable or false) localVouchUrl)
-              (mkIf (vouch.localSso.enable && config.local.enable or false && tailscale.enable) tailVouchUrl)
-              ''
-                return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
-              ''
-            ];
+          extraConfig = ''
+            return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+          '';
        };
-        ${cfg.authRequestLocation} = {
+        ${cfg.auth.requestLocation} = {
          proxyPass = "${vouch.proxyOrigin}/validate";
          proxy.headers.enableRecommended = true;
          extraConfig = let
@ -105,10 +190,6 @@
            set $x_proxy_host ${vouchProxyHost};
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
-            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
-            auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
-            auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
-            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
          '';
        };
      };
@ -157,7 +238,7 @@ in {
    vouch = mkMerge [
      {
        proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (
-          mkDefault "http://login.tail.${networking.domain}"
+          mkAlmostOptionDefault "http://login.tail.${networking.domain}"
        );
      }
      (mkIf vouch-proxy.enable {
@ -168,10 +249,10 @@ in {
            then "localhost"
            else listen;
        in
-          mkDefault "http://${host}:${toString port}";
-        authUrl = mkDefault vouch-proxy.authUrl;
-        url = mkDefault vouch-proxy.url;
-        doubleProxy = mkDefault false;
+          mkAlmostOptionDefault "http://${host}:${toString port}";
+        authUrl = mkAlmostOptionDefault vouch-proxy.authUrl;
+        url = mkAlmostOptionDefault vouch-proxy.url;
+        doubleProxy = mkAlmostOptionDefault false;
      })
    ];
  };