zot/pkg/api/auth.go

package api

import (
	"bufio"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/anuvu/zot/errors"
	"github.com/gorilla/mux"
	"github.com/jtblin/go-ldap-client"
	"golang.org/x/crypto/bcrypt"
)

func authFail(w http.ResponseWriter, realm string, delay int) {
	time.Sleep(time.Duration(delay) * time.Second)
	w.Header().Set("WWW-Authenticate", realm)
	w.Header().Set("Content-Type", "application/json")
	WriteJSON(w, http.StatusUnauthorized, NewError(UNAUTHORIZED))
}

// nolint (gocyclo) - we use closure making this a complex subroutine
func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
	realm := c.Config.HTTP.Realm
	if realm == "" {
		realm = "Authorization Required"
	}
	realm = "Basic realm=" + strconv.Quote(realm)

	// no password based authN, if neither LDAP nor HTTP BASIC is enabled
	if c.Config.HTTP.Auth == nil || (c.Config.HTTP.Auth.HTPasswd.Path == "" && c.Config.HTTP.Auth.LDAP == nil) {
		return func(next http.Handler) http.Handler {
			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
				if c.Config.HTTP.AllowReadAccess &&
					c.Config.HTTP.TLS.CACert != "" &&
					r.TLS.VerifiedChains == nil &&
					r.Method != "GET" && r.Method != "HEAD" {
					authFail(w, realm, 5)
					return
				}
				// Process request
				next.ServeHTTP(w, r)
			})
		}
	}

	credMap := make(map[string]string)
	delay := c.Config.HTTP.Auth.FailDelay
	var ldapClient *LDAPClient

	if c.Config.HTTP.Auth != nil {
		if c.Config.HTTP.Auth.LDAP != nil {
			l := c.Config.HTTP.Auth.LDAP
			ldapClient = &LDAPClient{
				LDAPClient: ldap.LDAPClient{
					Host:               l.Address,
					Port:               l.Port,
					UseSSL:             !l.Insecure,
					SkipTLS:            !l.StartTLS,
					Base:               l.BaseDN,
					BindDN:             l.BindDN,
					BindPassword:       l.BindPassword,
					UserFilter:         fmt.Sprintf("(%s=%%s)", l.UserAttribute),
					InsecureSkipVerify: l.SkipVerify,
					ServerName:         l.Address,
				},
				log:           c.Log,
				subtreeSearch: l.SubtreeSearch,
			}
			if c.Config.HTTP.Auth.LDAP.CACert != "" {
				caCert, err := ioutil.ReadFile(c.Config.HTTP.Auth.LDAP.CACert)
				if err != nil {
					panic(err)
				}
				caCertPool := x509.NewCertPool()
				if !caCertPool.AppendCertsFromPEM(caCert) {
					panic(errors.ErrBadCACert)
				}
				ldapClient.clientCAs = caCertPool
			} else {
				// default to system cert pool
				caCertPool, err := x509.SystemCertPool()
				if err != nil {
					panic(errors.ErrBadCACert)
				}
				ldapClient.clientCAs = caCertPool
			}
		}
		if c.Config.HTTP.Auth.HTPasswd.Path != "" {
			f, err := os.Open(c.Config.HTTP.Auth.HTPasswd.Path)
			if err != nil {
				panic(err)
			}

			for {
				r := bufio.NewReader(f)
				line, err := r.ReadString('\n')
				if err != nil {
					break
				}
				tokens := strings.Split(line, ":")
				credMap[tokens[0]] = tokens[1]
			}
		}
	}

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if (r.Method == "GET" || r.Method == "HEAD") && c.Config.HTTP.AllowReadAccess {
				// Process request
				next.ServeHTTP(w, r)
				return
			}

			basicAuth := r.Header.Get("Authorization")
			if basicAuth == "" {
				authFail(w, realm, delay)
				return
			}

			s := strings.SplitN(basicAuth, " ", 2)
			if len(s) != 2 || strings.ToLower(s[0]) != "basic" {
				authFail(w, realm, delay)
				return
			}

			b, err := base64.StdEncoding.DecodeString(s[1])
			if err != nil {
				authFail(w, realm, delay)
				return
			}

			pair := strings.SplitN(string(b), ":", 2)
			if len(pair) != 2 {
				authFail(w, realm, delay)
				return
			}

			username := pair[0]
			passphrase := pair[1]

			// prefer LDAP if configured
			if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
				ok, _, err := ldapClient.Authenticate(username, passphrase)
				if ok && err == nil {
					// Process request
					next.ServeHTTP(w, r)
					return
				}
			}

			// fallback to HTTPPassword
			passphraseHash, ok := credMap[username]
			if !ok {
				authFail(w, realm, delay)
				return
			}

			if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
				authFail(w, realm, delay)
				return
			}

			// Process request
			next.ServeHTTP(w, r)
		})
	}
}
zot: initial commit 2019-06-20 16:36:40 -07:00			`package api`

			`import (`
			`"bufio"`
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`"crypto/x509"`
zot: initial commit 2019-06-20 16:36:40 -07:00			`"encoding/base64"`
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`"fmt"`
			`"io/ioutil"`
zot: initial commit 2019-06-20 16:36:40 -07:00			`"net/http"`
			`"os"`
			`"strconv"`
			`"strings"`
			`"time"`

auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`"github.com/anuvu/zot/errors"`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`"github.com/gorilla/mux"`
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`"github.com/jtblin/go-ldap-client"`
zot: initial commit 2019-06-20 16:36:40 -07:00			`"golang.org/x/crypto/bcrypt"`
			`)`

router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`func authFail(w http.ResponseWriter, realm string, delay int) {`
zot: initial commit 2019-06-20 16:36:40 -07:00			`time.Sleep(time.Duration(delay) * time.Second)`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`w.Header().Set("WWW-Authenticate", realm)`
			`w.Header().Set("Content-Type", "application/json")`
			`WriteJSON(w, http.StatusUnauthorized, NewError(UNAUTHORIZED))`
zot: initial commit 2019-06-20 16:36:40 -07:00			`}`

auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`// nolint (gocyclo) - we use closure making this a complex subroutine`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {`
auth: allow for world-readable deployment mode 2019-08-28 14:05:16 -07:00			`realm := c.Config.HTTP.Realm`
			`if realm == "" {`
			`realm = "Authorization Required"`
			`}`
			`realm = "Basic realm=" + strconv.Quote(realm)`

auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`// no password based authN, if neither LDAP nor HTTP BASIC is enabled`
			`if c.Config.HTTP.Auth == nil \|\| (c.Config.HTTP.Auth.HTPasswd.Path == "" && c.Config.HTTP.Auth.LDAP == nil) {`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
auth: allow for world-readable deployment mode 2019-08-28 14:05:16 -07:00			`if c.Config.HTTP.AllowReadAccess &&`
			`c.Config.HTTP.TLS.CACert != "" &&`
			`r.TLS.VerifiedChains == nil &&`
			`r.Method != "GET" && r.Method != "HEAD" {`
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`authFail(w, realm, 5)`
auth: allow for world-readable deployment mode 2019-08-28 14:05:16 -07:00			`return`
			`}`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`// Process request`
			`next.ServeHTTP(w, r)`
			`})`
zot: initial commit 2019-06-20 16:36:40 -07:00			`}`
			`}`

			`credMap := make(map[string]string)`
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`delay := c.Config.HTTP.Auth.FailDelay`
			`var ldapClient *LDAPClient`

			`if c.Config.HTTP.Auth != nil {`
			`if c.Config.HTTP.Auth.LDAP != nil {`
			`l := c.Config.HTTP.Auth.LDAP`
			`ldapClient = &LDAPClient{`
			`LDAPClient: ldap.LDAPClient{`
			`Host: l.Address,`
			`Port: l.Port,`
			`UseSSL: !l.Insecure,`
			`SkipTLS: !l.StartTLS,`
			`Base: l.BaseDN,`
			`BindDN: l.BindDN,`
			`BindPassword: l.BindPassword,`
			`UserFilter: fmt.Sprintf("(%s=%%s)", l.UserAttribute),`
			`InsecureSkipVerify: l.SkipVerify,`
			`ServerName: l.Address,`
			`},`
			`log: c.Log,`
			`subtreeSearch: l.SubtreeSearch,`
			`}`
			`if c.Config.HTTP.Auth.LDAP.CACert != "" {`
			`caCert, err := ioutil.ReadFile(c.Config.HTTP.Auth.LDAP.CACert)`
			`if err != nil {`
			`panic(err)`
			`}`
			`caCertPool := x509.NewCertPool()`
			`if !caCertPool.AppendCertsFromPEM(caCert) {`
			`panic(errors.ErrBadCACert)`
			`}`
			`ldapClient.clientCAs = caCertPool`
			`} else {`
			`// default to system cert pool`
			`caCertPool, err := x509.SystemCertPool()`
			`if err != nil {`
			`panic(errors.ErrBadCACert)`
			`}`
			`ldapClient.clientCAs = caCertPool`
			`}`
			`}`
			`if c.Config.HTTP.Auth.HTPasswd.Path != "" {`
			`f, err := os.Open(c.Config.HTTP.Auth.HTPasswd.Path)`
			`if err != nil {`
			`panic(err)`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`for {`
			`r := bufio.NewReader(f)`
			`line, err := r.ReadString('\n')`
			`if err != nil {`
			`break`
			`}`
			`tokens := strings.Split(line, ":")`
			`credMap[tokens[0]] = tokens[1]`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00			`}`
			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
auth: allow for world-readable deployment mode 2019-08-28 14:05:16 -07:00			`if (r.Method == "GET" \|\| r.Method == "HEAD") && c.Config.HTTP.AllowReadAccess {`
			`// Process request`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`basicAuth := r.Header.Get("Authorization")`
			`if basicAuth == "" {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`s := strings.SplitN(basicAuth, " ", 2)`
			`if len(s) != 2 \|\| strings.ToLower(s[0]) != "basic" {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`b, err := base64.StdEncoding.DecodeString(s[1])`
			`if err != nil {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`pair := strings.SplitN(string(b), ":", 2)`
			`if len(pair) != 2 {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`username := pair[0]`
			`passphrase := pair[1]`
zot: initial commit 2019-06-20 16:36:40 -07:00
auth: add LDAP support fixes #23 2019-08-15 09:34:54 -07:00			`// prefer LDAP if configured`
			`if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {`
			`ok, _, err := ldapClient.Authenticate(username, passphrase)`
			`if ok && err == nil {`
			`// Process request`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`}`

			`// fallback to HTTPPassword`
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`passphraseHash, ok := credMap[username]`
			`if !ok {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 16:36:40 -07:00
router: move to gorilla/mux to support multiple name path components 2019-07-09 22:23:59 -07:00			`if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {`
			`authFail(w, realm, delay)`
			`return`
			`}`

			`// Process request`
			`next.ServeHTTP(w, r)`
			`})`
zot: initial commit 2019-06-20 16:36:40 -07:00			`}`
			`}`