distribution/registry/auth/basic/access.go

// Package basic provides a simple authentication scheme that checks for the
// user credential hash in an htpasswd formatted file in a configuration-determined
// location.
//
// The use of SHA hashes (htpasswd -s) is enforced since MD5 is insecure and simple
// system crypt() may be as well.
//
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
package basic

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"

	ctxu "github.com/docker/distribution/context"
	"github.com/docker/distribution/registry/auth"
	"golang.org/x/net/context"
)

type accessController struct {
	realm    string
	htpasswd *HTPasswd
}

type challenge struct {
	realm string
	err   error
}

var _ auth.AccessController = &accessController{}
var (
	// ErrPasswordRequired - returned when no auth token is given.
	ErrPasswordRequired = errors.New("authorization credential required")
	// ErrInvalidCredential - returned when the auth token does not authenticate correctly.
	ErrInvalidCredential = errors.New("invalid authorization credential")
)

func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
	realm, present := options["realm"]
	if _, ok := realm.(string); !present || !ok {
		return nil, fmt.Errorf(`"realm" must be set for basic access controller`)
	}

	path, present := options["path"]
	if _, ok := path.(string); !present || !ok {
		return nil, fmt.Errorf(`"path" must be set for basic access controller`)
	}

	return &accessController{realm: realm.(string), htpasswd: NewHTPasswd(path.(string))}, nil
}

func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
	req, err := ctxu.GetRequest(ctx)
	if err != nil {
		return nil, err
	}

	authHeader := req.Header.Get("Authorization")

	if authHeader == "" {
		challenge := challenge{
			realm: ac.realm,
		}
		return nil, &challenge
	}

	parts := strings.Split(req.Header.Get("Authorization"), " ")

	challenge := challenge{
		realm: ac.realm,
	}

	if len(parts) != 2 || strings.ToLower(parts[0]) != "basic" {
		challenge.err = ErrPasswordRequired
		return nil, &challenge
	}

	text, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		challenge.err = ErrInvalidCredential
		return nil, &challenge
	}

	credential := strings.Split(string(text), ":")
	if len(credential) != 2 {
		challenge.err = ErrInvalidCredential
		return nil, &challenge
	}

	if res, _ := ac.htpasswd.AuthenticateUser(credential[0], credential[1]); !res {
		challenge.err = ErrInvalidCredential
		return nil, &challenge
	}

	return auth.WithUser(ctx, auth.UserInfo{Name: credential[0]}), nil
}

func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	header := fmt.Sprintf("Basic realm=%q", ch.realm)
	w.Header().Set("WWW-Authenticate", header)
	w.WriteHeader(http.StatusUnauthorized)
}

func (ch *challenge) Error() string {
	return fmt.Sprintf("basic authentication challenge: %#v", ch)
}

func init() {
	auth.Register("basic", auth.InitFunc(newAccessController))
}
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`// Package basic provides a simple authentication scheme that checks for the`
			`// user credential hash in an htpasswd formatted file in a configuration-determined`
			`// location.`
			`//`
			`// The use of SHA hashes (htpasswd -s) is enforced since MD5 is insecure and simple`
			`// system crypt() may be as well.`
			`//`
			`// This authentication method MUST be used under TLS, as simple token-replay attack is possible.`
			`package basic`

			`import (`
			`"encoding/base64"`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"strings"`

			`ctxu "github.com/docker/distribution/context"`
			`"github.com/docker/distribution/registry/auth"`
			`"golang.org/x/net/context"`
			`)`

			`type accessController struct {`
			`realm string`
			`htpasswd *HTPasswd`
			`}`

			`type challenge struct {`
			`realm string`
			`err error`
			`}`

			`var _ auth.AccessController = &accessController{}`
			`var (`
Fixed WWW-Authenticate: header, added example config and import into main, fixed golint warnings Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-22 14:35:59 +00:00			`// ErrPasswordRequired - returned when no auth token is given.`
Aligned formatting with gofmt Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-22 15:13:48 +00:00			`ErrPasswordRequired = errors.New("authorization credential required")`
			`// ErrInvalidCredential - returned when the auth token does not authenticate correctly.`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`ErrInvalidCredential = errors.New("invalid authorization credential")`
			`)`

			`func newAccessController(options map[string]interface{}) (auth.AccessController, error) {`
			`realm, present := options["realm"]`
			`if _, ok := realm.(string); !present \|\| !ok {`
			return nil, fmt.Errorf(`"realm" must be set for basic access controller`)
			`}`

			`path, present := options["path"]`
			`if _, ok := path.(string); !present \|\| !ok {`
			return nil, fmt.Errorf(`"path" must be set for basic access controller`)
			`}`

			`return &accessController{realm: realm.(string), htpasswd: NewHTPasswd(path.(string))}, nil`
			`}`

			`func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {`
			`req, err := ctxu.GetRequest(ctx)`
			`if err != nil {`
			`return nil, err`
			`}`

			`authHeader := req.Header.Get("Authorization")`

			`if authHeader == "" {`
			`challenge := challenge{`
			`realm: ac.realm,`
			`}`
			`return nil, &challenge`
			`}`

			`parts := strings.Split(req.Header.Get("Authorization"), " ")`

			`challenge := challenge{`
			`realm: ac.realm,`
			`}`

			`if len(parts) != 2 \|\| strings.ToLower(parts[0]) != "basic" {`
			`challenge.err = ErrPasswordRequired`
			`return nil, &challenge`
			`}`

			`text, err := base64.StdEncoding.DecodeString(parts[1])`
			`if err != nil {`
			`challenge.err = ErrInvalidCredential`
			`return nil, &challenge`
			`}`

			`credential := strings.Split(string(text), ":")`
			`if len(credential) != 2 {`
			`challenge.err = ErrInvalidCredential`
			`return nil, &challenge`
			`}`

			`if res, _ := ac.htpasswd.AuthenticateUser(credential[0], credential[1]); !res {`
			`challenge.err = ErrInvalidCredential`
			`return nil, &challenge`
			`}`

			`return auth.WithUser(ctx, auth.UserInfo{Name: credential[0]}), nil`
			`}`

			`func (ch challenge) ServeHTTP(w http.ResponseWriter, r http.Request) {`
Fixed WWW-Authenticate: header, added example config and import into main, fixed golint warnings Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-22 14:35:59 +00:00			`header := fmt.Sprintf("Basic realm=%q", ch.realm)`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`w.Header().Set("WWW-Authenticate", header)`
			`w.WriteHeader(http.StatusUnauthorized)`
			`}`

			`func (ch *challenge) Error() string {`
			`return fmt.Sprintf("basic authentication challenge: %#v", ch)`
			`}`

			`func init() {`
			`auth.Register("basic", auth.InitFunc(newAccessController))`
			`}`