Skip to content

Commit

Permalink
feat: Add support use own device authentication server
Browse files Browse the repository at this point in the history
Signed-off-by: Jianhui Zhao <[email protected]>
  • Loading branch information
zhaojh329 committed Dec 13, 2024
1 parent d17caa7 commit b341f16
Show file tree
Hide file tree
Showing 6 changed files with 67 additions and 6 deletions.
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,19 @@ Use token

$ rttys run -t 34762d07637276694b938d23f10d7164

### Use your own authentication server
If the device authentication URL is configured, when the device connecting,
rttys will initiate an authentication request to this URL, and the authentication
server will return whether the authentication has been passed.

Request data format:

{"devid":"test", "token":"34762d07637276694b938d23f10d7164"}

Authentication Server Response Format:

{"auth": true}

### mTLS
You can enable mTLS by specifying device CA storage (valid file) in config file or from CLI (variable ssl-cacert).
Device(s) without valid CA in storage will be disconnected in TLS handshake.
Expand Down
13 changes: 12 additions & 1 deletion README_ZH.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,18 @@ golang and node 20+ is required

使用 token

$rttys -t 34762d07637276694b938d23f10d7164
$ rttys -t 34762d07637276694b938d23f10d7164

### 使用自己的认证服务器
如果配置了设备认证 url, 设备连接时, rttys 会向此 url 发起认证请求, 认证服务器返回是否通过认证.

请求数据格式:

{"devid":"test", "token":"34762d07637276694b938d23f10d7164"}

认证服务器响应格式:

{"auth": true}

### SSL 双向认证(mTLS)
您可以在配置文件中指定设备 CA 存储(有效文件)或在 CLI 中指定设备 CA 存储(参数 ssl-cacert) 来启用 mTLS。
Expand Down
30 changes: 29 additions & 1 deletion broker.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ import (
"encoding/binary"
"fmt"
"io"
"net/http"
"strings"
"sync"
"sync/atomic"
"time"
Expand Down Expand Up @@ -62,6 +64,32 @@ func newBroker(cfg *config.Config) *broker {
}
}

func devAuth(cfg *config.Config, dev *device) bool {
if cfg.DevAuthUrl == "" {
return cfg.Token == "" || dev.token == cfg.Token
}

cli := &http.Client{
Timeout: 3 * time.Second,
}

data := fmt.Sprintf(`{"devid":"%s", "token":"%s"}`, dev.id, dev.token)
resp, err := cli.Post(cfg.DevAuthUrl, "application/json", strings.NewReader(data))
if err != nil {
log.Error().Msg("device auth fail:" + err.Error())
return false
}
defer resp.Body.Close()

body, err := io.ReadAll(resp.Body)
if err != nil {
log.Error().Msg("device auth fail:" + err.Error())
return false
}

return jsoniter.Get(body, "auth").ToBool()
}

func (br *broker) run() {
for {
select {
Expand All @@ -81,7 +109,7 @@ func (br *broker) run() {
log.Error().Msg("Device ID conflicting: " + devid)
msg = "ID conflicting"
err = 1
} else if br.cfg.Token != "" && dev.token != br.cfg.Token {
} else if !devAuth(br.cfg, dev) {
log.Error().Msg("Invalid token from terminal device")
msg = "Invalid token"
err = 1
Expand Down
11 changes: 7 additions & 4 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,16 @@ type Config struct {
AddrDev string
AddrUser string
AddrHttpProxy string
DisableSignUp bool
DisableSignUp bool
HttpProxyRedirURL string
HttpProxyPort int
SslCert string
SslKey string
SslCacert string // mTLS for device
WebUISslCert string
WebUISslKey string
WebUISslCert string
WebUISslKey string
Token string
DevAuthUrl string
WhiteList map[string]bool
DB string
LocalAuth bool
Expand Down Expand Up @@ -52,7 +53,7 @@ func Parse(c *cli.Context) *Config {
AddrDev: c.String("addr-dev"),
AddrUser: c.String("addr-user"),
AddrHttpProxy: c.String("addr-http-proxy"),
DisableSignUp: c.Bool("disable-sign-up"),
DisableSignUp: c.Bool("disable-sign-up"),
HttpProxyRedirURL: c.String("http-proxy-redir-url"),
SslCert: c.String("ssl-cert"),
SslKey: c.String("ssl-key"),
Expand All @@ -61,6 +62,7 @@ func Parse(c *cli.Context) *Config {
WebUISslCert: c.String("webui-ssl-cert"),
WebUISslKey: c.String("webui-ssl-key"),
Token: c.String("token"),
DevAuthUrl: c.String("dev-auth-url"),
DB: c.String("db"),
LocalAuth: c.Bool("local-auth"),
}
Expand Down Expand Up @@ -96,6 +98,7 @@ func Parse(c *cli.Context) *Config {
cfg.WebUISslKey = cfg.SslKey
}
getConfigOpt(yamlCfg, "token", &cfg.Token)
getConfigOpt(yamlCfg, "dev-auth-url", &cfg.DevAuthUrl)
getConfigOpt(yamlCfg, "db", &cfg.DB)
getConfigOpt(yamlCfg, "local-auth", &cfg.LocalAuth)
val, err := yamlCfg.Get("white-list")
Expand Down
5 changes: 5 additions & 0 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,11 @@ func main() {
Value: "",
Usage: "token to use",
},
&cli.StringFlag{
Name: "dev-auth-url",
Value: "",
Usage: "using device auth url instead of token",
},
&cli.StringFlag{
Name: "white-list",
Value: "",
Expand Down
1 change: 1 addition & 0 deletions rttys.conf
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
#webui-ssl-key: /etc/rttys/webui-rttys.key

#token: a1d4cdb1a3cd6a0e94aa3599afcddcf5
#dev-auth-url: http://127.0.0.1:8080/rttys-dev-auth

# No login required to connect device.
# Values can be device IDs separated by spaces,
Expand Down

0 comments on commit b341f16

Please sign in to comment.