use go 1.12

Signed-off-by: hongming <talonwan@yunify.com>
2019-03-12 15:47:56 +08:00
parent b59c244ca2
commit 4144404b0b
1110 changed files with 161100 additions and 14519 deletions
--- a/vendor/github.com/mholt/caddy/caddyhttp/basicauth/basicauth.go
+++ b/vendor/github.com/mholt/caddy/caddyhttp/basicauth/basicauth.go
@@ -0,0 +1,204 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package basicauth implements HTTP Basic Authentication for Caddy.
+//
+// This is useful for simple protections on a website, like requiring
+// a password to access an admin interface. This package assumes a
+// fairly small threat model.
+package basicauth
+
+import (
+	"bufio"
+	"context"
+	"crypto/sha1"
+	"crypto/subtle"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/jimstudt/http-authentication/basic"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+// BasicAuth is middleware to protect resources with a username and password.
+// Note that HTTP Basic Authentication is not secure by itself and should
+// not be used to protect important assets without HTTPS. Even then, the
+// security of HTTP Basic Auth is disputed. Use discretion when deciding
+// what to protect with BasicAuth.
+type BasicAuth struct {
+	Next     httpserver.Handler
+	SiteRoot string
+	Rules    []Rule
+}
+
+// ServeHTTP implements the httpserver.Handler interface.
+func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+	var protected, isAuthenticated bool
+	var realm string
+	var username string
+	var password string
+	var ok bool
+
+	// do not check for basic auth on OPTIONS call
+	if r.Method == http.MethodOptions {
+		// Pass-through when no paths match
+		return a.Next.ServeHTTP(w, r)
+	}
+
+	for _, rule := range a.Rules {
+		for _, res := range rule.Resources {
+			if !httpserver.Path(r.URL.Path).Matches(res) {
+				continue
+			}
+
+			// path matches; this endpoint is protected
+			protected = true
+			realm = rule.Realm
+
+			// parse auth header
+			username, password, ok = r.BasicAuth()
+
+			// check credentials
+			if !ok ||
+				username != rule.Username ||
+				!rule.Password(password) {
+				continue
+			}
+
+			// by this point, authentication was successful
+			isAuthenticated = true
+
+			// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
+			// user; this replaces the request with a wrapped instance
+			r = r.WithContext(context.WithValue(r.Context(),
+				httpserver.RemoteUserCtxKey, username))
+
+			// Provide username to be used in log by replacer
+			repl := httpserver.NewReplacer(r, nil, "-")
+			repl.Set("user", username)
+		}
+	}
+
+	if protected && !isAuthenticated {
+		// browsers show a message that says something like:
+		// "The website says: <realm>"
+		// which is kinda dumb, but whatever.
+		if realm == "" {
+			realm = "Restricted"
+		}
+		w.Header().Set("WWW-Authenticate", "Basic realm=\""+realm+"\"")
+
+		// Get a replacer so we can provide basic info for the authentication error.
+		repl := httpserver.NewReplacer(r, nil, "-")
+		repl.Set("user", username)
+		errstr := repl.Replace("BasicAuth: user \"{user}\" was not found or password was incorrect. {remote} {host} {uri} {proto}")
+		err := fmt.Errorf("%s", errstr)
+		return http.StatusUnauthorized, err
+	}
+
+	// Pass-through when no paths match
+	return a.Next.ServeHTTP(w, r)
+}
+
+// Rule represents a BasicAuth rule. A username and password
+// combination protect the associated resources, which are
+// file or directory paths.
+type Rule struct {
+	Username  string
+	Password  func(string) bool
+	Resources []string
+	Realm     string // See RFC 1945 and RFC 2617, default: "Restricted"
+}
+
+// PasswordMatcher determines whether a password matches a rule.
+type PasswordMatcher func(pw string) bool
+
+var (
+	htpasswords   map[string]map[string]PasswordMatcher
+	htpasswordsMu sync.Mutex
+)
+
+// GetHtpasswdMatcher matches password rules.
+func GetHtpasswdMatcher(filename, username, siteRoot string) (PasswordMatcher, error) {
+	filename = filepath.Join(siteRoot, filename)
+	htpasswordsMu.Lock()
+	if htpasswords == nil {
+		htpasswords = make(map[string]map[string]PasswordMatcher)
+	}
+	pm := htpasswords[filename]
+	if pm == nil {
+		fh, err := os.Open(filename)
+		if err != nil {
+			return nil, fmt.Errorf("open %q: %v", filename, err)
+		}
+		defer fh.Close()
+		pm = make(map[string]PasswordMatcher)
+		if err = parseHtpasswd(pm, fh); err != nil {
+			return nil, fmt.Errorf("parsing htpasswd %q: %v", fh.Name(), err)
+		}
+		htpasswords[filename] = pm
+	}
+	htpasswordsMu.Unlock()
+	if pm[username] == nil {
+		return nil, fmt.Errorf("username %q not found in %q", username, filename)
+	}
+	return pm[username], nil
+}
+
+func parseHtpasswd(pm map[string]PasswordMatcher, r io.Reader) error {
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.IndexByte(line, '#') == 0 {
+			continue
+		}
+		i := strings.IndexByte(line, ':')
+		if i <= 0 {
+			return fmt.Errorf("malformed line, no color: %q", line)
+		}
+		user, encoded := line[:i], line[i+1:]
+		for _, p := range basic.DefaultSystems {
+			matcher, err := p(encoded)
+			if err != nil {
+				return err
+			}
+			if matcher != nil {
+				pm[user] = matcher.MatchesPassword
+				break
+			}
+		}
+	}
+	return scanner.Err()
+}
+
+// PlainMatcher returns a PasswordMatcher that does a constant-time
+// byte comparison against the password passw.
+func PlainMatcher(passw string) PasswordMatcher {
+	// compare hashes of equal length instead of actual password
+	// to avoid leaking password length
+	passwHash := sha1.New()
+	passwHash.Write([]byte(passw))
+	passwSum := passwHash.Sum(nil)
+	return func(pw string) bool {
+		pwHash := sha1.New()
+		pwHash.Write([]byte(pw))
+		pwSum := pwHash.Sum(nil)
+		return subtle.ConstantTimeCompare([]byte(pwSum), []byte(passwSum)) == 1
+	}
+}
--- a/vendor/github.com/mholt/caddy/caddyhttp/basicauth/setup.go
+++ b/vendor/github.com/mholt/caddy/caddyhttp/basicauth/setup.go
@@ -0,0 +1,113 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("basicauth", caddy.Plugin{
+		ServerType: "http",
+		Action:     setup,
+	})
+}
+
+// setup configures a new BasicAuth middleware instance.
+func setup(c *caddy.Controller) error {
+	cfg := httpserver.GetConfig(c)
+	root := cfg.Root
+
+	rules, err := basicAuthParse(c)
+	if err != nil {
+		return err
+	}
+
+	basic := BasicAuth{Rules: rules}
+
+	cfg.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		basic.Next = next
+		basic.SiteRoot = root
+		return basic
+	})
+
+	return nil
+}
+
+func basicAuthParse(c *caddy.Controller) ([]Rule, error) {
+	var rules []Rule
+	cfg := httpserver.GetConfig(c)
+
+	var err error
+	for c.Next() {
+		var rule Rule
+
+		args := c.RemainingArgs()
+
+		switch len(args) {
+		case 2:
+			rule.Username = args[0]
+			if rule.Password, err = passwordMatcher(rule.Username, args[1], cfg.Root); err != nil {
+				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
+			}
+		case 3:
+			rule.Resources = append(rule.Resources, args[0])
+			rule.Username = args[1]
+			if rule.Password, err = passwordMatcher(rule.Username, args[2], cfg.Root); err != nil {
+				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
+			}
+		default:
+			return rules, c.ArgErr()
+		}
+
+		// If nested block is present, process it here
+		for c.NextBlock() {
+			val := c.Val()
+			args = c.RemainingArgs()
+			switch len(args) {
+			case 0:
+				// Assume single argument is path resource
+				rule.Resources = append(rule.Resources, val)
+			case 1:
+				if val == "realm" {
+					if rule.Realm == "" {
+						rule.Realm = strings.Replace(args[0], `"`, `\"`, -1)
+					} else {
+						return rules, c.Errf("\"realm\" subdirective can only be specified once")
+					}
+				} else {
+					return rules, c.Errf("expecting \"realm\", got \"%s\"", val)
+				}
+			default:
+				return rules, c.ArgErr()
+			}
+		}
+
+		rules = append(rules, rule)
+	}
+
+	return rules, nil
+}
+
+func passwordMatcher(username, passw, siteRoot string) (PasswordMatcher, error) {
+	htpasswdPrefix := "htpasswd="
+	if !strings.HasPrefix(passw, htpasswdPrefix) {
+		return PlainMatcher(passw), nil
+	}
+	return GetHtpasswdMatcher(passw[len(htpasswdPrefix):], username, siteRoot)
+}