github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:17:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
copilot/add-discussion-requirements
zot/pkg/api/htpasswd.go
T
Ramkumar Chinchani 04ae0a9409 fix: add support for sha256 and sha512 in htpasswd (#3497) 
feat: add support for sha256 and sha512 htpasswd formats

Fixes issue #3495

We currently support only bcrypt htpasswd hashes, however bcrypt is not
FIPS-140 approved since it uses Blowfish.

This PR adds support for sha256 and sha512 formats and enforces that
bcrypt be disabled when fips140 mode is enabled.

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-11-09 15:28:29 +02:00

304 lines
6.9 KiB
Go
Raw Permalink Blame History

package api
import (
"bufio"
"context"
"crypto/fips140"
"errors"
"os"
"os/signal"
"strings"
"sync"
"syscall"
"github.com/fsnotify/fsnotify"
cpass "github.com/nathanaelle/password"
"golang.org/x/crypto/bcrypt"
"zotregistry.dev/zot/v2/pkg/log"
)
// HTPasswd user auth store
//
// Currently supports only bcrypt hashes.
type HTPasswd struct {
mu sync.RWMutex
credMap map[string]string
log log.Logger
}
func NewHTPasswd(log log.Logger) *HTPasswd {
return &HTPasswd{
credMap: make(map[string]string),
log: log,
}
}
func (s *HTPasswd) Reload(filePath string) error {
credMap := make(map[string]string)
credsFile, err := os.Open(filePath)
if err != nil {
s.log.Error().Err(err).Str("htpasswd-file", filePath).Msg("failed to reload htpasswd")
return err
}
defer credsFile.Close()
scanner := bufio.NewScanner(credsFile)
for scanner.Scan() {
user, hash, ok := strings.Cut(scanner.Text(), ":")
if ok {
credMap[user] = hash
}
}
if len(credMap) == 0 {
s.log.Warn().Str("htpasswd-file", filePath).Msg("loaded htpasswd file appears to have zero users")
} else {
s.log.Info().Str("htpasswd-file", filePath).Int("users", len(credMap)).Msg("loaded htpasswd file")
}
s.mu.Lock()
defer s.mu.Unlock()
s.credMap = credMap
return nil
}
func (s *HTPasswd) Get(username string) (passphraseHash string, present bool) { //nolint: nonamedreturns
s.mu.RLock()
defer s.mu.RUnlock()
passphraseHash, present = s.credMap[username]
return
}
func (s *HTPasswd) Clear() {
s.mu.Lock()
defer s.mu.Unlock()
s.credMap = make(map[string]string)
}
func (s *HTPasswd) Authenticate(username, passphrase string) (ok, present bool) { //nolint: nonamedreturns
passphraseHash, present := s.Get(username)
if !present {
return false, false
}
// first try bcrypt (although disabled if fips140 mode is enabled)
if strings.HasPrefix(passphraseHash, "$2a$") || strings.HasPrefix(passphraseHash, "$2b$") ||
strings.HasPrefix(passphraseHash, "$2y$") {
if fips140.Enabled() {
s.log.Warn().Str("username", username).Msg("htpasswd bcrypt failed since fips140 is enabled")
return false, present
}
err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase))
if err != nil {
// Log that user's hash has unsupported format. Better than silently return 401.
s.log.Warn().Err(err).Str("username", username).Msg("htpasswd bcrypt compare failed")
return false, present
}
return true, present // success: bcrypt
}
var crypter cpass.Crypter
if strings.HasPrefix(passphraseHash, "$5$") { //nolint:gocritic // errorslint conflicts with gocritic:IfElseChain
crypter, ok = cpass.SHA256.CrypterFound(passphraseHash)
} else if strings.HasPrefix(passphraseHash, "$6$") {
crypter, ok = cpass.SHA512.CrypterFound(passphraseHash)
} else {
s.log.Warn().Str("username", username).Msg("htpasswd entry has unsupported hash type")
return false, present
}
if !ok {
s.log.Warn().Str("username", username).Msg("htpasswd entry parsing failed")
return false, present
}
if !crypter.Verify([]byte(passphrase)) {
s.log.Warn().Str("username", username).Msg("htpasswd sha compare failed")
return false, present
}
return true, present // success: sha
}
// HTPasswdWatcher helper which triggers htpasswd reload on file change event.
//
// Can be restarted by calling Run() again after Close().
type HTPasswdWatcher struct {
htp *HTPasswd
filePath string
watcher *fsnotify.Watcher
ctx context.Context //nolint:containedctx // Context is needed for watcher lifecycle management
cancel context.CancelFunc
log log.Logger
mu sync.Mutex
}
// NewHTPasswdWatcher creates a new watcher instance.
func NewHTPasswdWatcher(htp *HTPasswd, filePath string) (*HTPasswdWatcher, error) {
ret := &HTPasswdWatcher{
htp: htp,
filePath: filePath,
log: htp.log,
}
return ret, nil
}
// Run starts the watcher goroutine.
func (s *HTPasswdWatcher) Run() {
s.mu.Lock()
defer s.mu.Unlock()
if s.ctx != nil {
return // Already running
}
// Create fresh fsnotify watcher for this run
watcher, err := fsnotify.NewWatcher()
if err != nil {
s.log.Error().Err(err).Msg("failed to create fsnotify watcher")
return
}
// Only add file to watcher if we have a file to watch
if s.filePath != "" {
err = watcher.Add(s.filePath)
if err != nil {
s.log.Error().Err(err).Str("htpasswd-file", s.filePath).Msg("failed to add file to watcher")
watcher.Close() //nolint: errcheck
return
}
}
// Create context and start goroutine
ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
s.ctx = ctx
s.cancel = cancel
s.watcher = watcher
go func() {
defer func() {
s.mu.Lock()
defer s.mu.Unlock()
// Clean up watcher
if s.watcher != nil {
s.watcher.Close() //nolint: errcheck
s.watcher = nil
}
// Clear context to indicate not running
s.ctx = nil
s.cancel = nil
}()
for {
select {
case <-ctx.Done():
s.log.Debug().Msg("htpasswd watcher terminating...")
return
case ev := <-watcher.Events:
if ev.Op != fsnotify.Write {
continue
}
s.log.Info().Str("htpasswd-file", s.filePath).Msg("htpasswd file changed, trying to reload config")
err := s.htp.Reload(s.filePath)
if err != nil {
s.log.Warn().Err(err).Str("htpasswd-file", s.filePath).Msg("failed to reload file")
}
case err := <-watcher.Errors:
// Only log errors if we're actually watching a file
if s.filePath != "" {
s.log.Error().Err(err).Str("htpasswd-file", s.filePath).Msg("failed to fsnotfy, got error while watching file")
}
}
}
}()
}
// ChangeFile changes monitored file. Empty string clears store.
func (s *HTPasswdWatcher) ChangeFile(filePath string) error {
s.mu.Lock()
defer s.mu.Unlock()
// If watcher is not running, just update the filePath for when Run() is called
if s.watcher == nil {
s.filePath = filePath
if filePath == "" {
s.htp.Clear()
} else {
return s.htp.Reload(filePath)
}
return nil
}
// Remove old file if it exists
if s.filePath != "" {
if err := s.watcher.Remove(s.filePath); err != nil && !errors.Is(err, fsnotify.ErrNonExistentWatch) {
// Ignore "can't remove non-existent watch" errors as they can happen
// due to race conditions or files being removed externally
return err
}
}
if filePath == "" {
s.filePath = filePath
s.htp.Clear()
return nil
}
err := s.watcher.Add(filePath)
if err != nil {
return err
}
s.filePath = filePath
return s.htp.Reload(filePath)
}
func (s *HTPasswdWatcher) Close() error {
s.mu.Lock()
defer s.mu.Unlock()
if s.ctx == nil {
return nil // Already closed/not running
}
// Cancel context to signal goroutine to stop
if s.cancel != nil {
s.cancel()
}
// The goroutine will clean up s.ctx, s.cancel, and s.watcher in its defer
// We just need to wait for it to finish by checking if s.ctx becomes nil
// This is safe because the goroutine sets s.ctx = nil in its defer
return nil
}
Reference in New Issue View Git Blame Copy Permalink