2011-01-28 07:07:18 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2011 Google Inc.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2010-11-15 03:52:52 +00:00
|
|
|
package auth
|
2010-07-26 03:34:04 +00:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"fmt"
|
Update from r60 to [almost] Go 1.
A lot is still broken, but most stuff at least compiles now.
The directory tree has been rearranged now too. Go libraries are now
under "pkg". Fully qualified, they are e.g. "camlistore.org/pkg/jsonsign".
The go tool cannot yet fetch from arbitrary domains, but discussion is
happening now on which mechanism to use to allow that.
For now, put the camlistore root under $GOPATH/src. Typically $GOPATH
is $HOME, so Camlistore should be at $HOME/src/camlistore.org.
Then you can:
$ go build ./server/camlistored
... etc
The build.pl script is currently disabled. It'll be resurrected at
some point, but with a very different role (helping create a fake
GOPATH and running the go build command, if things are installed at
the wrong place, and/or running fileembed generators).
Many things are certainly broken.
Many things are disabled. (MySQL, all indexing, etc).
Many things need to be moved into
camlistore.org/third_party/{code.google.com,github.com} and updated
from their r60 to Go 1 versions, where applicable.
The GoMySQL stuff should be updated to use database/sql and the ziutek
library implementing database/sql/driver.
Help wanted.
Change-Id: If71217dc5c8f0e70dbe46e9504ca5131c6eeacde
2012-02-19 05:53:06 +00:00
|
|
|
"net/http"
|
2011-06-09 23:09:21 +00:00
|
|
|
"os"
|
2010-07-26 03:34:04 +00:00
|
|
|
"regexp"
|
|
|
|
|
"strings"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var kBasicAuthPattern *regexp.Regexp = regexp.MustCompile(`^Basic ([a-zA-Z0-9\+/=]+)`)
|
|
|
|
|
|
2011-11-16 10:41:38 +00:00
|
|
|
var (
|
2011-11-28 17:45:08 +00:00
|
|
|
mode AuthMode // the auth logic depending on the choosen auth mechanism
|
2011-11-16 10:41:38 +00:00
|
|
|
)
|
2010-07-26 03:34:04 +00:00
|
|
|
|
2011-11-16 10:41:38 +00:00
|
|
|
type AuthMode interface {
|
2011-12-02 10:35:28 +00:00
|
|
|
// IsAuthorized checks the credentials in req.
|
2011-11-28 17:45:08 +00:00
|
|
|
IsAuthorized(req *http.Request) bool
|
2011-12-02 10:35:28 +00:00
|
|
|
// AddAuthHeader inserts in req the credentials needed
|
|
|
|
|
// for a client to authenticate.
|
|
|
|
|
AddAuthHeader(req *http.Request)
|
2011-03-05 08:03:53 +00:00
|
|
|
}
|
|
|
|
|
|
Update from r60 to [almost] Go 1.
A lot is still broken, but most stuff at least compiles now.
The directory tree has been rearranged now too. Go libraries are now
under "pkg". Fully qualified, they are e.g. "camlistore.org/pkg/jsonsign".
The go tool cannot yet fetch from arbitrary domains, but discussion is
happening now on which mechanism to use to allow that.
For now, put the camlistore root under $GOPATH/src. Typically $GOPATH
is $HOME, so Camlistore should be at $HOME/src/camlistore.org.
Then you can:
$ go build ./server/camlistored
... etc
The build.pl script is currently disabled. It'll be resurrected at
some point, but with a very different role (helping create a fake
GOPATH and running the go build command, if things are installed at
the wrong place, and/or running fileembed generators).
Many things are certainly broken.
Many things are disabled. (MySQL, all indexing, etc).
Many things need to be moved into
camlistore.org/third_party/{code.google.com,github.com} and updated
from their r60 to Go 1 versions, where applicable.
The GoMySQL stuff should be updated to use database/sql and the ziutek
library implementing database/sql/driver.
Help wanted.
Change-Id: If71217dc5c8f0e70dbe46e9504ca5131c6eeacde
2012-02-19 05:53:06 +00:00
|
|
|
func FromEnv() (AuthMode, error) {
|
2011-11-16 10:41:38 +00:00
|
|
|
return FromConfig(os.Getenv("CAMLI_AUTH"))
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-28 17:45:08 +00:00
|
|
|
// FromConfig parses authConfig and accordingly sets up the AuthMode
|
|
|
|
|
// that will be used for all upcoming authentication exchanges. The
|
|
|
|
|
// supported modes are UserPass and DevAuth. UserPass requires an authConfig
|
|
|
|
|
// of the kind "userpass:joe:ponies". If the CAMLI_ADVERTISED_PASSWORD
|
|
|
|
|
// environment variable is defined, the mode will default to DevAuth.
|
Update from r60 to [almost] Go 1.
A lot is still broken, but most stuff at least compiles now.
The directory tree has been rearranged now too. Go libraries are now
under "pkg". Fully qualified, they are e.g. "camlistore.org/pkg/jsonsign".
The go tool cannot yet fetch from arbitrary domains, but discussion is
happening now on which mechanism to use to allow that.
For now, put the camlistore root under $GOPATH/src. Typically $GOPATH
is $HOME, so Camlistore should be at $HOME/src/camlistore.org.
Then you can:
$ go build ./server/camlistored
... etc
The build.pl script is currently disabled. It'll be resurrected at
some point, but with a very different role (helping create a fake
GOPATH and running the go build command, if things are installed at
the wrong place, and/or running fileembed generators).
Many things are certainly broken.
Many things are disabled. (MySQL, all indexing, etc).
Many things need to be moved into
camlistore.org/third_party/{code.google.com,github.com} and updated
from their r60 to Go 1 versions, where applicable.
The GoMySQL stuff should be updated to use database/sql and the ziutek
library implementing database/sql/driver.
Help wanted.
Change-Id: If71217dc5c8f0e70dbe46e9504ca5131c6eeacde
2012-02-19 05:53:06 +00:00
|
|
|
func FromConfig(authConfig string) (AuthMode, error) {
|
2011-11-16 10:41:38 +00:00
|
|
|
pieces := strings.Split(authConfig, ":")
|
|
|
|
|
if len(pieces) < 1 {
|
|
|
|
|
return nil, fmt.Errorf("Invalid auth string: %q", authConfig)
|
2011-06-15 09:44:38 +00:00
|
|
|
}
|
2011-11-28 03:23:23 +00:00
|
|
|
authType := pieces[0]
|
|
|
|
|
|
|
|
|
|
if pw := os.Getenv("CAMLI_ADVERTISED_PASSWORD"); pw != "" {
|
|
|
|
|
mode = &DevAuth{pw}
|
|
|
|
|
return mode, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch authType {
|
2011-11-16 10:41:38 +00:00
|
|
|
case "userpass":
|
|
|
|
|
if len(pieces) != 3 {
|
|
|
|
|
return nil, fmt.Errorf("Wrong userpass auth string; needs to be \"userpass:user:password\"")
|
|
|
|
|
}
|
2011-11-28 17:45:08 +00:00
|
|
|
username := pieces[1]
|
|
|
|
|
password := pieces[2]
|
2011-11-30 09:38:18 +00:00
|
|
|
mode = &UserPass{Username: username, Password: password}
|
2011-11-16 10:41:38 +00:00
|
|
|
default:
|
2011-11-28 03:23:23 +00:00
|
|
|
return nil, fmt.Errorf("Unknown auth type: %q", authType)
|
2011-11-16 10:41:38 +00:00
|
|
|
}
|
|
|
|
|
return mode, nil
|
2011-06-15 09:44:38 +00:00
|
|
|
}
|
|
|
|
|
|
Update from r60 to [almost] Go 1.
A lot is still broken, but most stuff at least compiles now.
The directory tree has been rearranged now too. Go libraries are now
under "pkg". Fully qualified, they are e.g. "camlistore.org/pkg/jsonsign".
The go tool cannot yet fetch from arbitrary domains, but discussion is
happening now on which mechanism to use to allow that.
For now, put the camlistore root under $GOPATH/src. Typically $GOPATH
is $HOME, so Camlistore should be at $HOME/src/camlistore.org.
Then you can:
$ go build ./server/camlistored
... etc
The build.pl script is currently disabled. It'll be resurrected at
some point, but with a very different role (helping create a fake
GOPATH and running the go build command, if things are installed at
the wrong place, and/or running fileembed generators).
Many things are certainly broken.
Many things are disabled. (MySQL, all indexing, etc).
Many things need to be moved into
camlistore.org/third_party/{code.google.com,github.com} and updated
from their r60 to Go 1 versions, where applicable.
The GoMySQL stuff should be updated to use database/sql and the ziutek
library implementing database/sql/driver.
Help wanted.
Change-Id: If71217dc5c8f0e70dbe46e9504ca5131c6eeacde
2012-02-19 05:53:06 +00:00
|
|
|
func basicAuth(req *http.Request) (string, string, error) {
|
2011-02-24 01:56:40 +00:00
|
|
|
auth := req.Header.Get("Authorization")
|
|
|
|
|
if auth == "" {
|
2011-11-16 10:41:38 +00:00
|
|
|
return "", "", fmt.Errorf("Missing \"Authorization\" in header")
|
2010-07-26 03:34:04 +00:00
|
|
|
}
|
2010-09-08 05:02:20 +00:00
|
|
|
matches := kBasicAuthPattern.FindStringSubmatch(auth)
|
2010-07-26 03:34:04 +00:00
|
|
|
if len(matches) != 2 {
|
2011-11-16 10:41:38 +00:00
|
|
|
return "", "", fmt.Errorf("Bogus Authorization header")
|
2010-07-26 03:34:04 +00:00
|
|
|
}
|
|
|
|
|
encoded := matches[1]
|
|
|
|
|
enc := base64.StdEncoding
|
|
|
|
|
decBuf := make([]byte, enc.DecodedLen(len(encoded)))
|
|
|
|
|
n, err := enc.Decode(decBuf, []byte(encoded))
|
|
|
|
|
if err != nil {
|
2011-11-16 10:41:38 +00:00
|
|
|
return "", "", err
|
|
|
|
|
}
|
|
|
|
|
pieces := strings.SplitN(string(decBuf[0:n]), ":", 2)
|
|
|
|
|
if len(pieces) != 2 {
|
|
|
|
|
return "", "", fmt.Errorf("didn't get two pieces")
|
|
|
|
|
}
|
|
|
|
|
return pieces[0], pieces[1], nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UserPass is used when the auth string provided in the config
|
|
|
|
|
// is of the kind "userpass:username:pass"
|
|
|
|
|
type UserPass struct {
|
|
|
|
|
Username, Password string
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-28 17:45:08 +00:00
|
|
|
func (up *UserPass) IsAuthorized(req *http.Request) bool {
|
2011-11-16 10:41:38 +00:00
|
|
|
user, pass, err := basicAuth(req)
|
|
|
|
|
if err != nil {
|
2010-07-26 03:34:04 +00:00
|
|
|
return false
|
|
|
|
|
}
|
2011-11-16 10:41:38 +00:00
|
|
|
return user == up.Username && pass == up.Password
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-02 10:35:28 +00:00
|
|
|
func (up *UserPass) AddAuthHeader(req *http.Request) {
|
|
|
|
|
req.SetBasicAuth(up.Username, up.Password)
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-28 17:45:08 +00:00
|
|
|
// DevAuth is used when the env var CAMLI_ADVERTISED_PASSWORD
|
|
|
|
|
// is defined
|
2011-11-16 10:41:38 +00:00
|
|
|
type DevAuth struct {
|
|
|
|
|
Password string
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-28 17:45:08 +00:00
|
|
|
func (da *DevAuth) IsAuthorized(req *http.Request) bool {
|
2011-11-16 10:41:38 +00:00
|
|
|
_, pass, err := basicAuth(req)
|
|
|
|
|
if err != nil {
|
2010-07-26 03:34:04 +00:00
|
|
|
return false
|
|
|
|
|
}
|
2011-11-16 10:41:38 +00:00
|
|
|
return pass == da.Password
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-02 10:35:28 +00:00
|
|
|
func (da *DevAuth) AddAuthHeader(req *http.Request) {
|
|
|
|
|
req.SetBasicAuth("", da.Password)
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-16 10:41:38 +00:00
|
|
|
func IsAuthorized(req *http.Request) bool {
|
2011-11-28 17:45:08 +00:00
|
|
|
return mode.IsAuthorized(req)
|
2011-11-16 10:41:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TriedAuthorization(req *http.Request) bool {
|
|
|
|
|
// Currently a simple test just using HTTP basic auth
|
|
|
|
|
// (presumably over https); may expand.
|
|
|
|
|
return req.Header.Get("Authorization") != ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func SendUnauthorized(conn http.ResponseWriter) {
|
|
|
|
|
realm := "camlistored"
|
2011-11-28 03:23:23 +00:00
|
|
|
if devAuth, ok := mode.(*DevAuth); ok {
|
|
|
|
|
realm = "Any username, password is: " + devAuth.Password
|
2011-11-16 10:41:38 +00:00
|
|
|
}
|
|
|
|
|
conn.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", realm))
|
|
|
|
|
conn.WriteHeader(http.StatusUnauthorized)
|
|
|
|
|
fmt.Fprintf(conn, "<h1>Unauthorized</h1>")
|
2010-07-26 03:34:04 +00:00
|
|
|
}
|
|
|
|
|
|
2011-12-11 00:56:35 +00:00
|
|
|
type Handler struct {
|
|
|
|
|
http.Handler
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if mode.IsAuthorized(r) {
|
|
|
|
|
h.Handler.ServeHTTP(w, r)
|
|
|
|
|
} else {
|
|
|
|
|
SendUnauthorized(w)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-07-26 03:34:04 +00:00
|
|
|
// requireAuth wraps a function with another function that enforces
|
|
|
|
|
// HTTP Basic Auth.
|
2011-06-30 04:13:03 +00:00
|
|
|
func RequireAuth(handler func(conn http.ResponseWriter, req *http.Request)) func(conn http.ResponseWriter, req *http.Request) {
|
|
|
|
|
return func(conn http.ResponseWriter, req *http.Request) {
|
2011-11-28 17:45:08 +00:00
|
|
|
if mode.IsAuthorized(req) {
|
2011-06-15 09:44:38 +00:00
|
|
|
handler(conn, req)
|
|
|
|
|
} else {
|
|
|
|
|
SendUnauthorized(conn)
|
2010-07-26 03:34:04 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|