basic auth working for orga membership and github users. jwt token implemented. token expires after 4hours

Author: offboarded-x233534

README.md

@@ -88,9 +88,16 @@ cd github-pages-basic-auth-proxy
 sudo python3 setup.py install
 ```
 
-run in background on Port 8881
+Run Proxy
+
+  * proxy that allows only members of the organization to access page: (owner must be an GitHub Organization)
 
 ```
-cs-gh-proxy -e wsgi -u csgruenebe -gh https://comsysto.github.io/github-pages-basic-auth-proxy/086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3/ &
+$> cs-gh-proxy -e wsgi -p 8881 --authType onlyGitHubOrgUsers --owner comsysto --repository github-pages-basic-auth-proxy --obfuscator 086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3
 ```
 
+  * proxy that allows all GitHub Users to access page: (owner can be GitHub Organization or normal user)
+
+```
+$> cs-gh-proxy -e wsgi -p 8881 --authType allGitHubUsers --owner comsysto --repository github-pages-basic-auth-proxy --obfuscator 086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3
+```

cs_proxy/proxy.py

@@ -1,10 +1,21 @@
 import sys, os
 from bottle import route, request, response, run, hook, abort, redirect, error, install, auth_basic
 import simplejson as json
+import random
 import logging
 import datetime
 import requests
+from requests.auth import HTTPBasicAuth
+from jose import jwt
+from jose.exceptions import JWSError
+import datetime
 
+#
+# global vars
+#
+owner = 0
+auth_type = 0
+jwt_secret = "%032x" % random.getrandbits(128)
 
 #
 # HELPERS
@@ -13,11 +24,52 @@ def return_json(object, response):
     response.set_header('Content-Type', 'application/json')
     return json.dumps(object)
 
+def create_jwt_token():
+    return jwt.encode({'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=4)}, jwt_secret, algorithm='HS256')
+
+
+def valid_jwt_token(token):
+    try:
+        res = jwt.decode(token, jwt_secret, algorithms=['HS256'])
+        print (res)
+        return True
+    except JWSError:
+        return False
+
 def check_pass(username, password):
+    # FIXME: REMOVE ME IN PRODUCTION (JUST FOR DEMO)
     if username == 'bob' and password == '5678':
         return True
+    #
+    # First check if already valid JWT Token in Cookie
+    #
+    auth_cookie = request.get_cookie("cs-proxy-auth")
+    if auth_cookie and valid_jwt_token(auth_cookie):
+        print ('PROXY-AUTH: found valid JWT Token in cookie')
+        return True
+
+    #
+    # GitHub Basic Auth - also working with username + personal_access_token
+    #
+    print ('PROXY-AUTH: doing github basic auth - authType: {0}, owner: {1}'.format(auth_type, owner))
+    basic_auth = HTTPBasicAuth(username, password)
+    auth_response = requests.get('https://api.github.com/user', auth=basic_auth)
+    if auth_response.status_code == 200:
+        if auth_type == 'onlyGitHubOrgUsers':
+            print ('PROXY-AUTH: doing org membership request')
+            org_membership_response = requests.get('https://api.github.com/user/orgs', auth=basic_auth)
+            if org_membership_response.status_code == 200:
+                for org in org_membership_response.json():
+                    if org['login'] == owner:
+                        response.set_cookie("cs-proxy-auth", create_jwt_token())
+                        return True
+                return False
+        else:
+            response.set_cookie("cs-proxy-auth", create_jwt_token())
+            return True
     return False
 
+
 def normalize_proxy_url(url):
     print ('URL:')
     print (url)
@@ -57,23 +109,28 @@ def error500(error):
     def hello():
         return 'ok'
 
+    #
+    # make args available in auth callback
+    #
+    global owner, auth_type
+    owner = args.owner
+    auth_type = args.authType
 
     @route('/<url:re:.+>')
     @auth_basic(check_pass)
     def proxy_trough(url):
-        return proxy_trough_helper('{0}{1}'.format(args.githubPagesUrl, normalize_proxy_url(url)))
+        return proxy_trough_helper('https://{0}.github.io/{1}/{2}/{3}'.format(args.owner, args.repository, args.obfuscator, normalize_proxy_url(url)))
 
     @route('/')
     @auth_basic(check_pass)
     def proxy_trough_root_page():
-        return proxy_trough_helper('{0}{1}'.format(args.githubPagesUrl, '/index.html'))
-
+        return proxy_trough_helper('https://{0}.github.io/{1}/{2}/{3}'.format(args.owner, args.repository, args.obfuscator, '/index.html'))
 
     #
     # RUN BY ENVIRONMENT
     #
     if args.environment == 'wsgi':
-        run(host='localhost', port=8881, debug=True)
+        run(host='localhost', port=args.port, debug=True)
     else:
         run(server='cgi')
 

cs_proxy/run_proxy.py

@@ -12,14 +12,21 @@ def main():
     parser = argparse.ArgumentParser(description='comSysto GitHub Pages Auth Basic Proxy')
 
     parser.add_argument("-e", "--environment", help='Which environment.', choices=['cgi', 'wsgi'])
-    parser.add_argument("-gh", "--githubPagesUrl", help='baseUrl to gh-pages page e.g. https://foo.github.io/repo/2323/')
-    parser.add_argument("-u", "--allowedUsers", help='allowed usernames.')
+    parser.add_argument("-gho", "--owner", help='the owner of the repository. Either organizationname or username.')
+    parser.add_argument("-ghr", "--repository", help='the repository name.')
+    parser.add_argument("-obf", "--obfuscator", help='the subfolder-name in gh-pages branch used as obfuscator')
+    parser.add_argument("-p", "--port", help='the port to run proxy e.g. 8881')
+    parser.add_argument("-a", "--authType", help='how should users auth.', choices=['allGitHubUsers', 'onlyGitHubOrgUsers'] )
+
 
     args = parser.parse_args()
     if not args.environment:
         print ('USAGE')
-        print ('    proxy:')
-        print ('      $> cs-gh-proxy -e wsgi -u csgruenebe -gh https://comsysto.github.io/github-pages-basic-auth-proxy/086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3/ ')
+        print ('    proxy that allows only members of the organization to access page: (owner must be an GitHub Organization)')
+        print ('      $> cs-gh-proxy -e wsgi -p 8881 --authType onlyGitHubOrgUsers --owner comsysto --repository github-pages-basic-auth-proxy --obfuscator 086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3')
+        print ('')
+        print ('    proxy that allows all GitHub Users to access page: (owner can be GitHub Organization or normal user)')
+        print ('      $> cs-gh-proxy -e wsgi -p 8881 --authType allGitHubUsers --owner comsysto --repository github-pages-basic-auth-proxy --obfuscator 086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3')
         print ('')
 
         sys.exit(1)

setup.py

@@ -16,7 +16,8 @@
           'validators',
           'colorama',
           'bottle',
-          'simplejson'
+          'simplejson',
+          'python-jose'
       ],
       zip_safe=False,
       entry_points = {