cli password flag

master
Jordan Orelli 3 years ago
parent 2a1f972de6
commit 474d7f53da

@ -4,4 +4,7 @@ go 1.18
require golang.org/x/mod v0.5.1 require golang.org/x/mod v0.5.1
require golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect require (
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect
)

@ -1,3 +1,5 @@
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38= golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e h1:aZzprAO9/8oim3qStq3wc1Xuxx4QmAGriC4VU4ojemQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e h1:aZzprAO9/8oim3qStq3wc1Xuxx4QmAGriC4VU4ojemQ=

@ -17,6 +17,7 @@ import (
"strings" "strings"
"time" "time"
"golang.org/x/crypto/bcrypt"
"golang.org/x/mod/semver" "golang.org/x/mod/semver"
) )
@ -35,6 +36,7 @@ type handler struct {
socketPath string socketPath string
root string root string
hostname string hostname string
auth map[string]string
} }
func (h handler) run() error { func (h handler) run() error {
@ -335,12 +337,23 @@ func (h handler) upload(modpath, modversion string, w http.ResponseWriter, r *ht
return return
} }
_, _, ok := r.BasicAuth() user, pass, ok := r.BasicAuth()
if !ok { if !ok {
writeError(w, apiError(http.StatusUnauthorized)) writeError(w, apiError(http.StatusUnauthorized))
return return
} }
hash := h.auth[user]
if hash == "" {
writeError(w, apiError(http.StatusUnauthorized))
return
}
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(pass)); err != nil {
writeError(w, fmt.Errorf("%v: %w", err, apiError(http.StatusUnauthorized)))
return
}
dest := h.zipPath(modpath, modversion) dest := h.zipPath(modpath, modversion)
if _, err := os.Stat(dest); !errors.Is(err, fs.ErrNotExist) { if _, err := os.Stat(dest); !errors.Is(err, fs.ErrNotExist) {
writeError(w, apiError(http.StatusConflict)) writeError(w, apiError(http.StatusConflict))

@ -0,0 +1,27 @@
package main
import (
"flag"
"fmt"
"golang.org/x/crypto/bcrypt"
)
// pwhashcmd is just a thing for generating bcrypt hashes for passwords. This
// is like using htpasswd from the apache-utils package but honestly adding
// that whole package to a system to compute a single bcrypt hash is ridiculous
func pwhashcmd(args []string) {
cost := bcrypt.DefaultCost
flags := flag.NewFlagSet("pwhash", flag.ExitOnError)
flags.IntVar(&cost, "cost", cost, "bcrypt cost difficulty")
flags.Parse(args)
for _, pw := range flags.Args() {
hash, err := bcrypt.GenerateFromPassword([]byte(pw), cost)
if err != nil {
bail(1, "hash failed: %v", err)
}
fmt.Println(string(hash))
}
}

@ -48,6 +48,8 @@ func main() {
serve(root.Args()[1:]) serve(root.Args()[1:])
case "zip": case "zip":
zipcmd(root.Args()[1:]) zipcmd(root.Args()[1:])
case "pwhash":
pwhashcmd(root.Args()[1:])
default: default:
bail(0, usage) bail(0, usage)
} }

@ -2,25 +2,30 @@ package main
import ( import (
"flag" "flag"
"fmt"
"strings"
"golang.org/x/crypto/bcrypt"
) )
func serve(args []string) { func serve(args []string) {
// listen on this unix domain socket // listen on this unix domain socket
socketPath := "" var socketPath string
// serve modules out of this root directory // serve modules out of this root directory
rootDir := "/srv/mir" rootDir := "/srv/mir"
// serve module traffic on this hostname // serve module traffic on this hostname
hostname := "" var hostname string
var httpAddr string
httpAddr := "" auth := make(authUsers)
serveFlags := flag.NewFlagSet("serve", flag.ExitOnError) serveFlags := flag.NewFlagSet("serve", flag.ExitOnError)
serveFlags.StringVar(&socketPath, "unix", socketPath, "path for a unix domain socket to listen on") serveFlags.StringVar(&socketPath, "unix", socketPath, "path for a unix domain socket to listen on")
serveFlags.StringVar(&httpAddr, "http", httpAddr, "http address to listen on") serveFlags.StringVar(&httpAddr, "http", httpAddr, "http address to listen on")
serveFlags.StringVar(&rootDir, "root", rootDir, "root directory for module storage") serveFlags.StringVar(&rootDir, "root", rootDir, "root directory for module storage")
serveFlags.StringVar(&hostname, "hostname", hostname, "domain name on which mir serves modules") serveFlags.StringVar(&hostname, "hostname", hostname, "domain name on which mir serves modules")
serveFlags.Var(&auth, "auth-users", "comma-separated list of usernames and bcrypt password hashes")
serveFlags.Parse(args) serveFlags.Parse(args)
h := handler{ h := handler{
@ -28,8 +33,48 @@ func serve(args []string) {
httpAddr: httpAddr, httpAddr: httpAddr,
root: rootDir, root: rootDir,
hostname: hostname, hostname: hostname,
auth: auth,
} }
if err := h.run(); err != nil { if err := h.run(); err != nil {
bail(1, err.Error()) bail(1, err.Error())
} }
} }
type authUsers map[string]string
func (a authUsers) String() string {
if len(a) == 0 {
return ""
}
var b strings.Builder
for k, v := range a {
fmt.Fprintf(&b, "%s:%s,", k, v)
}
s := b.String()
return s[:len(s)-1]
}
func (a authUsers) Set(v string) error {
pairs := strings.Split(v, ",")
if len(pairs) == 0 {
return fmt.Errorf("auth users string cannot be empty")
}
// Each pair is a colon-delimited username-hash pair
// username:$2a$10$8KTGhnP8Myh62wjdOqCsiO.zE.i9FQ1Y0PD9lfpvgR7GLtIbbcteG
for _, pair := range pairs {
parts := strings.Split(pair, ":")
if len(parts) != 2 {
return fmt.Errorf("invalid user/hash pair: %s", pair)
}
// check the cost to ensure it's a valid bcrypt hash
if _, err := bcrypt.Cost([]byte(parts[1])); err != nil {
return fmt.Errorf("invalid hash %q: %v", parts[1], err)
}
a[parts[0]] = parts[1]
}
return nil
}

@ -6,3 +6,4 @@ Usage:
Commands: Commands:
serve: live module server serve: live module server
zip: creates module zip files zip: creates module zip files
pwhash: bcrypt hash a password

Loading…
Cancel
Save