initial

2024-05-27 00:29:36 -04:00 · 2024-05-27 00:29:36 -04:00 · cb9d1193c3
commit cb9d1193c3
15 changed files with 394 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+data
--- a/build/nginx/Dockerfile
+++ b/build/nginx/Dockerfile
@ -0,0 +1,21 @@
+FROM alpine:3.19
+
+# install packages
+RUN apk add --no-cache nginx shadow tini
+RUN rm -fr /var/cache/apk/*
+
+# update nginx user
+RUN groupmod --gid 1000 nginx
+RUN usermod --uid 1000 nginx
+
+# remove build packages
+RUN apk del shadow
+
+# make log syms
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+	ln -sf /dev/stderr /var/log/nginx/error.log
+
+# do the
+USER nginx
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf"]
--- a/build/php/Dockerfile
+++ b/build/php/Dockerfile
@ -0,0 +1,16 @@
+FROM php:fpm-alpine
+
+# install packages
+RUN apk add --no-cache runuser shadow openldap-dev
+RUN rm -fr /var/cache/apk/*
+
+# update php user
+RUN groupmod --gid 1000 www-data
+RUN usermod --uid 1000 www-data
+
+# install php packages
+RUN docker-php-ext-install ldap
+
+# remove build packages
+RUN apk del shadow
+USER www-data
--- a/conf/ldap/ldap.env
+++ b/conf/ldap/ldap.env
@ -0,0 +1,9 @@
+
+LDAP_URL=
+LDAP_BIND_DN=
+LDAP_BIND_PASSWORD=
+LDAP_BASE_DN=
+LDAP_FILTER="(&)"
+LDAP_UID="cn"
+
+HTTP_HOST=auth.example.com
--- a/conf/nginx/nginx.conf
+++ b/conf/nginx/nginx.conf
@ -0,0 +1,50 @@
+worker_processes 4;
+daemon off;
+pid	/tmp/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include					mime.types;
+	default_type			application/octet-stream;
+	sendfile				on;
+	keepalive_timeout		70;
+	server_tokens			off;
+	client_max_body_size	2m;
+
+	access_log /var/log/nginx/access.log;
+
+	server {
+		listen 8080;
+		root /opt/website;
+
+		gzip on;
+		gzip_vary on;
+		gzip_proxied any;
+		gzip_comp_level 6;
+		gzip_buffers 16 8k;
+		gzip_http_version 1.1;
+		gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
+
+		location /favicon.ico {
+			add_header Cache-Control "public, max-age=31536000, immutable";
+			root /opt/website/public/icons;
+		}
+
+		location /public {
+			add_header Cache-Control "public, max-age=31536000, immutable";
+			try_files $uri =404;
+		}
+
+		location / {
+			add_header Content-Security-Policy "script-src 'none'; object-src 'none'; base-uri 'none'";
+			root /opt/website/web;
+			include fastcgi_params;
+			fastcgi_pass php:9000;
+			fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+		}
+	}
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,21 @@
+services:
+
+  web:
+    build: ./build/nginx
+    restart: unless-stopped
+    ports:
+     - '80:8080'
+    volumes:
+      - ./src:/opt/website:ro
+      - ./conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+    depends_on:
+      - php
+
+  php:
+    build: ./build/php
+    restart: unless-stopped
+    env_file:
+      - ./conf/ldap/ldap.env
+    volumes:
+      - ./src:/opt/website:ro
+      - ./data/session:/var/lib/php/session
--- a/src/public/bg.jpg
+++ b/src/public/bg.jpg
--- a/src/public/main.css
+++ b/src/public/main.css
@ -0,0 +1,70 @@
+
+:root {
+	--blue: rgb(0, 102, 204);
+}
+
+* {
+	box-sizing: border-box;
+}
+
+html, body {
+	height: 100%;
+	padding: 0;
+	margin: 0;
+}
+
+body {
+	display: flex;
+	justify-content: center;
+	background: #898989;
+	background-image: url('./bg.jpg');
+	background-size: 100%;
+	background-position: 50% 50%;
+	color: #fff;
+	font-family: "Open Sans", Helvetica, Arial, sans-serif;
+	font-weight: 100;
+	font-size: 12px;
+}
+
+main {
+	margin-top: 20vh;
+	height: fit-content;
+	width: 400px;
+	background: #fff;
+	color: #000;
+}
+
+main .heading {
+	border-top: 5px solid var(--blue);
+	font-size: 1.5rem;
+	text-align: center;
+	padding: 10px;
+}
+
+main .content {
+	padding: 10px;
+}
+
+main .content, form {
+	display: flex;
+	flex-direction: column;
+}
+
+main label,
+main #submit {
+	margin-top: 10px;
+}
+
+main input {
+	border: 1px solid #ddd;
+	outline: none;
+	padding: 7px;
+	font-size: 14px;
+	border-bottom-color: black;
+}
+
+main #submit {
+	background: var(--blue);
+	color: white;
+	cursor: pointer;
+}
--- a/src/web/helpers/auth.php
+++ b/src/web/helpers/auth.php
@ -0,0 +1,59 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+$keys = array();
+
+function load_key($key) {
+	$file = "/tmp/$key";
+	if (!file_exists($file))
+		return FALSE;
+	$content = explode("\n", file_get_contents($file));
+	return array(
+		'user' => $content[0],
+		'time' => $content[1]
+	);
+}
+
+function store_key($key, $user) {
+	$file = "/tmp/$key";
+	$now = (string)time();
+	$content = "$user\n{$now}";
+	file_put_contents($file, $content, LOCK_EX);
+}
+
+function get_random($n)
+{
+    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    $randomString = '';
+
+    for ($i = 0; $i < $n; $i++) {
+        $index = rand(0, strlen($characters) - 1);
+        $randomString .= $characters[$index];
+    }
+
+    return $randomString;
+}
+
+function key_auth() {
+	if (!isset($_SESSION['auth'])) {
+		return FALSE;
+	}
+	$key = $_SESSION['auth'];
+	$data = load_key($key);
+	if ($data === FALSE) {
+		return FALSE;
+	}
+	$user = $data['user'];
+	$time = $data['time'];
+	$now = time();
+	if ($time > $now || $now - $time > 60 * 60 * 24) {
+		return FALSE;
+	}
+	store_key($key, $user);
+	return  $user;
+}
+
+function key_new($user) {
+	$key = get_random(128);
+	store_key($key, $user);
+	$_SESSION['auth'] = $key;
+}
--- a/src/web/helpers/ldap.php
+++ b/src/web/helpers/ldap.php
@ -0,0 +1,41 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+function ldap_auth($auth_username, $auth_password) {
+	$url = getenv("LDAP_URL");
+	$bind = getenv("LDAP_BIND_DN");
+	$password = getenv("LDAP_BIND_PASSWORD");
+	$bound = getenv("LDAP_BASE_DN");
+	$filter = getenv("LDAP_FILTER");
+	$uid = getenv("LDAP_UID");
+
+	$conn = @ldap_connect($url);
+	if (!$conn) {
+		return NULL;
+	}
+	ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+	$bind_conn = @ldap_bind($conn, $bind, $password);
+	if (!$bind_conn) {
+		return NULL;
+	}
+
+	$search = @ldap_search($conn, $bound, $filter);
+
+	$info = @ldap_get_entries($conn, $search);
+	$user = NULL;
+	for ($i=0; $i<$info['count']; $i++) {
+		$user = $info[$i];
+		if (!array_key_exists($uid, $user))
+			continue;
+		if ($user[$uid][0] == $auth_username)
+			break;
+	}
+
+	if ($user == NULL) {
+		return FALSE;
+	}
+
+	$succ = @ldap_bind($conn, $user['dn'], $auth_password);
+	return !!$succ;
+}
+
--- a/src/web/index.php
+++ b/src/web/index.php
@ -0,0 +1,66 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+ini_set('html_errors', '1');
+
+$webroot = dirname(__FILE__);
+$publicroot = realpath(dirname(__FILE__) . '/../public');
+
+// load stuff
+require($webroot . '/helpers/ldap.php');
+require($webroot . '/helpers/auth.php');
+
+// start session
+session_set_cookie_params(
+	60 * 60 * 24, // lifetime (seconds),
+	'/', // path
+	NULL, // domain,
+	TRUE, // secure,
+	TRUE // http only
+);
+session_start();
+
+function page($file,  $data = array()) {
+	extract($data);
+	$webroot = $GLOBALS['webroot'];
+	require($webroot . '/views/header.php');
+	require($webroot . "/views/$file.php");
+	require($webroot . '/views/footer.php');
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+	parse_str(file_get_contents('php://input'), $post);
+	$res = ldap_auth($post['username'], $post['password']);
+	$msg = '';
+	$title = '';
+	if ($res) {
+		$msg = 'Authenticated. You can now go back to your content';
+		$title = 'Success';
+		key_new($post['username']);
+	} else {
+		$msg = 'Invalid Credentials';
+		$title = 'Error';
+	}
+	page('message', array(
+		'title' => $title,
+		'msg' => $msg
+	));
+} else {
+	if (($user = key_auth())) {
+		http_response_code(200);
+		header("X-Webauth-User: $user");
+		die();
+	}
+
+	$host = $_SERVER['HTTP_HOST'];
+	$env = getenv("HTTP_HOST");
+	if ($host != $env) {
+		// we are being forwarded authed
+		// redirect
+		http_response_code(301);
+		header("Location: https://$env");
+	} else {
+		page('login', array(
+			'title' => 'Login'
+		));
+	}
+}
--- a/src/web/views/footer.php
+++ b/src/web/views/footer.php
@ -0,0 +1,4 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+		</main>
+	</body>
+</html>
--- a/src/web/views/header.php
+++ b/src/web/views/header.php
@ -0,0 +1,13 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<link href="//fonts.googleapis.com/css?family=Open+Sans:300,400,600,700&amp;subset=latin" rel="stylesheet">
+		<link rel="stylesheet" href="/public/main.css">
+	</head>
+	<body>
+		<main id="main" role="main">
+			<div class="heading">
+				<span><?=$title?></span>
+			</div>
+			<div class="content">
--- a/src/web/views/login.php
+++ b/src/web/views/login.php
@ -0,0 +1,22 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+<form method="post">
+<label for="username">Username</label>
+<input
+	type="text"
+	id="username"
+	name="username"
+	autofocus="true"
+>
+<label fot="password">Password</label>
+<input
+	type="password"
+	id="password"
+	name="password"
+>
+<input
+	type="submit"
+	role="button"
+	id="submit"
+	value="Sign In"
+>
+<form>
--- a/src/web/views/message.php
+++ b/src/web/views/message.php
@ -0,0 +1 @@
+<center><?=$msg?></center>