1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
package main
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/csv"
"flag"
"fmt"
"log"
"math/big"
"net/http"
"net/http/cgi"
"os"
"github.com/casbin/casbin/v2"
"golang.org/x/crypto/bcrypt"
)
var (
reposDir = flag.String("r", "./repos", "Directory containing git repositories")
backendCommand = flag.String("c", "git http-backend", "CGI binary to execute")
addr = flag.String("l", ":8080", "Address/port to listen on")
newToken = flag.Bool("t", false, "make a new token")
)
// LoadTokens load tokens from a csv into a map
func LoadTokens() (map[string]string, error) {
tokenMap := make(map[string]string)
// TODO this should be configurable
contents, err := os.Open("tokens.csv")
if err != nil {
fmt.Println("File reading error", err)
return tokenMap, err
}
defer contents.Close()
r := csv.NewReader(contents)
tokens, err := r.ReadAll()
if err != nil {
fmt.Println("File reading error", err)
return tokenMap, err
}
for _, acctToken := range tokens {
acct, hash := acctToken[0], acctToken[1]
tokenMap[acct] = hash
}
return tokenMap, err
}
// NewToken generate a new token
func NewToken() (string, string, error) {
tokenBytes := make([]byte, 28)
for i := range tokenBytes {
max := big.NewInt(int64(255))
randInt, err := rand.Int(rand.Reader, max)
if err != nil {
return "", "", err
}
tokenBytes[i] = uint8(randInt.Int64())
}
hashBytes, err := bcrypt.GenerateFromPassword(tokenBytes, bcrypt.DefaultCost)
if err != nil {
return "", "", err
}
token := base64.URLEncoding.EncodeToString(tokenBytes)
hash := string(hashBytes)
return token, hash, nil
}
// GitHttpBackendHandler a handler for git cgi
func GitHttpBackendHandler(reposDir, backendCommand string) http.Handler {
projectDirEnv := fmt.Sprintf("GIT_PROJECT_ROOT=%v", reposDir)
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
ctx := req.Context()
uid := ctx.Value("urn")
git := &cgi.Handler{
Path: "/bin/sh",
Args: []string{"-c", backendCommand},
Dir: ".",
Env: []string{
projectDirEnv,
"GIT_HTTP_EXPORT_ALL=1",
fmt.Sprintf("REMOTE_USER=%s", uid),
},
}
git.ServeHTTP(rw, req)
})
}
// Authentication middleware to enforce authentication of all requests.
func Authentication(authMap map[string]string, next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
u, p, ok := req.BasicAuth()
if !ok {
rw.Header().Set("WWW-Authenticate", `Basic realm="git"`)
http.Error(rw, "Authentication Required", 401)
return
}
urn := fmt.Sprintf("uid:%s", u)
hash, ok := authMap[urn]
if !ok {
http.Error(rw, "Bad Request", 400)
return
}
token, err := base64.URLEncoding.DecodeString(p)
if err != nil {
http.Error(rw, "Bad Request", 400)
return
}
if err := bcrypt.CompareHashAndPassword([]byte(hash), token); err != nil {
http.Error(rw, "Bad Request", 400)
return
}
ctx := context.WithValue(req.Context(), "urn", urn)
next.ServeHTTP(rw, req.WithContext(ctx))
})
}
func Authorization(enf *casbin.Enforcer, next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
ctx := req.Context()
urn := ctx.Value("urn")
repo := req.URL.Path
action := req.Method
// defer req.Body.Close()
// body, _ := io.ReadAll(req.Body)
// log.Printf("%s", body)
ok, err := enf.Enforce(urn, repo, action)
if err != nil {
log.Printf("error running enforce %s", err)
http.Error(rw, "Bad Request", http.StatusBadRequest)
}
if !ok {
log.Printf("Access denied")
http.Error(rw, "Access denied", http.StatusUnauthorized)
}
log.Printf("Method %s Url %s", action, repo)
next.ServeHTTP(rw, req.WithContext(ctx))
})
}
func main() {
// TODO this should be configurable
enf, _ := casbin.NewEnforcer("./auth_model.ini", "./policy.csv")
flag.Parse()
if *newToken {
token, hash, err := NewToken()
if err != nil {
log.Fatal(err)
}
fmt.Printf("token: %s\nhash: %s\n", token, hash)
return
}
tokens, err := LoadTokens()
if err != nil {
log.Fatal(err)
}
router := http.NewServeMux()
// TODO we don't want to use a global
// de-reference args
router.Handle("/", GitHttpBackendHandler(*reposDir, *backendCommand))
mux := Authentication(tokens, Authorization(enf, router))
log.Fatal(http.ListenAndServe(":8080", mux))
}
|
