From 241440a4743547e3f9e631a1d7c8b5ccc589c485 Mon Sep 17 00:00:00 2001 From: Matt Hook Date: Wed, 30 Nov 2022 09:11:49 +1300 Subject: [PATCH] fix(fdo): import deleted digest library [EE-4654] (#8129) * import digest lib * update references * fix lint errors --- api/go.mod | 2 - api/go.sum | 6 - api/hostmanagement/fdo/owner_client.go | 2 +- api/third_party/digest/CONTRIBUTORS | 17 ++ api/third_party/digest/COPYING | 177 +++++++++++++++ api/third_party/digest/README.md | 27 +++ api/third_party/digest/digest.go | 290 +++++++++++++++++++++++++ api/third_party/digest/digest_test.go | 90 ++++++++ 8 files changed, 602 insertions(+), 9 deletions(-) create mode 100644 api/third_party/digest/CONTRIBUTORS create mode 100644 api/third_party/digest/COPYING create mode 100644 api/third_party/digest/README.md create mode 100644 api/third_party/digest/digest.go create mode 100644 api/third_party/digest/digest_test.go diff --git a/api/go.mod b/api/go.mod index fe117a216..574342fe2 100644 --- a/api/go.mod +++ b/api/go.mod @@ -22,7 +22,6 @@ require ( github.com/gofrs/uuid v4.0.0+incompatible github.com/golang-jwt/jwt/v4 v4.2.0 github.com/google/go-cmp v0.5.8 - github.com/google/uuid v1.1.2 github.com/gorilla/handlers v1.5.1 github.com/gorilla/mux v1.7.3 github.com/gorilla/securecookie v1.1.1 @@ -39,7 +38,6 @@ require ( github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9 github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a - github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777 github.com/robfig/cron/v3 v3.0.1 github.com/rs/zerolog v1.28.0 github.com/stretchr/testify v1.7.0 diff --git a/api/go.sum b/api/go.sum index ebf7f7bee..2e5490b74 100644 --- a/api/go.sum +++ b/api/go.sum @@ -237,7 +237,6 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= @@ -368,15 +367,11 @@ github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021 h github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c= github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a h1:B0z3skIMT+OwVNJPQhKp52X+9OWW6A9n5UWig3lHBJk= github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a/go.mod h1:n54EEIq+MM0NNtqLeCby8ljL+l275VpolXO0ibHegLE= -github.com/portainer/libhelm v0.0.0-20221017001602-b619e0ddf8fc h1:Ms8ZDGvSydX7aoCfu06Rk8II2N4tlX3cn7whtGC5fDA= -github.com/portainer/libhelm v0.0.0-20221017001602-b619e0ddf8fc/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA= github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9 h1:PMw+45hocpYsMQ7WLIlzsf4854BhDM8C631kr0DVJtc= github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA= github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a h1:BJ5V4EDNhg3ImYbmXnGS8vrMhq6rzsEneIXyJh0g4dc= github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a/go.mod h1:ckuHnoLA5kLuE5WkvPBXmrw63LUMdSH4aX71QRi9y10= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777 h1:rDj3WeO+TiWyxfcydUnKegWAZoR5kQsnW0wzhggdOrw= -github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777/go.mod h1:xRVvTK+cS/dJSvrOufGUQFWfgvE7yXExeng96n8377o= github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= @@ -752,7 +747,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/api/hostmanagement/fdo/owner_client.go b/api/hostmanagement/fdo/owner_client.go index 1bca6dc7b..3fc424c8e 100644 --- a/api/hostmanagement/fdo/owner_client.go +++ b/api/hostmanagement/fdo/owner_client.go @@ -10,7 +10,7 @@ import ( "strings" "time" - "github.com/rkl-/digest" + "github.com/portainer/portainer/api/third_party/digest" ) type FDOOwnerClient struct { diff --git a/api/third_party/digest/CONTRIBUTORS b/api/third_party/digest/CONTRIBUTORS new file mode 100644 index 000000000..2db3b3e04 --- /dev/null +++ b/api/third_party/digest/CONTRIBUTORS @@ -0,0 +1,17 @@ +# This is the official list of people who can contribute +# (and typically have contributed) code to the mlab-ns2 +# repository. +# +# Names should be added to this file like so: +# Name +# +# An entry with two email addresses specifies that the +# first address should be used in the submit logs and +# that the second address should be recognized as the +# same person when interacting with Rietveld. + +# Please keep the list sorted. + +Bipasa Chattopadhyay +Eric Gavaletz +Seon-Wook Park diff --git a/api/third_party/digest/COPYING b/api/third_party/digest/COPYING new file mode 100644 index 000000000..f433b1a53 --- /dev/null +++ b/api/third_party/digest/COPYING @@ -0,0 +1,177 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/api/third_party/digest/README.md b/api/third_party/digest/README.md new file mode 100644 index 000000000..3afbeed28 --- /dev/null +++ b/api/third_party/digest/README.md @@ -0,0 +1,27 @@ +[![GoDoc](https://godoc.org/github.com/bobziuchkovski/digest?status.svg)](https://godoc.org/github.com/bobziuchkovski/digest) + +# Golang HTTP Digest Authentication + +## Overview + +This is a fork of the (unmaintained) code.google.com/p/mlab-ns2/gae/ns/digest package. +There's a descriptor leak in the original package, so this fork was created to patch +the leak. + +## Usage + +See the [godocs](https://godoc.org/github.com/bobziuchkovski/digest) for details. + +## Fork Maintainer + +Bob Ziuchkovski (@bobziuchkovski) + +## Original Authors + +Bipasa Chattopadhyay +Eric Gavaletz +Seon-Wook Park + +## License + +Apache 2.0 diff --git a/api/third_party/digest/digest.go b/api/third_party/digest/digest.go new file mode 100644 index 000000000..b747bd490 --- /dev/null +++ b/api/third_party/digest/digest.go @@ -0,0 +1,290 @@ +// Copyright 2013 M-Lab +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// The digest package provides an implementation of http.RoundTripper that takes +// care of HTTP Digest Authentication (http://www.ietf.org/rfc/rfc2617.txt). +// This only implements the MD5 and "auth" portions of the RFC, but that covers +// the majority of avalible server side implementations including apache web +// server. +// +// Example usage: +// +// t := NewTransport("myUserName", "myP@55w0rd") +// req, err := http.NewRequest("GET", "http://notreal.com/path?arg=1", nil) +// if err != nil { +// return err +// } +// resp, err := t.RoundTrip(req) +// if err != nil { +// return err +// } +// +// OR it can be used as a client: +// +// c, err := t.Client() +// if err != nil { +// return err +// } +// resp, err := c.Get("http://notreal.com/path?arg=1") +// if err != nil { +// return err +// } +package digest + +import ( + "bytes" + "crypto/md5" + "crypto/rand" + "errors" + "fmt" + "io" + "io/ioutil" + "net/http" + "strings" +) + +var ( + ErrNilTransport = errors.New("Transport is nil") + ErrBadChallenge = errors.New("Challenge is bad") + ErrAlgNotImplemented = errors.New("Alg not implemented") +) + +// Transport is an implementation of http.RoundTripper that takes care of http +// digest authentication. +type Transport struct { + Username string + Password string + Transport http.RoundTripper +} + +// NewTransport creates a new digest transport using the http.DefaultTransport. +func NewTransport(username, password string) *Transport { + t := &Transport{ + Username: username, + Password: password, + } + t.Transport = http.DefaultTransport + return t +} + +type challenge struct { + Realm string + Domain string + Nonce string + Opaque string + Stale string + Algorithm string + Qop string +} + +func parseChallenge(input string) (*challenge, error) { + const ws = " \n\r\t" + const qs = `"` + s := strings.Trim(input, ws) + if !strings.HasPrefix(s, "Digest ") { + return nil, ErrBadChallenge + } + s = strings.Trim(s[7:], ws) + sl := strings.Split(s, ", ") + c := &challenge{ + Algorithm: "MD5", + } + var r []string + for i := range sl { + r = strings.SplitN(sl[i], "=", 2) + switch r[0] { + case "realm": + c.Realm = strings.Trim(r[1], qs) + case "domain": + c.Domain = strings.Trim(r[1], qs) + case "nonce": + c.Nonce = strings.Trim(r[1], qs) + case "opaque": + c.Opaque = strings.Trim(r[1], qs) + case "stale": + c.Stale = strings.Trim(r[1], qs) + case "algorithm": + c.Algorithm = strings.Trim(r[1], qs) + case "qop": + //TODO(gavaletz) should be an array of strings? + c.Qop = strings.Trim(r[1], qs) + default: + return nil, ErrBadChallenge + } + } + return c, nil +} + +type credentials struct { + Username string + Realm string + Nonce string + DigestURI string + Algorithm string + Cnonce string + Opaque string + MessageQop string + NonceCount int + method string + password string +} + +func h(data string) string { + hf := md5.New() + io.WriteString(hf, data) + return fmt.Sprintf("%x", hf.Sum(nil)) +} + +func kd(secret, data string) string { + return h(fmt.Sprintf("%s:%s", secret, data)) +} + +func (c *credentials) ha1() string { + return h(fmt.Sprintf("%s:%s:%s", c.Username, c.Realm, c.password)) +} + +func (c *credentials) ha2() string { + return h(fmt.Sprintf("%s:%s", c.method, c.DigestURI)) +} + +func (c *credentials) resp(cnonce string) (string, error) { + c.NonceCount++ + if c.MessageQop == "auth" { + if cnonce != "" { + c.Cnonce = cnonce + } else { + b := make([]byte, 8) + io.ReadFull(rand.Reader, b) + c.Cnonce = fmt.Sprintf("%x", b)[:16] + } + return kd(c.ha1(), fmt.Sprintf("%s:%08x:%s:%s:%s", + c.Nonce, c.NonceCount, c.Cnonce, c.MessageQop, c.ha2())), nil + } else if c.MessageQop == "" { + return kd(c.ha1(), fmt.Sprintf("%s:%s", c.Nonce, c.ha2())), nil + } + return "", ErrAlgNotImplemented +} + +func (c *credentials) authorize() (string, error) { + // Note that this is only implemented for MD5 and NOT MD5-sess. + // MD5-sess is rarely supported and those that do are a big mess. + if c.Algorithm != "MD5" { + return "", ErrAlgNotImplemented + } + // Note that this is NOT implemented for "qop=auth-int". Similarly the + // auth-int server side implementations that do exist are a mess. + if c.MessageQop != "auth" && c.MessageQop != "" { + return "", ErrAlgNotImplemented + } + resp, err := c.resp("") + if err != nil { + return "", ErrAlgNotImplemented + } + sl := []string{fmt.Sprintf(`username="%s"`, c.Username)} + sl = append(sl, fmt.Sprintf(`realm="%s"`, c.Realm)) + sl = append(sl, fmt.Sprintf(`nonce="%s"`, c.Nonce)) + sl = append(sl, fmt.Sprintf(`uri="%s"`, c.DigestURI)) + sl = append(sl, fmt.Sprintf(`response="%s"`, resp)) + if c.Algorithm != "" { + sl = append(sl, fmt.Sprintf(`algorithm="%s"`, c.Algorithm)) + } + if c.Opaque != "" { + sl = append(sl, fmt.Sprintf(`opaque="%s"`, c.Opaque)) + } + if c.MessageQop != "" { + sl = append(sl, fmt.Sprintf("qop=%s", c.MessageQop)) + sl = append(sl, fmt.Sprintf("nc=%08x", c.NonceCount)) + sl = append(sl, fmt.Sprintf(`cnonce="%s"`, c.Cnonce)) + } + return fmt.Sprintf("Digest %s", strings.Join(sl, ", ")), nil +} + +func (t *Transport) newCredentials(req *http.Request, c *challenge) *credentials { + return &credentials{ + Username: t.Username, + Realm: c.Realm, + Nonce: c.Nonce, + DigestURI: req.URL.RequestURI(), + Algorithm: c.Algorithm, + Opaque: c.Opaque, + MessageQop: c.Qop, // "auth" must be a single value + NonceCount: 0, + method: req.Method, + password: t.Password, + } +} + +// RoundTrip makes a request expecting a 401 response that will require digest +// authentication. It creates the credentials it needs and makes a follow-up +// request. +func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { + if t.Transport == nil { + return nil, ErrNilTransport + } + + // Copy the request so we don't modify the input. + req2 := new(http.Request) + *req2 = *req + req2.Header = make(http.Header) + for k, s := range req.Header { + req2.Header[k] = s + } + + // We need two reader for the body. + if req.Body != nil { + tmp, err := ioutil.ReadAll(req.Body) + if err != nil { + return nil, err + } + + reqBody01 := ioutil.NopCloser(bytes.NewBuffer(tmp)) + reqBody02 := ioutil.NopCloser(bytes.NewBuffer(tmp)) + + req.Body = reqBody01 + req2.Body = reqBody02 + } + + // Make a request to get the 401 that contains the challenge. + resp, err := t.Transport.RoundTrip(req) + if err != nil || resp.StatusCode != 401 { + return resp, err + } + chal := resp.Header.Get("WWW-Authenticate") + c, err := parseChallenge(chal) + if err != nil { + return resp, err + } + + // Form credentials based on the challenge. + cr := t.newCredentials(req2, c) + auth, err := cr.authorize() + if err != nil { + return resp, err + } + + // We'll no longer use the initial response, so close it + resp.Body.Close() + + // Make authenticated request. + req2.Header.Set("Authorization", auth) + return t.Transport.RoundTrip(req2) +} + +// Client returns an HTTP client that uses the digest transport. +func (t *Transport) Client() (*http.Client, error) { + if t.Transport == nil { + return nil, ErrNilTransport + } + return &http.Client{Transport: t}, nil +} diff --git a/api/third_party/digest/digest_test.go b/api/third_party/digest/digest_test.go new file mode 100644 index 000000000..095b953c4 --- /dev/null +++ b/api/third_party/digest/digest_test.go @@ -0,0 +1,90 @@ +// Copyright 2013 M-Lab +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// The digest package provides an implementation of http.RoundTripper that takes +// care of HTTP Digest Authentication (http://www.ietf.org/rfc/rfc2617.txt). +// This only implements the MD5 and "auth" portions of the RFC, but that covers +// the majority of avalible server side implementations including apache web +// server. +// + +package digest + +import ( + "fmt" + "testing" +) + +var cred = &credentials{ + Username: "Mufasa", + Realm: "testrealm@host.com", + Nonce: "dcd98b7102dd2f0e8b11d0f600bfb0c093", + DigestURI: "/dir/index.html", + Algorithm: "MD5", + Opaque: "5ccc069c403ebaf9f0171e9517f40e41", + MessageQop: "auth", + method: "GET", + password: "Circle Of Life", +} + +var cnonce = "0a4f113b" + +func TestH(t *testing.T) { + r1 := h("Mufasa:testrealm@host.com:Circle Of Life") + if r1 != "939e7578ed9e3c518a452acee763bce9" { + t.Fail() + } + + r2 := h("GET:/dir/index.html") + if r2 != "39aff3a2bab6126f332b942af96d3366" { + t.Fail() + } + + r3 := h(fmt.Sprintf("%s:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:%s", r1, r2)) + if r3 != "6629fae49393a05397450978507c4ef1" { + t.Fail() + } +} + +func TestKd(t *testing.T) { + r1 := kd("939e7578ed9e3c518a452acee763bce9", + "dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:39aff3a2bab6126f332b942af96d3366") + if r1 != "6629fae49393a05397450978507c4ef1" { + t.Fail() + } +} + +func TestHa1(t *testing.T) { + r1 := cred.ha1() + if r1 != "939e7578ed9e3c518a452acee763bce9" { + t.Fail() + } +} + +func TestHa2(t *testing.T) { + r1 := cred.ha2() + if r1 != "39aff3a2bab6126f332b942af96d3366" { + t.Fail() + } +} + +func TestResp(t *testing.T) { + r1, err := cred.resp(cnonce) + if err != nil { + t.Fail() + } + if r1 != "6629fae49393a05397450978507c4ef1" { + t.Fail() + } +}