mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-20 22:52:58 -05:00
Add htpasswd support for basic auth
If the password arg starts with htpasswd=, then the rest is treated as the file name of the htpasswd file, and used for md5 and sha1 hashes.
This commit is contained in:
parent
d79d2611ca
commit
392f1d70eb
4 changed files with 178 additions and 23 deletions
|
@ -1,6 +1,8 @@
|
||||||
package setup
|
package setup
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/mholt/caddy/middleware"
|
"github.com/mholt/caddy/middleware"
|
||||||
"github.com/mholt/caddy/middleware/basicauth"
|
"github.com/mholt/caddy/middleware/basicauth"
|
||||||
)
|
)
|
||||||
|
@ -23,6 +25,7 @@ func BasicAuth(c *Controller) (middleware.Middleware, error) {
|
||||||
func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
|
func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
|
||||||
var rules []basicauth.Rule
|
var rules []basicauth.Rule
|
||||||
|
|
||||||
|
var err error
|
||||||
for c.Next() {
|
for c.Next() {
|
||||||
var rule basicauth.Rule
|
var rule basicauth.Rule
|
||||||
|
|
||||||
|
@ -31,7 +34,10 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
|
||||||
switch len(args) {
|
switch len(args) {
|
||||||
case 2:
|
case 2:
|
||||||
rule.Username = args[0]
|
rule.Username = args[0]
|
||||||
rule.Password = args[1]
|
if rule.Password, err = passwordMatcher(rule.Username, args[1]); err != nil {
|
||||||
|
return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
|
||||||
|
}
|
||||||
|
|
||||||
for c.NextBlock() {
|
for c.NextBlock() {
|
||||||
rule.Resources = append(rule.Resources, c.Val())
|
rule.Resources = append(rule.Resources, c.Val())
|
||||||
if c.NextArg() {
|
if c.NextArg() {
|
||||||
|
@ -41,7 +47,9 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
|
||||||
case 3:
|
case 3:
|
||||||
rule.Resources = append(rule.Resources, args[0])
|
rule.Resources = append(rule.Resources, args[0])
|
||||||
rule.Username = args[1]
|
rule.Username = args[1]
|
||||||
rule.Password = args[2]
|
if rule.Password, err = passwordMatcher(rule.Username, args[2]); err != nil {
|
||||||
|
return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
|
||||||
|
}
|
||||||
default:
|
default:
|
||||||
return rules, c.ArgErr()
|
return rules, c.ArgErr()
|
||||||
}
|
}
|
||||||
|
@ -51,3 +59,11 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
|
||||||
|
|
||||||
return rules, nil
|
return rules, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func passwordMatcher(username, passw string) (basicauth.PasswordMatcher, error) {
|
||||||
|
if !strings.HasPrefix(passw, "htpasswd=") {
|
||||||
|
return basicauth.PlainMatcher(passw), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return basicauth.GetHtpasswdMatcher(passw[9:], username)
|
||||||
|
}
|
||||||
|
|
|
@ -2,6 +2,9 @@ package setup
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/mholt/caddy/middleware/basicauth"
|
"github.com/mholt/caddy/middleware/basicauth"
|
||||||
|
@ -30,35 +33,57 @@ func TestBasicAuth(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBasicAuthParse(t *testing.T) {
|
func TestBasicAuthParse(t *testing.T) {
|
||||||
|
htpasswdPasswd := "IedFOuGmTpT8"
|
||||||
|
htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
|
||||||
|
md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
|
||||||
|
|
||||||
|
var skipHtpassword bool
|
||||||
|
htfh, err := ioutil.TempFile("", "basicauth-")
|
||||||
|
if err != nil {
|
||||||
|
t.Logf("Error creating temp file (%v), will skip htpassword test")
|
||||||
|
skipHtpassword = true
|
||||||
|
} else {
|
||||||
|
if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
|
||||||
|
t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
|
||||||
|
}
|
||||||
|
htfh.Close()
|
||||||
|
defer os.Remove(htfh.Name())
|
||||||
|
}
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
input string
|
input string
|
||||||
shouldErr bool
|
shouldErr bool
|
||||||
|
password string
|
||||||
expected []basicauth.Rule
|
expected []basicauth.Rule
|
||||||
}{
|
}{
|
||||||
{`basicauth user pwd`, false, []basicauth.Rule{
|
{`basicauth user pwd`, false, "pwd", []basicauth.Rule{
|
||||||
{Username: "user", Password: "pwd"},
|
{Username: "user"},
|
||||||
}},
|
}},
|
||||||
{`basicauth user pwd {
|
{`basicauth user pwd {
|
||||||
}`, false, []basicauth.Rule{
|
}`, false, "pwd", []basicauth.Rule{
|
||||||
{Username: "user", Password: "pwd"},
|
{Username: "user"},
|
||||||
}},
|
}},
|
||||||
{`basicauth user pwd {
|
{`basicauth user pwd {
|
||||||
/resource1
|
/resource1
|
||||||
/resource2
|
/resource2
|
||||||
}`, false, []basicauth.Rule{
|
}`, false, "pwd", []basicauth.Rule{
|
||||||
{Username: "user", Password: "pwd", Resources: []string{"/resource1", "/resource2"}},
|
{Username: "user", Resources: []string{"/resource1", "/resource2"}},
|
||||||
}},
|
}},
|
||||||
{`basicauth /resource user pwd`, false, []basicauth.Rule{
|
{`basicauth /resource user pwd`, false, "pwd", []basicauth.Rule{
|
||||||
{Username: "user", Password: "pwd", Resources: []string{"/resource"}},
|
{Username: "user", Resources: []string{"/resource"}},
|
||||||
}},
|
}},
|
||||||
{`basicauth /res1 user1 pwd1
|
{`basicauth /res1 user1 pwd1
|
||||||
basicauth /res2 user2 pwd2`, false, []basicauth.Rule{
|
basicauth /res2 user2 pwd2`, false, "pwd", []basicauth.Rule{
|
||||||
{Username: "user1", Password: "pwd1", Resources: []string{"/res1"}},
|
{Username: "user1", Resources: []string{"/res1"}},
|
||||||
{Username: "user2", Password: "pwd2", Resources: []string{"/res2"}},
|
{Username: "user2", Resources: []string{"/res2"}},
|
||||||
|
}},
|
||||||
|
{`basicauth user`, true, "", []basicauth.Rule{}},
|
||||||
|
{`basicauth`, true, "", []basicauth.Rule{}},
|
||||||
|
{`basicauth /resource user pwd asdf`, true, "", []basicauth.Rule{}},
|
||||||
|
|
||||||
|
{`basicauth sha1 htpasswd=` + htfh.Name(), false, htpasswdPasswd, []basicauth.Rule{
|
||||||
|
{Username: "sha1"},
|
||||||
}},
|
}},
|
||||||
{`basicauth user`, true, []basicauth.Rule{}},
|
|
||||||
{`basicauth`, true, []basicauth.Rule{}},
|
|
||||||
{`basicauth /resource user pwd asdf`, true, []basicauth.Rule{}},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, test := range tests {
|
for i, test := range tests {
|
||||||
|
@ -84,9 +109,16 @@ func TestBasicAuthParse(t *testing.T) {
|
||||||
i, j, expectedRule.Username, actualRule.Username)
|
i, j, expectedRule.Username, actualRule.Username)
|
||||||
}
|
}
|
||||||
|
|
||||||
if actualRule.Password != expectedRule.Password {
|
if strings.Contains(test.input, "htpasswd=") && skipHtpassword {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
pwd := test.password
|
||||||
|
if len(actual) > 1 {
|
||||||
|
pwd = fmt.Sprintf("%s%d", pwd, j+1)
|
||||||
|
}
|
||||||
|
if !actualRule.Password(pwd) || actualRule.Password(test.password+"!") {
|
||||||
t.Errorf("Test %d, rule %d: Expected password '%s', got '%s'",
|
t.Errorf("Test %d, rule %d: Expected password '%s', got '%s'",
|
||||||
i, j, expectedRule.Password, actualRule.Password)
|
i, j, test.password, actualRule.Password)
|
||||||
}
|
}
|
||||||
|
|
||||||
expectedRes := fmt.Sprintf("%v", expectedRule.Resources)
|
expectedRes := fmt.Sprintf("%v", expectedRule.Resources)
|
||||||
|
|
|
@ -2,9 +2,17 @@
|
||||||
package basicauth
|
package basicauth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bufio"
|
||||||
"crypto/subtle"
|
"crypto/subtle"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
|
||||||
|
"github.com/jimstudt/http-authentication/basic"
|
||||||
"github.com/mholt/caddy/middleware"
|
"github.com/mholt/caddy/middleware"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -37,7 +45,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
|
||||||
// Check credentials
|
// Check credentials
|
||||||
if !ok ||
|
if !ok ||
|
||||||
username != rule.Username ||
|
username != rule.Username ||
|
||||||
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
|
!rule.Password(password) {
|
||||||
|
//subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -64,6 +73,74 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
|
||||||
// file or directory paths.
|
// file or directory paths.
|
||||||
type Rule struct {
|
type Rule struct {
|
||||||
Username string
|
Username string
|
||||||
Password string
|
Password func(string) bool
|
||||||
Resources []string
|
Resources []string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type PasswordMatcher func(pw string) bool
|
||||||
|
|
||||||
|
var (
|
||||||
|
htpasswords map[string]map[string]PasswordMatcher
|
||||||
|
htpasswordsMu sync.Mutex
|
||||||
|
)
|
||||||
|
|
||||||
|
func GetHtpasswdMatcher(filename, username string) (PasswordMatcher, error) {
|
||||||
|
filename, err := filepath.Abs(filename)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
htpasswordsMu.Lock()
|
||||||
|
if htpasswords == nil {
|
||||||
|
htpasswords = make(map[string]map[string]PasswordMatcher)
|
||||||
|
}
|
||||||
|
pm := htpasswords[filename]
|
||||||
|
if pm == nil {
|
||||||
|
fh, err := os.Open(filename)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("open %q: %v", filename, err)
|
||||||
|
}
|
||||||
|
defer fh.Close()
|
||||||
|
pm = make(map[string]PasswordMatcher)
|
||||||
|
if err = parseHtpasswd(pm, fh); err != nil {
|
||||||
|
return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)
|
||||||
|
}
|
||||||
|
htpasswords[filename] = pm
|
||||||
|
}
|
||||||
|
htpasswordsMu.Unlock()
|
||||||
|
if pm[username] == nil {
|
||||||
|
return nil, fmt.Errorf("username %q not found in %q", username, filename)
|
||||||
|
}
|
||||||
|
return pm[username], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {
|
||||||
|
scanner := bufio.NewScanner(r)
|
||||||
|
for scanner.Scan() {
|
||||||
|
line := strings.TrimSpace(scanner.Text())
|
||||||
|
if line == "" || strings.IndexByte(line, '#') == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
i := strings.IndexByte(line, ':')
|
||||||
|
if i <= 0 {
|
||||||
|
return fmt.Errorf("malformed line, no color: %q", line)
|
||||||
|
}
|
||||||
|
user, encoded := line[:i], line[i+1:]
|
||||||
|
for _, p := range basic.DefaultSystems {
|
||||||
|
matcher, err := p(encoded)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if matcher != nil {
|
||||||
|
pm[user] = matcher.MatchesPassword
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return scanner.Err()
|
||||||
|
}
|
||||||
|
|
||||||
|
func PlainMatcher(passw string) PasswordMatcher {
|
||||||
|
return func(pw string) bool {
|
||||||
|
return subtle.ConstantTimeCompare([]byte(pw), []byte(passw)) == 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -3,8 +3,10 @@ package basicauth
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/mholt/caddy/middleware"
|
"github.com/mholt/caddy/middleware"
|
||||||
|
@ -15,7 +17,7 @@ func TestBasicAuth(t *testing.T) {
|
||||||
rw := BasicAuth{
|
rw := BasicAuth{
|
||||||
Next: middleware.HandlerFunc(contentHandler),
|
Next: middleware.HandlerFunc(contentHandler),
|
||||||
Rules: []Rule{
|
Rules: []Rule{
|
||||||
{Username: "test", Password: "ttest", Resources: []string{"/testing"}},
|
{Username: "test", Password: PlainMatcher("ttest"), Resources: []string{"/testing"}},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -66,8 +68,8 @@ func TestMultipleOverlappingRules(t *testing.T) {
|
||||||
rw := BasicAuth{
|
rw := BasicAuth{
|
||||||
Next: middleware.HandlerFunc(contentHandler),
|
Next: middleware.HandlerFunc(contentHandler),
|
||||||
Rules: []Rule{
|
Rules: []Rule{
|
||||||
{Username: "t", Password: "p1", Resources: []string{"/t"}},
|
{Username: "t", Password: PlainMatcher("p1"), Resources: []string{"/t"}},
|
||||||
{Username: "t1", Password: "p2", Resources: []string{"/t/t"}},
|
{Username: "t1", Password: PlainMatcher("p2"), Resources: []string{"/t/t"}},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -111,3 +113,31 @@ func contentHandler(w http.ResponseWriter, r *http.Request) (int, error) {
|
||||||
fmt.Fprintf(w, r.URL.String())
|
fmt.Fprintf(w, r.URL.String())
|
||||||
return http.StatusOK, nil
|
return http.StatusOK, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestHtpasswd(t *testing.T) {
|
||||||
|
htpasswdPasswd := "IedFOuGmTpT8"
|
||||||
|
htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
|
||||||
|
md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
|
||||||
|
|
||||||
|
htfh, err := ioutil.TempFile("", "basicauth-")
|
||||||
|
if err != nil {
|
||||||
|
t.Skipf("Error creating temp file (%v), will skip htpassword test")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
|
||||||
|
t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
|
||||||
|
}
|
||||||
|
htfh.Close()
|
||||||
|
defer os.Remove(htfh.Name())
|
||||||
|
|
||||||
|
for i, username := range []string{"sha1", "md5"} {
|
||||||
|
rule := Rule{Username: username, Resources: []string{"/testing"}}
|
||||||
|
if rule.Password, err = GetHtpasswdMatcher(htfh.Name(), rule.Username); err != nil {
|
||||||
|
t.Fatalf("GetHtpasswdMatcher(%q, %q): %v", htfh.Name(), rule.Username, err)
|
||||||
|
}
|
||||||
|
t.Logf("%d. username=%q password=%v", i, rule.Username, rule.Password)
|
||||||
|
if !rule.Password(htpasswdPasswd) || rule.Password(htpasswdPasswd+"!") {
|
||||||
|
t.Errorf("%d (%s) password does not match.", i, rule.Username)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue