Merge pull request #75 from patrickhener/client-certificate-auth

implement ca certificate based authentication

README.md

@@ -1,4 +1,4 @@
-![Version](https://img.shields.io/badge/Version-v0.4.0-green)
+![Version](https://img.shields.io/badge/Version-v0.4.1-green)
 [![GitHub](https://img.shields.io/github/license/patrickhener/goshs)](https://github.com/patrickhener/goshs/blob/master/LICENSE)
 ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/patrickhener/goshs)
 [![GitHub issues](https://img.shields.io/github/issues-raw/patrickhener/goshs)](https://github.com/patrickhener/goshs/issues)
@@ -26,7 +26,9 @@ For a detailed documentation go to [goshs.de](https://goshs.de)
 * Delete files
   * Individually
   * Bulk delete
-* Basic Authentication
+* Authentication
+  * Basic Authentication
+  * Certificate Based Authentication via Client Certificate
 * Transport Layer Security (HTTPS)
   * self-signed
   * let's encrypt

httpserver/helper.go

@@ -1,7 +1,11 @@
 package httpserver
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"io/fs"
+	"net/http"
+	"os"
 	"strings"
 
 	"github.com/patrickhener/goshs/logger"
@@ -36,3 +40,16 @@ func (files *FileServer) PrintEmbeddedFiles() {
 	}
 
 }
+
+func (files *FileServer) AddCertAuth(server *http.Server) {
+	logger.Infof("Using certificate auth with ca certificate: %+v", files.CACert)
+	caCert, err := os.ReadFile(files.CACert)
+	if err != nil {
+		logger.Fatalf("error reading the ca certificate for cert based client authentication: %+v", err)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	server.TLSConfig.ClientCAs = caCertPool
+	server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+}

httpserver/server.go

@@ -104,6 +104,12 @@ func (fs *FileServer) Start(what string) {
 				logger.Fatalf("Unable to start SSL enabled server: %+v\n", err)
 			}
 			server.TLSConfig = serverTLSConf
+
+			// If client-cert auth add it to TLS Config of server
+			if fs.CACert != "" {
+				fs.AddCertAuth(&server)
+			}
+
 			fs.Fingerprint256 = fingerprint256
 			fs.Fingerprint1 = fingerprint1
 			fs.logStart(what)
@@ -162,6 +168,11 @@ func (fs *FileServer) Start(what string) {
 				MinVersion:   tls.VersionTLS12,
 			}
 
+			// If client-cert auth add it to TLS Config of server
+			if fs.CACert != "" {
+				fs.AddCertAuth(&server)
+			}
+
 			fs.Fingerprint256 = fingerprint256
 			fs.Fingerprint1 = fingerprint1
 			fs.logStart(what)

httpserver/structs.go

@@ -53,6 +53,7 @@ type FileServer struct {
 	MyP12          string
 	User           string
 	Pass           string
+	CACert         string
 	DropUser       string
 	Version        string
 	Fingerprint256 string

main.go

@@ -15,7 +15,7 @@ import (
 	"github.com/patrickhener/goshs/utils"
 )
 
-const goshsVersion = "v0.4.0"
+const goshsVersion = "v0.4.1"
 
 var (
 	port        = 8000
@@ -29,6 +29,7 @@ var (
 	myCert      = ""
 	myP12       = ""
 	basicAuth   = ""
+	certAuth    = ""
 	webdav      = false
 	webdavPort  = 8001
 	uploadOnly  = false
@@ -75,8 +76,9 @@ TLS options:
   -slt, --le-tls       Port to use for Let's Encrypt TLS ALPN Challenge (default: 443)
 
 Authentication options:
-  -b, --basic-auth    Use basic authentication (user:pass - user can be empty)
-  -H, --hash          Hash a password for file based ACLs
+  -b,  --basic-auth    Use basic authentication (user:pass - user can be empty)
+  -ca, --cert-auth     Use certificate based authentication - provide ca certificate
+  -H,  --hash          Hash a password for file based ACLs
 
 Misc options:
   -u  --user          Drop privs to user (unix only)          (default: current user)
@@ -121,6 +123,8 @@ func init() {
 	flag.StringVar(&myP12, "pkcs12", myP12, "server p12")
 	flag.StringVar(&basicAuth, "b", basicAuth, "basic auth")
 	flag.StringVar(&basicAuth, "basic-auth", basicAuth, "basic auth")
+	flag.StringVar(&certAuth, "ca", certAuth, "cert auth")
+	flag.StringVar(&certAuth, "cert-auth", certAuth, "cert auth")
 	flag.BoolVar(&webdav, "w", webdav, "enable webdav")
 	flag.BoolVar(&webdav, "webdav", webdav, "enable webdav")
 	flag.IntVar(&webdavPort, "wp", webdavPort, "webdav port")
@@ -191,7 +195,14 @@ func init() {
 
 	// Sanity check if cli mode is combined with auth and tls
 	if cli && (!ssl || basicAuth == "") {
-		logger.Fatal("With cli mode you need to enable basic auth and tls for security reasons.")
+		if cli && (!ssl || certAuth == "") {
+			logger.Fatal("With cli mode you need to enable basic/cert auth and tls for security reasons.")
+		}
+	}
+
+	// Sanity check if CA mode enabled you will also need TLS enabled in some way
+	if certAuth != "" && !ssl {
+		logger.Fatal("To use certificate based authentication with a CA cert you will need tls in any mode (-ss, -sk/-sc, -p12, -sl)")
 	}
 
 	if webdav {
@@ -258,6 +269,7 @@ func main() {
 		MyP12:       myP12,
 		User:        user,
 		Pass:        pass,
+		CACert:      certAuth,
 		DropUser:    dropuser,
 		UploadOnly:  uploadOnly,
 		ReadOnly:    readOnly,