harbor/src/pkg/reg/util/challenge/authchallenge.go

// Copyright Project Harbor Authors
// Based on code from https://github.com/distribution/distribution.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package challenge

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// Octet types from RFC 2616.
type octetType byte

var octetTypes [256]octetType

const (
	isToken octetType = 1 << iota
	isSpace
)

func init() {
	// OCTET      = <any 8-bit sequence of data>
	// CHAR       = <any US-ASCII character (octets 0 - 127)>
	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
	// CR         = <US-ASCII CR, carriage return (13)>
	// LF         = <US-ASCII LF, linefeed (10)>
	// SP         = <US-ASCII SP, space (32)>
	// HT         = <US-ASCII HT, horizontal-tab (9)>
	// <">        = <US-ASCII double-quote mark (34)>
	// CRLF       = CR LF
	// LWS        = [CRLF] 1*( SP | HT )
	// TEXT       = <any OCTET except CTLs, but including LWS>
	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
	// token      = 1*<any CHAR except CTLs or separators>
	// qdtext     = <any TEXT except <">>

	for c := 0; c < 256; c++ {
		var t octetType
		isCtl := c <= 31 || c == 127
		isChar := 0 <= c && c <= 127
		isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c))
		if strings.ContainsRune(" \t\r\n", rune(c)) {
			t |= isSpace
		}
		if isChar && !isCtl && !isSeparator {
			t |= isToken
		}
		octetTypes[c] = t
	}
}

// Challenge carries information from a WWW-Authenticate response header.
// See RFC 2617.
type Challenge struct {
	// Scheme is the auth-scheme according to RFC 2617
	Scheme string

	// Parameters are the auth-params according to RFC 2617
	Parameters map[string]string
}

// Manager manages the challenges for endpoints.
// The challenges are pulled out of HTTP responses. Only
// responses which expect challenges should be added to
// the manager, since a non-unauthorized request will be
// viewed as not requiring challenges.
type Manager interface {
	// GetChallenges returns the challenges for the given
	// endpoint URL.
	GetChallenges(endpoint url.URL) ([]Challenge, error)

	// AddResponse adds the response to the challenge
	// manager. The challenges will be parsed out of
	// the WWW-Authenicate headers and added to the
	// URL which was produced the response. If the
	// response was authorized, any challenges for the
	// endpoint will be cleared.
	AddResponse(resp *http.Response) error
}

// NewSimpleManager returns an instance of
// Manager which only maps endpoints to challenges
// based on the responses which have been added the
// manager. The simple manager will make no attempt to
// perform requests on the endpoints or cache the responses
// to a backend.
func NewSimpleManager() Manager {
	return &simpleManager{
		Challenges: make(map[string][]Challenge),
	}
}

type simpleManager struct {
	sync.RWMutex
	Challenges map[string][]Challenge
}

func normalizeURL(endpoint *url.URL) {
	endpoint.Host = strings.ToLower(endpoint.Host)
	endpoint.Host = canonicalAddr(endpoint)
}

func (m *simpleManager) GetChallenges(endpoint url.URL) ([]Challenge, error) {
	normalizeURL(&endpoint)

	m.RLock()
	defer m.RUnlock()
	challenges := m.Challenges[endpoint.String()]
	return challenges, nil
}

func (m *simpleManager) AddResponse(resp *http.Response) error {
	challenges := ResponseChallenges(resp)
	if resp.Request == nil {
		return fmt.Errorf("missing request reference")
	}
	urlCopy := url.URL{
		Path:   resp.Request.URL.Path,
		Host:   resp.Request.URL.Host,
		Scheme: resp.Request.URL.Scheme,
	}
	normalizeURL(&urlCopy)

	m.Lock()
	defer m.Unlock()
	m.Challenges[urlCopy.String()] = challenges
	return nil
}

// ResponseChallenges returns a list of authorization challenges
// for the given http Response. Challenges are only checked if
// the response status code was a 401.
func ResponseChallenges(resp *http.Response) []Challenge {
	if resp.StatusCode == http.StatusUnauthorized {
		// Parse the WWW-Authenticate Header and store the challenges
		// on this endpoint object.
		return parseAuthHeader(resp.Header)
	}

	return nil
}

func parseAuthHeader(header http.Header) []Challenge {
	challenges := []Challenge{}
	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
		v, p := parseValueAndParams(h)
		if v != "" {
			challenges = append(challenges, Challenge{Scheme: v, Parameters: p})
		}
	}
	return challenges
}

func parseValueAndParams(header string) (value string, params map[string]string) {
	params = make(map[string]string)
	value, s := expectToken(header)
	if value == "" {
		return
	}
	value = strings.ToLower(value)
	s = "," + skipSpace(s)
	for strings.HasPrefix(s, ",") {
		var pkey string
		pkey, s = expectToken(skipSpace(s[1:]))
		if pkey == "" {
			return
		}
		if !strings.HasPrefix(s, "=") {
			return
		}
		var pvalue string
		pvalue, s = expectTokenOrQuoted(s[1:])
		if pvalue == "" {
			return
		}
		pkey = strings.ToLower(pkey)
		params[pkey] = pvalue
		s = skipSpace(s)
	}
	return
}

func skipSpace(s string) (rest string) {
	i := 0
	for ; i < len(s); i++ {
		if octetTypes[s[i]]&isSpace == 0 {
			break
		}
	}
	return s[i:]
}

func expectToken(s string) (token, rest string) {
	i := 0
	for ; i < len(s); i++ {
		if octetTypes[s[i]]&isToken == 0 {
			break
		}
	}
	return s[:i], s[i:]
}

func expectTokenOrQuoted(s string) (value string, rest string) {
	if !strings.HasPrefix(s, "\"") {
		return expectToken(s)
	}
	s = s[1:]
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '"':
			return s[:i], s[i+1:]
		case '\\':
			p := make([]byte, len(s)-1)
			j := copy(p, s[:i])
			escape := true
			for i = i + 1; i < len(s); i++ {
				b := s[i]
				switch {
				case escape:
					escape = false
					p[j] = b
					j++
				case b == '\\':
					escape = true
				case b == '"':
					return string(p[:j]), s[i+1:]
				default:
					p[j] = b
					j++
				}
			}
			return "", ""
		}
	}
	return "", ""
}
Upgrade to distribution (registry) v3 alpha (#19784) * registryctl/api/registry/blob: fix dropped test error (#19721) Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com> * Remove robot account update quota permission (#19819) Signed-off-by: Yang Jiao <yang.jiao@broadcom.com> Co-authored-by: Yang Jiao <yang.jiao@broadcom.com> * Cache image list with digest key (#19801) fixes #19429 Signed-off-by: stonezdj <daojunz@vmware.com> Co-authored-by: stonezdj <daojunz@vmware.com> * Add quota permissions testcase (#19822) Signed-off-by: Yang Jiao <yang.jiao@broadcom.com> Co-authored-by: Yang Jiao <yang.jiao@broadcom.com> * deprecate gosec in makefile (#19828) remove the unused the part from makefile Signed-off-by: wang yan <wangyan@vmware.com> * Add verification that robot account duration is not 0 (#19829) Signed-off-by: Yang Jiao <yang.jiao@broadcom.com> * fix artifact page bug (#19807) * fix artifact page bug * update testcase * Upgrade to distribution (registry) v3 alpha This includes all the benefits of the v3 distribution, but also all breaking changes. Most notably, Image Manifest v2 Schema v1 support has been dropped, as well as the `oss` and `swift` storage drivers. Currently, this still relies on v2's github.com/docker/distribution/registry/client/auth/challenge, because that code has been removed from the public API in v3. Signed-off-by: Aaron Dewes <aaron.dewes@protonmail.com> --------- Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com> Signed-off-by: Yang Jiao <yang.jiao@broadcom.com> Signed-off-by: stonezdj <daojunz@vmware.com> Signed-off-by: wang yan <wangyan@vmware.com> Signed-off-by: Aaron Dewes <aaron.dewes@protonmail.com> Co-authored-by: Lars Lehtonen <lars.lehtonen@gmail.com> Co-authored-by: Yang Jiao <72076317+YangJiao0817@users.noreply.github.com> Co-authored-by: Yang Jiao <yang.jiao@broadcom.com> Co-authored-by: stonezdj(Daojun Zhang) <stonezdj@gmail.com> Co-authored-by: stonezdj <daojunz@vmware.com> Co-authored-by: Wang Yan <wangyan@vmware.com> Co-authored-by: ShengqiWang <124650040+ShengqiWang@users.noreply.github.com> 2024-01-26 22:48:06 +01:00			`// Copyright Project Harbor Authors`
			`// Based on code from https://github.com/distribution/distribution.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package challenge`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`"sync"`
			`)`

			`// Octet types from RFC 2616.`
			`type octetType byte`

			`var octetTypes [256]octetType`

			`const (`
			`isToken octetType = 1 << iota`
			`isSpace`
			`)`

			`func init() {`
			`// OCTET = <any 8-bit sequence of data>`
			`// CHAR = <any US-ASCII character (octets 0 - 127)>`
			`// CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>`
			`// CR = <US-ASCII CR, carriage return (13)>`
			`// LF = <US-ASCII LF, linefeed (10)>`
			`// SP = <US-ASCII SP, space (32)>`
			`// HT = <US-ASCII HT, horizontal-tab (9)>`
			`// <"> = <US-ASCII double-quote mark (34)>`
			`// CRLF = CR LF`
			`// LWS = [CRLF] 1*( SP \| HT )`
			`// TEXT = <any OCTET except CTLs, but including LWS>`
			`// separators = "(" \| ")" \| "<" \| ">" \| "@" \| "," \| ";" \| ":" \| "\" \| <">`
			`// \| "/" \| "[" \| "]" \| "?" \| "=" \| "{" \| "}" \| SP \| HT`
			`// token = 1*<any CHAR except CTLs or separators>`
			`// qdtext = <any TEXT except <">>`

			`for c := 0; c < 256; c++ {`
			`var t octetType`
			`isCtl := c <= 31 \|\| c == 127`
			`isChar := 0 <= c && c <= 127`
			`isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c))`
			`if strings.ContainsRune(" \t\r\n", rune(c)) {`
			`t \|= isSpace`
			`}`
			`if isChar && !isCtl && !isSeparator {`
			`t \|= isToken`
			`}`
			`octetTypes[c] = t`
			`}`
			`}`

			`// Challenge carries information from a WWW-Authenticate response header.`
			`// See RFC 2617.`
			`type Challenge struct {`
			`// Scheme is the auth-scheme according to RFC 2617`
			`Scheme string`

			`// Parameters are the auth-params according to RFC 2617`
			`Parameters map[string]string`
			`}`

			`// Manager manages the challenges for endpoints.`
			`// The challenges are pulled out of HTTP responses. Only`
			`// responses which expect challenges should be added to`
			`// the manager, since a non-unauthorized request will be`
			`// viewed as not requiring challenges.`
			`type Manager interface {`
			`// GetChallenges returns the challenges for the given`
			`// endpoint URL.`
			`GetChallenges(endpoint url.URL) ([]Challenge, error)`

			`// AddResponse adds the response to the challenge`
			`// manager. The challenges will be parsed out of`
			`// the WWW-Authenicate headers and added to the`
			`// URL which was produced the response. If the`
			`// response was authorized, any challenges for the`
			`// endpoint will be cleared.`
			`AddResponse(resp *http.Response) error`
			`}`

			`// NewSimpleManager returns an instance of`
			`// Manager which only maps endpoints to challenges`
			`// based on the responses which have been added the`
			`// manager. The simple manager will make no attempt to`
			`// perform requests on the endpoints or cache the responses`
			`// to a backend.`
			`func NewSimpleManager() Manager {`
			`return &simpleManager{`
			`Challenges: make(map[string][]Challenge),`
			`}`
			`}`

			`type simpleManager struct {`
			`sync.RWMutex`
			`Challenges map[string][]Challenge`
			`}`

			`func normalizeURL(endpoint *url.URL) {`
			`endpoint.Host = strings.ToLower(endpoint.Host)`
			`endpoint.Host = canonicalAddr(endpoint)`
			`}`

			`func (m *simpleManager) GetChallenges(endpoint url.URL) ([]Challenge, error) {`
			`normalizeURL(&endpoint)`

			`m.RLock()`
			`defer m.RUnlock()`
			`challenges := m.Challenges[endpoint.String()]`
			`return challenges, nil`
			`}`

			`func (m simpleManager) AddResponse(resp http.Response) error {`
			`challenges := ResponseChallenges(resp)`
			`if resp.Request == nil {`
			`return fmt.Errorf("missing request reference")`
			`}`
			`urlCopy := url.URL{`
			`Path: resp.Request.URL.Path,`
			`Host: resp.Request.URL.Host,`
			`Scheme: resp.Request.URL.Scheme,`
			`}`
			`normalizeURL(&urlCopy)`

			`m.Lock()`
			`defer m.Unlock()`
			`m.Challenges[urlCopy.String()] = challenges`
			`return nil`
			`}`

			`// ResponseChallenges returns a list of authorization challenges`
			`// for the given http Response. Challenges are only checked if`
			`// the response status code was a 401.`
			`func ResponseChallenges(resp *http.Response) []Challenge {`
			`if resp.StatusCode == http.StatusUnauthorized {`
			`// Parse the WWW-Authenticate Header and store the challenges`
			`// on this endpoint object.`
			`return parseAuthHeader(resp.Header)`
			`}`

			`return nil`
			`}`

			`func parseAuthHeader(header http.Header) []Challenge {`
			`challenges := []Challenge{}`
			`for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {`
			`v, p := parseValueAndParams(h)`
			`if v != "" {`
			`challenges = append(challenges, Challenge{Scheme: v, Parameters: p})`
			`}`
			`}`
			`return challenges`
			`}`

			`func parseValueAndParams(header string) (value string, params map[string]string) {`
			`params = make(map[string]string)`
			`value, s := expectToken(header)`
			`if value == "" {`
			`return`
			`}`
			`value = strings.ToLower(value)`
			`s = "," + skipSpace(s)`
			`for strings.HasPrefix(s, ",") {`
			`var pkey string`
			`pkey, s = expectToken(skipSpace(s[1:]))`
			`if pkey == "" {`
			`return`
			`}`
			`if !strings.HasPrefix(s, "=") {`
			`return`
			`}`
			`var pvalue string`
			`pvalue, s = expectTokenOrQuoted(s[1:])`
			`if pvalue == "" {`
			`return`
			`}`
			`pkey = strings.ToLower(pkey)`
			`params[pkey] = pvalue`
			`s = skipSpace(s)`
			`}`
			`return`
			`}`

			`func skipSpace(s string) (rest string) {`
			`i := 0`
			`for ; i < len(s); i++ {`
			`if octetTypes[s[i]]&isSpace == 0 {`
			`break`
			`}`
			`}`
			`return s[i:]`
			`}`

			`func expectToken(s string) (token, rest string) {`
			`i := 0`
			`for ; i < len(s); i++ {`
			`if octetTypes[s[i]]&isToken == 0 {`
			`break`
			`}`
			`}`
			`return s[:i], s[i:]`
			`}`

			`func expectTokenOrQuoted(s string) (value string, rest string) {`
			`if !strings.HasPrefix(s, "\"") {`
			`return expectToken(s)`
			`}`
			`s = s[1:]`
			`for i := 0; i < len(s); i++ {`
			`switch s[i] {`
			`case '"':`
			`return s[:i], s[i+1:]`
			`case '\\':`
			`p := make([]byte, len(s)-1)`
			`j := copy(p, s[:i])`
			`escape := true`
			`for i = i + 1; i < len(s); i++ {`
			`b := s[i]`
			`switch {`
			`case escape:`
			`escape = false`
			`p[j] = b`
			`j++`
			`case b == '\\':`
			`escape = true`
			`case b == '"':`
			`return string(p[:j]), s[i+1:]`
			`default:`
			`p[j] = b`
			`j++`
			`}`
			`}`
			`return "", ""`
			`}`
			`}`
			`return "", ""`
			`}`