distribution/registry/auth/htpasswd/access.go

// Package htpasswd provides a simple authentication scheme that checks for the
// user credential hash in an htpasswd formatted file in a configuration-determined
// location.
//
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
package htpasswd

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"sync"
	"time"

	"golang.org/x/crypto/bcrypt"

	dcontext "github.com/distribution/distribution/v3/context"
	"github.com/distribution/distribution/v3/registry/auth"
)

type accessController struct {
	realm    string
	path     string
	modtime  time.Time
	mu       sync.Mutex
	htpasswd *htpasswd
}

var _ auth.AccessController = &accessController{}

func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
	realm, present := options["realm"]
	if _, ok := realm.(string); !present || !ok {
		return nil, fmt.Errorf(`"realm" must be set for htpasswd access controller`)
	}

	pathOpt, present := options["path"]
	path, ok := pathOpt.(string)
	if !present || !ok {
		return nil, fmt.Errorf(`"path" must be set for htpasswd access controller`)
	}
	if err := createHtpasswdFile(path); err != nil {
		return nil, err
	}
	return &accessController{realm: realm.(string), path: path}, nil
}

func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
	req, err := dcontext.GetRequest(ctx)
	if err != nil {
		return nil, err
	}

	username, password, ok := req.BasicAuth()
	if !ok {
		return nil, &challenge{
			realm: ac.realm,
			err:   auth.ErrInvalidCredential,
		}
	}

	// Dynamically parsing the latest account list
	fstat, err := os.Stat(ac.path)
	if err != nil {
		return nil, err
	}

	lastModified := fstat.ModTime()
	ac.mu.Lock()
	if ac.htpasswd == nil || !ac.modtime.Equal(lastModified) {
		ac.modtime = lastModified

		f, err := os.Open(ac.path)
		if err != nil {
			ac.mu.Unlock()
			return nil, err
		}
		defer f.Close()

		h, err := newHTPasswd(f)
		if err != nil {
			ac.mu.Unlock()
			return nil, err
		}
		ac.htpasswd = h
	}
	localHTPasswd := ac.htpasswd
	ac.mu.Unlock()

	if err := localHTPasswd.authenticateUser(username, password); err != nil {
		dcontext.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err)
		return nil, &challenge{
			realm: ac.realm,
			err:   auth.ErrAuthenticationFailure,
		}
	}

	return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil
}

// challenge implements the auth.Challenge interface.
type challenge struct {
	realm string
	err   error
}

var _ auth.Challenge = challenge{}

// SetHeaders sets the basic challenge header on the response.
func (ch challenge) SetHeaders(r *http.Request, w http.ResponseWriter) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))
}

func (ch challenge) Error() string {
	return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err)
}

// createHtpasswdFile creates and populates htpasswd file with a new user in case the file is missing
func createHtpasswdFile(path string) error {
	if f, err := os.Open(path); err == nil {
		f.Close()
		return nil
	} else if !os.IsNotExist(err) {
		return err
	}

	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0600)
	if err != nil {
		return fmt.Errorf("failed to open htpasswd path %s", err)
	}
	defer f.Close()
	var secretBytes [32]byte
	if _, err := rand.Read(secretBytes[:]); err != nil {
		return err
	}
	pass := base64.RawURLEncoding.EncodeToString(secretBytes[:])
	encryptedPass, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)
	if err != nil {
		return err
	}
	if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil {
		return err
	}
	dcontext.GetLoggerWithFields(context.Background(), map[interface{}]interface{}{
		"user":     "docker",
		"password": pass,
	}).Warnf("htpasswd is missing, provisioning with default user")
	return nil
}

func init() {
	auth.Register("htpasswd", auth.InitFunc(newAccessController))
}
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`// Package htpasswd provides a simple authentication scheme that checks for the`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`// user credential hash in an htpasswd formatted file in a configuration-determined`
			`// location.`
			`//`
			`// This authentication method MUST be used under TLS, as simple token-replay attack is possible.`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`package htpasswd`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00
			`import (`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`"context"`
Create and populate htpasswd file if missing If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com> 2017-08-13 05:56:11 +00:00			`"crypto/rand"`
			`"encoding/base64"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`"fmt"`
			`"net/http"`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`"os"`
Create and populate htpasswd file if missing If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com> 2017-08-13 05:56:11 +00:00			`"path/filepath"`
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`"sync"`
			`"time"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00
fix goimports and gofmt Signed-off-by: David Wu <david.wu@docker.com> 2018-09-05 00:35:16 +00:00			`"golang.org/x/crypto/bcrypt"`

go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 11:18:39 +00:00			`dcontext "github.com/distribution/distribution/v3/context"`
			`"github.com/distribution/distribution/v3/registry/auth"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`)`

			`type accessController struct {`
			`realm string`
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`path string`
			`modtime time.Time`
			`mu sync.Mutex`
Removed dashes from comments, unexported htpasswd struct Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-06 05:37:32 +00:00			`htpasswd *htpasswd`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`var _ auth.AccessController = &accessController{}`

			`func newAccessController(options map[string]interface{}) (auth.AccessController, error) {`
			`realm, present := options["realm"]`
			`if _, ok := realm.(string); !present \|\| !ok {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			return nil, fmt.Errorf(`"realm" must be set for htpasswd access controller`)
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Create and populate htpasswd file if missing If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com> 2017-08-13 05:56:11 +00:00			`pathOpt, present := options["path"]`
			`path, ok := pathOpt.(string)`
			`if !present \|\| !ok {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			return nil, fmt.Errorf(`"path" must be set for htpasswd access controller`)
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`
Create and populate htpasswd file if missing If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com> 2017-08-13 05:56:11 +00:00			`if err := createHtpasswdFile(path); err != nil {`
			`return nil, err`
			`}`
			`return &accessController{realm: realm.(string), path: path}, nil`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`req, err := dcontext.GetRequest(ctx)`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`username, password, ok := req.BasicAuth()`
			`if !ok {`
			`return nil, &challenge{`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`realm: ac.realm,`
Add credential authenticator interface Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-13 01:15:19 +00:00			`err: auth.ErrInvalidCredential,`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`
			`}`
Fixed golint, gofmt warning advice. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 16:02:13 +00:00
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`// Dynamically parsing the latest account list`
			`fstat, err := os.Stat(ac.path)`
			`if err != nil {`
			`return nil, err`
			`}`

			`lastModified := fstat.ModTime()`
			`ac.mu.Lock()`
			`if ac.htpasswd == nil \|\| !ac.modtime.Equal(lastModified) {`
			`ac.modtime = lastModified`

			`f, err := os.Open(ac.path)`
			`if err != nil {`
			`ac.mu.Unlock()`
			`return nil, err`
			`}`
			`defer f.Close()`

			`h, err := newHTPasswd(f)`
			`if err != nil {`
			`ac.mu.Unlock()`
			`return nil, err`
			`}`
			`ac.htpasswd = h`
			`}`
			`localHTPasswd := ac.htpasswd`
			`ac.mu.Unlock()`

			`if err := localHTPasswd.authenticateUser(username, password); err != nil {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err)`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`return nil, &challenge{`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`realm: ac.realm,`
Add credential authenticator interface Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-13 01:15:19 +00:00			`err: auth.ErrAuthenticationFailure,`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`}`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil`
			`}`

			`// challenge implements the auth.Challenge interface.`
			`type challenge struct {`
			`realm string`
			`err error`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Simplify auth.Challenge interface to SetHeaders This removes the erroneous http.Handler interface in favor a simple SetHeaders method that only operattes on the response. Several unnecessary uses of pointer types were also fixed up. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:39:56 +00:00			`var _ auth.Challenge = challenge{}`

			`// SetHeaders sets the basic challenge header on the response.`
add autoredirect auth config It redirects the user to to the Host header's domain whenever they try to use token auth. Signed-off-by: David Wu <david.wu@docker.com> 2017-03-13 23:35:15 +00:00			`func (ch challenge) SetHeaders(r *http.Request, w http.ResponseWriter) {`
Simplify auth.Challenge interface to SetHeaders This removes the erroneous http.Handler interface in favor a simple SetHeaders method that only operattes on the response. Several unnecessary uses of pointer types were also fixed up. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:39:56 +00:00			`w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Simplify auth.Challenge interface to SetHeaders This removes the erroneous http.Handler interface in favor a simple SetHeaders method that only operattes on the response. Several unnecessary uses of pointer types were also fixed up. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:39:56 +00:00			`func (ch challenge) Error() string {`
De-obfuscate error message Previously, this error message would stringify as a pointer address, which isn't particularly helpful. This change breaks out the elements of the challenge object such that the error is appropriately represented. Signed-off-by: Ted Reed <ted.reed@gmail.com> 2015-11-07 01:10:28 +00:00			`return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err)`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Create and populate htpasswd file if missing If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com> 2017-08-13 05:56:11 +00:00			`// createHtpasswdFile creates and populates htpasswd file with a new user in case the file is missing`
			`func createHtpasswdFile(path string) error {`
			`if f, err := os.Open(path); err == nil {`
			`f.Close()`
			`return nil`
			`} else if !os.IsNotExist(err) {`
			`return err`
			`}`

			`if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {`
			`return err`
			`}`
			`f, err := os.OpenFile(path, os.O_WRONLY\|os.O_CREATE, 0600)`
			`if err != nil {`
			`return fmt.Errorf("failed to open htpasswd path %s", err)`
			`}`
			`defer f.Close()`
			`var secretBytes [32]byte`
			`if _, err := rand.Read(secretBytes[:]); err != nil {`
			`return err`
			`}`
			`pass := base64.RawURLEncoding.EncodeToString(secretBytes[:])`
			`encryptedPass, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)`
			`if err != nil {`
			`return err`
			`}`
			`if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil {`
			`return err`
			`}`
			`dcontext.GetLoggerWithFields(context.Background(), map[interface{}]interface{}{`
			`"user": "docker",`
			`"password": pass,`
			`}).Warnf("htpasswd is missing, provisioning with default user")`
			`return nil`
			`}`

Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`func init() {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`auth.Register("htpasswd", auth.InitFunc(newAccessController))`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`