add http-basic auth reading from a htpasswd file

fabiolb · Nov 19, 2018 · 8374e1b · 8374e1b
1 parent fea29da
commit 8374e1b
Show file tree

Hide file tree

Showing 21 changed files with 728 additions and 5 deletions.
diff --git a/auth/auth.go b/auth/auth.go
@@ -0,0 +1,30 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/fabiolb/fabio/config"
+)
+
+type AuthScheme interface {
+	Authorized(request *http.Request, response http.ResponseWriter) bool
+}
+
+func LoadAuthSchemes(cfg map[string]config.AuthScheme) (map[string]AuthScheme, error) {
+	auths := map[string]AuthScheme{}
+	for _, a := range cfg {
+		switch a.Type {
+		case "basic":
+			b, err := newBasicAuth(a.Basic)
+			if err != nil {
+				return nil, err
+			}
+			auths[a.Name] = b
+		default:
+			return nil, fmt.Errorf("unknown auth type '%s'", a.Type)
+		}
+	}
+
+	return auths, nil
+}
diff --git a/auth/auth_test.go b/auth/auth_test.go
@@ -0,0 +1,76 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/fabiolb/fabio/config"
+)
+
+func TestLoadAuthSchemes(t *testing.T) {
+
+	t.Run("should fail when auth scheme fails to load", func(t *testing.T) {
+		_, err := LoadAuthSchemes(map[string]config.AuthScheme{
+			"myauth": {
+				Name: "myauth",
+				Type: "basic",
+				Basic: config.BasicAuth{
+					File: "/some/non/existant/file",
+				},
+			},
+		})
+
+		const errorText = "open /some/non/existant/file: no such file or directory"
+
+		if err.Error() != errorText {
+			t.Fatalf("got %s, want %s", err.Error(), errorText)
+		}
+	})
+
+	t.Run("should return an error when auth type is unknown", func(t *testing.T) {
+		_, err := LoadAuthSchemes(map[string]config.AuthScheme{
+			"myauth": {
+				Name: "myauth",
+				Type: "foo",
+			},
+		})
+
+		const errorText = "unknown auth type 'foo'"
+
+		if err.Error() != errorText {
+			t.Fatalf("got %s, want %s", err.Error(), errorText)
+		}
+	})
+
+	t.Run("should load multiple auth schemes", func(t *testing.T) {
+		myauth, err := createBasicAuthFile("foo:bar")
+		if err != nil {
+			t.Fatalf("could not create file on disk %s", err)
+		}
+
+		myotherauth, err := createBasicAuthFile("bar:foo")
+		if err != nil {
+			t.Fatalf("could not create file on disk %s", err)
+		}
+
+		result, err := LoadAuthSchemes(map[string]config.AuthScheme{
+			"myauth": {
+				Name: "myauth",
+				Type: "basic",
+				Basic: config.BasicAuth{
+					File: myauth,
+				},
+			},
+			"myotherauth": {
+				Name: "myotherauth",
+				Type: "basic",
+				Basic: config.BasicAuth{
+					File: myotherauth,
+				},
+			},
+		})
+
+		if len(result) != 2 {
+			t.Fatalf("expected 2 auth schemes, got %d", len(result))
+		}
+	})
+}
diff --git a/auth/basic.go b/auth/basic.go
@@ -0,0 +1,41 @@
+package auth
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/fabiolb/fabio/config"
+	"github.com/tg123/go-htpasswd"
+)
+
+// basic is an implementation of AuthScheme
+type basic struct {
+	realm   string
+	secrets *htpasswd.HtpasswdFile
+}
+
+func newBasicAuth(cfg config.BasicAuth) (AuthScheme, error) {
+	secrets, err := htpasswd.New(cfg.File, htpasswd.DefaultSystems, func(err error) {
+		log.Println("[WARN] Error reading Htpasswd file: ", err)
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &basic{
+		secrets: secrets,
+		realm:   cfg.Realm,
+	}, nil
+}
+
+func (b *basic) Authorized(request *http.Request, response http.ResponseWriter) bool {
+	user, password, ok := request.BasicAuth()
+
+	if !ok {
+		response.Header().Set("WWW-Authenticate", "Basic realm=\""+b.realm+"\"")
+		return false
+	}
+
+	return b.secrets.Match(user, password)
+}
diff --git a/auth/basic_test.go b/auth/basic_test.go
@@ -0,0 +1,188 @@
+package auth
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/fabiolb/fabio/config"
+	"github.com/fabiolb/fabio/uuid"
+)
+
+type responseWriter struct {
+	header  http.Header
+	code    int
+	written []byte
+}
+
+func (rw *responseWriter) Header() http.Header {
+	if rw.header == nil {
+		rw.header = map[string][]string{}
+	}
+	return rw.header
+}
+
+func (rw *responseWriter) Write(b []byte) (int, error) {
+	rw.written = append(rw.written, b...)
+	return len(rw.written), nil
+}
+
+func (rw *responseWriter) WriteHeader(statusCode int) {
+	rw.code = statusCode
+}
+
+func createBasicAuthFile(contents string) (string, error) {
+	dir, err := ioutil.TempDir("", "basicauth")
+
+	if err != nil {
+		return "", fmt.Errorf("could not create temp dir: %s", err)
+	}
+
+	filename := fmt.Sprintf("%s/%s", dir, uuid.NewUUID())
+
+	err = ioutil.WriteFile(filename, []byte(contents), 0666)
+
+	if err != nil {
+		return "", fmt.Errorf("could not write password file: %s", err)
+	}
+
+	return filename, nil
+}
+
+func createBasicAuth(user string, password string) (AuthScheme, error) {
+	contents := fmt.Sprintf("%s:%s", user, password)
+
+	filename, err := createBasicAuthFile(contents)
+
+	a, err := newBasicAuth(config.BasicAuth{
+		File:  filename,
+		Realm: "testrealm",
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("could not create basic auth: %s", err)
+	}
+
+	return a, nil
+}
+
+func TestNewBasicAuth(t *testing.T) {
+
+	t.Run("should create a basic auth scheme from the supplied config", func(t *testing.T) {
+		filename, err := createBasicAuthFile("foo:bar")
+
+		if err != nil {
+			t.Error(err)
+		}
+
+		_, err = newBasicAuth(config.BasicAuth{
+			File: filename,
+		})
+
+		if err != nil {
+			t.Error(err)
+		}
+	})
+
+	t.Run("should log a warning when credentials are malformed", func(t *testing.T) {
+		filename, err := createBasicAuthFile("foosdlijdgohdgdbar")
+
+		if err != nil {
+			t.Error(err)
+		}
+
+		_, err = newBasicAuth(config.BasicAuth{
+			File: filename,
+		})
+
+		if err != nil {
+			t.Error(err)
+		}
+	})
+}
+
+func TestBasic_Authorised(t *testing.T) {
+	basicAuth, err := createBasicAuth("foo", "bar")
+	creds := []byte("foo:bar")
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		name string
+		req  *http.Request
+		res  http.ResponseWriter
+		out  bool
+	}{
+		{
+			"correct credentials should be authorized",
+			&http.Request{
+				Header: http.Header{
+					"Authorization": []string{fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString(creds))},
+				},
+			},
+			&responseWriter{},
+			true,
+		},
+		{
+			"incorrect credentials should not be authorized",
+			&http.Request{
+				Header: http.Header{
+					"Authorization": []string{fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("baz:blarg")))},
+				},
+			},
+			&responseWriter{},
+			false,
+		},
+		{
+			"missing Authorization header should not be authorized",
+			&http.Request{
+				Header: http.Header{},
+			},
+			&responseWriter{},
+			false,
+		},
+		{
+			"malformed Authorization header should not be authorized",
+			&http.Request{
+				Header: http.Header{
+					"Authorization": []string{"malformed"},
+				},
+			},
+			&responseWriter{},
+			false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got, want := basicAuth.Authorized(tt.req, tt.res), tt.out; !reflect.DeepEqual(got, want) {
+				t.Errorf("got %v want %v", got, want)
+			}
+		})
+	}
+}
+
+func TestBasic_Authorized_should_set_www_realm_header(t *testing.T) {
+	basicAuth, err := createBasicAuth("foo", "bar")
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rw := &responseWriter{}
+
+	_ = basicAuth.Authorized(&http.Request{Header: http.Header{}}, rw)
+
+	got := rw.Header().Get("WWW-Authenticate")
+	want := "Basic realm=\"testrealm\""
+
+	if strings.Compare(got, want) != 0 {
+		t.Errorf("got '%s', want '%s'", got, want)
+	}
+}
diff --git a/config/config.go b/config/config.go
@@ -69,6 +69,7 @@ type Proxy struct {
 	GZIPContentTypes      *regexp.Regexp
 	RequestID             string
 	STSHeader             STSHeader
+	AuthSchemes           map[string]AuthScheme
 }
 
 type STSHeader struct {
@@ -158,3 +159,14 @@ type Tracing struct {
 	SamplerRate    float64
 	SpanHost       string
 }
+
+type AuthScheme struct {
+	Name  string
+	Type  string
+	Basic BasicAuth
+}
+
+type BasicAuth struct {
+	Realm string
+	File  string
+}
diff --git a/config/default.go b/config/default.go
@@ -9,6 +9,7 @@ import (
 var defaultValues = struct {
 	ListenerValue         string
 	CertSourcesValue      string
+	AuthSchemesValue      string
 	ReadTimeout           time.Duration
 	WriteTimeout          time.Duration
 	UIListenerValue       string
@@ -44,6 +45,7 @@ var defaultConfig = &Config{
 		FlushInterval:       time.Second,
 		GlobalFlushInterval: 0,
 		LocalIP:             LocalIPString(),
+		AuthSchemes:         map[string]AuthScheme{},
 	},
 	Registry: Registry{
 		Backend: "consul",