2015-06-11 02:40:05 +00:00
|
|
|
package htpasswd
|
2015-04-21 19:57:12 +00:00
|
|
|
|
|
|
|
import (
|
2015-06-09 01:56:48 +00:00
|
|
|
"bufio"
|
2015-06-11 02:29:27 +00:00
|
|
|
"fmt"
|
2015-06-09 01:56:48 +00:00
|
|
|
"io"
|
2015-06-04 15:46:34 +00:00
|
|
|
"strings"
|
2015-06-04 16:02:13 +00:00
|
|
|
|
2020-08-24 11:18:39 +00:00
|
|
|
"github.com/distribution/distribution/v3/registry/auth"
|
2016-02-13 01:15:19 +00:00
|
|
|
|
2015-06-04 15:46:34 +00:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
2015-04-21 19:57:12 +00:00
|
|
|
)
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
// htpasswd holds a path to a system .htpasswd file and the machinery to parse
|
|
|
|
// it. Only bcrypt hash entries are supported.
|
2015-06-06 05:37:32 +00:00
|
|
|
type htpasswd struct {
|
2015-06-11 02:29:27 +00:00
|
|
|
entries map[string][]byte // maps username to password byte slice.
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
// newHTPasswd parses the reader and returns an htpasswd or an error.
|
|
|
|
func newHTPasswd(rd io.Reader) (*htpasswd, error) {
|
|
|
|
entries, err := parseHTPasswd(rd)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2015-06-04 15:46:34 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
return &htpasswd{entries: entries}, nil
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
|
|
|
|
2015-06-09 01:56:48 +00:00
|
|
|
// AuthenticateUser checks a given user:password credential against the
|
2015-06-11 02:29:27 +00:00
|
|
|
// receiving HTPasswd's file. If the check passes, nil is returned.
|
|
|
|
func (htpasswd *htpasswd) authenticateUser(username string, password string) error {
|
|
|
|
credentials, ok := htpasswd.entries[username]
|
|
|
|
if !ok {
|
|
|
|
// timing attack paranoia
|
|
|
|
bcrypt.CompareHashAndPassword([]byte{}, []byte(password))
|
|
|
|
|
2016-02-13 01:15:19 +00:00
|
|
|
return auth.ErrAuthenticationFailure
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
2015-06-09 01:56:48 +00:00
|
|
|
|
2018-08-06 21:34:15 +00:00
|
|
|
err := bcrypt.CompareHashAndPassword(credentials, []byte(password))
|
2015-06-11 02:29:27 +00:00
|
|
|
if err != nil {
|
2016-02-13 01:15:19 +00:00
|
|
|
return auth.ErrAuthenticationFailure
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|
2015-06-09 01:56:48 +00:00
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
return nil
|
2015-06-09 01:56:48 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
// parseHTPasswd parses the contents of htpasswd. This will read all the
|
|
|
|
// entries in the file, whether or not they are needed. An error is returned
|
2016-06-02 05:31:13 +00:00
|
|
|
// if a syntax errors are encountered or if the reader fails.
|
2015-06-11 02:29:27 +00:00
|
|
|
func parseHTPasswd(rd io.Reader) (map[string][]byte, error) {
|
|
|
|
entries := map[string][]byte{}
|
2015-06-09 01:56:48 +00:00
|
|
|
scanner := bufio.NewScanner(rd)
|
2015-06-11 02:29:27 +00:00
|
|
|
var line int
|
2015-06-09 01:56:48 +00:00
|
|
|
for scanner.Scan() {
|
2015-06-11 02:29:27 +00:00
|
|
|
line++ // 1-based line numbering
|
2015-06-09 01:56:48 +00:00
|
|
|
t := strings.TrimSpace(scanner.Text())
|
2015-06-11 02:29:27 +00:00
|
|
|
|
|
|
|
if len(t) < 1 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// lines that *begin* with a '#' are considered comments
|
|
|
|
if t[0] == '#' {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2015-06-09 01:56:48 +00:00
|
|
|
i := strings.Index(t, ":")
|
|
|
|
if i < 0 || i >= len(t) {
|
2015-06-11 02:29:27 +00:00
|
|
|
return nil, fmt.Errorf("htpasswd: invalid entry at line %d: %q", line, scanner.Text())
|
2015-06-09 01:56:48 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
entries[t[:i]] = []byte(t[i+1:])
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := scanner.Err(); err != nil {
|
|
|
|
return nil, err
|
2015-06-09 01:56:48 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 02:29:27 +00:00
|
|
|
return entries, nil
|
2015-04-21 19:57:12 +00:00
|
|
|
}
|