distribution/registry/auth/htpasswd/htpasswd.go

package htpasswd

import (
	"bufio"
	"fmt"
	"io"
	"strings"

	"golang.org/x/crypto/bcrypt"
)

// htpasswd holds a path to a system .htpasswd file and the machinery to parse
// it. Only bcrypt hash entries are supported.
type htpasswd struct {
	entries map[string][]byte // maps username to password byte slice.
}

// newHTPasswd parses the reader and returns an htpasswd or an error.
func newHTPasswd(rd io.Reader) (*htpasswd, error) {
	entries, err := parseHTPasswd(rd)
	if err != nil {
		return nil, err
	}

	return &htpasswd{entries: entries}, nil
}

// AuthenticateUser checks a given user:password credential against the
// receiving HTPasswd's file. If the check passes, nil is returned.
func (htpasswd *htpasswd) authenticateUser(username string, password string) error {
	credentials, ok := htpasswd.entries[username]
	if !ok {
		// timing attack paranoia
		bcrypt.CompareHashAndPassword([]byte{}, []byte(password))

		return ErrAuthenticationFailure
	}

	err := bcrypt.CompareHashAndPassword([]byte(credentials), []byte(password))
	if err != nil {
		return ErrAuthenticationFailure
	}

	return nil
}

// parseHTPasswd parses the contents of htpasswd. This will read all the
// entries in the file, whether or not they are needed. An error is returned
// if an syntax errors are encountered or if the reader fails.
func parseHTPasswd(rd io.Reader) (map[string][]byte, error) {
	entries := map[string][]byte{}
	scanner := bufio.NewScanner(rd)
	var line int
	for scanner.Scan() {
		line++ // 1-based line numbering
		t := strings.TrimSpace(scanner.Text())

		if len(t) < 1 {
			continue
		}

		// lines that *begin* with a '#' are considered comments
		if t[0] == '#' {
			continue
		}

		i := strings.Index(t, ":")
		if i < 0 || i >= len(t) {
			return nil, fmt.Errorf("htpasswd: invalid entry at line %d: %q", line, scanner.Text())
		}

		entries[t[:i]] = []byte(t[i+1:])
	}

	if err := scanner.Err(); err != nil {
		return nil, err
	}

	return entries, nil
}
Rename the basic access controller to htpasswd Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:40:05 +00:00			`package htpasswd`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00
			`import (`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`"bufio"`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`"fmt"`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`"io"`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`"strings"`
Fixed golint, gofmt warning advice. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 16:02:13 +00:00
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`"golang.org/x/crypto/bcrypt"`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`)`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`// htpasswd holds a path to a system .htpasswd file and the machinery to parse`
			`// it. Only bcrypt hash entries are supported.`
Removed dashes from comments, unexported htpasswd struct Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-06 05:37:32 +00:00			`type htpasswd struct {`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`entries map[string][]byte // maps username to password byte slice.`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`// newHTPasswd parses the reader and returns an htpasswd or an error.`
			`func newHTPasswd(rd io.Reader) (*htpasswd, error) {`
			`entries, err := parseHTPasswd(rd)`
			`if err != nil {`
			`return nil, err`
Added support for bcrypt, plaintext; extension points for other htpasswd hash methods. Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-06-04 15:46:34 +00:00			`}`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`return &htpasswd{entries: entries}, nil`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`// AuthenticateUser checks a given user:password credential against the`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`// receiving HTPasswd's file. If the check passes, nil is returned.`
			`func (htpasswd *htpasswd) authenticateUser(username string, password string) error {`
			`credentials, ok := htpasswd.entries[username]`
			`if !ok {`
			`// timing attack paranoia`
			`bcrypt.CompareHashAndPassword([]byte{}, []byte(password))`

			`return ErrAuthenticationFailure`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`err := bcrypt.CompareHashAndPassword([]byte(credentials), []byte(password))`
			`if err != nil {`
			`return ErrAuthenticationFailure`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`return nil`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`}`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`// parseHTPasswd parses the contents of htpasswd. This will read all the`
			`// entries in the file, whether or not they are needed. An error is returned`
			`// if an syntax errors are encountered or if the reader fails.`
			`func parseHTPasswd(rd io.Reader) (map[string][]byte, error) {`
			`entries := map[string][]byte{}`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`scanner := bufio.NewScanner(rd)`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`var line int`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`for scanner.Scan() {`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`line++ // 1-based line numbering`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`t := strings.TrimSpace(scanner.Text())`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00
			`if len(t) < 1 {`
			`continue`
			`}`

			`// lines that begin with a '#' are considered comments`
			`if t[0] == '#' {`
			`continue`
			`}`

Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`i := strings.Index(t, ":")`
			`if i < 0 \|\| i >= len(t) {`
Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`return nil, fmt.Errorf("htpasswd: invalid entry at line %d: %q", line, scanner.Text())`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`}`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`entries[t[:i]] = []byte(t[i+1:])`
			`}`

			`if err := scanner.Err(); err != nil {`
			`return nil, err`
Refactor Basic Authentication package This change refactors the basic authentication implementation to better follow Go coding standards. Many types are no longer exported. The parser is now a separate function from the authentication code. The standard functions (*http.Request).BasicAuth/SetBasicAuth are now used where appropriate. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-09 01:56:48 +00:00			`}`

Harden basic auth implementation After consideration, the basic authentication implementation has been simplified to only support bcrypt entries in an htpasswd file. This greatly increases the security of the implementation by reducing the possibility of timing attacks and other problems trying to detect the password hash type. Also, the htpasswd file is only parsed at startup, ensuring that the file can be edited and not effect ongoing requests. Newly added passwords take effect on restart. Subsequently, password hash entries are now stored in a map. Test cases have been modified accordingly. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-06-11 02:29:27 +00:00			`return entries, nil`
Implementation of a basic authentication scheme using standard .htpasswd files Signed-off-by: BadZen <dave.trombley@gmail.com> Signed-off-by: Dave Trombley <dave.trombley@gmail.com> 2015-04-21 19:57:12 +00:00			`}`