zot/pkg/api/auth.go

package api

import (
	"bufio"
	"encoding/base64"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/gorilla/mux"
	"golang.org/x/crypto/bcrypt"
)

func authFail(w http.ResponseWriter, realm string, delay int) {
	time.Sleep(time.Duration(delay) * time.Second)
	w.Header().Set("WWW-Authenticate", realm)
	w.Header().Set("Content-Type", "application/json")
	WriteJSON(w, http.StatusUnauthorized, NewError(UNAUTHORIZED))
}

func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
	realm := c.Config.HTTP.Realm
	if realm == "" {
		realm = "Authorization Required"
	}
	realm = "Basic realm=" + strconv.Quote(realm)
	delay := c.Config.HTTP.Auth.FailDelay

	if c.Config.HTTP.Auth.HTPasswd.Path == "" {
		return func(next http.Handler) http.Handler {
			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
				if c.Config.HTTP.AllowReadAccess &&
					c.Config.HTTP.TLS.CACert != "" &&
					r.TLS.VerifiedChains == nil &&
					r.Method != "GET" && r.Method != "HEAD" {
					authFail(w, realm, delay)
					return
				}

				// Process request
				next.ServeHTTP(w, r)
			})
		}
	}

	credMap := make(map[string]string)

	f, err := os.Open(c.Config.HTTP.Auth.HTPasswd.Path)
	if err != nil {
		panic(err)
	}

	for {
		r := bufio.NewReader(f)
		line, err := r.ReadString('\n')
		if err != nil {
			break
		}
		tokens := strings.Split(line, ":")
		credMap[tokens[0]] = tokens[1]
	}

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if (r.Method == "GET" || r.Method == "HEAD") && c.Config.HTTP.AllowReadAccess {
				// Process request
				next.ServeHTTP(w, r)
				return
			}

			basicAuth := r.Header.Get("Authorization")
			if basicAuth == "" {
				authFail(w, realm, delay)
				return
			}

			s := strings.SplitN(basicAuth, " ", 2)
			if len(s) != 2 || strings.ToLower(s[0]) != "basic" {
				authFail(w, realm, delay)
				return
			}

			b, err := base64.StdEncoding.DecodeString(s[1])
			if err != nil {
				authFail(w, realm, delay)
				return
			}

			pair := strings.SplitN(string(b), ":", 2)
			if len(pair) != 2 {
				authFail(w, realm, delay)
				return
			}

			username := pair[0]
			passphrase := pair[1]

			passphraseHash, ok := credMap[username]
			if !ok {
				authFail(w, realm, delay)
				return
			}

			if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
				authFail(w, realm, delay)
				return
			}

			// Process request
			next.ServeHTTP(w, r)
		})
	}
}
zot: initial commit 2019-06-20 18:36:40 -05:00			`package api`

			`import (`
			`"bufio"`
			`"encoding/base64"`
			`"net/http"`
			`"os"`
			`"strconv"`
			`"strings"`
			`"time"`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`"github.com/gorilla/mux"`
zot: initial commit 2019-06-20 18:36:40 -05:00			`"golang.org/x/crypto/bcrypt"`
			`)`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`func authFail(w http.ResponseWriter, realm string, delay int) {`
zot: initial commit 2019-06-20 18:36:40 -05:00			`time.Sleep(time.Duration(delay) * time.Second)`
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`w.Header().Set("WWW-Authenticate", realm)`
			`w.Header().Set("Content-Type", "application/json")`
			`WriteJSON(w, http.StatusUnauthorized, NewError(UNAUTHORIZED))`
zot: initial commit 2019-06-20 18:36:40 -05:00			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {`
auth: allow for world-readable deployment mode 2019-08-28 16:05:16 -05:00			`realm := c.Config.HTTP.Realm`
			`if realm == "" {`
			`realm = "Authorization Required"`
			`}`
			`realm = "Basic realm=" + strconv.Quote(realm)`
			`delay := c.Config.HTTP.Auth.FailDelay`

zot: initial commit 2019-06-20 18:36:40 -05:00			`if c.Config.HTTP.Auth.HTPasswd.Path == "" {`
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
auth: allow for world-readable deployment mode 2019-08-28 16:05:16 -05:00			`if c.Config.HTTP.AllowReadAccess &&`
			`c.Config.HTTP.TLS.CACert != "" &&`
			`r.TLS.VerifiedChains == nil &&`
			`r.Method != "GET" && r.Method != "HEAD" {`
			`authFail(w, realm, delay)`
			`return`
			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`// Process request`
			`next.ServeHTTP(w, r)`
			`})`
zot: initial commit 2019-06-20 18:36:40 -05:00			`}`
			`}`

			`credMap := make(map[string]string)`

			`f, err := os.Open(c.Config.HTTP.Auth.HTPasswd.Path)`
			`if err != nil {`
			`panic(err)`
			`}`

			`for {`
			`r := bufio.NewReader(f)`
			`line, err := r.ReadString('\n')`
			`if err != nil {`
			`break`
			`}`
			`tokens := strings.Split(line, ":")`
			`credMap[tokens[0]] = tokens[1]`
			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
auth: allow for world-readable deployment mode 2019-08-28 16:05:16 -05:00			`if (r.Method == "GET" \|\| r.Method == "HEAD") && c.Config.HTTP.AllowReadAccess {`
			`// Process request`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`basicAuth := r.Header.Get("Authorization")`
			`if basicAuth == "" {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`s := strings.SplitN(basicAuth, " ", 2)`
			`if len(s) != 2 \|\| strings.ToLower(s[0]) != "basic" {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`b, err := base64.StdEncoding.DecodeString(s[1])`
			`if err != nil {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`pair := strings.SplitN(string(b), ":", 2)`
			`if len(pair) != 2 {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`username := pair[0]`
			`passphrase := pair[1]`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`passphraseHash, ok := credMap[username]`
			`if !ok {`
			`authFail(w, realm, delay)`
			`return`
			`}`
zot: initial commit 2019-06-20 18:36:40 -05:00
router: move to gorilla/mux to support multiple name path components 2019-07-10 00:23:59 -05:00			`if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {`
			`authFail(w, realm, delay)`
			`return`
			`}`

			`// Process request`
			`next.ServeHTTP(w, r)`
			`})`
zot: initial commit 2019-06-20 18:36:40 -05:00			`}`
			`}`