add other session providers (#5963)

2025-06-04 09:24:36 -04:00 · 2019-02-05 11:52:51 -05:00 · 2019-02-05 11:52:51 -05:00 · 9de871a0f8
commit 9de871a0f8
parent bf4badad1d
160 changed files with 37644 additions and 66 deletions
--- a/vendor/github.com/couchbase/goutils/scramsha/scramsha.go
+++ b/vendor/github.com/couchbase/goutils/scramsha/scramsha.go
@ -0,0 +1,207 @@
+// @author Couchbase <info@couchbase.com>
+// @copyright 2018 Couchbase, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package scramsha provides implementation of client side SCRAM-SHA
+// according to https://tools.ietf.org/html/rfc5802
+package scramsha
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"fmt"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/pbkdf2"
+	"hash"
+	"strconv"
+	"strings"
+)
+
+func hmacHash(message []byte, secret []byte, hashFunc func() hash.Hash) []byte {
+	h := hmac.New(hashFunc, secret)
+	h.Write(message)
+	return h.Sum(nil)
+}
+
+func shaHash(message []byte, hashFunc func() hash.Hash) []byte {
+	h := hashFunc()
+	h.Write(message)
+	return h.Sum(nil)
+}
+
+func generateClientNonce(size int) (string, error) {
+	randomBytes := make([]byte, size)
+	_, err := rand.Read(randomBytes)
+	if err != nil {
+		return "", errors.Wrap(err, "Unable to generate nonce")
+	}
+	return base64.StdEncoding.EncodeToString(randomBytes), nil
+}
+
+// ScramSha provides context for SCRAM-SHA handling
+type ScramSha struct {
+	hashSize       int
+	hashFunc       func() hash.Hash
+	clientNonce    string
+	serverNonce    string
+	salt           []byte
+	i              int
+	saltedPassword []byte
+	authMessage    string
+}
+
+var knownMethods = []string{"SCRAM-SHA512", "SCRAM-SHA256", "SCRAM-SHA1"}
+
+// BestMethod returns SCRAM-SHA method we consider the best out of suggested
+// by server
+func BestMethod(methods string) (string, error) {
+	for _, m := range knownMethods {
+		if strings.Index(methods, m) != -1 {
+			return m, nil
+		}
+	}
+	return "", errors.Errorf(
+		"None of the server suggested methods [%s] are supported",
+		methods)
+}
+
+// NewScramSha creates context for SCRAM-SHA handling
+func NewScramSha(method string) (*ScramSha, error) {
+	s := &ScramSha{}
+
+	if method == knownMethods[0] {
+		s.hashFunc = sha512.New
+		s.hashSize = 64
+	} else if method == knownMethods[1] {
+		s.hashFunc = sha256.New
+		s.hashSize = 32
+	} else if method == knownMethods[2] {
+		s.hashFunc = sha1.New
+		s.hashSize = 20
+	} else {
+		return nil, errors.Errorf("Unsupported method %s", method)
+	}
+	return s, nil
+}
+
+// GetStartRequest builds start SCRAM-SHA request to be sent to server
+func (s *ScramSha) GetStartRequest(user string) (string, error) {
+	var err error
+	s.clientNonce, err = generateClientNonce(24)
+	if err != nil {
+		return "", errors.Wrapf(err, "Unable to generate SCRAM-SHA "+
+			"start request for user %s", user)
+	}
+
+	message := fmt.Sprintf("n,,n=%s,r=%s", user, s.clientNonce)
+	s.authMessage = message[3:]
+	return message, nil
+}
+
+// HandleStartResponse handles server response on start SCRAM-SHA request
+func (s *ScramSha) HandleStartResponse(response string) error {
+	parts := strings.Split(response, ",")
+	if len(parts) != 3 {
+		return errors.Errorf("expected 3 fields in first SCRAM-SHA-1 "+
+			"server message %s", response)
+	}
+	if !strings.HasPrefix(parts[0], "r=") || len(parts[0]) < 3 {
+		return errors.Errorf("Server sent an invalid nonce %s",
+			parts[0])
+	}
+	if !strings.HasPrefix(parts[1], "s=") || len(parts[1]) < 3 {
+		return errors.Errorf("Server sent an invalid salt %s", parts[1])
+	}
+	if !strings.HasPrefix(parts[2], "i=") || len(parts[2]) < 3 {
+		return errors.Errorf("Server sent an invalid iteration count %s",
+			parts[2])
+	}
+
+	s.serverNonce = parts[0][2:]
+	encodedSalt := parts[1][2:]
+	var err error
+	s.i, err = strconv.Atoi(parts[2][2:])
+	if err != nil {
+		return errors.Errorf("Iteration count %s must be integer.",
+			parts[2][2:])
+	}
+
+	if s.i < 1 {
+		return errors.New("Iteration count should be positive")
+	}
+
+	if !strings.HasPrefix(s.serverNonce, s.clientNonce) {
+		return errors.Errorf("Server nonce %s doesn't contain client"+
+			" nonce %s", s.serverNonce, s.clientNonce)
+	}
+
+	s.salt, err = base64.StdEncoding.DecodeString(encodedSalt)
+	if err != nil {
+		return errors.Wrapf(err, "Unable to decode salt %s",
+			encodedSalt)
+	}
+
+	s.authMessage = s.authMessage + "," + response
+	return nil
+}
+
+// GetFinalRequest builds final SCRAM-SHA request to be sent to server
+func (s *ScramSha) GetFinalRequest(pass string) string {
+	clientFinalMessageBare := "c=biws,r=" + s.serverNonce
+	s.authMessage = s.authMessage + "," + clientFinalMessageBare
+
+	s.saltedPassword = pbkdf2.Key([]byte(pass), s.salt, s.i,
+		s.hashSize, s.hashFunc)
+
+	clientKey := hmacHash([]byte("Client Key"), s.saltedPassword, s.hashFunc)
+	storedKey := shaHash(clientKey, s.hashFunc)
+	clientSignature := hmacHash([]byte(s.authMessage), storedKey, s.hashFunc)
+
+	clientProof := make([]byte, len(clientSignature))
+	for i := 0; i < len(clientSignature); i++ {
+		clientProof[i] = clientKey[i] ^ clientSignature[i]
+	}
+
+	return clientFinalMessageBare + ",p=" +
+		base64.StdEncoding.EncodeToString(clientProof)
+}
+
+// HandleFinalResponse handles server's response on final SCRAM-SHA request
+func (s *ScramSha) HandleFinalResponse(response string) error {
+	if strings.Contains(response, ",") ||
+		!strings.HasPrefix(response, "v=") {
+		return errors.Errorf("Server sent an invalid final message %s",
+			response)
+	}
+
+	decodedMessage, err := base64.StdEncoding.DecodeString(response[2:])
+	if err != nil {
+		return errors.Wrapf(err, "Unable to decode server message %s",
+			response[2:])
+	}
+	serverKey := hmacHash([]byte("Server Key"), s.saltedPassword,
+		s.hashFunc)
+	serverSignature := hmacHash([]byte(s.authMessage), serverKey,
+		s.hashFunc)
+	if string(decodedMessage) != string(serverSignature) {
+		return errors.Errorf("Server proof %s doesn't match "+
+			"the expected: %s",
+			string(decodedMessage), string(serverSignature))
+	}
+	return nil
+}
--- a/vendor/github.com/couchbase/goutils/scramsha/scramsha_http.go
+++ b/vendor/github.com/couchbase/goutils/scramsha/scramsha_http.go
@ -0,0 +1,252 @@
+// @author Couchbase <info@couchbase.com>
+// @copyright 2018 Couchbase, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package scramsha provides implementation of client side SCRAM-SHA
+// via Http according to https://tools.ietf.org/html/rfc7804
+package scramsha
+
+import (
+	"encoding/base64"
+	"github.com/pkg/errors"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+// consts used to parse scramsha response from target
+const (
+	WWWAuthenticate    = "WWW-Authenticate"
+	AuthenticationInfo = "Authentication-Info"
+	Authorization      = "Authorization"
+	DataPrefix         = "data="
+	SidPrefix          = "sid="
+)
+
+// Request provides implementation of http request that can be retried
+type Request struct {
+	body io.ReadSeeker
+
+	// Embed an HTTP request directly. This makes a *Request act exactly
+	// like an *http.Request so that all meta methods are supported.
+	*http.Request
+}
+
+type lenReader interface {
+	Len() int
+}
+
+// NewRequest creates http request that can be retried
+func NewRequest(method, url string, body io.ReadSeeker) (*Request, error) {
+	// Wrap the body in a noop ReadCloser if non-nil. This prevents the
+	// reader from being closed by the HTTP client.
+	var rcBody io.ReadCloser
+	if body != nil {
+		rcBody = ioutil.NopCloser(body)
+	}
+
+	// Make the request with the noop-closer for the body.
+	httpReq, err := http.NewRequest(method, url, rcBody)
+	if err != nil {
+		return nil, err
+	}
+
+	// Check if we can set the Content-Length automatically.
+	if lr, ok := body.(lenReader); ok {
+		httpReq.ContentLength = int64(lr.Len())
+	}
+
+	return &Request{body, httpReq}, nil
+}
+
+func encode(str string) string {
+	return base64.StdEncoding.EncodeToString([]byte(str))
+}
+
+func decode(str string) (string, error) {
+	bytes, err := base64.StdEncoding.DecodeString(str)
+	if err != nil {
+		return "", errors.Errorf("Cannot base64 decode %s",
+			str)
+	}
+	return string(bytes), err
+}
+
+func trimPrefix(s, prefix string) (string, error) {
+	l := len(s)
+	trimmed := strings.TrimPrefix(s, prefix)
+	if l == len(trimmed) {
+		return trimmed, errors.Errorf("Prefix %s not found in %s",
+			prefix, s)
+	}
+	return trimmed, nil
+}
+
+func drainBody(resp *http.Response) {
+	defer resp.Body.Close()
+	io.Copy(ioutil.Discard, resp.Body)
+}
+
+// DoScramSha performs SCRAM-SHA handshake via Http
+func DoScramSha(req *Request,
+	username string,
+	password string,
+	client *http.Client) (*http.Response, error) {
+
+	method := "SCRAM-SHA-512"
+	s, err := NewScramSha("SCRAM-SHA512")
+	if err != nil {
+		return nil, errors.Wrap(err,
+			"Unable to initialize SCRAM-SHA handler")
+	}
+
+	message, err := s.GetStartRequest(username)
+	if err != nil {
+		return nil, err
+	}
+
+	encodedMessage := method + " " + DataPrefix + encode(message)
+
+	req.Header.Set(Authorization, encodedMessage)
+
+	res, err := client.Do(req.Request)
+	if err != nil {
+		return nil, errors.Wrap(err, "Problem sending SCRAM-SHA start"+
+			"request")
+	}
+
+	if res.StatusCode != http.StatusUnauthorized {
+		return res, nil
+	}
+
+	authHeader := res.Header.Get(WWWAuthenticate)
+	if authHeader == "" {
+		drainBody(res)
+		return nil, errors.Errorf("Header %s is not populated in "+
+			"SCRAM-SHA start response", WWWAuthenticate)
+	}
+
+	authHeader, err = trimPrefix(authHeader, method+" ")
+	if err != nil {
+		if strings.HasPrefix(authHeader, "Basic ") {
+			// user not found
+			return res, nil
+		}
+		drainBody(res)
+		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+
+			"start response %s", authHeader)
+	}
+
+	drainBody(res)
+
+	sid, response, err := parseSidAndData(authHeader)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+
+			"start response %s", authHeader)
+	}
+
+	err = s.HandleStartResponse(response)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error parsing SCRAM-SHA start "+
+			"response %s", response)
+	}
+
+	message = s.GetFinalRequest(password)
+	encodedMessage = method + " " + SidPrefix + sid + "," + DataPrefix +
+		encode(message)
+
+	req.Header.Set(Authorization, encodedMessage)
+
+	// rewind request body so it can be resent again
+	if req.body != nil {
+		if _, err = req.body.Seek(0, 0); err != nil {
+			return nil, errors.Errorf("Failed to seek body: %v",
+				err)
+		}
+	}
+
+	res, err = client.Do(req.Request)
+	if err != nil {
+		return nil, errors.Wrap(err, "Problem sending SCRAM-SHA final"+
+			"request")
+	}
+
+	if res.StatusCode == http.StatusUnauthorized {
+		// TODO retrieve and return error
+		return res, nil
+	}
+
+	if res.StatusCode >= http.StatusInternalServerError {
+		// in this case we cannot expect server to set headers properly
+		return res, nil
+	}
+
+	authHeader = res.Header.Get(AuthenticationInfo)
+	if authHeader == "" {
+		drainBody(res)
+		return nil, errors.Errorf("Header %s is not populated in "+
+			"SCRAM-SHA final response", AuthenticationInfo)
+	}
+
+	finalSid, response, err := parseSidAndData(authHeader)
+	if err != nil {
+		drainBody(res)
+		return nil, errors.Wrapf(err, "Error while parsing SCRAM-SHA "+
+			"final response %s", authHeader)
+	}
+
+	if finalSid != sid {
+		drainBody(res)
+		return nil, errors.Errorf("Sid %s returned by server "+
+			"doesn't match the original sid %s", finalSid, sid)
+	}
+
+	err = s.HandleFinalResponse(response)
+	if err != nil {
+		drainBody(res)
+		return nil, errors.Wrapf(err,
+			"Error handling SCRAM-SHA final server response %s",
+			response)
+	}
+	return res, nil
+}
+
+func parseSidAndData(authHeader string) (string, string, error) {
+	sidIndex := strings.Index(authHeader, SidPrefix)
+	if sidIndex < 0 {
+		return "", "", errors.Errorf("Cannot find %s in %s",
+			SidPrefix, authHeader)
+	}
+
+	sidEndIndex := strings.Index(authHeader, ",")
+	if sidEndIndex < 0 {
+		return "", "", errors.Errorf("Cannot find ',' in %s",
+			authHeader)
+	}
+
+	sid := authHeader[sidIndex+len(SidPrefix) : sidEndIndex]
+
+	dataIndex := strings.Index(authHeader, DataPrefix)
+	if dataIndex < 0 {
+		return "", "", errors.Errorf("Cannot find %s in %s",
+			DataPrefix, authHeader)
+	}
+
+	data, err := decode(authHeader[dataIndex+len(DataPrefix):])
+	if err != nil {
+		return "", "", err
+	}
+	return sid, data, nil
+}