forked from oauth2-proxy/oauth2-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
htpasswd.go
162 lines (138 loc) · 4.29 KB
/
htpasswd.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
package basic
import (
// We support SHA1 & bcrypt in HTPasswd
"crypto/sha1" // #nosec G505
"encoding/base64"
"encoding/csv"
"fmt"
"io"
"os"
"sync"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/watcher"
"golang.org/x/crypto/bcrypt"
)
// htpasswdMap represents the structure of an htpasswd file.
// Passwords must be generated with -B for bcrypt or -s for SHA1.
type htpasswdMap struct {
users map[string]interface{}
rwm sync.RWMutex
}
// bcryptPass is used to identify bcrypt passwords in the
// htpasswdMap users.
type bcryptPass string
// sha1Pass os used to identify sha1 passwords in the
// htpasswdMap users.
type sha1Pass string
// NewHTPasswdValidator constructs an httpasswd based validator from the file
// at the path given.
func NewHTPasswdValidator(path string) (Validator, error) {
h := &htpasswdMap{users: make(map[string]interface{})}
err := h.loadHTPasswdFile(path)
if err != nil {
return nil, err
}
watcher.WatchFileForUpdates(path, nil, func() {
err := h.loadHTPasswdFile(path)
if err != nil {
logger.Errorf("%v: no changes were made to the current htpasswd map", err)
}
})
return h, nil
}
// loadHTPasswdFile loads htpasswd entries from an io.Reader (an opened file) into a htpasswdMap.
func (h *htpasswdMap) loadHTPasswdFile(filename string) error {
// We allow HTPasswd location via config options
r, err := os.Open(filename) // #nosec G304
if err != nil {
return fmt.Errorf("could not open htpasswd file: %v", err)
}
defer func(c io.Closer) {
cerr := c.Close()
if cerr != nil {
logger.Fatalf("error closing the htpasswd file: %v", cerr)
}
}(r)
csvReader := csv.NewReader(r)
csvReader.Comma = ':'
csvReader.Comment = '#'
csvReader.TrimLeadingSpace = true
records, err := csvReader.ReadAll()
if err != nil {
logger.Fatalf("could not read htpasswd file: %v", err)
}
updated, err := createHtpasswdMap(records)
if err != nil {
return fmt.Errorf("htpasswd entries error: %v", err)
}
h.rwm.Lock()
h.users = updated.users
h.rwm.Unlock()
return nil
}
// createHtasswdMap constructs an htpasswdMap from the given records
func createHtpasswdMap(records [][]string) (*htpasswdMap, error) {
h := &htpasswdMap{users: make(map[string]interface{})}
var invalidRecords, invalidEntries []string
for _, record := range records {
// If a record is invalid or malformed don't panic with index out of range,
// return a formatted error.
lr := len(record)
switch {
case lr == 2:
user, realPassword := record[0], record[1]
invalidEntries = passShaOrBcrypt(h, user, realPassword)
case lr == 1, lr > 2:
invalidRecords = append(invalidRecords, record[0])
}
}
if len(invalidRecords) > 0 {
return h, fmt.Errorf("invalid htpasswd record(s) %+q", invalidRecords)
}
if len(invalidEntries) > 0 {
return h, fmt.Errorf("'%+q' user(s) could not be added: invalid password, must be a SHA or bcrypt entry", invalidEntries)
}
if len(h.users) == 0 {
logger.Fatal("could not construct htpasswdMap: htpasswd file doesn't contain a single valid user entry")
}
return h, nil
}
// passShaOrBcrypt checks if a htpasswd entry is valid and the password is encrypted with SHA or bcrypt.
// Valid user entries are saved in the htpasswdMap, invalid records are reurned.
func passShaOrBcrypt(h *htpasswdMap, user, password string) (invalidEntries []string) {
passLen := len(password)
switch {
case passLen > 6 && password[:5] == "{SHA}":
h.users[user] = sha1Pass(password[5:])
case passLen > 5 &&
(password[:4] == "$2b$" ||
password[:4] == "$2y$" ||
password[:4] == "$2x$" ||
password[:4] == "$2a$"):
h.users[user] = bcryptPass(password)
default:
invalidEntries = append(invalidEntries, user)
}
return invalidEntries
}
// Validate checks a users password against the htpasswd entries
func (h *htpasswdMap) Validate(user string, password string) bool {
realPassword, exists := h.users[user]
if !exists {
return false
}
switch rp := realPassword.(type) {
case sha1Pass:
// We support SHA1 HTPasswd entries
d := sha1.New() // #nosec G401
_, err := d.Write([]byte(password))
if err != nil {
return false
}
return string(rp) == base64.StdEncoding.EncodeToString(d.Sum(nil))
case bcryptPass:
return bcrypt.CompareHashAndPassword([]byte(rp), []byte(password)) == nil
default:
return false
}
}