Merge 0eabc15 into 36dc907

cloudtrust · May 14, 2019 · c3eb489 · c3eb489
2 parents 36dc907 + 0eabc15
commit c3eb489
Show file tree

Hide file tree

Showing 2 changed files with 166 additions and 0 deletions.
diff --git a/middleware/authentication.go b/middleware/authentication.go
@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -11,6 +12,72 @@ import (
 	"github.com/gbrlsnchs/jwt"
 )
 
+// MakeHTTPBasicAuthenticationMW retrieve the token from the HTTP header 'Basic' and
+// check if the password value match the allowed one.
+// If there is no such header, the request is not allowed.
+// If the password is correct, the username is added into the context:
+//   - username: username extracted from the token
+func MakeHTTPBasicAuthenticationMW(passwordToMatch string, logger cs.Logger) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			var authorizationHeader = req.Header.Get("Authorization")
+
+			if authorizationHeader == "" {
+				logger.Log("Authorization Error", "Missing Authorization header")
+				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Missing Authorization header"), w)
+				return
+			}
+
+			var matched, _ = regexp.MatchString(`^[Bb]asic *`, authorizationHeader)
+
+			if !matched {
+				logger.Log("Authorization Error", "Missing basic token")
+				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Missing basic token"), w)
+				return
+			}
+
+			var splitToken = strings.Split(authorizationHeader, "Basic ")
+			if len(splitToken) < 2 {
+				splitToken = strings.Split(authorizationHeader, "basic ")
+			}
+
+			var accessToken = splitToken[1]
+
+			// Decode base 64
+			decodedToken, err := base64.StdEncoding.DecodeString(accessToken)
+
+			if err != nil {
+				logger.Log("Authorization Error", "Invalid base64 token")
+				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Invalid token"), w)
+				return
+			}
+
+			// Extract username & password values
+			var tokenSubparts = strings.Split(string(decodedToken), ":")
+
+			if len(tokenSubparts) != 2 {
+				logger.Log("Authorization Error", "Invalid token format (username:password)")
+				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Invalid token"), w)
+				return
+			}
+
+			var username = tokenSubparts[0]
+			var password = tokenSubparts[1]
+
+			// Check password match
+			if password != passwordToMatch {
+				logger.Log("Authorization Error", "Invalid password value")
+				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Invalid token"), w)
+				return
+			}
+
+			var ctx = context.WithValue(req.Context(), "username", username)
+
+			next.ServeHTTP(w, req.WithContext(ctx))
+		})
+	}
+}
+
 // KeycloakClient is the interface of the keycloak client.
 type KeycloakClient interface {
 	VerifyToken(realmName string, accessToken string) error

diff --git a/middleware/authentication_test.go b/middleware/authentication_test.go
@@ -26,6 +26,105 @@ const (
 	tokenAudString = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJJZTVzcXBLdTNwb1g5d1U3YTBhamxnUFlGRHFTTUF5M2l6NEZpelp4d2dnIn0.eyJqdGkiOiI4MDY4MjZkNy0xZjM4LTQxZjgtYTk5Ni1iYTYzYWI0YTY3MGIiLCJleHAiOjE1NTY2NjY3NzAsIm5iZiI6MCwiaWF0IjoxNTU2NjMwNzcwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoidGVzdC1yZWFsbSIsInN1YiI6IjczOTNhYjFhLTViMDQtNDNmNS04MDQ5LThhOTQ5MjMyZWQwYSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjFlMmI1Mzk5LTgyNDItNDA1OS05Y2M1LWE5MzI0NDVlY2JkMSIsImFjciI6IjEiLCJyZXNvdXJjZV9hY2Nlc3MiOnsidGVzdC1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfX0sInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZ3JvdXBzIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsiL3RvZV9hZG1pbmlzdHJhdG9yIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJ0b3RvQHRvdG8uY29tIn0.QXUTPciZYYv8k688D27sOz5thyQH1OWwp-rqTnCQYoAbqXPVgSZxLIepk8JvS9drBl7jOH-M_w2tXMOjV-7kY7p57_9VyWaI42VgBVmJVXSWwMwPtWAwnpKqMh1wrrm_zYJRmZ43o1r6Rp_kELnfgwocFSLc3DTDVEoMuYE45kJg9JwPc2K7DYi6Om5qOm9ez-x8GpyGVy3xJiOa-Qr9oJpKCx02sRVEBIc0AE0pfpxfbBhJU06L4uVnwQ1JxquLKLU77bjPEkAKOnTeG-6D9OtH_K42KujZyhj7FytXAXv9CmISi9aIe7BVANFSu7TyOBjelZHVpI5dOKRc-E2L9w"
 )
 
+func TestHTTPBasicAuthenticationMW(t *testing.T) {
+	var token = "dXNlcm5hbWU6cGFzc3dvcmQ="
+
+	var mockCtrl = gomock.NewController(t)
+	defer mockCtrl.Finish()
+	var mockLogger = mock.NewLogger(mockCtrl)
+
+	var m = MakeHTTPBasicAuthenticationMW("password", mockLogger)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+
+	// HTTP request.
+	var req = httptest.NewRequest("POST", "http://cloudtrust.io/event/receiver", bytes.NewReader([]byte{}))
+
+	// Missing authorization token.
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", "Missing Authorization header").Return(nil).Times(1)
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "Non basic format")
+
+	// Missing basic token.
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", "Missing basic token").Return(nil).Times(1)
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "Basic X"+token)
+	// Invalid base64 token.
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", "Invalid base64 token").Return(nil).Times(1)
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "Basic "+token)
+
+	// Valid authorization token.
+	{
+		var w = httptest.NewRecorder()
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 200, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "basic "+token)
+
+	// Valid authorization token.
+	{
+		var w = httptest.NewRecorder()
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 200, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "basic dXNlcm5hbWU6cGFzc3dvcmQx")
+
+	// Invalid authorization token.
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", "Invalid password value").Return(nil).Times(1)
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+	req.Header.Set("Authorization", "basic "+token)
+
+	// Invalid token format
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", gomock.Any()).Return(nil).Times(1)
+		req = httptest.NewRequest("POST", "http://cloudtrust.io/management/test", bytes.NewReader([]byte{}))
+		req.Header.Set("Authorization", "Basic 123456ABCDEF")
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+	// Invalid token format
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", gomock.Any()).Return(nil).Times(1)
+		req = httptest.NewRequest("POST", "http://cloudtrust.io/management/test", bytes.NewReader([]byte{}))
+		req.Header.Set("Authorization", "Basic dXNlcm5hbWU=")
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
+}
+
 func checkContextEndpoint(ctx context.Context, request interface{}) (response interface{}, err error) {
 	var accessToken = ctx.Value("access_token").(string)
 	var realm = ctx.Value("realm").(string)