forked from redpanda-data/connect
-
Notifications
You must be signed in to change notification settings - Fork 0
/
basic_auth.go
154 lines (131 loc) · 4.43 KB
/
basic_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
package httpserver
import (
"crypto/md5"
"crypto/sha256"
"crypto/subtle"
"encoding/base64"
"errors"
"fmt"
"net/http"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/scrypt"
"github.com/benthosdev/benthos/v4/internal/docs"
)
const (
scryptN = 32768
scryptR = 8
scryptP = 1
scryptKeyLen = 32
)
// BasicAuthConfig contains struct based fields for basic authentication.
type BasicAuthConfig struct {
Enabled bool `json:"enabled" yaml:"enabled"`
Username string `json:"username" yaml:"username"`
PasswordHash string `json:"password_hash" yaml:"password_hash"`
Realm string `json:"realm" yaml:"realm"`
Algorithm string `json:"algorithm" yaml:"algorithm"`
Salt string `json:"salt" yaml:"salt"`
}
// NewBasicAuthConfig returns a BasicAuthConfig with default values.
func NewBasicAuthConfig() BasicAuthConfig {
return BasicAuthConfig{
Enabled: false,
Username: "",
PasswordHash: "",
Realm: "restricted",
Algorithm: "sha256",
Salt: "",
}
}
// Validate confirms that the BasicAuth is properly configured.
func (b BasicAuthConfig) Validate() error {
if !b.Enabled {
return nil
}
if b.Username == "" || b.PasswordHash == "" {
return errors.New("both username and password_hash are required")
}
if !(b.Algorithm == "md5" || b.Algorithm == "sha256" || b.Algorithm == "bcrypt" || b.Algorithm == "scrypt") {
return errors.New("algorithm should be one of md5, sha256, bcrypt, or scrypt")
}
if b.Algorithm == "scrypt" && b.Salt == "" {
return errors.New("salt is required for scrypt")
}
if b.Algorithm == "scrypt" {
if _, err := base64.StdEncoding.DecodeString(b.Salt); err != nil {
return fmt.Errorf("invalid salt : %w", err)
}
}
return nil
}
// WrapHandler wraps the provided HTTP handler with middleware that enforces
// BasicAuth if it's enabled.
func (b BasicAuthConfig) WrapHandler(next http.HandlerFunc) http.HandlerFunc {
if !b.Enabled {
return next
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user, pass, ok := r.BasicAuth()
if !ok {
user = ""
pass = ""
}
if ok, err := b.matches(user, pass); !ok || err != nil {
if err != nil {
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q, charset="UTF-8"`, b.Realm))
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
next.ServeHTTP(w, r)
})
}
// BasicAuthFieldSpec returns the spec for an HTTP BasicAuth component.
func BasicAuthFieldSpec() docs.FieldSpec {
return docs.FieldObject("basic_auth", "Allows you to enforce and customise basic authentication for requests to the HTTP server.").WithChildren(
docs.FieldBool("enabled", "Enable basic authentication").HasDefault(false),
docs.FieldString("realm", "Custom realm name").HasDefault("restricted"),
docs.FieldString("username", "Username required to authenticate.").HasDefault(""),
docs.FieldString("password_hash", "Hashed password required to authenticate. (base64 encoded)").HasDefault(""),
docs.FieldString("algorithm", "Encryption algorithm used to generate `password_hash`.", "md5", "sha256", "bcrypt", "scrypt").HasDefault("sha256"),
docs.FieldString("salt", "Salt for scrypt algorithm. (base64 encoded)").HasDefault(""),
).Advanced()
}
func (b BasicAuthConfig) matches(user, pass string) (bool, error) {
expectedPassHash, err := base64.StdEncoding.DecodeString(b.PasswordHash)
if err != nil {
return false, err
}
userMatch := (subtle.ConstantTimeCompare([]byte(user), []byte(b.Username)) == 1)
passMatch := b.compareHashAndPassword(expectedPassHash, []byte(pass))
return (userMatch && passMatch), nil
}
func (b BasicAuthConfig) compareHashAndPassword(hashedPassword, password []byte) bool {
switch b.Algorithm {
case "md5":
v := md5.Sum(password)
return (subtle.ConstantTimeCompare(hashedPassword, v[:]) == 1)
case "sha256":
v := sha256.Sum256(password)
return (subtle.ConstantTimeCompare(hashedPassword, v[:]) == 1)
case "bcrypt":
if err := bcrypt.CompareHashAndPassword(hashedPassword, password); err != nil {
return false
}
return true
case "scrypt":
salt, err := base64.StdEncoding.DecodeString(b.Salt)
if err != nil {
return false
}
v, err := scrypt.Key(password, salt, scryptN, scryptR, scryptP, scryptKeyLen)
if err != nil {
return false
}
return (subtle.ConstantTimeCompare(hashedPassword, v) == 1)
default:
return false
}
}