TUN-528: Move cloudflared into a separate repo

vendor/github.com/mholt/caddy/caddyhttp/basicauth/basicauth.go

@@ -0,0 +1,189 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package basicauth implements HTTP Basic Authentication for Caddy.
+//
+// This is useful for simple protections on a website, like requiring
+// a password to access an admin interface. This package assumes a
+// fairly small threat model.
+package basicauth
+
+import (
+	"bufio"
+	"context"
+	"crypto/sha1"
+	"crypto/subtle"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/jimstudt/http-authentication/basic"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+// BasicAuth is middleware to protect resources with a username and password.
+// Note that HTTP Basic Authentication is not secure by itself and should
+// not be used to protect important assets without HTTPS. Even then, the
+// security of HTTP Basic Auth is disputed. Use discretion when deciding
+// what to protect with BasicAuth.
+type BasicAuth struct {
+	Next     httpserver.Handler
+	SiteRoot string
+	Rules    []Rule
+}
+
+// ServeHTTP implements the httpserver.Handler interface.
+func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+	var protected, isAuthenticated bool
+	var realm string
+
+	for _, rule := range a.Rules {
+		for _, res := range rule.Resources {
+			if !httpserver.Path(r.URL.Path).Matches(res) {
+				continue
+			}
+
+			// path matches; this endpoint is protected
+			protected = true
+			realm = rule.Realm
+
+			// parse auth header
+			username, password, ok := r.BasicAuth()
+
+			// check credentials
+			if !ok ||
+				username != rule.Username ||
+				!rule.Password(password) {
+				continue
+			}
+
+			// by this point, authentication was successful
+			isAuthenticated = true
+
+			// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
+			// user; this replaces the request with a wrapped instance
+			r = r.WithContext(context.WithValue(r.Context(),
+				httpserver.RemoteUserCtxKey, username))
+
+			// Provide username to be used in log by replacer
+			repl := httpserver.NewReplacer(r, nil, "-")
+			repl.Set("user", username)
+		}
+	}
+
+	if protected && !isAuthenticated {
+		// browsers show a message that says something like:
+		// "The website says: <realm>"
+		// which is kinda dumb, but whatever.
+		if realm == "" {
+			realm = "Restricted"
+		}
+		w.Header().Set("WWW-Authenticate", "Basic realm=\""+realm+"\"")
+		return http.StatusUnauthorized, nil
+	}
+
+	// Pass-through when no paths match
+	return a.Next.ServeHTTP(w, r)
+}
+
+// Rule represents a BasicAuth rule. A username and password
+// combination protect the associated resources, which are
+// file or directory paths.
+type Rule struct {
+	Username  string
+	Password  func(string) bool
+	Resources []string
+	Realm     string // See RFC 1945 and RFC 2617, default: "Restricted"
+}
+
+// PasswordMatcher determines whether a password matches a rule.
+type PasswordMatcher func(pw string) bool
+
+var (
+	htpasswords   map[string]map[string]PasswordMatcher
+	htpasswordsMu sync.Mutex
+)
+
+// GetHtpasswdMatcher matches password rules.
+func GetHtpasswdMatcher(filename, username, siteRoot string) (PasswordMatcher, error) {
+	filename = filepath.Join(siteRoot, filename)
+	htpasswordsMu.Lock()
+	if htpasswords == nil {
+		htpasswords = make(map[string]map[string]PasswordMatcher)
+	}
+	pm := htpasswords[filename]
+	if pm == nil {
+		fh, err := os.Open(filename)
+		if err != nil {
+			return nil, fmt.Errorf("open %q: %v", filename, err)
+		}
+		defer fh.Close()
+		pm = make(map[string]PasswordMatcher)
+		if err = parseHtpasswd(pm, fh); err != nil {
+			return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)
+		}
+		htpasswords[filename] = pm
+	}
+	htpasswordsMu.Unlock()
+	if pm[username] == nil {
+		return nil, fmt.Errorf("username %q not found in %q", username, filename)
+	}
+	return pm[username], nil
+}
+
+func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.IndexByte(line, '#') == 0 {
+			continue
+		}
+		i := strings.IndexByte(line, ':')
+		if i <= 0 {
+			return fmt.Errorf("malformed line, no color: %q", line)
+		}
+		user, encoded := line[:i], line[i+1:]
+		for _, p := range basic.DefaultSystems {
+			matcher, err := p(encoded)
+			if err != nil {
+				return err
+			}
+			if matcher != nil {
+				pm[user] = matcher.MatchesPassword
+				break
+			}
+		}
+	}
+	return scanner.Err()
+}
+
+// PlainMatcher returns a PasswordMatcher that does a constant-time
+// byte comparison against the password passw.
+func PlainMatcher(passw string) PasswordMatcher {
+	// compare hashes of equal length instead of actual password
+	// to avoid leaking password length
+	passwHash := sha1.New()
+	passwHash.Write([]byte(passw))
+	passwSum := passwHash.Sum(nil)
+	return func(pw string) bool {
+		pwHash := sha1.New()
+		pwHash.Write([]byte(pw))
+		pwSum := pwHash.Sum(nil)
+		return subtle.ConstantTimeCompare([]byte(pwSum), []byte(passwSum)) == 1
+	}
+}

vendor/github.com/mholt/caddy/caddyhttp/basicauth/basicauth_test.go

@@ -0,0 +1,196 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func TestBasicAuth(t *testing.T) {
+	var i int
+	// This handler is registered for tests in which the only authorized user is
+	// "okuser"
+	upstreamHandler := func(w http.ResponseWriter, r *http.Request) (int, error) {
+		remoteUser, _ := r.Context().Value(httpserver.RemoteUserCtxKey).(string)
+		if remoteUser != "okuser" {
+			t.Errorf("Test %d: expecting remote user 'okuser', got '%s'", i, remoteUser)
+		}
+		return http.StatusOK, nil
+	}
+	rws := []BasicAuth{
+		{
+			Next: httpserver.HandlerFunc(upstreamHandler),
+			Rules: []Rule{
+				{Username: "okuser", Password: PlainMatcher("okpass"),
+					Resources: []string{"/testing"}, Realm: "Resources"},
+			},
+		},
+		{
+			Next: httpserver.HandlerFunc(upstreamHandler),
+			Rules: []Rule{
+				{Username: "okuser", Password: PlainMatcher("okpass"),
+					Resources: []string{"/testing"}},
+			},
+		},
+	}
+
+	type testType struct {
+		from     string
+		result   int
+		user     string
+		password string
+	}
+
+	tests := []testType{
+		{"/testing", http.StatusOK, "okuser", "okpass"},
+		{"/testing", http.StatusUnauthorized, "baduser", "okpass"},
+		{"/testing", http.StatusUnauthorized, "okuser", "badpass"},
+		{"/testing", http.StatusUnauthorized, "OKuser", "okpass"},
+		{"/testing", http.StatusUnauthorized, "OKuser", "badPASS"},
+		{"/testing", http.StatusUnauthorized, "", "okpass"},
+		{"/testing", http.StatusUnauthorized, "okuser", ""},
+		{"/testing", http.StatusUnauthorized, "", ""},
+	}
+
+	var test testType
+	for _, rw := range rws {
+		expectRealm := rw.Rules[0].Realm
+		if expectRealm == "" {
+			expectRealm = "Restricted" // Default if Realm not specified in rule
+		}
+		for i, test = range tests {
+			req, err := http.NewRequest("GET", test.from, nil)
+			if err != nil {
+				t.Fatalf("Test %d: Could not create HTTP request: %v", i, err)
+			}
+			req.SetBasicAuth(test.user, test.password)
+
+			rec := httptest.NewRecorder()
+			result, err := rw.ServeHTTP(rec, req)
+			if err != nil {
+				t.Fatalf("Test %d: Could not ServeHTTP: %v", i, err)
+			}
+			if result != test.result {
+				t.Errorf("Test %d: Expected status code %d but was %d",
+					i, test.result, result)
+			}
+			if test.result == http.StatusUnauthorized {
+				headers := rec.Header()
+				if val, ok := headers["Www-Authenticate"]; ok {
+					if got, want := val[0], "Basic realm=\""+expectRealm+"\""; got != want {
+						t.Errorf("Test %d: Www-Authenticate header should be '%s', got: '%s'", i, want, got)
+					}
+				} else {
+					t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i)
+				}
+			} else {
+				if req.Header.Get("Authorization") == "" {
+					// see issue #1508: https://github.com/mholt/caddy/issues/1508
+					t.Errorf("Test %d: Expected Authorization header to be retained after successful auth, but was empty", i)
+				}
+			}
+		}
+	}
+}
+
+func TestMultipleOverlappingRules(t *testing.T) {
+	rw := BasicAuth{
+		Next: httpserver.HandlerFunc(contentHandler),
+		Rules: []Rule{
+			{Username: "t", Password: PlainMatcher("p1"), Resources: []string{"/t"}},
+			{Username: "t1", Password: PlainMatcher("p2"), Resources: []string{"/t/t"}},
+		},
+	}
+
+	tests := []struct {
+		from   string
+		result int
+		cred   string
+	}{
+		{"/t", http.StatusOK, "t:p1"},
+		{"/t/t", http.StatusOK, "t:p1"},
+		{"/t/t", http.StatusOK, "t1:p2"},
+		{"/a", http.StatusOK, "t1:p2"},
+		{"/t/t", http.StatusUnauthorized, "t1:p3"},
+		{"/t", http.StatusUnauthorized, "t1:p2"},
+	}
+
+	for i, test := range tests {
+
+		req, err := http.NewRequest("GET", test.from, nil)
+		if err != nil {
+			t.Fatalf("Test %d: Could not create HTTP request %v", i, err)
+		}
+		auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(test.cred))
+		req.Header.Set("Authorization", auth)
+
+		rec := httptest.NewRecorder()
+		result, err := rw.ServeHTTP(rec, req)
+		if err != nil {
+			t.Fatalf("Test %d: Could not ServeHTTP %v", i, err)
+		}
+		if result != test.result {
+			t.Errorf("Test %d: Expected Header '%d' but was '%d'",
+				i, test.result, result)
+		}
+
+	}
+
+}
+
+func contentHandler(w http.ResponseWriter, r *http.Request) (int, error) {
+	fmt.Fprintf(w, r.URL.String())
+	return http.StatusOK, nil
+}
+
+func TestHtpasswd(t *testing.T) {
+	htpasswdPasswd := "IedFOuGmTpT8"
+	htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
+md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
+
+	htfh, err := ioutil.TempFile("", "basicauth-")
+	if err != nil {
+		t.Skip("Error creating temp file, will skip htpassword test")
+		return
+	}
+	defer os.Remove(htfh.Name())
+	if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
+		t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
+	}
+	htfh.Close()
+
+	for i, username := range []string{"sha1", "md5"} {
+		rule := Rule{Username: username, Resources: []string{"/testing"}}
+
+		siteRoot := filepath.Dir(htfh.Name())
+		filename := filepath.Base(htfh.Name())
+		if rule.Password, err = GetHtpasswdMatcher(filename, rule.Username, siteRoot); err != nil {
+			t.Fatalf("GetHtpasswdMatcher(%q, %q): %v", htfh.Name(), rule.Username, err)
+		}
+		t.Logf("%d. username=%q", i, rule.Username)
+		if !rule.Password(htpasswdPasswd) || rule.Password(htpasswdPasswd+"!") {
+			t.Errorf("%d (%s) password does not match.", i, rule.Username)
+		}
+	}
+}

vendor/github.com/mholt/caddy/caddyhttp/basicauth/setup.go

@@ -0,0 +1,113 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("basicauth", caddy.Plugin{
+		ServerType: "http",
+		Action:     setup,
+	})
+}
+
+// setup configures a new BasicAuth middleware instance.
+func setup(c *caddy.Controller) error {
+	cfg := httpserver.GetConfig(c)
+	root := cfg.Root
+
+	rules, err := basicAuthParse(c)
+	if err != nil {
+		return err
+	}
+
+	basic := BasicAuth{Rules: rules}
+
+	cfg.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		basic.Next = next
+		basic.SiteRoot = root
+		return basic
+	})
+
+	return nil
+}
+
+func basicAuthParse(c *caddy.Controller) ([]Rule, error) {
+	var rules []Rule
+	cfg := httpserver.GetConfig(c)
+
+	var err error
+	for c.Next() {
+		var rule Rule
+
+		args := c.RemainingArgs()
+
+		switch len(args) {
+		case 2:
+			rule.Username = args[0]
+			if rule.Password, err = passwordMatcher(rule.Username, args[1], cfg.Root); err != nil {
+				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
+			}
+		case 3:
+			rule.Resources = append(rule.Resources, args[0])
+			rule.Username = args[1]
+			if rule.Password, err = passwordMatcher(rule.Username, args[2], cfg.Root); err != nil {
+				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
+			}
+		default:
+			return rules, c.ArgErr()
+		}
+
+		// If nested block is present, process it here
+		for c.NextBlock() {
+			val := c.Val()
+			args = c.RemainingArgs()
+			switch len(args) {
+			case 0:
+				// Assume single argument is path resource
+				rule.Resources = append(rule.Resources, val)
+			case 1:
+				if val == "realm" {
+					if rule.Realm == "" {
+						rule.Realm = strings.Replace(args[0], `"`, `\"`, -1)
+					} else {
+						return rules, c.Errf("\"realm\" subdirective can only be specified once")
+					}
+				} else {
+					return rules, c.Errf("expecting \"realm\", got \"%s\"", val)
+				}
+			default:
+				return rules, c.ArgErr()
+			}
+		}
+
+		rules = append(rules, rule)
+	}
+
+	return rules, nil
+}
+
+func passwordMatcher(username, passw, siteRoot string) (PasswordMatcher, error) {
+	htpasswdPrefix := "htpasswd="
+	if !strings.HasPrefix(passw, htpasswdPrefix) {
+		return PlainMatcher(passw), nil
+	}
+	return GetHtpasswdMatcher(passw[len(htpasswdPrefix):], username, siteRoot)
+}

vendor/github.com/mholt/caddy/caddyhttp/basicauth/setup_test.go

@@ -0,0 +1,178 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func TestSetup(t *testing.T) {
+	c := caddy.NewTestController("http", `basicauth user pwd`)
+	err := setup(c)
+	if err != nil {
+		t.Errorf("Expected no errors, but got: %v", err)
+	}
+	mids := httpserver.GetConfig(c).Middleware()
+	if len(mids) == 0 {
+		t.Fatal("Expected middleware, got 0 instead")
+	}
+
+	handler := mids[0](httpserver.EmptyNext)
+	myHandler, ok := handler.(BasicAuth)
+	if !ok {
+		t.Fatalf("Expected handler to be type BasicAuth, got: %#v", handler)
+	}
+
+	if !httpserver.SameNext(myHandler.Next, httpserver.EmptyNext) {
+		t.Error("'Next' field of handler was not set properly")
+	}
+}
+
+func TestBasicAuthParse(t *testing.T) {
+	htpasswdPasswd := "IedFOuGmTpT8"
+	htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
+md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
+
+	var skipHtpassword bool
+	htfh, err := ioutil.TempFile(".", "basicauth-")
+	if err != nil {
+		t.Logf("Error creating temp file (%v), will skip htpassword test", err)
+		skipHtpassword = true
+	} else {
+		if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
+			t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
+		}
+		htfh.Close()
+		defer os.Remove(htfh.Name())
+	}
+
+	tests := []struct {
+		input     string
+		shouldErr bool
+		password  string
+		expected  []Rule
+	}{
+		{`basicauth user pwd`, false, "pwd", []Rule{
+			{Username: "user"},
+		}},
+		{`basicauth user pwd {
+		}`, false, "pwd", []Rule{
+			{Username: "user"},
+		}},
+		{`basicauth /resource1 user pwd {
+		}`, false, "pwd", []Rule{
+			{Username: "user", Resources: []string{"/resource1"}},
+		}},
+		{`basicauth /resource1 user pwd {
+			realm Resources
+		}`, false, "pwd", []Rule{
+			{Username: "user", Resources: []string{"/resource1"}, Realm: "Resources"},
+		}},
+		{`basicauth user pwd {
+			/resource1
+			/resource2
+		}`, false, "pwd", []Rule{
+			{Username: "user", Resources: []string{"/resource1", "/resource2"}},
+		}},
+		{`basicauth user pwd {
+			/resource1
+			/resource2
+			realm "Secure resources"
+		}`, false, "pwd", []Rule{
+			{Username: "user", Resources: []string{"/resource1", "/resource2"}, Realm: "Secure resources"},
+		}},
+		{`basicauth user pwd {
+			/resource1
+			realm "Secure resources"
+			realm Extra
+			/resource2
+		}`, true, "pwd", []Rule{}},
+		{`basicauth user pwd {
+			/resource1
+			foo "Resources"
+			/resource2
+		}`, true, "pwd", []Rule{}},
+		{`basicauth /resource user pwd`, false, "pwd", []Rule{
+			{Username: "user", Resources: []string{"/resource"}},
+		}},
+		{`basicauth /res1 user1 pwd1
+		  basicauth /res2 user2 pwd2`, false, "pwd", []Rule{
+			{Username: "user1", Resources: []string{"/res1"}},
+			{Username: "user2", Resources: []string{"/res2"}},
+		}},
+		{`basicauth user`, true, "", []Rule{}},
+		{`basicauth`, true, "", []Rule{}},
+		{`basicauth /resource user pwd asdf`, true, "", []Rule{}},
+
+		{`basicauth sha1 htpasswd=` + htfh.Name(), false, htpasswdPasswd, []Rule{
+			{Username: "sha1"},
+		}},
+	}
+
+	for i, test := range tests {
+		actual, err := basicAuthParse(caddy.NewTestController("http", test.input))
+
+		if err == nil && test.shouldErr {
+			t.Errorf("Test %d didn't error, but it should have", i)
+		} else if err != nil && !test.shouldErr {
+			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
+		}
+
+		if len(actual) != len(test.expected) {
+			t.Fatalf("Test %d expected %d rules, but got %d",
+				i, len(test.expected), len(actual))
+		}
+
+		for j, expectedRule := range test.expected {
+			actualRule := actual[j]
+
+			if actualRule.Username != expectedRule.Username {
+				t.Errorf("Test %d, rule %d: Expected username '%s', got '%s'",
+					i, j, expectedRule.Username, actualRule.Username)
+			}
+
+			if actualRule.Realm != expectedRule.Realm {
+				t.Errorf("Test %d, rule %d: Expected realm '%s', got '%s'",
+					i, j, expectedRule.Realm, actualRule.Realm)
+			}
+
+			if strings.Contains(test.input, "htpasswd=") && skipHtpassword {
+				continue
+			}
+			pwd := test.password
+			if len(actual) > 1 {
+				pwd = fmt.Sprintf("%s%d", pwd, j+1)
+			}
+			if !actualRule.Password(pwd) || actualRule.Password(test.password+"!") {
+				t.Errorf("Test %d, rule %d: Expected password '%v', got '%v'",
+					i, j, test.password, actualRule.Password(""))
+			}
+
+			expectedRes := fmt.Sprintf("%v", expectedRule.Resources)
+			actualRes := fmt.Sprintf("%v", actualRule.Resources)
+			if actualRes != expectedRes {
+				t.Errorf("Test %d, rule %d: Expected resource list %s, but got %s",
+					i, j, expectedRes, actualRes)
+			}
+		}
+	}
+}