Merge pull request #397 from sum12/hashedpass

auth: Added cmdline option to specify passwords are bcrypted
7 years ago · dd4e494b23
parent f6672dd3dd 03dcfc47e0
commit dd4e494b23
2 changed files with 74 additions and 5 deletions
--- a/auth/credential_store.go
+++ b/auth/credential_store.go
@ -5,6 +5,8 @@ package auth
 import (
 	"encoding/json"
 	"io"
+
+	"golang.org/x/crypto/bcrypt"
 )

 // BasicAuther is the interface an object must support to return basic auth information.
@ -16,20 +18,23 @@ type BasicAuther interface {
 type Credential struct {
 	Username string   `json:"username,omitempty"`
 	Password string   `json:"password,omitempty"`
+	Hashed   *bool    `json:"hashed,omitempty"`
 	Perms    []string `json:"perms,omitempty"`
 }

 // CredentialsStore stores authentication and authorization information for all users.
 type CredentialsStore struct {
-	store map[string]string
-	perms map[string]map[string]bool
+	store      map[string]string
+	perms      map[string]map[string]bool
+	isbcrypted map[string]bool
 }

 // NewCredentialsStore returns a new instance of a CredentialStore.
 func NewCredentialsStore() *CredentialsStore {
 	return &CredentialsStore{
-		store: make(map[string]string),
-		perms: make(map[string]map[string]bool),
+		store:      make(map[string]string),
+		perms:      make(map[string]map[string]bool),
+		isbcrypted: make(map[string]bool),
 	}
 }

@ -53,6 +58,9 @@ func (c *CredentialsStore) Load(r io.Reader) error {
 		for _, p := range cred.Perms {
 			c.perms[cred.Username][p] = true
 		}
+		if cred.Hashed != nil && *cred.Hashed {
+			c.isbcrypted[cred.Username] = true
+		}
 	}

 	// Read closing bracket.
@ -67,7 +75,15 @@ func (c *CredentialsStore) Load(r io.Reader) error {
 // Check returns true if the password is correct for the given username.
 func (c *CredentialsStore) Check(username, password string) bool {
 	pw, ok := c.store[username]
-	return ok && password == pw
+	if !ok {
+		return false
+	}
+	if _, ok = c.isbcrypted[username]; ok {
+		err := bcrypt.CompareHashAndPassword([]byte(pw), []byte(password))
+		return err == nil
+	} else {
+		return password == pw
+	}
 }

 // CheckRequest returns true if b contains a valid username and password.
--- a/auth/credential_store_test.go
+++ b/auth/credential_store_test.go
@ -162,6 +162,59 @@ func Test_AuthPermsLoadSingle(t *testing.T) {
 	}
 }

+func Test_AuthLoadHashedSingleRequest(t *testing.T) {
+	const jsonStream = `
+		[
+			{
+				"username": "username1",
+				"password": "$2a$10$fKRHxrEuyDTP6tXIiDycr.nyC8Q7UMIfc31YMyXHDLgRDyhLK3VFS",
+				"hashed": true
+			},
+			{"username": "username2", "password": "password2", "hashed":false}
+		]
+	`
+
+	store := NewCredentialsStore()
+	if err := store.Load(strings.NewReader(jsonStream)); err != nil {
+		t.Fatalf("failed to load multiple credentials: %s", err.Error())
+	}
+
+	b1 := &testBasicAuther{
+		username: "username1",
+		password: "password1",
+		ok:       true,
+	}
+	b2 := &testBasicAuther{
+		username: "username2",
+		password: "password2",
+		ok:       true,
+	}
+
+	b3 := &testBasicAuther{
+		username: "username1",
+		password: "wrong",
+		ok:       true,
+	}
+	b4 := &testBasicAuther{
+		username: "username2",
+		password: "wrong",
+		ok:       true,
+	}
+
+	if check := store.CheckRequest(b1); !check {
+		t.Fatalf("username1 (b1) credential not checked correctly via request")
+	}
+	if check := store.CheckRequest(b2); !check {
+		t.Fatalf("username2 (b2) credential not checked correctly via request")
+	}
+	if check := store.CheckRequest(b3); check {
+		t.Fatalf("username1 (b3) credential not checked correctly via request")
+	}
+	if check := store.CheckRequest(b4); check {
+		t.Fatalf("username2 (b4) credential not checked correctly via request")
+	}
+}
+
 func Test_AuthPermsRequestLoadSingle(t *testing.T) {
 	const jsonStream = `
 		[