osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
關注 15
收藏 7
Wiki 捐赠
本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
分支: gamification
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 'gamification'
${ noResults }
com/vendor/github.com/couchbase/goutils/scramsha/scramsha_http.go

253 line
6.4KB
原始文件 永久連結 Blame 歷史記錄 

  1. // @author Couchbase <info@couchbase.com>

  2. // @copyright 2018 Couchbase, Inc.

  3. //

  4. // Licensed under the Apache License, Version 2.0 (the "License");

  5. // you may not use this file except in compliance with the License.

  6. // You may obtain a copy of the License at

  7. //

  8. //      http://www.apache.org/licenses/LICENSE-2.0

  9. //

  10. // Unless required by applicable law or agreed to in writing, software

  11. // distributed under the License is distributed on an "AS IS" BASIS,

  12. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. // See the License for the specific language governing permissions and

  14. // limitations under the License.

  15. 

  16. // Package scramsha provides implementation of client side SCRAM-SHA

  17. // via Http according to https://tools.ietf.org/html/rfc7804

  18. package scramsha

  19. 

  20. import (

  21. 	"encoding/base64"

  22. 	"github.com/pkg/errors"

  23. 	"io"

  24. 	"io/ioutil"

  25. 	"net/http"

  26. 	"strings"

  27. )

  28. 

  29. // consts used to parse scramsha response from target

  30. const (

  31. 	WWWAuthenticate    = "WWW-Authenticate"

  32. 	AuthenticationInfo = "Authentication-Info"

  33. 	Authorization      = "Authorization"

  34. 	DataPrefix         = "data="

  35. 	SidPrefix          = "sid="

  36. )

  37. 

  38. // Request provides implementation of http request that can be retried

  39. type Request struct {

  40. 	body io.ReadSeeker

  41. 

  42. 	// Embed an HTTP request directly. This makes a *Request act exactly

  43. 	// like an *http.Request so that all meta methods are supported.

  44. 	*http.Request

  45. }

  46. 

  47. type lenReader interface {

  48. 	Len() int

  49. }

  50. 

  51. // NewRequest creates http request that can be retried

  52. func NewRequest(method, url string, body io.ReadSeeker) (*Request, error) {

  53. 	// Wrap the body in a noop ReadCloser if non-nil. This prevents the

  54. 	// reader from being closed by the HTTP client.

  55. 	var rcBody io.ReadCloser

  56. 	if body != nil {

  57. 		rcBody = ioutil.NopCloser(body)

  58. 	}

  59. 

  60. 	// Make the request with the noop-closer for the body.

  61. 	httpReq, err := http.NewRequest(method, url, rcBody)

  62. 	if err != nil {

  63. 		return nil, err

  64. 	}

  65. 

  66. 	// Check if we can set the Content-Length automatically.

  67. 	if lr, ok := body.(lenReader); ok {

  68. 		httpReq.ContentLength = int64(lr.Len())

  69. 	}

  70. 

  71. 	return &Request{body, httpReq}, nil

  72. }

  73. 

  74. func encode(str string) string {

  75. 	return base64.StdEncoding.EncodeToString([]byte(str))

  76. }

  77. 

  78. func decode(str string) (string, error) {

  79. 	bytes, err := base64.StdEncoding.DecodeString(str)

  80. 	if err != nil {

  81. 		return "", errors.Errorf("Cannot base64 decode %s",

  82. 			str)

  83. 	}

  84. 	return string(bytes), err

  85. }

  86. 

  87. func trimPrefix(s, prefix string) (string, error) {

  88. 	l := len(s)

  89. 	trimmed := strings.TrimPrefix(s, prefix)

  90. 	if l == len(trimmed) {

  91. 		return trimmed, errors.Errorf("Prefix %s not found in %s",

  92. 			prefix, s)

  93. 	}

  94. 	return trimmed, nil

  95. }

  96. 

  97. func drainBody(resp *http.Response) {

  98. 	defer resp.Body.Close()

  99. 	io.Copy(ioutil.Discard, resp.Body)

  100. }

  101. 

  102. // DoScramSha performs SCRAM-SHA handshake via Http

  103. func DoScramSha(req *Request,

  104. 	username string,

  105. 	password string,

  106. 	client *http.Client) (*http.Response, error) {

  107. 

  108. 	method := "SCRAM-SHA-512"

  109. 	s, err := NewScramSha("SCRAM-SHA512")

  110. 	if err != nil {

  111. 		return nil, errors.Wrap(err,

  112. 			"Unable to initialize SCRAM-SHA handler")

  113. 	}

  114. 

  115. 	message, err := s.GetStartRequest(username)

  116. 	if err != nil {

  117. 		return nil, err

  118. 	}

  119. 

  120. 	encodedMessage := method + " " + DataPrefix + encode(message)

  121. 

  122. 	req.Header.Set(Authorization, encodedMessage)

  123. 

  124. 	res, err := client.Do(req.Request)

  125. 	if err != nil {

  126. 		return nil, errors.Wrap(err, "Problem sending SCRAM-SHA start"+

  127. 			"request")

  128. 	}

  129. 

  130. 	if res.StatusCode != http.StatusUnauthorized {

  131. 		return res, nil

  132. 	}

  133. 

  134. 	authHeader := res.Header.Get(WWWAuthenticate)

  135. 	if authHeader == "" {

  136. 		drainBody(res)

  137. 		return nil, errors.Errorf("Header %s is not populated in "+

  138. 			"SCRAM-SHA start response", WWWAuthenticate)

  139. 	}

  140. 

  141. 	authHeader, err = trimPrefix(authHeader, method+" ")

  142. 	if err != nil {

  143. 		if strings.HasPrefix(authHeader, "Basic ") {

  144. 			// user not found

  145. 			return res, nil

  146. 		}

  147. 		drainBody(res)

  148. 		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+

  149. 			"start response %s", authHeader)

  150. 	}

  151. 

  152. 	drainBody(res)

  153. 

  154. 	sid, response, err := parseSidAndData(authHeader)

  155. 	if err != nil {

  156. 		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+

  157. 			"start response %s", authHeader)

  158. 	}

  159. 

  160. 	err = s.HandleStartResponse(response)

  161. 	if err != nil {

  162. 		return nil, errors.Wrapf(err, "Error parsing SCRAM-SHA start "+

  163. 			"response %s", response)

  164. 	}

  165. 

  166. 	message = s.GetFinalRequest(password)

  167. 	encodedMessage = method + " " + SidPrefix + sid + "," + DataPrefix +

  168. 		encode(message)

  169. 

  170. 	req.Header.Set(Authorization, encodedMessage)

  171. 

  172. 	// rewind request body so it can be resent again

  173. 	if req.body != nil {

  174. 		if _, err = req.body.Seek(0, 0); err != nil {

  175. 			return nil, errors.Errorf("Failed to seek body: %v",

  176. 				err)

  177. 		}

  178. 	}

  179. 

  180. 	res, err = client.Do(req.Request)

  181. 	if err != nil {

  182. 		return nil, errors.Wrap(err, "Problem sending SCRAM-SHA final"+

  183. 			"request")

  184. 	}

  185. 

  186. 	if res.StatusCode == http.StatusUnauthorized {

  187. 		// TODO retrieve and return error

  188. 		return res, nil

  189. 	}

  190. 

  191. 	if res.StatusCode >= http.StatusInternalServerError {

  192. 		// in this case we cannot expect server to set headers properly

  193. 		return res, nil

  194. 	}

  195. 

  196. 	authHeader = res.Header.Get(AuthenticationInfo)

  197. 	if authHeader == "" {

  198. 		drainBody(res)

  199. 		return nil, errors.Errorf("Header %s is not populated in "+

  200. 			"SCRAM-SHA final response", AuthenticationInfo)

  201. 	}

  202. 

  203. 	finalSid, response, err := parseSidAndData(authHeader)

  204. 	if err != nil {

  205. 		drainBody(res)

  206. 		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+

  207. 			"final response %s", authHeader)

  208. 	}

  209. 

  210. 	if finalSid != sid {

  211. 		drainBody(res)

  212. 		return nil, errors.Errorf("Sid %s returned by server "+

  213. 			"doesn't match the original sid %s", finalSid, sid)

  214. 	}

  215. 

  216. 	err = s.HandleFinalResponse(response)

  217. 	if err != nil {

  218. 		drainBody(res)

  219. 		return nil, errors.Wrapf(err,

  220. 			"Error handling SCRAM-SHA final server response %s",

  221. 			response)

  222. 	}

  223. 	return res, nil

  224. }

  225. 

  226. func parseSidAndData(authHeader string) (string, string, error) {

  227. 	sidIndex := strings.Index(authHeader, SidPrefix)

  228. 	if sidIndex < 0 {

  229. 		return "", "", errors.Errorf("Cannot find %s in %s",

  230. 			SidPrefix, authHeader)

  231. 	}

  232. 

  233. 	sidEndIndex := strings.Index(authHeader, ",")

  234. 	if sidEndIndex < 0 {

  235. 		return "", "", errors.Errorf("Cannot find ',' in %s",

  236. 			authHeader)

  237. 	}

  238. 

  239. 	sid := authHeader[sidIndex+len(SidPrefix) : sidEndIndex]

  240. 

  241. 	dataIndex := strings.Index(authHeader, DataPrefix)

  242. 	if dataIndex < 0 {

  243. 		return "", "", errors.Errorf("Cannot find %s in %s",

  244. 			DataPrefix, authHeader)

  245. 	}

  246. 

  247. 	data, err := decode(authHeader[dataIndex+len(DataPrefix):])

  248. 	if err != nil {

  249. 		return "", "", err

  250. 	}

  251. 	return sid, data, nil

  252. }
上海开阖软件有限公司 沪ICP备12045867号-1