diff --git a/api/go.mod b/api/go.mod
index f81a51b43..b2d0b0525 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -104,6 +104,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/portainer/portainer/third_party/digest v0.0.0-20221201002639-8fd0efa34f73 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
diff --git a/api/go.sum b/api/go.sum
index 723425fbf..3183e1486 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -373,6 +373,8 @@ github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9 h1:PMw+45hocpYsM
 github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
 github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a h1:BJ5V4EDNhg3ImYbmXnGS8vrMhq6rzsEneIXyJh0g4dc=
 github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a/go.mod h1:ckuHnoLA5kLuE5WkvPBXmrw63LUMdSH4aX71QRi9y10=
+github.com/portainer/portainer/third_party/digest v0.0.0-20221201002639-8fd0efa34f73 h1:7bPOnwucE0nor0so1BQJxQKCL5t+vCWO4nAz/S0lci0=
+github.com/portainer/portainer/third_party/digest v0.0.0-20221201002639-8fd0efa34f73/go.mod h1:E2w/A6qsKuG2VyiUubPdXpDyPykWfQqxuCs0YNS0MhM=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
diff --git a/api/hostmanagement/fdo/owner_client.go b/api/hostmanagement/fdo/owner_client.go
index 3fc424c8e..bfd10b8ce 100644
--- a/api/hostmanagement/fdo/owner_client.go
+++ b/api/hostmanagement/fdo/owner_client.go
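Review bot: The new require for `github.com/portainer/portainer/third_party/digest` is marked `// indirect`, yet this same commit makes `api/hostmanagement/fdo/owner_client.go` import that package directly, so the marker is wrong and the next `go mod tidy` will move the line into the direct require block as `github.com/portainer/portainer/third_party/digest v0.0.0-20221201002639-8fd0efa34f73` — better to land it that way now. No `replace` directive for the module appears in this hunk; unless one exists elsewhere in api/go.mod, the build resolves the pinned pseudo-version through the module proxy rather than the sibling directory, and since the in-tree copy and its tests are deleted in this commit, the digest code that ends up in the binary is tied to the tree only by the go.sum hash. If the module lives at the repository's `third_party/digest`, a `replace github.com/portainer/portainer/third_party/digest => ../third_party/digest` keeps it built from the checked-out source and reviewable in-repo. The deleted implementation is MD5-only RFC 2617 digest auth that ignores the `io.ReadFull(rand.Reader, b)` error when generating the cnonce; presumably the extracted module carries the same code, which is worth confirming when that module is reviewed.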
@@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/portainer/portainer/api/third_party/digest"
+	"github.com/portainer/portainer/third_party/digest"
 )
 
 type FDOOwnerClient struct {
diff --git a/api/third_party/digest/CONTRIBUTORS b/api/third_party/digest/CONTRIBUTORS
deleted file mode 100644
index 2db3b3e04..000000000
--- a/api/third_party/digest/CONTRIBUTORS
+++ /dev/null
@@ -1,17 +0,0 @@
-# This is the official list of people who can contribute
-# (and typically have contributed) code to the mlab-ns2
-# repository.
-#
-# Names should be added to this file like so:
-# Name
-#
-# An entry with two email addresses specifies that the
-# first address should be used in the submit logs and
-# that the second address should be recognized as the
-# same person when interacting with Rietveld.
-
-# Please keep the list sorted.
-
-Bipasa Chattopadhyay
-Eric Gavaletz
-Seon-Wook Park
diff --git a/api/third_party/digest/COPYING b/api/third_party/digest/COPYING
deleted file mode 100644
index f433b1a53..000000000
--- a/api/third_party/digest/COPYING
+++ /dev/null
@@ -1,177 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
-
-   END OF TERMS AND CONDITIONS
diff --git a/api/third_party/digest/README.md b/api/third_party/digest/README.md
deleted file mode 100644
index 3afbeed28..000000000
--- a/api/third_party/digest/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-[![GoDoc](https://godoc.org/github.com/bobziuchkovski/digest?status.svg)](https://godoc.org/github.com/bobziuchkovski/digest)
-
-# Golang HTTP Digest Authentication
-
-## Overview
-
-This is a fork of the (unmaintained) code.google.com/p/mlab-ns2/gae/ns/digest package.
-There's a descriptor leak in the original package, so this fork was created to patch
-the leak.
-
-## Usage
-
-See the [godocs](https://godoc.org/github.com/bobziuchkovski/digest) for details.
-
-## Fork Maintainer
-
-Bob Ziuchkovski (@bobziuchkovski)
-
-## Original Authors
-
-Bipasa Chattopadhyay
-Eric Gavaletz
-Seon-Wook Park
-
-## License
-
-Apache 2.0
diff --git a/api/third_party/digest/digest.go b/api/third_party/digest/digest.go
deleted file mode 100644
index b747bd490..000000000
--- a/api/third_party/digest/digest.go
+++ /dev/null
@@ -1,290 +0,0 @@
-// Copyright 2013 M-Lab
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// The digest package provides an implementation of http.RoundTripper that takes
-// care of HTTP Digest Authentication (http://www.ietf.org/rfc/rfc2617.txt).
-// This only implements the MD5 and "auth" portions of the RFC, but that covers
-// the majority of avalible server side implementations including apache web
-// server.
-//
-// Example usage:
-//
-//	t := NewTransport("myUserName", "myP@55w0rd")
-//	req, err := http.NewRequest("GET", "http://notreal.com/path?arg=1", nil)
-//	if err != nil {
-//		return err
-//	}
-//	resp, err := t.RoundTrip(req)
-//	if err != nil {
-//		return err
-//	}
-//
-// OR it can be used as a client:
-//
-//	c, err := t.Client()
-//	if err != nil {
-//		return err
-//	}
-//	resp, err := c.Get("http://notreal.com/path?arg=1")
-//	if err != nil {
-//		return err
-//	}
-package digest
-
-import (
-	"bytes"
-	"crypto/md5"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"strings"
-)
-
-var (
-	ErrNilTransport      = errors.New("Transport is nil")
-	ErrBadChallenge      = errors.New("Challenge is bad")
-	ErrAlgNotImplemented = errors.New("Alg not implemented")
-)
-
-// Transport is an implementation of http.RoundTripper that takes care of http
-// digest authentication.
-type Transport struct {
-	Username  string
-	Password  string
-	Transport http.RoundTripper
-}
-
-// NewTransport creates a new digest transport using the http.DefaultTransport.
-func NewTransport(username, password string) *Transport {
-	t := &Transport{
-		Username: username,
-		Password: password,
-	}
-	t.Transport = http.DefaultTransport
-	return t
-}
-
-type challenge struct {
-	Realm     string
-	Domain    string
-	Nonce     string
-	Opaque    string
-	Stale     string
-	Algorithm string
-	Qop       string
-}
-
-func parseChallenge(input string) (*challenge, error) {
-	const ws = " \n\r\t"
-	const qs = `"`
-	s := strings.Trim(input, ws)
-	if !strings.HasPrefix(s, "Digest ") {
-		return nil, ErrBadChallenge
-	}
-	s = strings.Trim(s[7:], ws)
-	sl := strings.Split(s, ", ")
-	c := &challenge{
-		Algorithm: "MD5",
-	}
-	var r []string
-	for i := range sl {
-		r = strings.SplitN(sl[i], "=", 2)
-		switch r[0] {
-		case "realm":
-			c.Realm = strings.Trim(r[1], qs)
-		case "domain":
-			c.Domain = strings.Trim(r[1], qs)
-		case "nonce":
-			c.Nonce = strings.Trim(r[1], qs)
-		case "opaque":
-			c.Opaque = strings.Trim(r[1], qs)
-		case "stale":
-			c.Stale = strings.Trim(r[1], qs)
-		case "algorithm":
-			c.Algorithm = strings.Trim(r[1], qs)
-		case "qop":
-			//TODO(gavaletz) should be an array of strings?
-			c.Qop = strings.Trim(r[1], qs)
-		default:
-			return nil, ErrBadChallenge
-		}
-	}
-	return c, nil
-}
-
-type credentials struct {
-	Username   string
-	Realm      string
-	Nonce      string
-	DigestURI  string
-	Algorithm  string
-	Cnonce     string
-	Opaque     string
-	MessageQop string
-	NonceCount int
-	method     string
-	password   string
-}
-
-func h(data string) string {
-	hf := md5.New()
-	io.WriteString(hf, data)
-	return fmt.Sprintf("%x", hf.Sum(nil))
-}
-
-func kd(secret, data string) string {
-	return h(fmt.Sprintf("%s:%s", secret, data))
-}
-
-func (c *credentials) ha1() string {
-	return h(fmt.Sprintf("%s:%s:%s", c.Username, c.Realm, c.password))
-}
-
-func (c *credentials) ha2() string {
-	return h(fmt.Sprintf("%s:%s", c.method, c.DigestURI))
-}
-
-func (c *credentials) resp(cnonce string) (string, error) {
-	c.NonceCount++
-	if c.MessageQop == "auth" {
-		if cnonce != "" {
-			c.Cnonce = cnonce
-		} else {
-			b := make([]byte, 8)
-			io.ReadFull(rand.Reader, b)
-			c.Cnonce = fmt.Sprintf("%x", b)[:16]
-		}
-		return kd(c.ha1(), fmt.Sprintf("%s:%08x:%s:%s:%s",
-			c.Nonce, c.NonceCount, c.Cnonce, c.MessageQop, c.ha2())), nil
-	} else if c.MessageQop == "" {
-		return kd(c.ha1(), fmt.Sprintf("%s:%s", c.Nonce, c.ha2())), nil
-	}
-	return "", ErrAlgNotImplemented
-}
-
-func (c *credentials) authorize() (string, error) {
-	// Note that this is only implemented for MD5 and NOT MD5-sess.
-	// MD5-sess is rarely supported and those that do are a big mess.
-	if c.Algorithm != "MD5" {
-		return "", ErrAlgNotImplemented
-	}
-	// Note that this is NOT implemented for "qop=auth-int". Similarly the
-	// auth-int server side implementations that do exist are a mess.
-	if c.MessageQop != "auth" && c.MessageQop != "" {
-		return "", ErrAlgNotImplemented
-	}
-	resp, err := c.resp("")
-	if err != nil {
-		return "", ErrAlgNotImplemented
-	}
-	sl := []string{fmt.Sprintf(`username="%s"`, c.Username)}
-	sl = append(sl, fmt.Sprintf(`realm="%s"`, c.Realm))
-	sl = append(sl, fmt.Sprintf(`nonce="%s"`, c.Nonce))
-	sl = append(sl, fmt.Sprintf(`uri="%s"`, c.DigestURI))
-	sl = append(sl, fmt.Sprintf(`response="%s"`, resp))
-	if c.Algorithm != "" {
-		sl = append(sl, fmt.Sprintf(`algorithm="%s"`, c.Algorithm))
-	}
-	if c.Opaque != "" {
-		sl = append(sl, fmt.Sprintf(`opaque="%s"`, c.Opaque))
-	}
-	if c.MessageQop != "" {
-		sl = append(sl, fmt.Sprintf("qop=%s", c.MessageQop))
-		sl = append(sl, fmt.Sprintf("nc=%08x", c.NonceCount))
-		sl = append(sl, fmt.Sprintf(`cnonce="%s"`, c.Cnonce))
-	}
-	return fmt.Sprintf("Digest %s", strings.Join(sl, ", ")), nil
-}
-
-func (t *Transport) newCredentials(req *http.Request, c *challenge) *credentials {
-	return &credentials{
-		Username:   t.Username,
-		Realm:      c.Realm,
-		Nonce:      c.Nonce,
-		DigestURI:  req.URL.RequestURI(),
-		Algorithm:  c.Algorithm,
-		Opaque:     c.Opaque,
-		MessageQop: c.Qop, // "auth" must be a single value
-		NonceCount: 0,
-		method:     req.Method,
-		password:   t.Password,
-	}
-}
-
-// RoundTrip makes a request expecting a 401 response that will require digest
-// authentication. It creates the credentials it needs and makes a follow-up
-// request.
-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
-	if t.Transport == nil {
-		return nil, ErrNilTransport
-	}
-
-	// Copy the request so we don't modify the input.
-	req2 := new(http.Request)
-	*req2 = *req
-	req2.Header = make(http.Header)
-	for k, s := range req.Header {
-		req2.Header[k] = s
-	}
-
-	// We need two reader for the body.
-	if req.Body != nil {
-		tmp, err := ioutil.ReadAll(req.Body)
-		if err != nil {
-			return nil, err
-		}
-
-		reqBody01 := ioutil.NopCloser(bytes.NewBuffer(tmp))
-		reqBody02 := ioutil.NopCloser(bytes.NewBuffer(tmp))
-
-		req.Body = reqBody01
-		req2.Body = reqBody02
-	}
-
-	// Make a request to get the 401 that contains the challenge.
-	resp, err := t.Transport.RoundTrip(req)
-	if err != nil || resp.StatusCode != 401 {
-		return resp, err
-	}
-	chal := resp.Header.Get("WWW-Authenticate")
-	c, err := parseChallenge(chal)
-	if err != nil {
-		return resp, err
-	}
-
-	// Form credentials based on the challenge.
-	cr := t.newCredentials(req2, c)
-	auth, err := cr.authorize()
-	if err != nil {
-		return resp, err
-	}
-
-	// We'll no longer use the initial response, so close it
-	resp.Body.Close()
-
-	// Make authenticated request.
-	req2.Header.Set("Authorization", auth)
-	return t.Transport.RoundTrip(req2)
-}
-
-// Client returns an HTTP client that uses the digest transport.
-func (t *Transport) Client() (*http.Client, error) {
-	if t.Transport == nil {
-		return nil, ErrNilTransport
-	}
-	return &http.Client{Transport: t}, nil
-}
diff --git a/api/third_party/digest/digest_test.go b/api/third_party/digest/digest_test.go
deleted file mode 100644
index 095b953c4..000000000
--- a/api/third_party/digest/digest_test.go
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright 2013 M-Lab
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// The digest package provides an implementation of http.RoundTripper that takes
-// care of HTTP Digest Authentication (http://www.ietf.org/rfc/rfc2617.txt).
-// This only implements the MD5 and "auth" portions of the RFC, but that covers
-// the majority of avalible server side implementations including apache web
-// server.
-//
-
-package digest
-
-import (
-	"fmt"
-	"testing"
-)
-
-var cred = &credentials{
-	Username:   "Mufasa",
-	Realm:      "testrealm@host.com",
-	Nonce:      "dcd98b7102dd2f0e8b11d0f600bfb0c093",
-	DigestURI:  "/dir/index.html",
-	Algorithm:  "MD5",
-	Opaque:     "5ccc069c403ebaf9f0171e9517f40e41",
-	MessageQop: "auth",
-	method:     "GET",
-	password:   "Circle Of Life",
-}
-
-var cnonce = "0a4f113b"
-
-func TestH(t *testing.T) {
-	r1 := h("Mufasa:testrealm@host.com:Circle Of Life")
-	if r1 != "939e7578ed9e3c518a452acee763bce9" {
-		t.Fail()
-	}
-
-	r2 := h("GET:/dir/index.html")
-	if r2 != "39aff3a2bab6126f332b942af96d3366" {
-		t.Fail()
-	}
-
-	r3 := h(fmt.Sprintf("%s:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:%s", r1, r2))
-	if r3 != "6629fae49393a05397450978507c4ef1" {
-		t.Fail()
-	}
-}
-
-func TestKd(t *testing.T) {
-	r1 := kd("939e7578ed9e3c518a452acee763bce9",
-		"dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:39aff3a2bab6126f332b942af96d3366")
-	if r1 != "6629fae49393a05397450978507c4ef1" {
-		t.Fail()
-	}
-}
-
-func TestHa1(t *testing.T) {
-	r1 := cred.ha1()
-	if r1 != "939e7578ed9e3c518a452acee763bce9" {
-		t.Fail()
-	}
-}
-
-func TestHa2(t *testing.T) {
-	r1 := cred.ha2()
-	if r1 != "39aff3a2bab6126f332b942af96d3366" {
-		t.Fail()
-	}
-}
-
-func TestResp(t *testing.T) {
-	r1, err := cred.resp(cnonce)
-	if err != nil {
-		t.Fail()
-	}
-	if r1 != "6629fae49393a05397450978507c4ef1" {
-		t.Fail()
-	}
-}