From 69de5bb828852ff4f0dfced8341d223bd556269f Mon Sep 17 00:00:00 2001
From: mpl
Date: Wed, 25 Mar 2020 14:28:04 +0100
Subject: [PATCH] digest auth: use RequireAuthStale when appropriate
---
 go.mod | 2 +-
 go.sum | 6 ++--
 pkg/middlewares/auth/basic_auth.go | 3 +-
 pkg/middlewares/auth/digest_auth.go | 47 +++++++++++++++++------------
 4 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/go.mod b/go.mod
index 26ed7f528..f4816eeff 100644
--- a/go.mod
+++ b/go.mod
@@ -104,7 +104,7 @@ replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.2020020422
 // Containous forks
 replace (
- github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f
+ github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e
 github.com/go-check/check => github.com/containous/check v0.0.0-20170915194414-ca0bf163426a
 github.com/gorilla/mux => github.com/containous/mux v0.0.0-20181024131434-c33f32e26898
 github.com/mailgun/minheap => github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595
diff --git a/go.sum b/go.sum
index ed7a16587..c602633c7 100644
--- a/go.sum
+++ b/go.sum
@@ -162,8 +162,8 @@ github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd h1:0n+lFLh5zU0l6K
 github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd/go.mod h1:BbQgeDS5i0tNvypwEoF1oNjOJw8knRAE1DnVvjDstcQ=
 github.com/containous/check v0.0.0-20170915194414-ca0bf163426a h1:8esAQaPKjfntQR1bag/mAOvWJd5HqSX5nsa+0KT63zo=
 github.com/containous/check v0.0.0-20170915194414-ca0bf163426a/go.mod h1:eQOqZ7GoFsLxI7jFKLs7+Nv2Rm1x4FyK8d2NV+yGjwQ=
-github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f h1:AgXgJSqQmsiNFW268OGe/y7Mn4jiCWaMUk05qser3Bo=
-github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f/go.mod h1:dCmRGidPSLagL8D/2u7yIO6Y/8D/yuYX9EdKrnrhpCA=
+github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e h1:D+uTEzDZc1Fhmd0Pq06c+O9+KkAyExw0eVmu/NOqaHU=
+github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e/go.mod h1:s8kLgBQolDbsJOPVIGCEEv9zGAKUUf/685Gi0Qqg8z8=
 github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595 h1:aPspFRO6b94To3gl4yTDOEtpjFwXI7V2W+z0JcNljQ4=
 github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595/go.mod h1:+lHFbEasIiQVGzhVDVw/cn0ZaOzde2OwNncp1NhXV4c=
 github.com/containous/multibuf v0.0.0-20190809014333-8b6c9a7e6bba h1:PhR03pep+5eO/9BSvCY9RyG8rjogB3uYS4X/WBYNTT8=
@@ -796,6 +796,8 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6 h1:TjszyFsQsyZNHwdVdZ5m7bjmreu0znc2kRYsEml9/Ww=
+golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
diff --git a/pkg/middlewares/auth/basic_auth.go b/pkg/middlewares/auth/basic_auth.go
index ee857d05a..e03fb3f6a 100644
--- a/pkg/middlewares/auth/basic_auth.go
+++ b/pkg/middlewares/auth/basic_auth.go
@@ -49,7 +49,8 @@ func NewBasic(ctx context.Context, next http.Handler, authConfig dynamic.BasicAu
 if len(authConfig.Realm) > 0 {
 realm = authConfig.Realm
 }
- ba.auth = goauth.NewBasicAuthenticator(realm, ba.secretBasic)
+
+ ba.auth = &goauth.BasicAuth{Realm: realm, Secrets: ba.secretBasic}
 return ba, nil
 }
diff --git a/pkg/middlewares/auth/digest_auth.go b/pkg/middlewares/auth/digest_auth.go
index 0a43d45c1..70d1306ef 100644
--- a/pkg/middlewares/auth/digest_auth.go
+++ b/pkg/middlewares/auth/digest_auth.go
@@ -61,29 +61,38 @@ func (d *digestAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
 func (d *digestAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 logger := log.FromContext(middlewares.GetLoggerCtx(req.Context(), d.name, digestTypeName))
- if username, _ := d.auth.CheckAuth(req); username == "" {
+ username, authinfo := d.auth.CheckAuth(req)
+ if username == "" {
+ if authinfo != nil && *authinfo == "stale" {
+ logger.Debug("Digest authentication failed, possibly because out of order requests")
+ tracing.SetErrorWithEvent(req, "Digest authentication failed, possibly because out of order requests")
+ d.auth.RequireAuthStale(rw, req)
+ return
+ }
+
 logger.Debug("Digest authentication failed")
 tracing.SetErrorWithEvent(req, "Digest authentication failed")
 d.auth.RequireAuth(rw, req)
- } else {
- logger.Debug("Digest authentication succeeded")
- req.URL.User = url.User(username)
-
- logData := accesslog.GetLogData(req)
- if logData != nil {
- logData.Core[accesslog.ClientUsername] = username
- }
-
- if d.headerField != "" {
- req.Header[d.headerField] = []string{username}
- }
-
- if d.removeHeader {
- logger.Debug("Removing the Authorization header")
- req.Header.Del(authorizationHeader)
- }
- d.next.ServeHTTP(rw, req)
+ return
 }
+
+ logger.Debug("Digest authentication succeeded")
+ req.URL.User = url.User(username)
+
+ logData := accesslog.GetLogData(req)
+ if logData != nil {
+ logData.Core[accesslog.ClientUsername] = username
+ }
+
+ if d.headerField != "" {
+ req.Header[d.headerField] = []string{username}
+ }
+
+ if d.removeHeader {
+ logger.Debug("Removing the Authorization header")
+ req.Header.Del(authorizationHeader)
+ }
+ d.next.ServeHTTP(rw, req)
 }
 func (d *digestAuth) secretDigest(user, realm string) string {
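Review bot: The stale branch in ServeHTTP keys off a bare literal, `if authinfo != nil && *authinfo == "stale"`, so the handler now depends on an undocumented contract with the forked go-http-auth that this same commit repins in go.mod. A `stale=true` challenge tells the client it may retry without asking the user for credentials again, and RFC 2617 says to send it only when the nonce is invalid but the digest computed for that nonce is valid. Whether CheckAuth verifies the response before reporting "stale" cannot be seen from this hunk, so that is worth confirming in the fork. I would name the value and record the assumption next to it, e.g. `const authInfoStale = "stale" // reported by CheckAuth; assumed to mean stale nonce with an otherwise valid digest`, and compare against that constant. The two new log and tracing calls also repeat the same message literal, which a single local string would keep in step.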