caddy/caddyhttp/basicauth/basicauth.go

// Package basicauth implements HTTP Basic Authentication for Caddy.
//
// This is useful for simple protections on a website, like requiring
// a password to access an admin interface. This package assumes a
// fairly small threat model.
package basicauth

import (
	"bufio"
	"context"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"sync"

	"github.com/jimstudt/http-authentication/basic"
	"github.com/mholt/caddy"
	"github.com/mholt/caddy/caddyhttp/httpserver"
)

// BasicAuth is middleware to protect resources with a username and password.
// Note that HTTP Basic Authentication is not secure by itself and should
// not be used to protect important assets without HTTPS. Even then, the
// security of HTTP Basic Auth is disputed. Use discretion when deciding
// what to protect with BasicAuth.
type BasicAuth struct {
	Next     httpserver.Handler
	SiteRoot string
	Rules    []Rule
}

// ServeHTTP implements the httpserver.Handler interface.
func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
	var protected, isAuthenticated bool

	for _, rule := range a.Rules {
		for _, res := range rule.Resources {
			if !httpserver.Path(r.URL.Path).Matches(res) {
				continue
			}

			// path matches; this endpoint is protected
			protected = true

			// parse auth header
			username, password, ok := r.BasicAuth()

			// check credentials
			if !ok ||
				username != rule.Username ||
				!rule.Password(password) {
				continue
			}

			// by this point, authentication was successful
			isAuthenticated = true

			// remove credentials from request to avoid leaking upstream
			r.Header.Del("Authorization")

			// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
			// user; this replaces the request with a wrapped instance
			r = r.WithContext(context.WithValue(r.Context(),
				caddy.CtxKey("remote_user"), username))
		}
	}

	if protected && !isAuthenticated {
		// browsers show a message that says something like:
		// "The website says: <realm>"
		// which is kinda dumb, but whatever.
		w.Header().Set("WWW-Authenticate", "Basic realm=\"Restricted\"")
		return http.StatusUnauthorized, nil
	}

	// Pass-through when no paths match
	return a.Next.ServeHTTP(w, r)
}

// Rule represents a BasicAuth rule. A username and password
// combination protect the associated resources, which are
// file or directory paths.
type Rule struct {
	Username  string
	Password  func(string) bool
	Resources []string
}

// PasswordMatcher determines whether a password matches a rule.
type PasswordMatcher func(pw string) bool

var (
	htpasswords   map[string]map[string]PasswordMatcher
	htpasswordsMu sync.Mutex
)

// GetHtpasswdMatcher matches password rules.
func GetHtpasswdMatcher(filename, username, siteRoot string) (PasswordMatcher, error) {
	filename = filepath.Join(siteRoot, filename)
	htpasswordsMu.Lock()
	if htpasswords == nil {
		htpasswords = make(map[string]map[string]PasswordMatcher)
	}
	pm := htpasswords[filename]
	if pm == nil {
		fh, err := os.Open(filename)
		if err != nil {
			return nil, fmt.Errorf("open %q: %v", filename, err)
		}
		defer fh.Close()
		pm = make(map[string]PasswordMatcher)
		if err = parseHtpasswd(pm, fh); err != nil {
			return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)
		}
		htpasswords[filename] = pm
	}
	htpasswordsMu.Unlock()
	if pm[username] == nil {
		return nil, fmt.Errorf("username %q not found in %q", username, filename)
	}
	return pm[username], nil
}

func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {
	scanner := bufio.NewScanner(r)
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		if line == "" || strings.IndexByte(line, '#') == 0 {
			continue
		}
		i := strings.IndexByte(line, ':')
		if i <= 0 {
			return fmt.Errorf("malformed line, no color: %q", line)
		}
		user, encoded := line[:i], line[i+1:]
		for _, p := range basic.DefaultSystems {
			matcher, err := p(encoded)
			if err != nil {
				return err
			}
			if matcher != nil {
				pm[user] = matcher.MatchesPassword
				break
			}
		}
	}
	return scanner.Err()
}

// PlainMatcher returns a PasswordMatcher that does a constant-time
// byte comparison against the password passw.
func PlainMatcher(passw string) PasswordMatcher {
	// compare hashes of equal length instead of actual password
	// to avoid leaking password length
	passwHash := sha1.New()
	passwHash.Write([]byte(passw))
	passwSum := passwHash.Sum(nil)
	return func(pw string) bool {
		pwHash := sha1.New()
		pwHash.Write([]byte(pw))
		pwSum := pwHash.Sum(nil)
		return subtle.ConstantTimeCompare([]byte(pwSum), []byte(passwSum)) == 1
	}
}
Improve basicauth password comparison Thanks to @jaredfolkins for the feedback 2016-07-06 02:49:25 +08:00			`// Package basicauth implements HTTP Basic Authentication for Caddy.`
			`//`
			`// This is useful for simple protections on a website, like requiring`
			`// a password to access an admin interface. This package assumes a`
			`// fairly small threat model.`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`package basicauth`

			`import (`
			`"bufio"`
basicauth: Store name of authenticated user (#1426) * Store name of authenticated user in basicauth for use by upstream middleware such as fastcgi and cgi. * Use request context to transfer name of authorized user from basicauth to upstream middleware. Test retrieval of name from context. * Remove development code that was inadvertently left in place * Use keys of type httpserver.CtxKey to access Context values 2017-02-18 06:37:58 +08:00			`"context"`
Improve basicauth password comparison Thanks to @jaredfolkins for the feedback 2016-07-06 02:49:25 +08:00			`"crypto/sha1"`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`"crypto/subtle"`
			`"fmt"`
			`"io"`
			`"net/http"`
			`"os"`
			`"path/filepath"`
			`"strings"`
			`"sync"`

			`"github.com/jimstudt/http-authentication/basic"`
Use RequestURI when redirecting to canonical path. (#1331) * Use RequestURI when redirecting to canonical path. Caddy may trim a request's URL path when it starts with the path that's associated with the virtual host. This change uses the path from the request's RequestURI when performing a redirect. Fix issue #1327. * Rename redirurl to redirURL. * Redirect to the full URL. The scheme and host from the virtual host's site configuration is used in order to redirect to the full URL. * Add comment and remove redundant check. * Store the original URL path in request context. By storing the original URL path as a value in the request context, middlewares can access both it and the sanitized path. The default default FileServer handler will use the original URL on redirects. * Replace contextKey type with CtxKey. In addition to moving the CtxKey definition to the caddy package, this change updates the CtxKey references in the httpserver, fastcgi, and basicauth packages. * httpserver: Fix reference to CtxKey 2017-02-28 20:54:12 +08:00			`"github.com/mholt/caddy"`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`"github.com/mholt/caddy/caddyhttp/httpserver"`
			`)`

			`// BasicAuth is middleware to protect resources with a username and password.`
			`// Note that HTTP Basic Authentication is not secure by itself and should`
			`// not be used to protect important assets without HTTPS. Even then, the`
			`// security of HTTP Basic Auth is disputed. Use discretion when deciding`
			`// what to protect with BasicAuth.`
			`type BasicAuth struct {`
			`Next httpserver.Handler`
			`SiteRoot string`
			`Rules []Rule`
			`}`

			`// ServeHTTP implements the httpserver.Handler interface.`
			`func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {`
basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00			`var protected, isAuthenticated bool`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00
			`for _, rule := range a.Rules {`
			`for _, res := range rule.Resources {`
			`if !httpserver.Path(r.URL.Path).Matches(res) {`
			`continue`
			`}`

basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00			`// path matches; this endpoint is protected`
			`protected = true`

			`// parse auth header`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`username, password, ok := r.BasicAuth()`

basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00			`// check credentials`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`if !ok \|\|`
			`username != rule.Username \|\|`
			`!rule.Password(password) {`
			`continue`
			`}`

basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00			`// by this point, authentication was successful`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`isAuthenticated = true`
basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00
			`// remove credentials from request to avoid leaking upstream`
			`r.Header.Del("Authorization")`
basicauth: Store name of authenticated user (#1426) * Store name of authenticated user in basicauth for use by upstream middleware such as fastcgi and cgi. * Use request context to transfer name of authorized user from basicauth to upstream middleware. Test retrieval of name from context. * Remove development code that was inadvertently left in place * Use keys of type httpserver.CtxKey to access Context values 2017-02-18 06:37:58 +08:00
			`// let upstream middleware (e.g. fastcgi and cgi) know about authenticated`
			`// user; this replaces the request with a wrapped instance`
			`r = r.WithContext(context.WithValue(r.Context(),`
Use RequestURI when redirecting to canonical path. (#1331) * Use RequestURI when redirecting to canonical path. Caddy may trim a request's URL path when it starts with the path that's associated with the virtual host. This change uses the path from the request's RequestURI when performing a redirect. Fix issue #1327. * Rename redirurl to redirURL. * Redirect to the full URL. The scheme and host from the virtual host's site configuration is used in order to redirect to the full URL. * Add comment and remove redundant check. * Store the original URL path in request context. By storing the original URL path as a value in the request context, middlewares can access both it and the sanitized path. The default default FileServer handler will use the original URL on redirects. * Replace contextKey type with CtxKey. In addition to moving the CtxKey definition to the caddy package, this change updates the CtxKey references in the httpserver, fastcgi, and basicauth packages. * httpserver: Fix reference to CtxKey 2017-02-28 20:54:12 +08:00			`caddy.CtxKey("remote_user"), username))`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`}`
			`}`

basicauth: Remove Authorization header on successful authz (issue #1324) If a site owner protects a path with basicauth, no need to use the Authorization header elsewhere upstream, especially since it contains credentials. If this breaks anyone, it means they're double-dipping. It's usually good practice to clear out credentials as soon as they're not needed anymore. (Note that we only clear credentials after they're used, they stay for any other reason.) 2017-01-04 08:40:07 +08:00			`if protected && !isAuthenticated {`
			`// browsers show a message that says something like:`
			`// "The website says: <realm>"`
			`// which is kinda dumb, but whatever.`
			`w.Header().Set("WWW-Authenticate", "Basic realm=\"Restricted\"")`
			`return http.StatusUnauthorized, nil`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`}`

Fix misspellings 2016-09-06 00:20:34 +08:00			`// Pass-through when no paths match`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`return a.Next.ServeHTTP(w, r)`
			`}`

			`// Rule represents a BasicAuth rule. A username and password`
			`// combination protect the associated resources, which are`
			`// file or directory paths.`
			`type Rule struct {`
			`Username string`
			`Password func(string) bool`
			`Resources []string`
			`}`

			`// PasswordMatcher determines whether a password matches a rule.`
			`type PasswordMatcher func(pw string) bool`

			`var (`
			`htpasswords map[string]map[string]PasswordMatcher`
			`htpasswordsMu sync.Mutex`
			`)`

			`// GetHtpasswdMatcher matches password rules.`
			`func GetHtpasswdMatcher(filename, username, siteRoot string) (PasswordMatcher, error) {`
			`filename = filepath.Join(siteRoot, filename)`
			`htpasswordsMu.Lock()`
			`if htpasswords == nil {`
			`htpasswords = make(map[string]map[string]PasswordMatcher)`
			`}`
			`pm := htpasswords[filename]`
			`if pm == nil {`
			`fh, err := os.Open(filename)`
			`if err != nil {`
			`return nil, fmt.Errorf("open %q: %v", filename, err)`
			`}`
			`defer fh.Close()`
			`pm = make(map[string]PasswordMatcher)`
			`if err = parseHtpasswd(pm, fh); err != nil {`
			`return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)`
			`}`
			`htpasswords[filename] = pm`
			`}`
			`htpasswordsMu.Unlock()`
			`if pm[username] == nil {`
			`return nil, fmt.Errorf("username %q not found in %q", username, filename)`
			`}`
			`return pm[username], nil`
			`}`

			`func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {`
			`scanner := bufio.NewScanner(r)`
			`for scanner.Scan() {`
			`line := strings.TrimSpace(scanner.Text())`
			`if line == "" \|\| strings.IndexByte(line, '#') == 0 {`
			`continue`
			`}`
			`i := strings.IndexByte(line, ':')`
			`if i <= 0 {`
			`return fmt.Errorf("malformed line, no color: %q", line)`
			`}`
			`user, encoded := line[:i], line[i+1:]`
			`for _, p := range basic.DefaultSystems {`
			`matcher, err := p(encoded)`
			`if err != nil {`
			`return err`
			`}`
			`if matcher != nil {`
			`pm[user] = matcher.MatchesPassword`
			`break`
			`}`
			`}`
			`}`
			`return scanner.Err()`
			`}`

			`// PlainMatcher returns a PasswordMatcher that does a constant-time`
Improve basicauth password comparison Thanks to @jaredfolkins for the feedback 2016-07-06 02:49:25 +08:00			`// byte comparison against the password passw.`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`func PlainMatcher(passw string) PasswordMatcher {`
Improve basicauth password comparison Thanks to @jaredfolkins for the feedback 2016-07-06 02:49:25 +08:00			`// compare hashes of equal length instead of actual password`
			`// to avoid leaking password length`
			`passwHash := sha1.New()`
			`passwHash.Write([]byte(passw))`
			`passwSum := passwHash.Sum(nil)`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`return func(pw string) bool {`
Improve basicauth password comparison Thanks to @jaredfolkins for the feedback 2016-07-06 02:49:25 +08:00			`pwHash := sha1.New()`
			`pwHash.Write([]byte(pw))`
			`pwSum := pwHash.Sum(nil)`
			`return subtle.ConstantTimeCompare([]byte(pwSum), []byte(passwSum)) == 1`
Migrating more middleware packages 2016-06-06 11:51:56 +08:00			`}`
			`}`