Add auth with argon2i and sha256 hashed passwords

[gocheese.git] / gocheese.go

diff --git a/gocheese.go b/gocheese.go
index 9035e99ccca883e1422520f8c3ee580606c06ae3..cde862ab49d8ade28c5e1664e2962f8e4b5edae2 100644 (file)
--- a/gocheese.go
+++ b/gocheese.go
@@ -22,6 +22,7 @@ import (
        "bytes"
        "crypto/sha256"
        "encoding/hex"
+       "errors"
        "flag"
        "fmt"
        "io"
@@ -63,7 +64,7 @@ var (
        norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path")
        refreshURLPath   = flag.String("refresh", "/simple/", "Auto-refreshing URL path")
        pypiURL          = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL")
-       passwdPath       = flag.String("passwd", "passwd", "Path to file with login:password lines")
+       passwdPath       = flag.String("passwd", "passwd", "Path to file with auth")
        fsck             = flag.Bool("fsck", false, "Check integrity of all packages")
        version          = flag.Bool("version", false, "Print version information")
        warranty         = flag.Bool("warranty", false, "Print warranty information")
@@ -71,9 +72,13 @@ var (
        pkgPyPI        = regexp.MustCompile(`^.*<a href="([^"]+)"[^>]*>(.+)</a><br/>.*$`)
        Version string = "UNKNOWN"
 
-       passwords map[string]string = make(map[string]string)
+       passwords map[string]Auther = make(map[string]Auther)
 )
 
+type Auther interface {
+       Auth(password string) bool
+}
+
 func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool {
        path := filepath.Join(*root, dir)
        if _, err := os.Stat(path); os.IsNotExist(err) {
@@ -259,9 +264,34 @@ func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) {
        http.ServeFile(w, r, path)
 }
 
+func strToAuther(verifier string) (string, Auther, error) {
+       st := strings.SplitN(verifier, "$", 3)
+       if len(st) != 3 || st[0] != "" {
+               return "", nil, errors.New("invalid verifier structure")
+       }
+       algorithm := st[1]
+       var auther Auther
+       var err error
+       switch algorithm {
+       case "argon2i":
+               auther, err = parseArgon2i(st[2])
+       case "sha256":
+               auther, err = parseSHA256(st[2])
+       default:
+               err = errors.New("unknown hashing algorithm")
+       }
+       return algorithm, auther, err
+}
+
 func serveUpload(w http.ResponseWriter, r *http.Request) {
        username, password, ok := r.BasicAuth()
-       if !ok || passwords[username] != password {
+       if !ok {
+               log.Println(r.RemoteAddr, "unauthenticated", username)
+               http.Error(w, "unauthenticated", http.StatusUnauthorized)
+               return
+       }
+       auther, ok := passwords[username]
+       if !ok || !auther.Auth(password) {
                log.Println(r.RemoteAddr, "unauthenticated", username)
                http.Error(w, "unauthenticated", http.StatusUnauthorized)
                return
@@ -434,7 +464,12 @@ func main() {
                if len(splitted) != 2 {
                        log.Fatal("Wrong login:password format")
                }
-               passwords[splitted[0]] = splitted[1]
+               _, auther, err := strToAuther(splitted[1])
+               if err != nil {
+                       log.Fatal(err)
+               }
+               passwords[splitted[0]] = auther
+               log.Println("Added password for " + splitted[0])
        }
        log.Println("root:", *root, "bind:", *bind)
        http.HandleFunc(*norefreshURLPath, handler)