forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
password.go
261 lines (226 loc) · 6.88 KB
/
password.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
package scmauth
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"net/http/httputil"
"net/url"
"os"
"path/filepath"
"strings"
"github.com/golang/glog"
cmdutil "github.com/openshift/origin/pkg/cmd/util"
"github.com/openshift/origin/pkg/util/file"
)
const (
DefaultUsername = "builder"
UsernamePasswordName = "password"
UsernameSecret = "username"
PasswordSecret = "password"
TokenSecret = "token"
curlPasswordThreshold = 255
proxyHost = "127.0.0.1:8080"
UserPassGitConfig = `# credential git config
[credential]
helper = store --file=%s
`
)
// UsernamePassword implements SCMAuth interface for using Username and Password credentials
type UsernamePassword struct {
SourceURL url.URL
}
// Setup creates a gitconfig fragment that includes a substitution URL with the username/password
// included in the URL. Returns source URL stripped of username/password credentials.
func (u UsernamePassword) Setup(baseDir string, context SCMAuthContext) error {
// Only apply to https and http URLs
if scheme := strings.ToLower(u.SourceURL.Scheme); scheme != "http" && scheme != "https" {
return nil
}
// Read data from secret files
usernameSecret, err := readSecret(baseDir, UsernameSecret)
if err != nil {
return err
}
passwordSecret, err := readSecret(baseDir, PasswordSecret)
if err != nil {
return err
}
tokenSecret, err := readSecret(baseDir, TokenSecret)
if err != nil {
return err
}
// Determine overrides
overrideFn := longPasswordOverride(baseDir, removeCredentials)
overrideSourceURL, gitconfigURL, err := doSetup(u.SourceURL, usernameSecret, passwordSecret, tokenSecret, overrideFn)
if err != nil {
return err
}
if overrideSourceURL != nil {
if err := context.SetOverrideURL(overrideSourceURL); err != nil {
return err
}
}
// Write git config if needed
if gitconfigURL != nil {
gitcredentials, err := ioutil.TempFile("", "gitcredentials.")
if err != nil {
return err
}
defer gitcredentials.Close()
gitconfig, err := ioutil.TempFile("", "gitcredentialscfg.")
if err != nil {
return err
}
defer gitconfig.Close()
fmt.Fprintf(gitconfig, UserPassGitConfig, gitcredentials.Name())
fmt.Fprintf(gitcredentials, "%s", gitconfigURL.String())
return ensureGitConfigIncludes(gitconfig.Name(), context)
}
return nil
}
type overrideURLFunc func(sourceURL *url.URL, username, password string) (*url.URL, error)
func removeCredentials(sourceURL *url.URL, username, password string) (*url.URL, error) {
overrideURL := *sourceURL
overrideURL.User = nil
return &overrideURL, nil
}
func longPasswordOverride(dir string, overrideFn overrideURLFunc) overrideURLFunc {
return func(sourceURL *url.URL, username, password string) (*url.URL, error) {
if len(password) > curlPasswordThreshold {
return startProxy(dir, sourceURL, username, password)
}
return overrideFn(sourceURL, username, password)
}
}
func doSetup(sourceURL url.URL, usernameSecret, passwordSecret, tokenSecret string, overrideURLFn overrideURLFunc) (*url.URL, *url.URL, error) {
// Extract auth from the source URL
urlUsername := ""
urlPassword := ""
if sourceURL.User != nil {
urlUsername = sourceURL.User.Username()
urlPassword, _ = sourceURL.User.Password()
}
// Determine username in this order: secret, url
username := usernameSecret
if username == "" {
username = urlUsername
}
// Determine password in this order: token secret, password secret, url
password := tokenSecret
if password == "" {
password = passwordSecret
}
if password == "" {
password = urlPassword
}
// If we have no password, and the username matches what is already in the URL, no overrides or config are needed
if password == "" && username == urlUsername {
return nil, nil, nil
}
// If we're going to write config, ensure we have a username
if username == "" {
username = DefaultUsername
}
overrideSourceURL, err := overrideURLFn(&sourceURL, username, password)
if err != nil {
return nil, nil, err
}
// Set user/pw in the config url
configURL := sourceURL
configURL.User = url.UserPassword(username, password)
return overrideSourceURL, &configURL, nil
}
// Name returns the name of this auth method.
func (_ UsernamePassword) Name() string {
return UsernamePasswordName
}
// Handles returns true if a username, password or token secret is present
func (_ UsernamePassword) Handles(name string) bool {
switch name {
case UsernameSecret, PasswordSecret, TokenSecret:
return true
}
return false
}
// readSecret reads the contents of a secret file
func readSecret(baseDir, fileName string) (string, error) {
path := filepath.Join(baseDir, fileName)
lines, err := file.ReadLines(path)
if err != nil {
if os.IsNotExist(err) {
return "", nil
}
return "", err
}
// If the file is empty, simply return empty string
if len(lines) == 0 {
return "", nil
}
return lines[0], nil
}
type basicAuthTransport struct {
transport http.RoundTripper
username string
password string
}
func (t *basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
req.SetBasicAuth(t.username, t.password)
// Ensure that the Host header has the value of the real git server
// and not the local proxy.
req.Host = req.URL.Host
if glog.V(8) {
glog.Infof("Proxying request to URL %q", req.URL.String())
if reqdump, err := httputil.DumpRequestOut(req, false); err == nil {
glog.Infof("Request:\n%s\n", string(reqdump))
}
}
resp, err := t.transport.RoundTrip(req)
if glog.V(8) {
if err != nil {
glog.Infof("Proxy RoundTrip error: %#v", err)
} else {
if respdump, err := httputil.DumpResponse(resp, false); err == nil {
glog.Infof("Response:\n%s\n", string(respdump))
}
}
}
return resp, err
}
func startProxy(dir string, sourceURL *url.URL, username, password string) (*url.URL, error) {
// Setup the targetURL of the proxy to be the host of the original URL
targetURL := &url.URL{
Scheme: sourceURL.Scheme,
Host: sourceURL.Host,
}
proxyHandler := httputil.NewSingleHostReverseProxy(targetURL)
// The baseTransport will either be the default transport or a
// transport with the appropriate TLSConfig if a ca.crt is present.
baseTransport := http.DefaultTransport
// Check whether a CA cert is available and use it if it is.
caCertFile := filepath.Join(dir, "ca.crt")
_, err := os.Stat(caCertFile)
if err == nil && sourceURL.Scheme == "https" {
baseTransport, err = cmdutil.TransportFor(caCertFile, "", "")
if err != nil {
return nil, err
}
}
// Build a basic auth RoundTripper for use by the proxy
authTransport := &basicAuthTransport{
username: username,
password: password,
transport: baseTransport,
}
proxyHandler.Transport = authTransport
// Start the proxy go-routine
go func() {
log.Fatal(http.ListenAndServe(proxyHost, proxyHandler))
}()
// The new URL will use the proxy endpoint
proxyURL := *sourceURL
proxyURL.User = nil
proxyURL.Host = proxyHost
proxyURL.Scheme = "http"
return &proxyURL, nil
}