Harden basic auth implementation

After consideration, the basic authentication implementation has been
simplified to only support bcrypt entries in an htpasswd file. This greatly
increases the security of the implementation by reducing the possibility of
timing attacks and other problems trying to detect the password hash type.

Also, the htpasswd file is only parsed at startup, ensuring that the file can
be edited and not effect ongoing requests. Newly added passwords take effect on
restart. Subsequently, password hash entries are now stored in a map.

Test cases have been modified accordingly.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
This commit is contained in:
Stephen J Day 2015-06-10 19:29:27 -07:00
parent ffe56ebe41
commit ffd3662982
5 changed files with 164 additions and 124 deletions

View file

@ -9,6 +9,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
"os"
ctxu "github.com/docker/distribution/context" ctxu "github.com/docker/distribution/context"
"github.com/docker/distribution/registry/auth" "github.com/docker/distribution/registry/auth"
@ -41,7 +42,18 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
return nil, fmt.Errorf(`"path" must be set for basic access controller`) return nil, fmt.Errorf(`"path" must be set for basic access controller`)
} }
return &accessController{realm: realm.(string), htpasswd: newHTPasswd(path.(string))}, nil f, err := os.Open(path.(string))
if err != nil {
return nil, err
}
defer f.Close()
h, err := newHTPasswd(f)
if err != nil {
return nil, err
}
return &accessController{realm: realm.(string), htpasswd: h}, nil
} }
func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) { func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
@ -58,7 +70,7 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
} }
} }
if err := ac.htpasswd.authenticateUser(ctx, username, password); err != nil { if err := ac.htpasswd.authenticateUser(username, password); err != nil {
ctxu.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err) ctxu.GetLogger(ctx).Errorf("error authenticating user %q: %v", username, err)
return nil, &challenge{ return nil, &challenge{
realm: ac.realm, realm: ac.realm,

View file

@ -11,7 +11,6 @@ import (
) )
func TestBasicAccessController(t *testing.T) { func TestBasicAccessController(t *testing.T) {
testRealm := "The-Shire" testRealm := "The-Shire"
testUsers := []string{"bilbo", "frodo", "MiShil", "DeokMan"} testUsers := []string{"bilbo", "frodo", "MiShil", "DeokMan"}
testPasswords := []string{"baggins", "baggins", "새주", "공주님"} testPasswords := []string{"baggins", "baggins", "새주", "공주님"}
@ -85,6 +84,11 @@ func TestBasicAccessController(t *testing.T) {
t.Fatalf("unexpected non-fail response status: %v != %v", resp.StatusCode, http.StatusUnauthorized) t.Fatalf("unexpected non-fail response status: %v != %v", resp.StatusCode, http.StatusUnauthorized)
} }
nonbcrypt := map[string]struct{}{
"bilbo": struct{}{},
"DeokMan": struct{}{},
}
for i := 0; i < len(testUsers); i++ { for i := 0; i < len(testUsers); i++ {
userNumber = i userNumber = i
req, err := http.NewRequest("GET", server.URL, nil) req, err := http.NewRequest("GET", server.URL, nil)
@ -100,10 +104,18 @@ func TestBasicAccessController(t *testing.T) {
} }
defer resp.Body.Close() defer resp.Body.Close()
if _, ok := nonbcrypt[testUsers[i]]; ok {
// these are not allowed.
// Request should be authorized
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("unexpected non-success response status: %v != %v for %s %s", resp.StatusCode, http.StatusUnauthorized, testUsers[i], testPasswords[i])
}
} else {
// Request should be authorized // Request should be authorized
if resp.StatusCode != http.StatusNoContent { if resp.StatusCode != http.StatusNoContent {
t.Fatalf("unexpected non-success response status: %v != %v for %s %s", resp.StatusCode, http.StatusNoContent, testUsers[i], testPasswords[i]) t.Fatalf("unexpected non-success response status: %v != %v for %s %s", resp.StatusCode, http.StatusNoContent, testUsers[i], testPasswords[i])
} }
} }
}
} }

View file

@ -2,149 +2,79 @@ package basic
import ( import (
"bufio" "bufio"
"crypto/sha1" "fmt"
"encoding/base64"
"io" "io"
"os"
"regexp"
"strings" "strings"
"github.com/docker/distribution/context"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
) )
// htpasswd holds a path to a system .htpasswd file and the machinery to parse it. // htpasswd holds a path to a system .htpasswd file and the machinery to parse
// it. Only bcrypt hash entries are supported.
type htpasswd struct { type htpasswd struct {
path string entries map[string][]byte // maps username to password byte slice.
} }
// authType represents a particular hash function used in the htpasswd file. // newHTPasswd parses the reader and returns an htpasswd or an error.
type authType int func newHTPasswd(rd io.Reader) (*htpasswd, error) {
entries, err := parseHTPasswd(rd)
const ( if err != nil {
authTypePlainText authType = iota // Plain-text password storage (htpasswd -p) return nil, err
authTypeSHA1 // sha hashed password storage (htpasswd -s)
authTypeApacheMD5 // apr iterated md5 hashing (htpasswd -m)
authTypeBCrypt // BCrypt adapative password hashing (htpasswd -B)
authTypeCrypt // System crypt() hashes. (htpasswd -d)
)
var bcryptPrefixRegexp = regexp.MustCompile(`^\$2[ab]?y\$`)
// detectAuthCredentialType inspects the credential and resolves the encryption scheme.
func detectAuthCredentialType(cred string) authType {
if strings.HasPrefix(cred, "{SHA}") {
return authTypeSHA1
} }
if strings.HasPrefix(cred, "$apr1$") {
return authTypeApacheMD5
}
if bcryptPrefixRegexp.MatchString(cred) {
return authTypeBCrypt
}
// There's just not a great way to distinguish between these next two...
if len(cred) == 13 {
return authTypeCrypt
}
return authTypePlainText
}
// String Returns a text representation of the AuthType return &htpasswd{entries: entries}, nil
func (at authType) String() string {
switch at {
case authTypePlainText:
return "plaintext"
case authTypeSHA1:
return "sha1"
case authTypeApacheMD5:
return "md5"
case authTypeBCrypt:
return "bcrypt"
case authTypeCrypt:
return "system crypt"
}
return "unknown"
}
// NewHTPasswd Create a new HTPasswd with the given path to .htpasswd file.
func newHTPasswd(htpath string) *htpasswd {
return &htpasswd{path: htpath}
} }
// AuthenticateUser checks a given user:password credential against the // AuthenticateUser checks a given user:password credential against the
// receiving HTPasswd's file. If the check passes, nil is returned. Note that // receiving HTPasswd's file. If the check passes, nil is returned.
// this parses the htpasswd file on each request so ensure that updates are func (htpasswd *htpasswd) authenticateUser(username string, password string) error {
// available. credentials, ok := htpasswd.entries[username]
func (htpasswd *htpasswd) authenticateUser(ctx context.Context, username string, password string) error { if !ok {
// Open the file. // timing attack paranoia
in, err := os.Open(htpasswd.path) bcrypt.CompareHashAndPassword([]byte{}, []byte(password))
if err != nil {
return err
}
defer in.Close()
for _, entry := range parseHTPasswd(ctx, in) {
if entry.username != username {
continue // wrong entry
}
switch t := detectAuthCredentialType(entry.password); t {
case authTypeSHA1:
sha := sha1.New()
sha.Write([]byte(password))
hash := base64.StdEncoding.EncodeToString(sha.Sum(nil))
if entry.password[5:] != hash {
return ErrAuthenticationFailure return ErrAuthenticationFailure
} }
return nil err := bcrypt.CompareHashAndPassword([]byte(credentials), []byte(password))
case authTypeBCrypt:
err := bcrypt.CompareHashAndPassword([]byte(entry.password), []byte(password))
if err != nil { if err != nil {
return ErrAuthenticationFailure return ErrAuthenticationFailure
} }
return nil return nil
case authTypePlainText:
if password != entry.password {
return ErrAuthenticationFailure
}
return nil
default:
context.GetLogger(ctx).Errorf("unsupported basic authentication type: %v", t)
}
}
return ErrAuthenticationFailure
} }
// htpasswdEntry represents a line in an htpasswd file. // parseHTPasswd parses the contents of htpasswd. This will read all the
type htpasswdEntry struct { // entries in the file, whether or not they are needed. An error is returned
username string // username, plain text // if an syntax errors are encountered or if the reader fails.
password string // stores hashed passwd func parseHTPasswd(rd io.Reader) (map[string][]byte, error) {
} entries := map[string][]byte{}
// parseHTPasswd parses the contents of htpasswd. Bad entries are skipped and
// logged, so this may return empty. This will read all the entries in the
// file, whether or not they are needed.
func parseHTPasswd(ctx context.Context, rd io.Reader) []htpasswdEntry {
entries := []htpasswdEntry{}
scanner := bufio.NewScanner(rd) scanner := bufio.NewScanner(rd)
var line int
for scanner.Scan() { for scanner.Scan() {
line++ // 1-based line numbering
t := strings.TrimSpace(scanner.Text()) t := strings.TrimSpace(scanner.Text())
i := strings.Index(t, ":")
if i < 0 || i >= len(t) { if len(t) < 1 {
context.GetLogger(ctx).Errorf("bad entry in htpasswd: %q", t)
continue continue
} }
entries = append(entries, htpasswdEntry{ // lines that *begin* with a '#' are considered comments
username: t[:i], if t[0] == '#' {
password: t[i+1:], continue
})
} }
return entries i := strings.Index(t, ":")
if i < 0 || i >= len(t) {
return nil, fmt.Errorf("htpasswd: invalid entry at line %d: %q", line, scanner.Text())
}
entries[t[:i]] = []byte(t[i+1:])
}
if err := scanner.Err(); err != nil {
return nil, err
}
return entries, nil
} }

View file

@ -0,0 +1,85 @@
package basic
import (
"fmt"
"reflect"
"strings"
"testing"
)
func TestParseHTPasswd(t *testing.T) {
for _, tc := range []struct {
desc string
input string
err error
entries map[string][]byte
}{
{
desc: "basic example",
input: `
# This is a comment in a basic example.
bilbo:{SHA}5siv5c0SHx681xU6GiSx9ZQryqs=
frodo:$2y$05$926C3y10Quzn/LnqQH86VOEVh/18T6RnLaS.khre96jLNL/7e.K5W
MiShil:$2y$05$0oHgwMehvoe8iAWS8I.7l.KoECXrwVaC16RPfaSCU5eVTFrATuMI2
DeokMan:공주님
`,
entries: map[string][]byte{
"bilbo": []byte("{SHA}5siv5c0SHx681xU6GiSx9ZQryqs="),
"frodo": []byte("$2y$05$926C3y10Quzn/LnqQH86VOEVh/18T6RnLaS.khre96jLNL/7e.K5W"),
"MiShil": []byte("$2y$05$0oHgwMehvoe8iAWS8I.7l.KoECXrwVaC16RPfaSCU5eVTFrATuMI2"),
"DeokMan": []byte("공주님"),
},
},
{
desc: "ensures comments are filtered",
input: `
# asdf:asdf
`,
},
{
desc: "ensure midline hash is not comment",
input: `
asdf:as#df
`,
entries: map[string][]byte{
"asdf": []byte("as#df"),
},
},
{
desc: "ensure midline hash is not comment",
input: `
# A valid comment
valid:entry
asdf
`,
err: fmt.Errorf(`htpasswd: invalid entry at line 4: "asdf"`),
},
} {
entries, err := parseHTPasswd(strings.NewReader(tc.input))
if err != tc.err {
if tc.err == nil {
t.Fatalf("%s: unexpected error: %v", tc.desc, err)
} else {
if err.Error() != tc.err.Error() { // use string equality here.
t.Fatalf("%s: expected error not returned: %v != %v", tc.desc, err, tc.err)
}
}
}
if tc.err != nil {
continue // don't test output
}
// allow empty and nil to be equal
if tc.entries == nil {
tc.entries = map[string][]byte{}
}
if !reflect.DeepEqual(entries, tc.entries) {
t.Fatalf("%s: entries not parsed correctly: %v != %v", tc.desc, entries, tc.entries)
}
}
}

View file

@ -147,6 +147,7 @@ func NewApp(ctx context.Context, configuration configuration.Configuration) *App
panic(fmt.Sprintf("unable to configure authorization (%s): %v", authType, err)) panic(fmt.Sprintf("unable to configure authorization (%s): %v", authType, err))
} }
app.accessController = accessController app.accessController = accessController
ctxu.GetLogger(app).Debugf("configured %q access controller", authType)
} }
return app return app