Posted to commits@couchdb.apache.org by ro...@apache.org on 2023/02/20 14:58:06 UTC

[couchdb] branch upgrade-proxy-hash updated (9940ae70e -> d6a493c3e)

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a change to branch upgrade-proxy-hash
in repository https://gitbox.apache.org/repos/asf/couchdb.git


 discard 9940ae70e Upgrade hash algorithm for proxy auth
     new d6a493c3e Upgrade hash algorithm for proxy auth

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (9940ae70e)
            \
             N -- N -- N   refs/heads/upgrade-proxy-hash (d6a493c3e)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 src/chttpd/test/eunit/chttpd_auth_tests.erl | 62 +++++++++++++++++------------
 1 file changed, 36 insertions(+), 26 deletions(-)


[couchdb] 01/01: Upgrade hash algorithm for proxy auth

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch upgrade-proxy-hash
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit d6a493c3e0252161b811276e25ad0cf25a1f3cd5
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Wed Feb 15 10:29:48 2023 +0100

    Upgrade hash algorithm for proxy auth
    
    Use configured hash algorithms for proxy auth.
---
 src/chttpd/test/eunit/chttpd_auth_tests.erl | 137 ++++++++++++++++++++++++++++
 src/couch/src/couch_httpd_auth.erl          |  38 +++++---
 2 files changed, 163 insertions(+), 12 deletions(-)

diff --git a/src/chttpd/test/eunit/chttpd_auth_tests.erl b/src/chttpd/test/eunit/chttpd_auth_tests.erl
index 7beda9bc7..7f9708a29 100644
--- a/src/chttpd/test/eunit/chttpd_auth_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_tests.erl
@@ -12,6 +12,11 @@
 
 -module(chttpd_auth_tests).
 
+-define(ADM_USER, "adm_user").
+-define(ADM_PASS, "adm_pass").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
+
 -include_lib("couch/include/couch_eunit.hrl").
 -include_lib("couch/include/couch_db.hrl").
 
@@ -24,6 +29,65 @@ setup() ->
 teardown(_Url) ->
     ok.
 
+setup_proxy_auth() ->
+    Hashed = couch_passwords:hash_admin_password(?ADM_PASS),
+    config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
+    config:set("chttpd", "require_valid_user", "false", false),
+    config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+    config:set("chttpd_auth", "proxy_use_secret", "true", false),
+    config:set("chttpd_auth", "secret", "the_secret", false),
+    ok = config:set(
+        "chttpd",
+        "authentication_handlers",
+        "{chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}",
+        false
+    ),
+    HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+        trim, {return, binary}
+    ]),
+    HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}.
+
+teardown_proxy_auth(_) ->
+    config:delete("chttpd", "authentication_handlers", false),
+    config:delete("chttpd_auth", "hash_algorithms", false),
+    config:delete("chttpd_auth", "secret", false),
+    config:delete("chttpd_auth", "proxy_use_secret", false),
+    config:delete("chttpd", "require_valid_user", false),
+    config:delete("admins", ?ADM_USER, false),
+    ok.
+
+alt_setup_proxy_auth() ->
+    Ctx = test_util:start_couch([chttpd]),
+    Hashed = couch_passwords:hash_admin_password(?ADM_PASS),
+    config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
+    config:set("chttpd", "require_valid_user", "false", false),
+    config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+    config:set("chttpd_auth", "proxy_use_secret", "true", false),
+    config:set("chttpd_auth", "secret", "the_secret", false),
+    ok = config:set(
+        "chttpd",
+        "authentication_handlers",
+        "{chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}",
+        false
+    ),
+    HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+        trim, {return, binary}
+    ]),
+    HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    {Ctx, HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}.
+
+alt_teardown_proxy_auth({Ctx, _, _, _}) ->
+    config:delete("chttpd", "authentication_handlers", true),
+    config:delete("chttpd_auth", "hash_algorithms", false),
+    config:delete("chttpd_auth", "secret", false),
+    config:delete("chttpd_auth", "proxy_use_secret", false),
+    config:delete("chttpd", "require_valid_user", false),
+    config:delete("admins", ?ADM_USER, false),
+    test_util:stop_couch(Ctx).
+
 require_valid_user_exception_test_() ->
     {
         "_up",
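Review bot: `alt_teardown_proxy_auth/1` deletes `authentication_handlers` with the last argument `true`, while every `config:set` in the matching setup and every other delete in both teardowns passes `false`. If that argument is the persist flag, as the `_Persist = false` annotation further down this file suggests, the teardown writes to the on-disk config to undo a change that was only made in memory; `config:delete("chttpd", "authentication_handlers", false)` keeps it symmetric. `setup_proxy_auth/0` and `alt_setup_proxy_auth/0` are otherwise identical apart from `test_util:start_couch([chttpd])`, so the shared config block could move into one helper. Only the `authentication_handlers` call is matched against `ok`, so a failed `config:set` for the secret or the hash list would go unnoticed.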
@@ -43,6 +107,39 @@ require_valid_user_exception_test_() ->
         }
     }.
 
+alt_proxy_auth_test_() ->
+    {
+        "Testing hash algorithms for proxy auth",
+        {
+            setup,
+            fun alt_setup_proxy_auth/0,
+            fun alt_teardown_proxy_auth/1,
+            with([
+                ?TDEF(alt_test_hash_algorithms_with_proxy_auth_should_work),
+                ?TDEF(alt_test_hash_algorithms_with_proxy_auth_should_fail)
+            ])
+        }
+    }.
+
+proxy_auth_test_() ->
+    {
+        "Testing hash algorithms for proxy auth alternative",
+        {
+            setup,
+            fun chttpd_test_util:start_couch/0,
+            fun chttpd_test_util:stop_couch/1,
+            {
+                foreach,
+                fun setup_proxy_auth/0,
+                fun teardown_proxy_auth/1,
+                [
+                    ?TDEF_FE(test_hash_algorithms_with_proxy_auth_should_work),
+                    ?TDEF_FE(test_hash_algorithms_with_proxy_auth_should_fail)
+                ]
+            }
+        }
+    }.
+
 set_require_user_false() ->
     ok = config:set("chttpd", "require_valid_user", "false", _Persist = false).
 
@@ -125,3 +222,43 @@ should_handle_require_valid_user_except_up_on_non_up_routes(_Url) ->
         set_require_user_except_for_up_true(),
         ?assertThrow(ExpectAuth, chttpd_auth:party_mode_handler(NonUpRequest))
     end).
+
+% Helper functions
+base_url() ->
+    Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
+    Port = integer_to_list(mochiweb_socket_server:get(chttpd, port)),
+    "http://" ++ Addr ++ ":" ++ Port.
+
+% Test functions
+test_hash_algorithm([]) ->
+    ok;
+test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _) ->
+    Secret = chttpd_util:get_chttpd_auth_config("secret"),
+    Token = couch_util:to_hex(couch_util:hmac(DefaultHashAlgorithm, Secret, "PROXY-USER")),
+    Headers = [
+        {"X-Auth-CouchDB-UserName", "PROXY-USER"},
+        {"X-Auth-CouchDB-Roles", "PROXY-USER-ROLE1, PROXY-USER-ROLE2"},
+        {"X-Auth-CouchDB-Token", Token}
+    ],
+    {ok, _, _, ReqBody} = test_request:get(base_url() ++ "/_session", Headers),
+    IsAuthenticatedViaProxy = couch_util:get_nested_json_value(
+        jiffy:decode(ReqBody), [<<"info">>, <<"authenticated">>]
+    ),
+    ?assertEqual(IsAuthenticatedViaProxy, <<"proxy">>),
+    test_hash_algorithm(DecodingHashAlgorithmsList).
+
+test_hash_algorithms_with_proxy_auth_should_work({WorkingHashes, _FailingHashes, SupportedHashAlgorithms} = _) ->
+    Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes).
+
+test_hash_algorithms_with_proxy_auth_should_fail({_WorkingHashes, FailingHashes, SupportedHashAlgorithms} = _) ->
+    Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+    ?assertThrow({not_found, _}, test_hash_algorithm(Hashes)).
+
+alt_test_hash_algorithms_with_proxy_auth_should_work({_Ctx, WorkingHashes, _FailingHashes, SupportedHashAlgorithms} = _) ->
+    Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes).
+
+alt_test_hash_algorithms_with_proxy_auth_should_fail({_Ctx, _WorkingHashes, FailingHashes, SupportedHashAlgorithms} = _) ->
+    Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+    ?assertThrow({not_found, _}, test_hash_algorithm(Hashes)).
\ No newline at end of file
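Review bot: The negative tests stop at the first rejected algorithm: `test_hash_algorithm/1` walks the list recursively, so the `?assertThrow({not_found, _}, test_hash_algorithm(Hashes))` in both `*_should_fail` functions is satisfied as soon as the first entry throws, and the remaining entries of `?FAILING_HASHES` are never sent to the server. Asserting per algorithm, e.g. `[?assertThrow({not_found, _}, test_hash_algorithm([H])) || H <- Hashes]` together with `?assertNotEqual([], Hashes)` so an empty result from `couch_util:verify_hash_names/2` (not shown in this diff) cannot pass vacuously, would cover each one. Rejection is also only inferred from a `not_found` on the `authenticated` key, so a comment stating that assumption would help, and there is no case for a missing or malformed `X-Auth-CouchDB-Token`. In `?assertEqual(IsAuthenticatedViaProxy, <<"proxy">>)` the expected and actual arguments are swapped, which makes the failure message misleading.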
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 4a7b217d1..767a1d398 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -201,20 +201,34 @@ proxy_auth_user(Req) ->
                         undefined ->
                             Req#httpd{user_ctx = #user_ctx{name = ?l2b(UserName), roles = Roles}};
                         Secret ->
-                            ExpectedToken = couch_util:to_hex(
-                                couch_util:hmac(sha, Secret, UserName)
-                            ),
-                            case header_value(Req, XHeaderToken) of
-                                Token when Token == ExpectedToken ->
-                                    Req#httpd{
-                                        user_ctx = #user_ctx{
-                                            name = ?l2b(UserName),
-                                            roles = Roles
-                                        }
-                                    };
-                                _ ->
+                            HashAlgorithms = couch_util:get_config_hash_algorithms(),
+                            Token = header_value(Req, XHeaderToken),
+                            VerifyTokens = fun(HashAlg) ->
+                                Hmac = couch_util:hmac(HashAlg, Secret, UserName),
+                                couch_passwords:verify(couch_util:to_hex(Hmac), Token)
+                            end,
+                            case lists:any(VerifyTokens, HashAlgorithms) of
+                                true -> Req#httpd{
+                                    user_ctx = #user_ctx{
+                                        name = ?l2b(UserName),
+                                        roles = Roles
+                                    }
+                                };
+                                false ->
                                     nil
+
                             end
+%%                            case header_value(Req, XHeaderToken) of
+%%                                Token when Token == ExpectedToken ->
+%%                                    Req#httpd{
+%%                                        user_ctx = #user_ctx{
+%%                                            name = ?l2b(UserName),
+%%                                            roles = Roles
+%%                                        }
+%%                                    };
+%%                                _ ->
+%%                                    nil
+%%                            end
                     end;
                 false ->
                     Req#httpd{user_ctx = #user_ctx{name = ?l2b(UserName), roles = Roles}}
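Review bot: The `Token` bound from `header_value(Req, XHeaderToken)` is passed straight to `couch_passwords:verify/2`, so a request that omits the token header now relies on how that function treats a non-string value, where the removed `case` fell through to `_ -> nil`. `couch_passwords:verify/2` is not shown in this diff; assuming `header_value/2` yields a string or `undefined`, a guard such as `case is_list(Token) andalso lists:any(VerifyTokens, HashAlgorithms) of` makes the rejection explicit instead of depending on a catch-all clause elsewhere. Since a token is now accepted when it verifies under any algorithm returned by `couch_util:get_config_hash_algorithms()`, a short comment saying so above `VerifyTokens` would help operators who later remove `sha` from the list. The commented-out copy of the old `case` after `end` and the blank line before it should be dropped before merge. `proxy_auth_user/1` starts and ends outside this hunk.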