2012-12-10 20:59:23 -05:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/sha1"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/csv"
|
2012-12-17 13:38:33 -05:00
|
|
|
"io"
|
2012-12-10 20:59:23 -05:00
|
|
|
"os"
|
2018-02-16 02:14:41 -06:00
|
|
|
|
2020-03-29 14:54:36 +01:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"
|
2018-02-16 02:14:41 -06:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
2012-12-10 20:59:23 -05:00
|
|
|
)
|
|
|
|
|
2018-02-16 02:14:41 -06:00
|
|
|
// Lookup passwords in a htpasswd file
|
|
|
|
// Passwords must be generated with -B for bcrypt or -s for SHA1.
|
2012-12-10 20:59:23 -05:00
|
|
|
|
2018-12-20 09:30:42 +00:00
|
|
|
// HtpasswdFile represents the structure of an htpasswd file
|
2012-12-10 20:59:23 -05:00
|
|
|
type HtpasswdFile struct {
|
|
|
|
Users map[string]string
|
|
|
|
}
|
|
|
|
|
2018-12-20 09:30:42 +00:00
|
|
|
// NewHtpasswdFromFile constructs an HtpasswdFile from the file at the path given
|
2012-12-17 13:38:33 -05:00
|
|
|
func NewHtpasswdFromFile(path string) (*HtpasswdFile, error) {
|
2012-12-10 20:59:23 -05:00
|
|
|
r, err := os.Open(path)
|
|
|
|
if err != nil {
|
2012-12-17 13:38:33 -05:00
|
|
|
return nil, err
|
2012-12-10 20:59:23 -05:00
|
|
|
}
|
Reload authenticated-emails-file upon update
This change extracts the UserMap class from NewValidator() so that its
LoadAuthenticatedEmailsFile() method can be called concurrently. This method
is called by a goroutine containing a fsnotify.Watcher watching the
authenticated emails file.
Watching isn't forever aborted when the authenticated emails file disappears.
The goroutine will call os.Stat() up to twenty times a second if the file is
persistently missing, but that's the pathological case, not the common one.
The common case is that some editors (including Vim) will perform a
rename-and-replace when updating a file, triggering fsnotify.Rename events,
and the file will temporarily disappear. This watcher goroutine handles that
case.
Also, on some platforms (notably Arch Linux), a remove will be preceded by a
fsnotify.Chmod, causing a race between the upcoming fsnotify.Remove and the
call to UserMap.LoadAuthenticatedEmailsFile(). Hence, we treat fsnotify.Chmod
the same as fsnotify.Remove and fsnotify.Rename. There's no significant
penalty to re-adding a file to the watcher.
Also contains the following small changes from the summary of commits below:
- Minor optimization of email domain search
- Fixed api_test.go on Windows
- Add deferred File.Close() calls where needed
- Log error and return if emails file doesn't parse
These are the original commits from #89 squashed into this one:
0c6f2b6 Refactor validator_test to prepare for more tests
e0c792b Add more test cases to validator_test
a9a9d93 Minor optimization of email domain search
b763ea5 Extract LoadAuthenticatedEmailsFile()
8cdaf7f Introduce synchronized UserMap type
1b84eef Add UserMap methods, locking
af15dcf Reload authenticated-emails-file upon update
6d95548 Make UserMap operations lock-free
Per:
- http://stackoverflow.com/questions/21447463/is-assigning-a-pointer-atomic-in-golang
- https://groups.google.com/forum/#!msg/golang-nuts/ueSvaEKgyLY/ZW_74IC4PekJ
75755d5 Fix tests on Windows
d0eab2e Ignore email file watcher Chmod events
0b9798b Fix watcher on Ubuntu 12.04
3a8251a WaitForReplacement() to retry emails file watch
a57fd29 Add deferred File.Close() calls where needed
Because correctness: Don't leak file handles anywhere, and prepare for
future panics and early returns.
52ed3fd Log error and return if emails file doesn't parse
40100d4 Add gopkg.in/fsnotify.v1 dependency to Godeps file
17dfbbc Avoid a race when Remove is preceded by Chmod
2015-05-09 19:31:38 -04:00
|
|
|
defer r.Close()
|
2012-12-17 13:38:33 -05:00
|
|
|
return NewHtpasswd(r)
|
|
|
|
}
|
|
|
|
|
2018-12-20 09:30:42 +00:00
|
|
|
// NewHtpasswd consctructs an HtpasswdFile from an io.Reader (opened file)
|
2012-12-17 13:38:33 -05:00
|
|
|
func NewHtpasswd(file io.Reader) (*HtpasswdFile, error) {
|
2018-11-29 14:26:41 +00:00
|
|
|
csvReader := csv.NewReader(file)
|
|
|
|
csvReader.Comma = ':'
|
|
|
|
csvReader.Comment = '#'
|
|
|
|
csvReader.TrimLeadingSpace = true
|
2012-12-10 20:59:23 -05:00
|
|
|
|
2018-11-29 14:26:41 +00:00
|
|
|
records, err := csvReader.ReadAll()
|
2012-12-10 20:59:23 -05:00
|
|
|
if err != nil {
|
2012-12-17 13:38:33 -05:00
|
|
|
return nil, err
|
2012-12-10 20:59:23 -05:00
|
|
|
}
|
|
|
|
h := &HtpasswdFile{Users: make(map[string]string)}
|
|
|
|
for _, record := range records {
|
|
|
|
h.Users[record[0]] = record[1]
|
|
|
|
}
|
2012-12-17 13:38:33 -05:00
|
|
|
return h, nil
|
2012-12-10 20:59:23 -05:00
|
|
|
}
|
|
|
|
|
2018-12-20 09:30:42 +00:00
|
|
|
// Validate checks a users password against the HtpasswdFile entries
|
2012-12-10 20:59:23 -05:00
|
|
|
func (h *HtpasswdFile) Validate(user string, password string) bool {
|
|
|
|
realPassword, exists := h.Users[user]
|
|
|
|
if !exists {
|
|
|
|
return false
|
|
|
|
}
|
2018-02-16 02:14:41 -06:00
|
|
|
|
|
|
|
shaPrefix := realPassword[:5]
|
|
|
|
if shaPrefix == "{SHA}" {
|
|
|
|
shaValue := realPassword[5:]
|
2012-12-10 20:59:23 -05:00
|
|
|
d := sha1.New()
|
|
|
|
d.Write([]byte(password))
|
2018-02-16 02:14:41 -06:00
|
|
|
return shaValue == base64.StdEncoding.EncodeToString(d.Sum(nil))
|
2012-12-10 20:59:23 -05:00
|
|
|
}
|
2018-02-16 02:14:41 -06:00
|
|
|
|
|
|
|
bcryptPrefix := realPassword[:4]
|
|
|
|
if bcryptPrefix == "$2a$" || bcryptPrefix == "$2b$" || bcryptPrefix == "$2x$" || bcryptPrefix == "$2y$" {
|
|
|
|
return bcrypt.CompareHashAndPassword([]byte(realPassword), []byte(password)) == nil
|
|
|
|
}
|
|
|
|
|
2019-02-10 08:37:45 -08:00
|
|
|
logger.Printf("Invalid htpasswd entry for %s. Must be a SHA or bcrypt entry.", user)
|
2012-12-10 20:59:23 -05:00
|
|
|
return false
|
|
|
|
}
|