You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2023/02/21 08:18:19 UTC
[couchdb] branch upgrade-proxy-hash updated (b97bfe126 -> fd97536d9)
This is an automated email from the ASF dual-hosted git repository.
ronny pushed a change to branch upgrade-proxy-hash
in repository https://gitbox.apache.org/repos/asf/couchdb.git
discard b97bfe126 Upgrade hash algorithm for proxy auth
new fd97536d9 Upgrade hash algorithm for proxy auth
This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version. This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:
* -- * -- B -- O -- O -- O (b97bfe126)
\
N -- N -- N refs/heads/upgrade-proxy-hash (fd97536d9)
You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.
Any revisions marked "omit" are not gone; other references still
refer to them. Any revisions marked "discard" are gone forever.
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
src/docs/src/api/server/authn.rst | 16 +++++++++-------
src/docs/src/config/auth.rst | 3 ++-
2 files changed, 11 insertions(+), 8 deletions(-)
[couchdb] 01/01: Upgrade hash algorithm for proxy auth
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
ronny pushed a commit to branch upgrade-proxy-hash
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit fd97536d9617e38488ed3708e4f2c2bca84c1843
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Wed Feb 15 10:29:48 2023 +0100
Upgrade hash algorithm for proxy auth
Proxy auth can now use one of the configured hash algorithms
from chttpd_auth/hash_algorithms to decode authentication tokens.
---
src/chttpd/test/eunit/chttpd_auth_tests.erl | 87 +++++++++++++++++++++++++++++
src/couch/src/couch_httpd_auth.erl | 15 +++--
src/docs/src/api/server/authn.rst | 16 +++---
src/docs/src/config/auth.rst | 3 +-
4 files changed, 107 insertions(+), 14 deletions(-)
diff --git a/src/chttpd/test/eunit/chttpd_auth_tests.erl b/src/chttpd/test/eunit/chttpd_auth_tests.erl
index 7beda9bc7..59ec83d2f 100644
--- a/src/chttpd/test/eunit/chttpd_auth_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_tests.erl
@@ -12,6 +12,9 @@
-module(chttpd_auth_tests).
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
+
-include_lib("couch/include/couch_eunit.hrl").
-include_lib("couch/include/couch_db.hrl").
@@ -24,6 +27,27 @@ setup() ->
teardown(_Url) ->
ok.
+setup_proxy_auth() ->
+ {StartCtx, ProxyCfgFile} = start_couch_with_cfg("{chttpd_auth, proxy_authentication_handler}"),
+ config:set("chttpd", "require_valid_user", "false", false),
+ config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+ config:set("chttpd_auth", "proxy_use_secret", "true", false),
+ config:set("chttpd_auth", "secret", "the_secret", false),
+ HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+ trim, {return, binary}
+ ]),
+ HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+ SupportedHashAlgorithms = crypto:supports(hashs),
+ {{StartCtx, ProxyCfgFile}, HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}.
+
+teardown_proxy_auth({{Ctx, ProxyCfgFile}, _, _, _}) ->
+ ok = file:delete(ProxyCfgFile),
+ config:delete("chttpd_auth", "hash_algorithms", false),
+ config:delete("chttpd_auth", "secret", false),
+ config:delete("chttpd_auth", "proxy_use_secret", false),
+ config:delete("chttpd", "require_valid_user", false),
+ test_util:stop_couch(Ctx).
+
require_valid_user_exception_test_() ->
{
"_up",
@@ -43,6 +67,20 @@ require_valid_user_exception_test_() ->
}
}.
+proxy_auth_test_() ->
+ {
+ "Testing hash algorithms for proxy auth",
+ {
+ setup,
+ fun setup_proxy_auth/0,
+ fun teardown_proxy_auth/1,
+ with([
+ ?TDEF(test_hash_algorithms_with_proxy_auth_should_work),
+ ?TDEF(test_hash_algorithms_with_proxy_auth_should_fail)
+ ])
+ }
+ }.
+
set_require_user_false() ->
ok = config:set("chttpd", "require_valid_user", "false", _Persist = false).
@@ -125,3 +163,52 @@ should_handle_require_valid_user_except_up_on_non_up_routes(_Url) ->
set_require_user_except_for_up_true(),
?assertThrow(ExpectAuth, chttpd_auth:party_mode_handler(NonUpRequest))
end).
+
+% Helper functions
+base_url() ->
+ Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
+ Port = integer_to_list(mochiweb_socket_server:get(chttpd, port)),
+ "http://" ++ Addr ++ ":" ++ Port.
+
+append_to_cfg_chain(Cfg) ->
+ CfgDir = filename:dirname(lists:last(?CONFIG_CHAIN)),
+ CfgFile = filename:join([CfgDir, "chttpd_proxy_auth_cfg.ini"]),
+ CfgSect = io_lib:format("[chttpd]~nauthentication_handlers = ~s~n", [Cfg]),
+ ok = file:write_file(CfgFile, CfgSect),
+ ?CONFIG_CHAIN ++ [CfgFile].
+
+start_couch_with_cfg(Cfg) ->
+ CfgChain = append_to_cfg_chain(Cfg),
+ StartCtx = test_util:start_couch(CfgChain, [chttpd]),
+ ProxyCfgFile = lists:last(CfgChain),
+ {StartCtx, ProxyCfgFile}.
+
+% Test functions
+test_hash_algorithm([]) ->
+ ok;
+test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _) ->
+ Secret = chttpd_util:get_chttpd_auth_config("secret"),
+ Token = couch_util:to_hex(couch_util:hmac(DefaultHashAlgorithm, Secret, "PROXY-USER")),
+ Headers = [
+ {"X-Auth-CouchDB-UserName", "PROXY-USER"},
+ {"X-Auth-CouchDB-Roles", "PROXY-USER-ROLE1, PROXY-USER-ROLE2"},
+ {"X-Auth-CouchDB-Token", Token}
+ ],
+ {ok, _, _, ReqBody} = test_request:get(base_url() ++ "/_session", Headers),
+ IsAuthenticatedViaProxy = couch_util:get_nested_json_value(
+ jiffy:decode(ReqBody), [<<"info">>, <<"authenticated">>]
+ ),
+ ?assertEqual(IsAuthenticatedViaProxy, <<"proxy">>),
+ test_hash_algorithm(DecodingHashAlgorithmsList).
+
+test_hash_algorithms_with_proxy_auth_should_work(
+ {_Ctx, WorkingHashes, _FailingHashes, SupportedHashAlgorithms} = _
+) ->
+ Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+ test_hash_algorithm(Hashes).
+
+test_hash_algorithms_with_proxy_auth_should_fail(
+ {_Ctx, _WorkingHashes, FailingHashes, SupportedHashAlgorithms} = _
+) ->
+ Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+ ?assertThrow({not_found, _}, test_hash_algorithm(Hashes)).
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 4a7b217d1..72e0cd76f 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -201,18 +201,21 @@ proxy_auth_user(Req) ->
undefined ->
Req#httpd{user_ctx = #user_ctx{name = ?l2b(UserName), roles = Roles}};
Secret ->
- ExpectedToken = couch_util:to_hex(
- couch_util:hmac(sha, Secret, UserName)
- ),
- case header_value(Req, XHeaderToken) of
- Token when Token == ExpectedToken ->
+ HashAlgorithms = couch_util:get_config_hash_algorithms(),
+ Token = header_value(Req, XHeaderToken),
+ VerifyTokens = fun(HashAlg) ->
+ Hmac = couch_util:hmac(HashAlg, Secret, UserName),
+ couch_passwords:verify(couch_util:to_hex(Hmac), Token)
+ end,
+ case lists:any(VerifyTokens, HashAlgorithms) of
+ true ->
Req#httpd{
user_ctx = #user_ctx{
name = ?l2b(UserName),
roles = Roles
}
};
- _ ->
+ false ->
nil
end
end;
diff --git a/src/docs/src/api/server/authn.rst b/src/docs/src/api/server/authn.rst
index bffe0bf27..5d23ddb73 100644
--- a/src/docs/src/api/server/authn.rst
+++ b/src/docs/src/api/server/authn.rst
@@ -291,22 +291,24 @@ remotely authenticated user. By default, the client just needs to pass specific
headers to CouchDB with related requests:
- :config:option:`X-Auth-CouchDB-UserName <chttpd_auth/x_auth_username>`:
- username;
+ username
- :config:option:`X-Auth-CouchDB-Roles <chttpd_auth/x_auth_roles>`:
- comma-separated (``,``) list of user roles;
+ comma-separated (``,``) list of user roles
- :config:option:`X-Auth-CouchDB-Token <chttpd_auth/x_auth_token>`:
authentication token. When
:config:option:`proxy_use_secret <chttpd_auth/proxy_use_secret>`
is set (which is strongly recommended!), this header provides an HMAC of the
username to authenticate and the secret token to prevent requests from
- untrusted sources. (Use the SHA1 of the username and sign with the secret)
+ untrusted sources. (Use one of the configured hash algorithms in
+ :config:option:`chttpd_auth/hash_algorithms <chttpd_auth/hash_algorithms>`
+ and sign the username with the secret)
**Creating the token (example with openssl)**:
.. code-block:: sh
- echo -n "foo" | openssl dgst -sha1 -hmac "the_secret"
- # (stdin)= 22047ebd7c4ec67dfbcbad7213a693249dbfbf86
+ echo -n "foo" | openssl dgst -sha256 -hmac "the_secret"
+ # (stdin)= 3f0786e96b20b0102b77f1a49c041be6977cfb3bf78c41a12adc121cd9b4e68a
**Request**:
@@ -318,7 +320,7 @@ headers to CouchDB with related requests:
Content-Type: application/json; charset=utf-8
X-Auth-CouchDB-Roles: users,blogger
X-Auth-CouchDB-UserName: foo
- X-Auth-CouchDB-Token: 22047ebd7c4ec67dfbcbad7213a693249dbfbf86
+ X-Auth-CouchDB-Token: 3f0786e96b20b0102b77f1a49c041be6977cfb3bf78c41a12adc121cd9b4e68a
**Response**:
@@ -351,7 +353,7 @@ headers to CouchDB with related requests:
}
}
-Note that you don't need to request :ref:`session <api/auth/session>`
+Note that you don't need to request a :ref:`session <api/auth/session>`
to be authenticated by this method if all required HTTP headers are provided.
.. _api/auth/jwt:
diff --git a/src/docs/src/config/auth.rst b/src/docs/src/config/auth.rst
index d43810054..15adcf936 100644
--- a/src/docs/src/config/auth.rst
+++ b/src/docs/src/config/auth.rst
@@ -196,7 +196,8 @@ Authentication Configuration
[chttpd_auth]
authentication_redirect = /_utils/session.html
- .. config:option:: hash_algorithms :: Supported hash algorithms for cookie auth
+ .. config:option:: hash_algorithms :: Supported hash algorithms for cookie and \
+ proxy auth
.. versionadded:: 3.3