Commit 159b68aa authored by Matt Holt's avatar Matt Holt

Merge pull request #228 from tgulacsi/htpasswd

basicauth: Add htpasswd support
parents d76cf6d3 392f1d70
package setup package setup
import ( import (
"strings"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
"github.com/mholt/caddy/middleware/basicauth" "github.com/mholt/caddy/middleware/basicauth"
) )
...@@ -23,6 +25,7 @@ func BasicAuth(c *Controller) (middleware.Middleware, error) { ...@@ -23,6 +25,7 @@ func BasicAuth(c *Controller) (middleware.Middleware, error) {
func basicAuthParse(c *Controller) ([]basicauth.Rule, error) { func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
var rules []basicauth.Rule var rules []basicauth.Rule
var err error
for c.Next() { for c.Next() {
var rule basicauth.Rule var rule basicauth.Rule
...@@ -31,7 +34,10 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) { ...@@ -31,7 +34,10 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
switch len(args) { switch len(args) {
case 2: case 2:
rule.Username = args[0] rule.Username = args[0]
rule.Password = args[1] if rule.Password, err = passwordMatcher(rule.Username, args[1]); err != nil {
return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
}
for c.NextBlock() { for c.NextBlock() {
rule.Resources = append(rule.Resources, c.Val()) rule.Resources = append(rule.Resources, c.Val())
if c.NextArg() { if c.NextArg() {
...@@ -41,7 +47,9 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) { ...@@ -41,7 +47,9 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
case 3: case 3:
rule.Resources = append(rule.Resources, args[0]) rule.Resources = append(rule.Resources, args[0])
rule.Username = args[1] rule.Username = args[1]
rule.Password = args[2] if rule.Password, err = passwordMatcher(rule.Username, args[2]); err != nil {
return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
}
default: default:
return rules, c.ArgErr() return rules, c.ArgErr()
} }
...@@ -51,3 +59,11 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) { ...@@ -51,3 +59,11 @@ func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
return rules, nil return rules, nil
} }
func passwordMatcher(username, passw string) (basicauth.PasswordMatcher, error) {
if !strings.HasPrefix(passw, "htpasswd=") {
return basicauth.PlainMatcher(passw), nil
}
return basicauth.GetHtpasswdMatcher(passw[9:], username)
}
...@@ -2,6 +2,9 @@ package setup ...@@ -2,6 +2,9 @@ package setup
import ( import (
"fmt" "fmt"
"io/ioutil"
"os"
"strings"
"testing" "testing"
"github.com/mholt/caddy/middleware/basicauth" "github.com/mholt/caddy/middleware/basicauth"
...@@ -30,35 +33,57 @@ func TestBasicAuth(t *testing.T) { ...@@ -30,35 +33,57 @@ func TestBasicAuth(t *testing.T) {
} }
func TestBasicAuthParse(t *testing.T) { func TestBasicAuthParse(t *testing.T) {
htpasswdPasswd := "IedFOuGmTpT8"
htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
var skipHtpassword bool
htfh, err := ioutil.TempFile("", "basicauth-")
if err != nil {
t.Logf("Error creating temp file (%v), will skip htpassword test")
skipHtpassword = true
} else {
if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
}
htfh.Close()
defer os.Remove(htfh.Name())
}
tests := []struct { tests := []struct {
input string input string
shouldErr bool shouldErr bool
password string
expected []basicauth.Rule expected []basicauth.Rule
}{ }{
{`basicauth user pwd`, false, []basicauth.Rule{ {`basicauth user pwd`, false, "pwd", []basicauth.Rule{
{Username: "user", Password: "pwd"}, {Username: "user"},
}}, }},
{`basicauth user pwd { {`basicauth user pwd {
}`, false, []basicauth.Rule{ }`, false, "pwd", []basicauth.Rule{
{Username: "user", Password: "pwd"}, {Username: "user"},
}}, }},
{`basicauth user pwd { {`basicauth user pwd {
/resource1 /resource1
/resource2 /resource2
}`, false, []basicauth.Rule{ }`, false, "pwd", []basicauth.Rule{
{Username: "user", Password: "pwd", Resources: []string{"/resource1", "/resource2"}}, {Username: "user", Resources: []string{"/resource1", "/resource2"}},
}}, }},
{`basicauth /resource user pwd`, false, []basicauth.Rule{ {`basicauth /resource user pwd`, false, "pwd", []basicauth.Rule{
{Username: "user", Password: "pwd", Resources: []string{"/resource"}}, {Username: "user", Resources: []string{"/resource"}},
}}, }},
{`basicauth /res1 user1 pwd1 {`basicauth /res1 user1 pwd1
basicauth /res2 user2 pwd2`, false, []basicauth.Rule{ basicauth /res2 user2 pwd2`, false, "pwd", []basicauth.Rule{
{Username: "user1", Password: "pwd1", Resources: []string{"/res1"}}, {Username: "user1", Resources: []string{"/res1"}},
{Username: "user2", Password: "pwd2", Resources: []string{"/res2"}}, {Username: "user2", Resources: []string{"/res2"}},
}},
{`basicauth user`, true, "", []basicauth.Rule{}},
{`basicauth`, true, "", []basicauth.Rule{}},
{`basicauth /resource user pwd asdf`, true, "", []basicauth.Rule{}},
{`basicauth sha1 htpasswd=` + htfh.Name(), false, htpasswdPasswd, []basicauth.Rule{
{Username: "sha1"},
}}, }},
{`basicauth user`, true, []basicauth.Rule{}},
{`basicauth`, true, []basicauth.Rule{}},
{`basicauth /resource user pwd asdf`, true, []basicauth.Rule{}},
} }
for i, test := range tests { for i, test := range tests {
...@@ -84,9 +109,16 @@ func TestBasicAuthParse(t *testing.T) { ...@@ -84,9 +109,16 @@ func TestBasicAuthParse(t *testing.T) {
i, j, expectedRule.Username, actualRule.Username) i, j, expectedRule.Username, actualRule.Username)
} }
if actualRule.Password != expectedRule.Password { if strings.Contains(test.input, "htpasswd=") && skipHtpassword {
continue
}
pwd := test.password
if len(actual) > 1 {
pwd = fmt.Sprintf("%s%d", pwd, j+1)
}
if !actualRule.Password(pwd) || actualRule.Password(test.password+"!") {
t.Errorf("Test %d, rule %d: Expected password '%s', got '%s'", t.Errorf("Test %d, rule %d: Expected password '%s', got '%s'",
i, j, expectedRule.Password, actualRule.Password) i, j, test.password, actualRule.Password)
} }
expectedRes := fmt.Sprintf("%v", expectedRule.Resources) expectedRes := fmt.Sprintf("%v", expectedRule.Resources)
......
...@@ -2,9 +2,17 @@ ...@@ -2,9 +2,17 @@
package basicauth package basicauth
import ( import (
"bufio"
"crypto/subtle" "crypto/subtle"
"fmt"
"io"
"net/http" "net/http"
"os"
"path/filepath"
"strings"
"sync"
"github.com/jimstudt/http-authentication/basic"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
) )
...@@ -37,7 +45,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error ...@@ -37,7 +45,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
// Check credentials // Check credentials
if !ok || if !ok ||
username != rule.Username || username != rule.Username ||
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 { !rule.Password(password) {
//subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
continue continue
} }
...@@ -64,6 +73,74 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error ...@@ -64,6 +73,74 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
// file or directory paths. // file or directory paths.
type Rule struct { type Rule struct {
Username string Username string
Password string Password func(string) bool
Resources []string Resources []string
} }
type PasswordMatcher func(pw string) bool
var (
htpasswords map[string]map[string]PasswordMatcher
htpasswordsMu sync.Mutex
)
func GetHtpasswdMatcher(filename, username string) (PasswordMatcher, error) {
filename, err := filepath.Abs(filename)
if err != nil {
return nil, err
}
htpasswordsMu.Lock()
if htpasswords == nil {
htpasswords = make(map[string]map[string]PasswordMatcher)
}
pm := htpasswords[filename]
if pm == nil {
fh, err := os.Open(filename)
if err != nil {
return nil, fmt.Errorf("open %q: %v", filename, err)
}
defer fh.Close()
pm = make(map[string]PasswordMatcher)
if err = parseHtpasswd(pm, fh); err != nil {
return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)
}
htpasswords[filename] = pm
}
htpasswordsMu.Unlock()
if pm[username] == nil {
return nil, fmt.Errorf("username %q not found in %q", username, filename)
}
return pm[username], nil
}
func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {
scanner := bufio.NewScanner(r)
for scanner.Scan() {
line := strings.TrimSpace(scanner.Text())
if line == "" || strings.IndexByte(line, '#') == 0 {
continue
}
i := strings.IndexByte(line, ':')
if i <= 0 {
return fmt.Errorf("malformed line, no color: %q", line)
}
user, encoded := line[:i], line[i+1:]
for _, p := range basic.DefaultSystems {
matcher, err := p(encoded)
if err != nil {
return err
}
if matcher != nil {
pm[user] = matcher.MatchesPassword
break
}
}
}
return scanner.Err()
}
func PlainMatcher(passw string) PasswordMatcher {
return func(pw string) bool {
return subtle.ConstantTimeCompare([]byte(pw), []byte(passw)) == 1
}
}
...@@ -3,8 +3,10 @@ package basicauth ...@@ -3,8 +3,10 @@ package basicauth
import ( import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"testing" "testing"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
...@@ -15,7 +17,7 @@ func TestBasicAuth(t *testing.T) { ...@@ -15,7 +17,7 @@ func TestBasicAuth(t *testing.T) {
rw := BasicAuth{ rw := BasicAuth{
Next: middleware.HandlerFunc(contentHandler), Next: middleware.HandlerFunc(contentHandler),
Rules: []Rule{ Rules: []Rule{
{Username: "test", Password: "ttest", Resources: []string{"/testing"}}, {Username: "test", Password: PlainMatcher("ttest"), Resources: []string{"/testing"}},
}, },
} }
...@@ -66,8 +68,8 @@ func TestMultipleOverlappingRules(t *testing.T) { ...@@ -66,8 +68,8 @@ func TestMultipleOverlappingRules(t *testing.T) {
rw := BasicAuth{ rw := BasicAuth{
Next: middleware.HandlerFunc(contentHandler), Next: middleware.HandlerFunc(contentHandler),
Rules: []Rule{ Rules: []Rule{
{Username: "t", Password: "p1", Resources: []string{"/t"}}, {Username: "t", Password: PlainMatcher("p1"), Resources: []string{"/t"}},
{Username: "t1", Password: "p2", Resources: []string{"/t/t"}}, {Username: "t1", Password: PlainMatcher("p2"), Resources: []string{"/t/t"}},
}, },
} }
...@@ -111,3 +113,31 @@ func contentHandler(w http.ResponseWriter, r *http.Request) (int, error) { ...@@ -111,3 +113,31 @@ func contentHandler(w http.ResponseWriter, r *http.Request) (int, error) {
fmt.Fprintf(w, r.URL.String()) fmt.Fprintf(w, r.URL.String())
return http.StatusOK, nil return http.StatusOK, nil
} }
func TestHtpasswd(t *testing.T) {
htpasswdPasswd := "IedFOuGmTpT8"
htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
htfh, err := ioutil.TempFile("", "basicauth-")
if err != nil {
t.Skipf("Error creating temp file (%v), will skip htpassword test")
return
}
if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
}
htfh.Close()
defer os.Remove(htfh.Name())
for i, username := range []string{"sha1", "md5"} {
rule := Rule{Username: username, Resources: []string{"/testing"}}
if rule.Password, err = GetHtpasswdMatcher(htfh.Name(), rule.Username); err != nil {
t.Fatalf("GetHtpasswdMatcher(%q, %q): %v", htfh.Name(), rule.Username, err)
}
t.Logf("%d. username=%q password=%v", i, rule.Username, rule.Password)
if !rule.Password(htpasswdPasswd) || rule.Password(htpasswdPasswd+"!") {
t.Errorf("%d (%s) password does not match.", i, rule.Username)
}
}
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment