rclone/lib/http/auth.go

package http

import (
	"bytes"
	"fmt"
	"html/template"

	"github.com/rclone/rclone/fs"
	"github.com/rclone/rclone/fs/config/flags"
	"github.com/spf13/pflag"
)

// AuthHelp returns text describing the http authentication to add to the command help.
func AuthHelp(prefix string) string {
	help := `#### Authentication

By default this will serve files without needing a login.

You can either use an htpasswd file which can take lots of users, or
set a single username and password with the ` + "`--{{ .Prefix }}user` and `--{{ .Prefix }}pass`" + ` flags.

Alternatively, you can have the reverse proxy manage authentication and use the
username provided in the configured header with ` + "`--user-from-header`" + `  (e.g., ` + "`--{{ .Prefix }}--user-from-header=x-remote-user`" + `).
Ensure the proxy is trusted and headers cannot be spoofed, as misconfiguration may lead to unauthorized access.

If either of the above authentication methods is not configured and client
certificates are required by the ` + "`--client-ca`" + ` flag passed to the server, the
client certificate common name will be considered as the username.

Use ` + "`--{{ .Prefix }}htpasswd /path/to/htpasswd`" + ` to provide an htpasswd file.  This is
in standard apache format and supports MD5, SHA1 and BCrypt for basic
authentication.  Bcrypt is recommended.

To create an htpasswd file:

    touch htpasswd
    htpasswd -B htpasswd user
    htpasswd -B htpasswd anotherUser

The password file can be updated while rclone is running.

Use ` + "`--{{ .Prefix }}realm`" + ` to set the authentication realm.

Use ` + "`--{{ .Prefix }}salt`" + ` to change the password hashing salt from the default.

`
	tmpl, err := template.New("auth help").Parse(help)
	if err != nil {
		fs.Fatal(nil, fmt.Sprint("Fatal error parsing template", err))
	}

	data := struct {
		Prefix string
	}{
		Prefix: prefix,
	}
	buf := &bytes.Buffer{}
	err = tmpl.Execute(buf, data)
	if err != nil {
		fs.Fatal(nil, fmt.Sprint("Fatal error executing template", err))
	}
	return buf.String()
}

// CustomAuthFn if used will be used to authenticate user, pass. If an error
// is returned then the user is not authenticated.
//
// If a non nil value is returned then it is added to the context under the key
type CustomAuthFn func(user, pass string) (value interface{}, err error)

// AuthConfigInfo descripts the Options in use
var AuthConfigInfo = fs.Options{{
	Name:    "htpasswd",
	Default: "",
	Help:    "A htpasswd file - if not provided no authentication is done",
}, {
	Name:    "realm",
	Default: "",
	Help:    "Realm for authentication",
}, {
	Name:    "user",
	Default: "",
	Help:    "User name for authentication",
}, {
	Name:    "pass",
	Default: "",
	Help:    "Password for authentication",
}, {
	Name:    "salt",
	Default: "dlPL2MqE",
	Help:    "Password hashing salt",
}, {
	Name:    "user_from_header",
	Default: "",
	Help:    "User name from a defined HTTP header",
}}

// AuthConfig contains options for the http authentication
type AuthConfig struct {
	HtPasswd       string       `config:"htpasswd"`         // htpasswd file - if not provided no authentication is done
	Realm          string       `config:"realm"`            // realm for authentication
	BasicUser      string       `config:"user"`             // single username for basic auth if not using Htpasswd
	BasicPass      string       `config:"pass"`             // password for BasicUser
	Salt           string       `config:"salt"`             // password hashing salt
	UserFromHeader string       `config:"user_from_header"` // retrieve user name from a defined HTTP header
	CustomAuthFn   CustomAuthFn `json:"-" config:"-"`       // custom Auth (not set by command line flags)
}

// AddFlagsPrefix adds flags to the flag set for AuthConfig
func (cfg *AuthConfig) AddFlagsPrefix(flagSet *pflag.FlagSet, prefix string) {
	flags.StringVarP(flagSet, &cfg.HtPasswd, prefix+"htpasswd", "", cfg.HtPasswd, "A htpasswd file - if not provided no authentication is done", prefix)
	flags.StringVarP(flagSet, &cfg.Realm, prefix+"realm", "", cfg.Realm, "Realm for authentication", prefix)
	flags.StringVarP(flagSet, &cfg.BasicUser, prefix+"user", "", cfg.BasicUser, "User name for authentication", prefix)
	flags.StringVarP(flagSet, &cfg.BasicPass, prefix+"pass", "", cfg.BasicPass, "Password for authentication", prefix)
	flags.StringVarP(flagSet, &cfg.Salt, prefix+"salt", "", cfg.Salt, "Password hashing salt", prefix)
	flags.StringVarP(flagSet, &cfg.UserFromHeader, prefix+"user-from-header", "", cfg.UserFromHeader, "Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups)", prefix)
}

// AddAuthFlagsPrefix adds flags to the flag set for AuthConfig
func AddAuthFlagsPrefix(flagSet *pflag.FlagSet, prefix string, cfg *AuthConfig) {
	cfg.AddFlagsPrefix(flagSet, prefix)
}

// DefaultAuthCfg returns a new config which can be customized by command line flags
//
// Note that this needs to be kept in sync with AuthConfigInfo above and
// can be removed when all callers have been converted.
func DefaultAuthCfg() AuthConfig {
	return AuthConfig{
		Salt: "dlPL2MqE",
	}
}
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`package http`

			`import (`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`"bytes"`
build: update logging statements to make json log work - fixes #6038 This changes log statements from log to fs package, which is required for --use-json-log to properly make log output in JSON format. The recently added custom linting rule, handled by ruleguard via gocritic via golangci-lint, warns about these and suggests the alternative. Fixing was therefore basically running "golangci-lint run --fix", although some manual fixup of mainly imports are necessary following that. 2024-08-18 22:58:35 +08:00			`"fmt"`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`"html/template"`

lib/http: convert options to new style There are still users of the old style options which haven't been converted yet. 2024-07-08 23:22:48 +08:00			`"github.com/rclone/rclone/fs"`
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`"github.com/rclone/rclone/fs/config/flags"`
			`"github.com/spf13/pflag"`
			`)`

cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`// AuthHelp returns text describing the http authentication to add to the command help.`
			`func AuthHelp(prefix string) string {`
docs: ensure empty line between text and a following heading 2024-04-05 19:27:33 +08:00			help := `#### Authentication
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00
			`By default this will serve files without needing a login.`

			`You can either use an htpasswd file which can take lots of users, or`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			set a single username and password with the ` + "`--{{ .Prefix }}user` and `--{{ .Prefix }}pass`" + ` flags.
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00
http servers: add --user-from-header to use for authentication Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups) 2025-01-17 23:53:23 +08:00			`Alternatively, you can have the reverse proxy manage authentication and use the`
			username provided in the configured header with ` + "`--user-from-header`" + ` (e.g., ` + "`--{{ .Prefix }}--user-from-header=x-remote-user`" + `).
			`Ensure the proxy is trusted and headers cannot be spoofed, as misconfiguration may lead to unauthorized access.`

			`If either of the above authentication methods is not configured and client`
http: add client certificate user auth middleware This populates the authenticated user from the client certificate common name. Also added tests for the existing client certificate functionality. 2023-05-26 13:26:13 +08:00			certificates are required by the ` + "`--client-ca`" + ` flag passed to the server, the
			`client certificate common name will be considered as the username.`

cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			Use ` + "`--{{ .Prefix }}htpasswd /path/to/htpasswd`" + ` to provide an htpasswd file. This is
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`in standard apache format and supports MD5, SHA1 and BCrypt for basic`
			`authentication. Bcrypt is recommended.`

			`To create an htpasswd file:`

			`touch htpasswd`
			`htpasswd -B htpasswd user`
			`htpasswd -B htpasswd anotherUser`

			`The password file can be updated while rclone is running.`

cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			Use ` + "`--{{ .Prefix }}realm`" + ` to set the authentication realm.
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			Use ` + "`--{{ .Prefix }}salt`" + ` to change the password hashing salt from the default.
docs: ensure empty line between text and a following heading 2024-04-05 19:27:33 +08:00
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`tmpl, err := template.New("auth help").Parse(help)`
			`if err != nil {`
build: update logging statements to make json log work - fixes #6038 This changes log statements from log to fs package, which is required for --use-json-log to properly make log output in JSON format. The recently added custom linting rule, handled by ruleguard via gocritic via golangci-lint, warns about these and suggests the alternative. Fixing was therefore basically running "golangci-lint run --fix", although some manual fixup of mainly imports are necessary following that. 2024-08-18 22:58:35 +08:00			`fs.Fatal(nil, fmt.Sprint("Fatal error parsing template", err))`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`}`

			`data := struct {`
			`Prefix string`
			`}{`
			`Prefix: prefix,`
			`}`
			`buf := &bytes.Buffer{}`
			`err = tmpl.Execute(buf, data)`
			`if err != nil {`
build: update logging statements to make json log work - fixes #6038 This changes log statements from log to fs package, which is required for --use-json-log to properly make log output in JSON format. The recently added custom linting rule, handled by ruleguard via gocritic via golangci-lint, warns about these and suggests the alternative. Fixing was therefore basically running "golangci-lint run --fix", although some manual fixup of mainly imports are necessary following that. 2024-08-18 22:58:35 +08:00			`fs.Fatal(nil, fmt.Sprint("Fatal error executing template", err))`
cmd/rcd: Fix command docs to include command specific prefix (#6675) This change addresses two issues with commands that re-used flags from common packages: 1) cobra.Command definitions did not include the command specific prefix in doc strings. 2) Command specific flag prefixes were added after generating command doc strings. 2023-01-11 13:05:44 +08:00			`}`
			`return buf.String()`
			`}`
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00
			`// CustomAuthFn if used will be used to authenticate user, pass. If an error`
			`// is returned then the user is not authenticated.`
			`//`
			`// If a non nil value is returned then it is added to the context under the key`
			`type CustomAuthFn func(user, pass string) (value interface{}, err error)`

lib/http: convert options to new style There are still users of the old style options which haven't been converted yet. 2024-07-08 23:22:48 +08:00			`// AuthConfigInfo descripts the Options in use`
			`var AuthConfigInfo = fs.Options{{`
			`Name: "htpasswd",`
			`Default: "",`
			`Help: "A htpasswd file - if not provided no authentication is done",`
			`}, {`
			`Name: "realm",`
			`Default: "",`
			`Help: "Realm for authentication",`
			`}, {`
			`Name: "user",`
			`Default: "",`
			`Help: "User name for authentication",`
			`}, {`
			`Name: "pass",`
			`Default: "",`
			`Help: "Password for authentication",`
			`}, {`
			`Name: "salt",`
			`Default: "dlPL2MqE",`
			`Help: "Password hashing salt",`
http servers: add --user-from-header to use for authentication Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups) 2025-01-17 23:53:23 +08:00			`}, {`
			`Name: "user_from_header",`
			`Default: "",`
			`Help: "User name from a defined HTTP header",`
lib/http: convert options to new style There are still users of the old style options which haven't been converted yet. 2024-07-08 23:22:48 +08:00			`}}`

serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`// AuthConfig contains options for the http authentication`
			`type AuthConfig struct {`
http servers: add --user-from-header to use for authentication Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups) 2025-01-17 23:53:23 +08:00			HtPasswd string `config:"htpasswd"` // htpasswd file - if not provided no authentication is done
			Realm string `config:"realm"` // realm for authentication
			BasicUser string `config:"user"` // single username for basic auth if not using Htpasswd
			BasicPass string `config:"pass"` // password for BasicUser
			Salt string `config:"salt"` // password hashing salt
			UserFromHeader string `config:"user_from_header"` // retrieve user name from a defined HTTP header
			CustomAuthFn CustomAuthFn `json:"-" config:"-"` // custom Auth (not set by command line flags)
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`}`

			`// AddFlagsPrefix adds flags to the flag set for AuthConfig`
			`func (cfg AuthConfig) AddFlagsPrefix(flagSet pflag.FlagSet, prefix string) {`
docs: group the global flags and make them appear on command and flags pages This adds an additional parameter to the creation of each flag. This specifies one or more flag groups. This must be set for global flags and must not be set for local flags. This causes flags.md to be built with sections to aid comprehension and it causes the documentation pages for each command (and the `--help`) to be built showing the flags groups as specified in the `groups` annotation on the command. See: https://forum.rclone.org/t/make-docs-for-mortals-not-only-rclone-gurus/39476/ 2023-07-11 01:34:10 +08:00			`flags.StringVarP(flagSet, &cfg.HtPasswd, prefix+"htpasswd", "", cfg.HtPasswd, "A htpasswd file - if not provided no authentication is done", prefix)`
			`flags.StringVarP(flagSet, &cfg.Realm, prefix+"realm", "", cfg.Realm, "Realm for authentication", prefix)`
			`flags.StringVarP(flagSet, &cfg.BasicUser, prefix+"user", "", cfg.BasicUser, "User name for authentication", prefix)`
			`flags.StringVarP(flagSet, &cfg.BasicPass, prefix+"pass", "", cfg.BasicPass, "Password for authentication", prefix)`
			`flags.StringVarP(flagSet, &cfg.Salt, prefix+"salt", "", cfg.Salt, "Password hashing salt", prefix)`
http servers: add --user-from-header to use for authentication Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups) 2025-01-17 23:53:23 +08:00			`flags.StringVarP(flagSet, &cfg.UserFromHeader, prefix+"user-from-header", "", cfg.UserFromHeader, "Retrieve the username from a specified HTTP header if no other authentication methods are configured (ideal for proxied setups)", prefix)`
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`}`

			`// AddAuthFlagsPrefix adds flags to the flag set for AuthConfig`
			`func AddAuthFlagsPrefix(flagSet pflag.FlagSet, prefix string, cfg AuthConfig) {`
			`cfg.AddFlagsPrefix(flagSet, prefix)`
			`}`

			`// DefaultAuthCfg returns a new config which can be customized by command line flags`
lib/http: convert options to new style There are still users of the old style options which haven't been converted yet. 2024-07-08 23:22:48 +08:00			`//`
			`// Note that this needs to be kept in sync with AuthConfigInfo above and`
			`// can be removed when all callers have been converted.`
serve http: support unix sockets and multiple listners - add support for unix sockets (which skip the auth). - add support for multiple listeners - collapse unnecessary internal structure of lib/http so it can all be imported together - moves files in sub directories of lib/http into the main lib/http directory and reworks the code that uses them. See: https://forum.rclone.org/t/wip-rc-rcd-over-unix-socket/33619 Fixes: #6605 2022-11-08 19:49:19 +08:00			`func DefaultAuthCfg() AuthConfig {`
			`return AuthConfig{`
			`Salt: "dlPL2MqE",`
			`}`
			`}`