syncthing/cmd/syncthing/gui_auth.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.

package main

import (
	"bytes"
	"encoding/base64"
	"net/http"
	"strings"
	"time"

	"github.com/syncthing/syncthing/lib/config"
	"github.com/syncthing/syncthing/lib/events"
	"github.com/syncthing/syncthing/lib/rand"
	"github.com/syncthing/syncthing/lib/sync"
	"golang.org/x/crypto/bcrypt"
)

var (
	sessions    = make(map[string]bool)
	sessionsMut = sync.NewMutex()
)

func emitLoginAttempt(success bool, username string) {
	events.Default.Log(events.LoginAttempt, map[string]interface{}{
		"success":  success,
		"username": username,
	})
}

func basicAuthAndSessionMiddleware(cookieName string, cfg config.GUIConfiguration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
			next.ServeHTTP(w, r)
			return
		}

		cookie, err := r.Cookie(cookieName)
		if err == nil && cookie != nil {
			sessionsMut.Lock()
			_, ok := sessions[cookie.Value]
			sessionsMut.Unlock()
			if ok {
				next.ServeHTTP(w, r)
				return
			}
		}

		httpl.Debugln("Sessionless HTTP request with authentication; this is expensive.")

		error := func() {
			time.Sleep(time.Duration(rand.Intn(100)+100) * time.Millisecond)
			w.Header().Set("WWW-Authenticate", "Basic realm=\"Authorization Required\"")
			http.Error(w, "Not Authorized", http.StatusUnauthorized)
		}

		hdr := r.Header.Get("Authorization")
		if !strings.HasPrefix(hdr, "Basic ") {
			error()
			return
		}

		hdr = hdr[6:]
		bs, err := base64.StdEncoding.DecodeString(hdr)
		if err != nil {
			error()
			return
		}

		fields := bytes.SplitN(bs, []byte(":"), 2)
		if len(fields) != 2 {
			error()
			return
		}

		// Check if the username is correct, assuming it was sent as UTF-8
		username := string(fields[0])
		if username == cfg.User {
			goto usernameOK
		}

		// ... check it again, converting it from assumed ISO-8859-1 to UTF-8
		username = string(iso88591ToUTF8(fields[0]))
		if username == cfg.User {
			goto usernameOK
		}

		// Neither of the possible interpretations match the configured username
		emitLoginAttempt(false, username)
		error()
		return

	usernameOK:
		// Check password as given (assumes UTF-8 encoding)
		password := fields[1]
		if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {
			goto passwordOK
		}

		// ... check it again, converting it from assumed ISO-8859-1 to UTF-8
		password = iso88591ToUTF8(password)
		if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {
			goto passwordOK
		}

		// Neither of the attempts to verify the password checked out
		emitLoginAttempt(false, username)
		error()
		return

	passwordOK:
		sessionid := rand.String(32)
		sessionsMut.Lock()
		sessions[sessionid] = true
		sessionsMut.Unlock()
		http.SetCookie(w, &http.Cookie{
			Name:   cookieName,
			Value:  sessionid,
			MaxAge: 0,
		})

		emitLoginAttempt(true, username)
		next.ServeHTTP(w, r)
	})
}

// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the
// principle that ISO-8859-1 bytes are equivalent to unicode code points,
// that a rune slice is a list of code points, and that stringifying a slice
// of runes generates UTF-8 in Go.
func iso88591ToUTF8(s []byte) []byte {
	runes := make([]rune, len(s))
	for i := range s {
		runes[i] = rune(s[i])
	}
	return []byte(string(runes))
}
Use more inclusive copyright header 2014-11-16 21:13:20 +01:00			`// Copyright (C) 2014 The Syncthing Authors.`
Relicense to GPL 2014-09-29 21:43:32 +02:00			`//`
MPLv2 2015-03-07 21:36:35 +01:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
all: Update license url to https (ref #3976) 2017-02-09 07:52:18 +01:00			`// You can obtain one at https://mozilla.org/MPL/2.0/.`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00
			`package main`

			`import (`
			`"bytes"`
			`"encoding/base64"`
			`"net/http"`
			`"strings"`
			`"time"`

mv internal lib 2015-08-06 11:29:25 +02:00			`"github.com/syncthing/syncthing/lib/config"`
Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 21:05:36 +01:00			`"github.com/syncthing/syncthing/lib/events"`
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 09:02:56 +02:00			`"github.com/syncthing/syncthing/lib/rand"`
mv internal lib 2015-08-06 11:29:25 +02:00			`"github.com/syncthing/syncthing/lib/sync"`
Dependency update, new golang.org/x package names 2014-11-30 00:17:00 +01:00			`"golang.org/x/crypto/bcrypt"`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`)`

			`var (`
Run vet and lint. Make us lint clean. 2015-04-28 22:32:10 +02:00			`sessions = make(map[string]bool)`
			`sessionsMut = sync.NewMutex()`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`)`

Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 21:05:36 +01:00			`func emitLoginAttempt(success bool, username string) {`
			`events.Default.Log(events.LoginAttempt, map[string]interface{}{`
			`"success": success,`
			`"username": username,`
			`})`
			`}`

Use different session cookies per device 2015-06-22 17:57:08 +02:00			`func basicAuthAndSessionMiddleware(cookieName string, cfg config.GUIConfiguration, next http.Handler) http.Handler {`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Support multiple API keys (command-line and config) (fixes #2747) 2016-01-29 18:16:01 +01:00			`if cfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`next.ServeHTTP(w, r)`
			`return`
			`}`

Use different session cookies per device 2015-06-22 17:57:08 +02:00			`cookie, err := r.Cookie(cookieName)`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`if err == nil && cookie != nil {`
			`sessionsMut.Lock()`
			`_, ok := sessions[cookie.Value]`
			`sessionsMut.Unlock()`
			`if ok {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`}`

Implement facility based logger, debugging via REST API This implements a new debug/trace infrastructure based on a slightly hacked up logger. Instead of the traditional "if debug { ... }" I've rewritten the logger to have no-op Debugln and Debugf, unless debugging has been enabled for a given "facility". The "facility" is just a string, typically a package name. This will be slightly slower than before; but not that much as it's mostly a function call that returns immediately. For the cases where it matters (the Debugln takes a hex.Dump() of something for example, and it's not in a very occasional "if err != nil" branch) there is an l.ShouldDebug(facility) that is fast enough to be used like the old "if debug". The point of all this is that we can now toggle debugging for the various packages on and off at runtime. There's a new method /rest/system/debug that can be POSTed a set of facilities to enable and disable debug for, or GET from to get a list of facilities with descriptions and their current debug status. Similarly a /rest/system/log?since=... can grab the latest log entries, up to 250 of them (hardcoded constant in main.go) plus the initial few. Not implemented in this commit (but planned) is a simple debug GUI available on /debug that shows the current log in an easily pasteable format and has checkboxes to enable the various debug facilities. The debug instructions to a user then becomes "visit this URL, check these boxes, reproduce your problem, copy and paste the log". The actual log viewer on the hypothetical /debug URL can poll regularly for new log entries and this bypass the 250 line limit. The existing STTRACE=foo variable is still obeyed and just sets the start state of the system. 2015-10-03 17:25:21 +02:00			`httpl.Debugln("Sessionless HTTP request with authentication; this is expensive.")`
Reminder in debug output to explain high CPU usage 2015-04-20 07:29:38 +02:00
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`error := func() {`
			`time.Sleep(time.Duration(rand.Intn(100)+100) * time.Millisecond)`
			`w.Header().Set("WWW-Authenticate", "Basic realm=\"Authorization Required\"")`
			`http.Error(w, "Not Authorized", http.StatusUnauthorized)`
			`}`

			`hdr := r.Header.Get("Authorization")`
			`if !strings.HasPrefix(hdr, "Basic ") {`
			`error()`
			`return`
			`}`

			`hdr = hdr[6:]`
			`bs, err := base64.StdEncoding.DecodeString(hdr)`
			`if err != nil {`
			`error()`
			`return`
			`}`

			`fields := bytes.SplitN(bs, []byte(":"), 2)`
			`if len(fields) != 2 {`
			`error()`
			`return`
			`}`

cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 22:24:38 +02:00			`// Check if the username is correct, assuming it was sent as UTF-8`
Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 21:05:36 +01:00			`username := string(fields[0])`
cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 22:24:38 +02:00			`if username == cfg.User {`
			`goto usernameOK`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`}`

cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 22:24:38 +02:00			`// ... check it again, converting it from assumed ISO-8859-1 to UTF-8`
			`username = string(iso88591ToUTF8(fields[0]))`
			`if username == cfg.User {`
			`goto usernameOK`
			`}`

			`// Neither of the possible interpretations match the configured username`
			`emitLoginAttempt(false, username)`
			`error()`
			`return`

			`usernameOK:`
			`// Check password as given (assumes UTF-8 encoding)`
			`password := fields[1]`
			`if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {`
			`goto passwordOK`
			`}`

			`// ... check it again, converting it from assumed ISO-8859-1 to UTF-8`
			`password = iso88591ToUTF8(password)`
			`if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {`
			`goto passwordOK`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`}`

cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 22:24:38 +02:00			`// Neither of the attempts to verify the password checked out`
			`emitLoginAttempt(false, username)`
			`error()`
			`return`

			`passwordOK:`
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 09:02:56 +02:00			`sessionid := rand.String(32)`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`sessionsMut.Lock()`
			`sessions[sessionid] = true`
			`sessionsMut.Unlock()`
			`http.SetCookie(w, &http.Cookie{`
Use different session cookies per device 2015-06-22 17:57:08 +02:00			`Name: cookieName,`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`Value: sessionid,`
			`MaxAge: 0,`
			`})`

Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 21:05:36 +01:00			`emitLoginAttempt(true, username)`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`next.ServeHTTP(w, r)`
			`})`
			`}`
cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 22:24:38 +02:00
			`// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the`
			`// principle that ISO-8859-1 bytes are equivalent to unicode code points,`
			`// that a rune slice is a list of code points, and that stringifying a slice`
			`// of runes generates UTF-8 in Go.`
			`func iso88591ToUTF8(s []byte) []byte {`
			`runes := make([]rune, len(s))`
			`for i := range s {`
			`runes[i] = rune(s[i])`
			`}`
			`return []byte(string(runes))`
			`}`