From 7d8ee6125421e2cf033f6d6c89ea59e6fd061ccf Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Sat, 18 Jul 2020 00:41:42 +0100 Subject: [PATCH] Add HTPasswdValidator to basic authentication package --- pkg/authentication/basic/basic_suite_test.go | 16 ++++ pkg/authentication/basic/htpasswd.go | 96 +++++++++++++++++++ pkg/authentication/basic/htpasswd_test.go | 96 +++++++++++++++++++ .../basic/test/htpasswd-bcrypt.txt | 8 ++ .../basic/test/htpasswd-mixed.txt | 8 ++ .../basic/test/htpasswd-sha1.txt | 8 ++ pkg/authentication/basic/validator.go | 7 ++ 7 files changed, 239 insertions(+) create mode 100644 pkg/authentication/basic/basic_suite_test.go create mode 100644 pkg/authentication/basic/htpasswd.go create mode 100644 pkg/authentication/basic/htpasswd_test.go create mode 100644 pkg/authentication/basic/test/htpasswd-bcrypt.txt create mode 100644 pkg/authentication/basic/test/htpasswd-mixed.txt create mode 100644 pkg/authentication/basic/test/htpasswd-sha1.txt create mode 100644 pkg/authentication/basic/validator.go diff --git a/pkg/authentication/basic/basic_suite_test.go b/pkg/authentication/basic/basic_suite_test.go new file mode 100644 index 00000000..4d5fa806 --- /dev/null +++ b/pkg/authentication/basic/basic_suite_test.go @@ -0,0 +1,16 @@ +package basic + +import ( + "testing" + + "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +func TestBasicSuite(t *testing.T) { + logger.SetOutput(GinkgoWriter) + + RegisterFailHandler(Fail) + RunSpecs(t, "Basic") +} diff --git a/pkg/authentication/basic/htpasswd.go b/pkg/authentication/basic/htpasswd.go new file mode 100644 index 00000000..ff87894f --- /dev/null +++ b/pkg/authentication/basic/htpasswd.go @@ -0,0 +1,96 @@ +package basic + +import ( + "crypto/sha1" + "encoding/base64" + "encoding/csv" + "fmt" + "io" + "os" + + "github.com/oauth2-proxy/oauth2-proxy/pkg/logger" + "golang.org/x/crypto/bcrypt" +) + +// htpasswdMap represents the structure of an htpasswd file. +// Passwords must be generated with -B for bcrypt or -s for SHA1. +type htpasswdMap struct { + users map[string]interface{} +} + +// bcryptPass is used to identify bcrypt passwords in the +// htpasswdMap users. +type bcryptPass string + +// sha1Pass os used to identify sha1 passwords in the +// htpasswdMap users. +type sha1Pass string + +// NewHTPasswdValidator constructs an httpasswd based validator from the file +// at the path given. +func NewHTPasswdValidator(path string) (Validator, error) { + r, err := os.Open(path) + if err != nil { + return nil, fmt.Errorf("could not open htpasswd file: %v", err) + } + defer r.Close() + return newHtpasswd(r) +} + +// newHtpasswd consctructs an htpasswd from an io.Reader (an opened file). +func newHtpasswd(file io.Reader) (*htpasswdMap, error) { + csvReader := csv.NewReader(file) + csvReader.Comma = ':' + csvReader.Comment = '#' + csvReader.TrimLeadingSpace = true + + records, err := csvReader.ReadAll() + if err != nil { + return nil, fmt.Errorf("could not read htpasswd file: %v", err) + } + + return createHtpasswdMap(records) +} + +// createHtasswdMap constructs an htpasswdMap from the given records +func createHtpasswdMap(records [][]string) (*htpasswdMap, error) { + h := &htpasswdMap{users: make(map[string]interface{})} + for _, record := range records { + user, realPassword := record[0], record[1] + shaPrefix := realPassword[:5] + if shaPrefix == "{SHA}" { + h.users[user] = sha1Pass(realPassword[5:]) + continue + } + + bcryptPrefix := realPassword[:4] + if bcryptPrefix == "$2a$" || bcryptPrefix == "$2b$" || bcryptPrefix == "$2x$" || bcryptPrefix == "$2y$" { + h.users[user] = bcryptPass(realPassword) + continue + } + + // Password is neither sha1 or bcrypt + // TODO(JoelSpeed): In the next breaking release, make this return an error. + logger.Printf("Invalid htpasswd entry for %s. Must be a SHA or bcrypt entry.", user) + } + return h, nil +} + +// Validate checks a users password against the htpasswd entries +func (h *htpasswdMap) Validate(user string, password string) bool { + realPassword, exists := h.users[user] + if !exists { + return false + } + + switch real := realPassword.(type) { + case sha1Pass: + d := sha1.New() + d.Write([]byte(password)) + return string(real) == base64.StdEncoding.EncodeToString(d.Sum(nil)) + case bcryptPass: + return bcrypt.CompareHashAndPassword([]byte(real), []byte(password)) == nil + default: + return false + } +} diff --git a/pkg/authentication/basic/htpasswd_test.go b/pkg/authentication/basic/htpasswd_test.go new file mode 100644 index 00000000..0c2a197e --- /dev/null +++ b/pkg/authentication/basic/htpasswd_test.go @@ -0,0 +1,96 @@ +package basic + +import ( + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +const ( + adminUser = "admin" + adminPassword = "Adm1n1str$t0r" + user1 = "user1" + user1Password = "UsErOn3P455" + user2 = "user2" + user2Password = "us3r2P455W0Rd!" +) + +var _ = Describe("HTPasswd Suite", func() { + Context("with an HTPassword Validator", func() { + assertHtpasswdMapFromFile := func(filePath string) { + var htpasswd *htpasswdMap + var err error + + BeforeEach(func() { + var validator Validator + validator, err = NewHTPasswdValidator(filePath) + + var ok bool + htpasswd, ok = validator.(*htpasswdMap) + Expect(ok).To(BeTrue()) + }) + + It("does not return an error", func() { + Expect(err).ToNot(HaveOccurred()) + }) + + It("has the correct number of users", func() { + Expect(htpasswd.users).To(HaveLen(3)) + }) + + It("accepts the correct passwords", func() { + Expect(htpasswd.Validate(adminUser, adminPassword)).To(BeTrue()) + Expect(htpasswd.Validate(user1, user1Password)).To(BeTrue()) + Expect(htpasswd.Validate(user2, user2Password)).To(BeTrue()) + }) + + It("rejects incorrect passwords", func() { + Expect(htpasswd.Validate(adminUser, "asvdfda")).To(BeFalse()) + Expect(htpasswd.Validate(user1, "BHEdgbtr")).To(BeFalse()) + Expect(htpasswd.Validate(user2, "12345")).To(BeFalse()) + }) + + It("rejects a non existent user", func() { + // Users are case sensitive + Expect(htpasswd.Validate("ADMIN", adminPassword)).To(BeFalse()) + }) + } + + Context("load from file", func() { + Context("with sha1 entries", func() { + const filePath = "./test/htpasswd-sha1.txt" + + assertHtpasswdMapFromFile(filePath) + }) + + Context("with bcrypt entries", func() { + const filePath = "./test/htpasswd-bcrypt.txt" + + assertHtpasswdMapFromFile(filePath) + }) + + Context("with mixed entries", func() { + const filePath = "./test/htpasswd-mixed.txt" + + assertHtpasswdMapFromFile(filePath) + }) + + Context("with a non existent file", func() { + const filePath = "./test/htpasswd-doesnt-exist.txt" + var validator Validator + var err error + + BeforeEach(func() { + validator, err = NewHTPasswdValidator(filePath) + }) + + It("returns an error", func() { + Expect(err).To(MatchError("could not open htpasswd file: open ./test/htpasswd-doesnt-exist.txt: no such file or directory")) + }) + + It("returns a nil validator", func() { + Expect(validator).To(BeNil()) + }) + }) + }) + }) +}) diff --git a/pkg/authentication/basic/test/htpasswd-bcrypt.txt b/pkg/authentication/basic/test/htpasswd-bcrypt.txt new file mode 100644 index 00000000..5fcaa381 --- /dev/null +++ b/pkg/authentication/basic/test/htpasswd-bcrypt.txt @@ -0,0 +1,8 @@ +# admin:Adm1n1str$t0r +admin:$2y$05$SXWrNM7ldtbRzBvUC3VXyOvUeiUcP45XPwM93P5eeGOEPIiAZmJjC + +# user1:UsErOn3P455 +user1:$2y$05$/sZYJOk8.3Etg4V6fV7puuXfCJLmV5Q7u3xvKpjBSJUka.t2YtmmG + +# user2: us3r2P455W0Rd! +user2:$2y$05$l22MubgKTZFTjTs8TNg5k.YKvcnM2.bA/.iwl0idef5CbekdvBxva diff --git a/pkg/authentication/basic/test/htpasswd-mixed.txt b/pkg/authentication/basic/test/htpasswd-mixed.txt new file mode 100644 index 00000000..fd66c575 --- /dev/null +++ b/pkg/authentication/basic/test/htpasswd-mixed.txt @@ -0,0 +1,8 @@ +# admin:Adm1n1str$t0r +admin:$2y$05$SXWrNM7ldtbRzBvUC3VXyOvUeiUcP45XPwM93P5eeGOEPIiAZmJjC + +# user1:UsErOn3P455 +user1:{SHA}Dvs/L78raajL4jEAHPkwflQXJzI= + +# user2: us3r2P455W0Rd! +user2:{SHA}MoN9/JCJEcYUb6GCQ+2buDvn9pI= diff --git a/pkg/authentication/basic/test/htpasswd-sha1.txt b/pkg/authentication/basic/test/htpasswd-sha1.txt new file mode 100644 index 00000000..beb1f0d2 --- /dev/null +++ b/pkg/authentication/basic/test/htpasswd-sha1.txt @@ -0,0 +1,8 @@ +# admin:Adm1n1str$t0r +admin:{SHA}gXQeRH0bcaCfhAk2gOLm1uaePMA= + +# user1:UsErOn3P455 +user1:{SHA}Dvs/L78raajL4jEAHPkwflQXJzI= + +# user2: us3r2P455W0Rd! +user2:{SHA}MoN9/JCJEcYUb6GCQ+2buDvn9pI= diff --git a/pkg/authentication/basic/validator.go b/pkg/authentication/basic/validator.go new file mode 100644 index 00000000..7a1ceda9 --- /dev/null +++ b/pkg/authentication/basic/validator.go @@ -0,0 +1,7 @@ +package basic + +// Validator is a minimal interface for something that can validate a +// username and password combination. +type Validator interface { + Validate(user, password string) bool +}