2015-06-11 02:40:05 +00:00
|
|
|
// Package htpasswd provides a simple authentication scheme that checks for the
|
2015-04-21 19:57:12 +00:00
|
|
|
// user credential hash in an htpasswd formatted file in a configuration-determined
|
|
|
|
// location.
|
|
|
|
//
|
|
|
|
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
|
2015-06-11 02:40:05 +00:00
|
|
|
package htpasswd
|
2015-04-21 19:57:12 +00:00
|
|
|
|
|
|
|
import (
|
2017-08-11 22:31:16 +00:00
|
|
|
"context"
|
2017-08-13 05:56:11 +00:00
|
|
|
"crypto/rand"
|
|
|
|
"encoding/base64"
|
2015-04-21 19:57:12 +00:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
2015-06-11 02:29:27 +00:00
|
|
|
"os"
|
2017-08-13 05:56:11 +00:00
|
|
|
"path/filepath"
|
2016-08-26 05:18:34 +00:00
|
|
|
"sync"
|
|
|
|
"time"
|
2015-04-21 19:57:12 +00:00
|
|
|
|
2018-09-05 00:35:16 +00:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
|
2023-10-24 17:16:58 +00:00
|
|
|
"github.com/distribution/distribution/v3/internal/dcontext"
|
2020-08-24 11:18:39 +00:00
|
|
|
"github.com/distribution/distribution/v3/registry/auth"
|
2015-04-21 19:57:12 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type accessController struct {
|
|
|
|
realm string
|
2016-08-26 05:18:34 +00:00
|
|
|
path string
|
|
|
|
modtime time.Time
|
|
|
|
mu sync.Mutex
|
2015-06-06 05:37:32 +00:00
|
|
|
htpasswd *htpasswd
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var _ auth.AccessController = &accessController{}
|
|
|
|
|
|
|
|
func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
|
|
|
|
realm, present := options["realm"]
|
|
|
|
if _, ok := realm.(string); !present || !ok {
|
2015-06-11 02:40:05 +00:00
|
|
|
return nil, fmt.Errorf(`"realm" must be set for htpasswd access controller`)
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2017-08-13 05:56:11 +00:00
|
|
|
pathOpt, present := options["path"]
|
|
|
|
path, ok := pathOpt.(string)
|
|
|
|
if !present || !ok {
|
2015-06-11 02:40:05 +00:00
|
|
|
return nil, fmt.Errorf(`"path" must be set for htpasswd access controller`)
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
2017-08-13 05:56:11 +00:00
|
|
|
if err := createHtpasswdFile(path); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &accessController{realm: realm.(string), path: path}, nil
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2023-10-24 18:08:04 +00:00
|
|
|
func (ac *accessController) Authorized(req *http.Request, accessRecords ...auth.Access) (context.Context, error) {
|
2015-06-09 01:56:48 +00:00
|
|
|
username, password, ok := req.BasicAuth()
|
|
|
|
if !ok {
|
|
|
|
return nil, &challenge{
|
2015-04-21 19:57:12 +00:00
|
|
|
realm: ac.realm,
|
2016-02-13 01:15:19 +00:00
|
|
|
err: auth.ErrInvalidCredential,
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
}
|
2015-06-04 16:02:13 +00:00
|
|
|
|
2016-08-26 05:18:34 +00:00
|
|
|
// Dynamically parsing the latest account list
|
|
|
|
fstat, err := os.Stat(ac.path)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
lastModified := fstat.ModTime()
|
|
|
|
ac.mu.Lock()
|
|
|
|
if ac.htpasswd == nil || !ac.modtime.Equal(lastModified) {
|
|
|
|
ac.modtime = lastModified
|
|
|
|
|
|
|
|
f, err := os.Open(ac.path)
|
|
|
|
if err != nil {
|
|
|
|
ac.mu.Unlock()
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
|
h, err := newHTPasswd(f)
|
|
|
|
if err != nil {
|
|
|
|
ac.mu.Unlock()
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
ac.htpasswd = h
|
|
|
|
}
|
|
|
|
localHTPasswd := ac.htpasswd
|
|
|
|
ac.mu.Unlock()
|
|
|
|
|
|
|
|
if err := localHTPasswd.authenticateUser(username, password); err != nil {
|
2023-10-24 18:08:04 +00:00
|
|
|
dcontext.GetLogger(req.Context()).Errorf("error authenticating user %q: %v", username, err)
|
2015-06-09 01:56:48 +00:00
|
|
|
return nil, &challenge{
|
2015-06-04 15:46:34 +00:00
|
|
|
realm: ac.realm,
|
2016-02-13 01:15:19 +00:00
|
|
|
err: auth.ErrAuthenticationFailure,
|
2015-06-04 15:46:34 +00:00
|
|
|
}
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2023-10-24 18:08:04 +00:00
|
|
|
return auth.WithUser(req.Context(), auth.UserInfo{Name: username}), nil
|
2015-06-09 01:56:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// challenge implements the auth.Challenge interface.
|
|
|
|
type challenge struct {
|
|
|
|
realm string
|
|
|
|
err error
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2015-07-24 02:39:56 +00:00
|
|
|
var _ auth.Challenge = challenge{}
|
|
|
|
|
|
|
|
// SetHeaders sets the basic challenge header on the response.
|
2017-03-13 23:35:15 +00:00
|
|
|
func (ch challenge) SetHeaders(r *http.Request, w http.ResponseWriter) {
|
2015-07-24 02:39:56 +00:00
|
|
|
w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2015-07-24 02:39:56 +00:00
|
|
|
func (ch challenge) Error() string {
|
2015-11-07 01:10:28 +00:00
|
|
|
return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err)
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2017-08-13 05:56:11 +00:00
|
|
|
// createHtpasswdFile creates and populates htpasswd file with a new user in case the file is missing
|
|
|
|
func createHtpasswdFile(path string) error {
|
|
|
|
if f, err := os.Open(path); err == nil {
|
|
|
|
f.Close()
|
|
|
|
return nil
|
|
|
|
} else if !os.IsNotExist(err) {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-11-02 21:05:45 +00:00
|
|
|
if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
|
2017-08-13 05:56:11 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-11-02 21:05:45 +00:00
|
|
|
f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0o600)
|
2017-08-13 05:56:11 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to open htpasswd path %s", err)
|
|
|
|
}
|
|
|
|
defer f.Close()
|
|
|
|
var secretBytes [32]byte
|
|
|
|
if _, err := rand.Read(secretBytes[:]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
pass := base64.RawURLEncoding.EncodeToString(secretBytes[:])
|
|
|
|
encryptedPass, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
dcontext.GetLoggerWithFields(context.Background(), map[interface{}]interface{}{
|
|
|
|
"user": "docker",
|
|
|
|
"password": pass,
|
|
|
|
}).Warnf("htpasswd is missing, provisioning with default user")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-04-21 19:57:12 +00:00
|
|
|
func init() {
|
2015-06-11 02:40:05 +00:00
|
|
|
auth.Register("htpasswd", auth.InitFunc(newAccessController))
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|