Add support for generating htpasswd hash

crypto.go

@@ -27,7 +27,10 @@ import (
 	"net"
 	"time"
 
+	"strings"
+
 	"github.com/google/uuid"
+	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -46,6 +49,17 @@ func adler32sum(input string) string {
 	return fmt.Sprintf("%d", hash)
 }
 
+func htpasswd(username string, password string) string {
+	if strings.Contains(username, ":") {
+		return fmt.Sprintf("invalid username: %s", username)
+	}
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Sprintf("failed to create htpasswd: %s", err)
+	}
+	return fmt.Sprintf("%s:%s", username, hash)
+}
+
 // uuidv4 provides a safe and secure UUID v4 implementation
 func uuidv4() string {
 	return uuid.New().String()

crypto_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/bcrypt"
 )
 
 const (
@@ -36,6 +37,34 @@ func TestAdler32Sum(t *testing.T) {
 	}
 }
 
+type HtpasswdCred struct {
+	Username string
+	Password string
+	Valid    bool
+}
+
+func TestHtpasswd(t *testing.T) {
+	expectations := []HtpasswdCred{
+		{Username: "myUser", Password: "myPassword", Valid: true},
+		{Username: "special'o79Cv_*qFe,)<user", Password: "special<j7+3p#6-.Jx2U:m8G;kGypassword", Valid: true},
+		{Username: "wrongus:er", Password: "doesn'tmatter", Valid: false}, // ':' isn't allowed in the username - https://tools.ietf.org/html/rfc2617#page-6
+	}
+
+	for _, credential := range expectations {
+		out, err := runRaw(`{{htpasswd .Username .Password}}`, credential)
+		if err != nil {
+			t.Error(err)
+		}
+		result := strings.Split(out, ":")
+		if 0 != strings.Compare(credential.Username, result[0]) && credential.Valid {
+			t.Error("Generated username did not match for:", credential.Username)
+		}
+		if bcrypt.CompareHashAndPassword([]byte(result[1]), []byte(credential.Password)) != nil && credential.Valid {
+			t.Error("Generated hash is not the equivalent for password:", credential.Password)
+		}
+	}
+}
+
 func TestDerivePassword(t *testing.T) {
 	expectations := map[string]string{
 		`{{derivePassword 1 "long" "password" "user" "example.com"}}`:    "ZedaFaxcZaso9*",

docs/crypto.md

@@ -29,6 +29,16 @@ The `adler32sum` function receives a string, and computes its Adler-32 checksum.
 adler32sum "Hello world!"
 ```
 
+## htpasswd
+
+The `htpasswd` function takes a `username` and `password` and generates a `bcrypt` hash of the password. The result can be used for basic authentication on an [Apache HTTP Server](https://httpd.apache.org/docs/2.4/misc/password_encryptions.html#basic).
+
+```
+htpasswd "myUser" "myPassword"
+```
+
+Note that it is insecure to store the password directly in the template.
+
 ## derivePassword
 
 The `derivePassword` function can be used to derive a specific password based on

functions.go

@@ -297,6 +297,7 @@ var genericMap = map[string]interface{}{
 	"concat":      concat,
 
 	// Crypto:
+	"htpasswd":          htpasswd,
 	"genPrivateKey":     generatePrivateKey,
 	"derivePassword":    derivePassword,
 	"buildCustomCert":   buildCustomCertificate,