2022-06-05 09:16:14 +02:00
|
|
|
// Copyright 2021 The Gitea Authors. All rights reserved.
|
2022-11-27 19:20:29 +01:00
|
|
|
// SPDX-License-Identifier: MIT
|
2022-06-05 09:16:14 +02:00
|
|
|
|
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/base64"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
asymkey_model "code.gitea.io/gitea/models/asymkey"
|
2023-11-24 04:49:41 +01:00
|
|
|
"code.gitea.io/gitea/models/db"
|
2022-06-05 09:16:14 +02:00
|
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
|
2024-09-08 00:05:18 +02:00
|
|
|
"github.com/42wim/httpsig"
|
2022-06-05 09:16:14 +02:00
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Ensure the struct implements the interface.
|
|
|
|
var (
|
|
|
|
_ Method = &HTTPSign{}
|
|
|
|
)
|
|
|
|
|
|
|
|
// HTTPSign implements the Auth interface and authenticates requests (API requests
|
|
|
|
// only) by looking for http signature data in the "Signature" header.
|
|
|
|
// more information can be found on https://github.com/go-fed/httpsig
|
|
|
|
type HTTPSign struct{}
|
|
|
|
|
|
|
|
// Name represents the name of auth method
|
|
|
|
func (h *HTTPSign) Name() string {
|
|
|
|
return "httpsign"
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify extracts and validates HTTPsign from the Signature header of the request and returns
|
|
|
|
// the corresponding user object on successful validation.
|
|
|
|
// Returns nil if header is empty or validation fails.
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
2022-06-05 09:16:14 +02:00
|
|
|
sigHead := req.Header.Get("Signature")
|
|
|
|
if len(sigHead) == 0 {
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return nil, nil
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
publicKey *asymkey_model.PublicKey
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
if len(req.Header.Get("X-Ssh-Certificate")) != 0 {
|
|
|
|
// Handle Signature signed by SSH certificates
|
|
|
|
if len(setting.SSH.TrustedUserCAKeys) == 0 {
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return nil, nil
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
publicKey, err = VerifyCert(req)
|
|
|
|
if err != nil {
|
|
|
|
log.Debug("VerifyCert on request from %s: failed: %v", req.RemoteAddr, err)
|
|
|
|
log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return nil, nil
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Handle Signature signed by Public Key
|
|
|
|
publicKey, err = VerifyPubKey(req)
|
|
|
|
if err != nil {
|
|
|
|
log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err)
|
|
|
|
log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return nil, nil
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-03 03:48:26 +01:00
|
|
|
u, err := user_model.GetUserByID(req.Context(), publicKey.OwnerID)
|
2022-06-05 09:16:14 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error("GetUserByID: %v", err)
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return nil, err
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
store.GetData()["IsApiToken"] = true
|
|
|
|
|
|
|
|
log.Trace("HTTP Sign: Logged in user %-v", u)
|
|
|
|
|
refactor auth interface to return error when verify failure (#22119)
This PR changed the Auth interface signature from
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) *user_model.User`
to
`Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess
SessionStore) (*user_model.User, error)`.
There is a new return argument `error` which means the verification
condition matched but verify process failed, we should stop the auth
process.
Before this PR, when return a `nil` user, we don't know the reason why
it returned `nil`. If the match condition is not satisfied or it
verified failure? For these two different results, we should have
different handler. If the match condition is not satisfied, we should
try next auth method and if there is no more auth method, it's an
anonymous user. If the condition matched but verify failed, the auth
process should be stop and return immediately.
This will fix #20563
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
2022-12-28 06:53:28 +01:00
|
|
|
return u, nil
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func VerifyPubKey(r *http.Request) (*asymkey_model.PublicKey, error) {
|
|
|
|
verifier, err := httpsig.NewVerifier(r)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("httpsig.NewVerifier failed: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
keyID := verifier.KeyId()
|
|
|
|
|
2023-11-24 04:49:41 +01:00
|
|
|
publicKeys, err := db.Find[asymkey_model.PublicKey](r.Context(), asymkey_model.FindPublicKeyOptions{
|
|
|
|
Fingerprint: keyID,
|
|
|
|
})
|
2022-06-05 09:16:14 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(publicKeys) == 0 {
|
|
|
|
return nil, fmt.Errorf("no public key found for keyid %s", keyID)
|
|
|
|
}
|
|
|
|
|
|
|
|
sshPublicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(publicKeys[0].Content))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := doVerify(verifier, []ssh.PublicKey{sshPublicKey}); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return publicKeys[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyCert verifies the validity of the ssh certificate and returns the publickey of the signer
|
|
|
|
// We verify that the certificate is signed with the correct CA
|
|
|
|
// We verify that the http request is signed with the private key (of the public key mentioned in the certificate)
|
|
|
|
func VerifyCert(r *http.Request) (*asymkey_model.PublicKey, error) {
|
|
|
|
// Get our certificate from the header
|
|
|
|
bcert, err := base64.RawStdEncoding.DecodeString(r.Header.Get("x-ssh-certificate"))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
pk, err := ssh.ParsePublicKey(bcert)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if it's really a ssh certificate
|
|
|
|
cert, ok := pk.(*ssh.Certificate)
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("no certificate found")
|
|
|
|
}
|
|
|
|
|
|
|
|
c := &ssh.CertChecker{
|
|
|
|
IsUserAuthority: func(auth ssh.PublicKey) bool {
|
|
|
|
marshaled := auth.Marshal()
|
|
|
|
|
|
|
|
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
|
|
|
|
if bytes.Equal(marshaled, k.Marshal()) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// check the CA of the cert
|
|
|
|
if !c.IsUserAuthority(cert.SignatureKey) {
|
|
|
|
return nil, fmt.Errorf("CA check failed")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a verifier
|
|
|
|
verifier, err := httpsig.NewVerifier(r)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("httpsig.NewVerifier failed: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// now verify that this request was signed with the private key that matches the certificate public key
|
|
|
|
if err := doVerify(verifier, []ssh.PublicKey{cert.Key}); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now for each of the certificate valid principals
|
|
|
|
for _, principal := range cert.ValidPrincipals {
|
|
|
|
// Look in the db for the public key
|
|
|
|
publicKey, err := asymkey_model.SearchPublicKeyByContentExact(r.Context(), principal)
|
|
|
|
if asymkey_model.IsErrKeyNotExist(err) {
|
|
|
|
// No public key matches this principal - try the next principal
|
|
|
|
continue
|
|
|
|
} else if err != nil {
|
|
|
|
// this error will be a db error therefore we can't solve this and we should abort
|
|
|
|
log.Error("SearchPublicKeyByContentExact: %v", err)
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Validate the cert for this principal
|
|
|
|
if err := c.CheckCert(principal, cert); err != nil {
|
|
|
|
// however, because principal is a member of ValidPrincipals - if this fails then the certificate itself is invalid
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// OK we have a public key for a principal matching a valid certificate whose key has signed this request.
|
|
|
|
return publicKey, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// No public key matching a principal in the certificate is registered in gitea
|
|
|
|
return nil, fmt.Errorf("no valid principal found")
|
|
|
|
}
|
|
|
|
|
|
|
|
// doVerify iterates across the provided public keys attempting the verify the current request against each key in turn
|
|
|
|
func doVerify(verifier httpsig.Verifier, sshPublicKeys []ssh.PublicKey) error {
|
|
|
|
for _, publicKey := range sshPublicKeys {
|
|
|
|
cryptoPubkey := publicKey.(ssh.CryptoPublicKey).CryptoPublicKey()
|
|
|
|
|
|
|
|
var algos []httpsig.Algorithm
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case strings.HasPrefix(publicKey.Type(), "ssh-ed25519"):
|
|
|
|
algos = []httpsig.Algorithm{httpsig.ED25519}
|
|
|
|
case strings.HasPrefix(publicKey.Type(), "ssh-rsa"):
|
2024-09-08 00:05:18 +02:00
|
|
|
algos = []httpsig.Algorithm{httpsig.RSA_SHA256, httpsig.RSA_SHA512}
|
2022-06-05 09:16:14 +02:00
|
|
|
}
|
|
|
|
for _, algo := range algos {
|
|
|
|
if err := verifier.Verify(cryptoPubkey, algo); err == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return errors.New("verification failed")
|
|
|
|
}
|