Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

basic auth: add option to exclude bcrypt at build time #258

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions web/basic_auth/bcrypt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
// Copyright 2024 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build !nobcrypt
// +build !nobcrypt

package basic_auth

import (
config_util "github.com/prometheus/common/config"
"golang.org/x/crypto/bcrypt"
)

func Validate(users map[string]config_util.Secret) error {
for _, p := range users {
_, err := bcrypt.Cost([]byte(p))
if err != nil {
return err
}
}

return nil
}

func CompareAndHash(hashedPassword, pass []byte) error {
return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
}
35 changes: 35 additions & 0 deletions web/basic_auth/no_bcrypt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
// Copyright 2024 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build nobcrypt
// +build nobcrypt

package basic_auth

import (
"fmt"
"log/slog"

config_util "github.com/prometheus/common/config"
)

func Validate(users map[string]config_util.Secret) error {
if len(users) > 0 {
slog.Info("basic auth via bcrypt hashes not implemented")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This cloud also return an error so a server without bcrypt support can not start with a config that includes authorized users.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that would be better, if we know at startup time that a configuration cannot work, failing explicitly lets the operator figure out what they want to do about it.

}
return nil
}

func CompareAndHash(hashedPassword, pass []byte) error {
return fmt.Errorf("basic auth via bcrypt hashes not implemented")
}
13 changes: 3 additions & 10 deletions web/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ import (
"strings"
"sync"

"golang.org/x/crypto/bcrypt"
"github.com/prometheus/exporter-toolkit/web/basic_auth"
)

// extraHTTPHeaders is a map of HTTP headers that can be added to HTTP
Expand All @@ -43,14 +43,7 @@ func validateUsers(configPath string) error {
return err
}

for _, p := range c.Users {
_, err = bcrypt.Cost([]byte(p))
if err != nil {
return err
}
}

return nil
return basic_auth.Validate(c.Users)
}

// validateHeaderConfig checks that the provided header configuration is correct.
Expand Down Expand Up @@ -125,7 +118,7 @@ func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !ok {
// This user, hashedPassword, password is not cached.
u.bcryptMtx.Lock()
err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
err := basic_auth.CompareAndHash([]byte(hashedPassword), []byte(pass))
u.bcryptMtx.Unlock()

authOk = validUser && err == nil
Expand Down
3 changes: 3 additions & 0 deletions web/handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build go1.14 && !nobcrypt
// +build go1.14,!nobcrypt

package web

import (
Expand Down
63 changes: 0 additions & 63 deletions web/tls_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -172,11 +172,6 @@ func TestYAMLFiles(t *testing.T) {
YAMLConfigPath: "testdata/web_config_auth_clientCAs_invalid.bad.yml",
ExpectedError: ErrorMap["No such file"],
},
{
Name: `invalid config yml (invalid user list)`,
YAMLConfigPath: "testdata/web_config_auth_user_list_invalid.bad.yml",
ExpectedError: ErrorMap["Bad password"],
},
{
Name: `invalid config yml (bad cipher)`,
YAMLConfigPath: "testdata/web_config_noAuth_inventedCiphers.bad.yml",
Expand Down Expand Up @@ -635,61 +630,3 @@ func swapFileContents(file1, file2 string) error {
}
return nil
}

func TestUsers(t *testing.T) {
testTables := []*TestInputs{
{
Name: `without basic auth`,
YAMLConfigPath: "testdata/web_config_users_noTLS.good.yml",
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with correct basic auth`,
YAMLConfigPath: "testdata/web_config_users_noTLS.good.yml",
Username: "dave",
Password: "dave123",
ExpectedError: nil,
},
{
Name: `without basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with correct basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "dave",
Password: "dave123",
ExpectedError: nil,
},
{
Name: `with another correct basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "carol",
Password: "carol123",
ExpectedError: nil,
},
{
Name: `with bad password and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "dave",
Password: "bad",
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with bad username and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "nonexistent",
Password: "nonexistent",
ExpectedError: ErrorMap["Unauthorized"],
},
}
for _, testInputs := range testTables {
t.Run(testInputs.Name, testInputs.Test)
}
}
91 changes: 91 additions & 0 deletions web/user_auth_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
// Copyright 2019 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build go1.14 && !nobcrypt
// +build go1.14,!nobcrypt

package web

import "testing"

func TestYAMLFilesUsers(t *testing.T) {
testTables := []*TestInputs{
{
Name: `invalid config yml (invalid user list)`,
YAMLConfigPath: "testdata/web_config_auth_user_list_invalid.bad.yml",
ExpectedError: ErrorMap["Bad password"],
},
}
for _, testInputs := range testTables {
t.Run("run/"+testInputs.Name, testInputs.Test)
t.Run("validate/"+testInputs.Name, testInputs.TestValidate)
}
}

func TestUsers(t *testing.T) {
testTables := []*TestInputs{
{
Name: `without basic auth`,
YAMLConfigPath: "testdata/web_config_users_noTLS.good.yml",
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with correct basic auth`,
YAMLConfigPath: "testdata/web_config_users_noTLS.good.yml",
Username: "dave",
Password: "dave123",
ExpectedError: nil,
},
{
Name: `without basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with correct basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "dave",
Password: "dave123",
ExpectedError: nil,
},
{
Name: `with another correct basic auth and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "carol",
Password: "carol123",
ExpectedError: nil,
},
{
Name: `with bad password and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "dave",
Password: "bad",
ExpectedError: ErrorMap["Unauthorized"],
},
{
Name: `with bad username and TLS`,
YAMLConfigPath: "testdata/web_config_users.good.yml",
UseTLSClient: true,
Username: "nonexistent",
Password: "nonexistent",
ExpectedError: ErrorMap["Unauthorized"],
},
}
for _, testInputs := range testTables {
t.Run(testInputs.Name, testInputs.Test)
}
}
Loading