distribution/registry/auth/htpasswd/access.go

// Package htpasswd provides a simple authentication scheme that checks for the
// user credential hash in an htpasswd formatted file in a configuration-determined
// location.
//
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
package htpasswd

import (
	"fmt"
	"net/http"
	"os"
	"sync"
	"time"

	"github.com/docker/distribution/context"
	"github.com/docker/distribution/registry/auth"
)

type accessController struct {
	realm    string
	path     string
	modtime  time.Time
	mu       sync.Mutex
	htpasswd *htpasswd
}

var _ auth.AccessController = &accessController{}

func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
	realm, present := options["realm"]
	if _, ok := realm.(string); !present || !ok {
		return nil, fmt.Errorf(`"realm" must be set for htpasswd access controller`)
	}

	path, present := options["path"]
	if _, ok := path.(string); !present || !ok {
		return nil, fmt.Errorf(`"path" must be set for htpasswd access controller`)
	}

	return &accessController{realm: realm.(string), path: path.(string)}, nil
}

func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
	req, err := context.GetRequest(ctx)
	if err != nil {
		return nil, err
	}

	username, password, ok := req.BasicAuth()
	if !ok {
		return nil, &challenge{
			realm: ac.realm,
			err:   auth.ErrInvalidCredential,
		}
	}

	// Dynamically parsing the latest account list
	fstat, err := os.Stat(ac.path)
	if err != nil {
		return nil, err
	}

	lastModified := fstat.ModTime()
	ac.mu.Lock()
	if ac.htpasswd == nil || !ac.modtime.Equal(lastModified) {
		ac.modtime = lastModified

		f, err := os.Open(ac.path)
		if err != nil {
			ac.mu.Unlock()
			return nil, err
		}
		defer f.Close()

		h, err := newHTPasswd(f)
		if err != nil {
			ac.mu.Unlock()
			return nil, err
		}
		ac.htpasswd = h
	}
	localHTPasswd := ac.htpasswd
	ac.mu.Unlock()

	if err := localHTPasswd.authenticateUser(username, password); err != nil {
		context.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err)
		return nil, &challenge{
			realm: ac.realm,
			err:   auth.ErrAuthenticationFailure,
		}
	}

	return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil
}

// challenge implements the auth.Challenge interface.
type challenge struct {
	realm string
	err   error
}

var _ auth.Challenge = challenge{}

// SetHeaders sets the basic challenge header on the response.
func (ch challenge) SetHeaders(w http.ResponseWriter) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))
}

func (ch challenge) Error() string {
	return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err)
}

func init() {
	auth.Register("htpasswd", auth.InitFunc(newAccessController))
}
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`// Package htpasswd provides a simple authentication scheme that checks for the`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`// user credential hash in an htpasswd formatted file in a configuration-determined`
			`// location.`
			`//`
			`// This authentication method MUST be used under TLS, as simple token-replay attack is possible.`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`package htpasswd`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00
			`import (`
			`"fmt"`
			`"net/http"`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`"os"`
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`"sync"`
			`"time"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00
auth.AccessController interface now uses distribution/context Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:48:47 +00:00			`"github.com/docker/distribution/context"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`"github.com/docker/distribution/registry/auth"`
			`)`

			`type accessController struct {`
			`realm string`
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`path string`
			`modtime time.Time`
			`mu sync.Mutex`
Removed dashes from comments, unexported htpasswd struct Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-06 05:37:32 +00:00			`htpasswd *htpasswd`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`var _ auth.AccessController = &accessController{}`

			`func newAccessController(options map[string]interface{}) (auth.AccessController, error) {`
			`realm, present := options["realm"]`
			`if _, ok := realm.(string); !present \|\| !ok {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			return nil, fmt.Errorf(`"realm" must be set for htpasswd access controller`)
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`path, present := options["path"]`
			`if _, ok := path.(string); !present \|\| !ok {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			return nil, fmt.Errorf(`"path" must be set for htpasswd access controller`)
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`return &accessController{realm: realm.(string), path: path.(string)}, nil`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {`
auth.AccessController interface now uses distribution/context Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:48:47 +00:00			`req, err := context.GetRequest(ctx)`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`username, password, ok := req.BasicAuth()`
			`if !ok {`
			`return nil, &challenge{`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`realm: ac.realm,`
Add credential authenticator interface Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-13 01:15:19 +00:00			`err: auth.ErrInvalidCredential,`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`
			`}`
Fixed golint, gofmt warning advice. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 16:02:13 +00:00
Dynamically Parsing the Latest HTPassword File To parse the latest account list dynamically instead of restarting the distribution service frequently. Signed-off-by: CUI Wei <ghostplant@qq.com> 2016-08-26 05:18:34 +00:00			`// Dynamically parsing the latest account list`
			`fstat, err := os.Stat(ac.path)`
			`if err != nil {`
			`return nil, err`
			`}`

			`lastModified := fstat.ModTime()`
			`ac.mu.Lock()`
			`if ac.htpasswd == nil \|\| !ac.modtime.Equal(lastModified) {`
			`ac.modtime = lastModified`

			`f, err := os.Open(ac.path)`
			`if err != nil {`
			`ac.mu.Unlock()`
			`return nil, err`
			`}`
			`defer f.Close()`

			`h, err := newHTPasswd(f)`
			`if err != nil {`
			`ac.mu.Unlock()`
			`return nil, err`
			`}`
			`ac.htpasswd = h`
			`}`
			`localHTPasswd := ac.htpasswd`
			`ac.mu.Unlock()`

			`if err := localHTPasswd.authenticateUser(username, password); err != nil {`
auth.AccessController interface now uses distribution/context Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:48:47 +00:00			`context.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err)`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`return nil, &challenge{`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`realm: ac.realm,`
Add credential authenticator interface Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-13 01:15:19 +00:00			`err: auth.ErrAuthenticationFailure,`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`}`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil`
			`}`

			`// challenge implements the auth.Challenge interface.`
			`type challenge struct {`
			`realm string`
			`err error`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Simplify auth.Challenge interface to SetHeaders This removes the erroneous http.Handler interface in favor a simple SetHeaders method that only operattes on the response. Several unnecessary uses of pointer types were also fixed up. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:39:56 +00:00			`var _ auth.Challenge = challenge{}`

			`// SetHeaders sets the basic challenge header on the response.`
			`func (ch challenge) SetHeaders(w http.ResponseWriter) {`
			`w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Simplify auth.Challenge interface to SetHeaders This removes the erroneous http.Handler interface in favor a simple SetHeaders method that only operattes on the response. Several unnecessary uses of pointer types were also fixed up. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-07-24 02:39:56 +00:00			`func (ch challenge) Error() string {`
De-obfuscate error message Previously, this error message would stringify as a pointer address, which isn't particularly helpful. This change breaks out the elements of the challenge object such that the error is appropriately represented. Signed-off-by: Ted Reed <ted.reed@gmail.com> 2015-11-07 01:10:28 +00:00			`return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err)`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

			`func init() {`
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`auth.Register("htpasswd", auth.InitFunc(newAccessController))`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`