Add basic authentication (#1683)

* Add basic authentication

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>

9 files changed, 297 insertions, 49 deletions

diff --git a/https/README.md b/https/README.md
index e8e4504..70b321e 100644
--- a/https/README.md
+++ b/https/README.md
@@ -25,4 +25,27 @@ tls_config:
 
   # CA certificate for client certificate authentication to the server
   [ client_ca_file: <filename> ]
+
+# List of usernames and hashed passwords that have full access to the web
+# server via basic authentication. If empty, no basic authentication is
+# required. Passwords are hashed with bcrypt.
+basic_auth_users:
+  [ <username>: <password> ... ]
 ```
+
+## About bcrypt
+
+There are several tools out there to generate bcrypt passwords, e.g.
+[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):
+
+`htpasswd -nBC 10 "" | tr -d ':\n`
+
+That command will prompt you for a password and output the hashed password,
+which will look something like:
+`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`
+
+The cost (10 in the example) influences the time it takes for computing the
+hash. A higher cost will en up slowing down the authentication process.
+Depending on the machine, a cost of 10 will take about ~70ms where a cost of
+18 can take up to a few seconds. That hash will be computed on every
+password-protected request.
diff --git a/https/testdata/tls_config_auth_user_list_invalid.bad.yml b/https/testdata/tls_config_auth_user_list_invalid.bad.yml
new file mode 100644
index 0000000..90c1d95
--- /dev/null
+++ b/https/testdata/tls_config_auth_user_list_invalid.bad.yml
@@ -0,0 +1,5 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  john: doe
diff --git a/https/testdata/tls_config_junk_key.yml b/https/testdata/tls_config_junk_key.yml
new file mode 100644
index 0000000..acb2cc3
--- /dev/null
+++ b/https/testdata/tls_config_junk_key.yml
@@ -0,0 +1,2 @@
+tls_config :
+  cert_filse: "testdata/server.crt"
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
index 2ed9195..1511b5a 100644
--- a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
+++ b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
@@ -1,3 +1,4 @@
 tls_config :
   cert_file : ""
-  key_file : ""
\ No newline at end of file
+  key_file : ""
+  client_auth_type: "x"
diff --git a/https/testdata/tls_config_users.good.yml b/https/testdata/tls_config_users.good.yml
new file mode 100644
index 0000000..278177d
--- /dev/null
+++ b/https/testdata/tls_config_users.good.yml
@@ -0,0 +1,8 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/https/testdata/tls_config_users_noTLS.good.yml b/https/testdata/tls_config_users_noTLS.good.yml
new file mode 100644
index 0000000..d3a7987
--- /dev/null
+++ b/https/testdata/tls_config_users_noTLS.good.yml
@@ -0,0 +1,5 @@
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/https/tls_config.go b/https/tls_config.go
index 4b29862..44e57e9 100644
--- a/https/tls_config.go
+++ b/https/tls_config.go
@@ -20,12 +20,20 @@ import (
         "io/ioutil"
         "net/http"
 
+        "github.com/go-kit/kit/log"
+        "github.com/go-kit/kit/log/level"
         "github.com/pkg/errors"
+        config_util "github.com/prometheus/common/config"
         "gopkg.in/yaml.v2"
 )
 
+var (
+        errNoTLSConfig = errors.New("TLS config is not present")
+)
+
 type Config struct {
-        TLSConfig TLSStruct `yaml:"tls_config"`
+        TLSConfig TLSStruct                     `yaml:"tls_config"`
+        Users     map[string]config_util.Secret `yaml:"basic_auth_users"`
 }
 
 type TLSStruct struct {
@@ -35,13 +43,18 @@ type TLSStruct struct {
         ClientCAs   string `yaml:"client_ca_file"`
 }
 
-func getTLSConfig(configPath string) (*tls.Config, error) {
+func getConfig(configPath string) (*Config, error) {
         content, err := ioutil.ReadFile(configPath)
         if err != nil {
                 return nil, err
         }
         c := &Config{}
-        err = yaml.Unmarshal(content, c)
+        err = yaml.UnmarshalStrict(content, c)
+        return c, err
+}
+
+func getTLSConfig(configPath string) (*tls.Config, error) {
+        c, err := getConfig(configPath)
         if err != nil {
                 return nil, err
         }
@@ -50,14 +63,18 @@ func getTLSConfig(configPath string) (*tls.Config, error) {
 
 // ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.
 func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
-        cfg := &tls.Config{
-                MinVersion: tls.VersionTLS12,
+        if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" {
+                return nil, errNoTLSConfig
         }
-        if len(c.TLSCertPath) == 0 {
-                return nil, errors.New("missing TLSCertPath")
+
+        if c.TLSCertPath == "" {
+                return nil, errors.New("missing cert_file")
         }
-        if len(c.TLSKeyPath) == 0 {
-                return nil, errors.New("missing TLSKeyPath")
+        if c.TLSKeyPath == "" {
+                return nil, errors.New("missing key_file")
+        }
+        cfg := &tls.Config{
+                MinVersion: tls.VersionTLS12,
         }
         loadCert := func() (*tls.Certificate, error) {
                 cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
@@ -74,7 +91,7 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
                 return loadCert()
         }
 
-        if len(c.ClientCAs) > 0 {
+        if c.ClientCAs != "" {
                 clientCAPool := x509.NewCertPool()
                 clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
                 if err != nil {
@@ -83,40 +100,67 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
                 clientCAPool.AppendCertsFromPEM(clientCAFile)
                 cfg.ClientCAs = clientCAPool
         }
-        if len(c.ClientAuth) > 0 {
-                switch s := (c.ClientAuth); s {
-                case "NoClientCert":
-                        cfg.ClientAuth = tls.NoClientCert
-                case "RequestClientCert":
-                        cfg.ClientAuth = tls.RequestClientCert
-                case "RequireClientCert":
-                        cfg.ClientAuth = tls.RequireAnyClientCert
-                case "VerifyClientCertIfGiven":
-                        cfg.ClientAuth = tls.VerifyClientCertIfGiven
-                case "RequireAndVerifyClientCert":
-                        cfg.ClientAuth = tls.RequireAndVerifyClientCert
-                case "":
-                        cfg.ClientAuth = tls.NoClientCert
-                default:
-                        return nil, errors.New("Invalid ClientAuth: " + s)
-                }
+
+        switch c.ClientAuth {
+        case "RequestClientCert":
+                cfg.ClientAuth = tls.RequestClientCert
+        case "RequireClientCert":
+                cfg.ClientAuth = tls.RequireAnyClientCert
+        case "VerifyClientCertIfGiven":
+                cfg.ClientAuth = tls.VerifyClientCertIfGiven
+        case "RequireAndVerifyClientCert":
+                cfg.ClientAuth = tls.RequireAndVerifyClientCert
+        case "", "NoClientCert":
+                cfg.ClientAuth = tls.NoClientCert
+        default:
+                return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth)
         }
-        if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
+
+        if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert {
                 return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
         }
+
         return cfg, nil
 }
 
 // Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
-func Listen(server *http.Server, tlsConfigPath string) error {
-        if (tlsConfigPath) == "" {
+func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
+        if tlsConfigPath == "" {
+                level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
                 return server.ListenAndServe()
         }
-        var err error
-        server.TLSConfig, err = getTLSConfig(tlsConfigPath)
-        if err != nil {
+
+        if err := validateUsers(tlsConfigPath); err != nil {
                 return err
         }
+
+        // Setup basic authentication.
+        var handler http.Handler = http.DefaultServeMux
+        if server.Handler != nil {
+                handler = server.Handler
+        }
+        server.Handler = &userAuthRoundtrip{
+                tlsConfigPath: tlsConfigPath,
+                logger:        logger,
+                handler:       handler,
+        }
+
+        config, err := getTLSConfig(tlsConfigPath)
+        switch err {
+        case nil:
+                // Valid TLS config.
+                level.Info(logger).Log("msg", "TLS is enabled and it cannot be disabled on the fly.")
+        case errNoTLSConfig:
+                // No TLS config, back to plain HTTP.
+                level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
+                return server.ListenAndServe()
+        default:
+                // Invalid TLS config.
+                return err
+        }
+
+        server.TLSConfig = config
+
         // Set the GetConfigForClient method of the HTTPS server so that the config
         // and certs are reloaded on new connections.
         server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
diff --git a/https/tls_config_test.go b/https/tls_config_test.go
index 4b1b4e0..07f412a 100644
--- a/https/tls_config_test.go
+++ b/https/tls_config_test.go
@@ -28,7 +28,8 @@ import (
 )
 
 var (
-        port = getPort()
+        port       = getPort()
+        testlogger = &testLogger{}
 
         ErrorMap = map[string]*regexp.Regexp{
                 "HTTP Response to HTTPS":       regexp.MustCompile(`server gave HTTP response to HTTPS client`),
@@ -38,12 +39,21 @@ var (
                 "Invalid ClientAuth":           regexp.MustCompile(`invalid ClientAuth`),
                 "TLS handshake":                regexp.MustCompile(`tls`),
                 "HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`),
-                "Invalid CertPath":             regexp.MustCompile(`missing TLSCertPath`),
-                "Invalid KeyPath":              regexp.MustCompile(`missing TLSKeyPath`),
+                "Invalid CertPath":             regexp.MustCompile(`missing cert_file`),
+                "Invalid KeyPath":              regexp.MustCompile(`missing key_file`),
                 "ClientCA set without policy":  regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`),
+                "Bad password":                 regexp.MustCompile(`hashedSecret too short to be a bcrypted password`),
+                "Unauthorized":                 regexp.MustCompile(`Unauthorized`),
+                "Forbidden":                    regexp.MustCompile(`Forbidden`),
         }
 )
 
+type testLogger struct{}
+
+func (t *testLogger) Log(keyvals ...interface{}) error {
+        return nil
+}
+
 func getPort() string {
         listener, err := net.Listen("tcp", ":0")
         if err != nil {
@@ -61,6 +71,8 @@ type TestInputs struct {
         YAMLConfigPath string
         ExpectedError  *regexp.Regexp
         UseTLSClient   bool
+        Username       string
+        Password       string
 }
 
 func TestYAMLFiles(t *testing.T) {
@@ -73,7 +85,7 @@ func TestYAMLFiles(t *testing.T) {
                 {
                         Name:           `empty config yml`,
                         YAMLConfigPath: "testdata/tls_config_empty.yml",
-                        ExpectedError:  ErrorMap["Invalid CertPath"],
+                        ExpectedError:  nil,
                 },
                 {
                         Name:           `invalid config yml (invalid structure)`,
@@ -81,6 +93,11 @@ func TestYAMLFiles(t *testing.T) {
                         ExpectedError:  ErrorMap["YAML error"],
                 },
                 {
+                        Name:           `invalid config yml (invalid key)`,
+                        YAMLConfigPath: "testdata/tls_config_junk_key.yml",
+                        ExpectedError:  ErrorMap["YAML error"],
+                },
+                {
                         Name:           `invalid config yml (cert path empty)`,
                         YAMLConfigPath: "testdata/tls_config_noAuth_certPath_empty.bad.yml",
                         ExpectedError:  ErrorMap["Invalid CertPath"],
@@ -120,6 +137,11 @@ func TestYAMLFiles(t *testing.T) {
                         YAMLConfigPath: "testdata/tls_config_auth_clientCAs_invalid.bad.yml",
                         ExpectedError:  ErrorMap["No such file"],
                 },
+                {
+                        Name:           `invalid config yml (invalid user list)`,
+                        YAMLConfigPath: "testdata/tls_config_auth_user_list_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["Bad password"],
+                },
         }
         for _, testInputs := range testTables {
                 t.Run(testInputs.Name, testInputs.Test)
@@ -189,7 +211,7 @@ func TestConfigReloading(t *testing.T) {
                                 recordConnectionError(errors.New("Panic starting server"))
                         }
                 }()
-                err := Listen(server, badYAMLPath)
+                err := Listen(server, badYAMLPath, testlogger)
                 recordConnectionError(err)
         }()
 
@@ -266,21 +288,28 @@ func (test *TestInputs) Test(t *testing.T) {
                                 recordConnectionError(errors.New("Panic starting server"))
                         }
                 }()
-                err := Listen(server, test.YAMLConfigPath)
+                err := Listen(server, test.YAMLConfigPath, testlogger)
                 recordConnectionError(err)
         }()
 
-        var ClientConnection func() (*http.Response, error)
-        if test.UseTLSClient {
-                ClientConnection = func() (*http.Response, error) {
-                        client := getTLSClient()
-                        return client.Get("https://localhost" + port)
+        ClientConnection := func() (*http.Response, error) {
+                var client *http.Client
+                var proto string
+                if test.UseTLSClient {
+                        client = getTLSClient()
+                        proto = "https"
+                } else {
+                        client = http.DefaultClient
+                        proto = "http"
                 }
-        } else {
-                ClientConnection = func() (*http.Response, error) {
-                        client := http.DefaultClient
-                        return client.Get("http://localhost" + port)
+                req, err := http.NewRequest("GET", proto+"://localhost"+port, nil)
+                if err != nil {
+                        t.Error(err)
                 }
+                if test.Username != "" {
+                        req.SetBasicAuth(test.Username, test.Password)
+                }
+                return client.Do(req)
         }
         go func() {
                 time.Sleep(250 * time.Millisecond)
@@ -360,3 +389,61 @@ func swapFileContents(file1, file2 string) error {
         }
         return nil
 }
+
+func TestUsers(t *testing.T) {
+        testTables := []*TestInputs{
+                {
+                        Name:           `without basic auth`,
+                        YAMLConfigPath: "testdata/tls_config_users_noTLS.good.yml",
+                        ExpectedError:  ErrorMap["Unauthorized"],
+                },
+                {
+                        Name:           `with correct basic auth`,
+                        YAMLConfigPath: "testdata/tls_config_users_noTLS.good.yml",
+                        Username:       "dave",
+                        Password:       "dave123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `without basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        ExpectedError:  ErrorMap["Unauthorized"],
+                },
+                {
+                        Name:           `with correct basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "dave",
+                        Password:       "dave123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `with another correct basic auth and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "carol",
+                        Password:       "carol123",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `with bad password and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "dave",
+                        Password:       "bad",
+                        ExpectedError:  ErrorMap["Forbidden"],
+                },
+                {
+                        Name:           `with bad username and TLS`,
+                        YAMLConfigPath: "testdata/tls_config_users.good.yml",
+                        UseTLSClient:   true,
+                        Username:       "nonexistent",
+                        Password:       "nonexistent",
+                        ExpectedError:  ErrorMap["Forbidden"],
+                },
+        }
+        for _, testInputs := range testTables {
+                t.Run(testInputs.Name, testInputs.Test)
+        }
+}
diff --git a/https/users.go b/https/users.go
new file mode 100644
index 0000000..170c87b
--- /dev/null
+++ b/https/users.go
@@ -0,0 +1,73 @@
+// Copyright 2020 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package https
+
+import (
+        "net/http"
+
+        "github.com/go-kit/kit/log"
+        "golang.org/x/crypto/bcrypt"
+)
+
+func validateUsers(configPath string) error {
+        c, err := getConfig(configPath)
+        if err != nil {
+                return err
+        }
+
+        for _, p := range c.Users {
+                _, err = bcrypt.Cost([]byte(p))
+                if err != nil {
+                        return err
+                }
+        }
+
+        return nil
+}
+
+type userAuthRoundtrip struct {
+        tlsConfigPath string
+        handler       http.Handler
+        logger        log.Logger
+}
+
+func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+        c, err := getConfig(u.tlsConfigPath)
+        if err != nil {
+                u.logger.Log("msg", "Unable to parse configuration", "err", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+        }
+
+        if len(c.Users) == 0 {
+                u.handler.ServeHTTP(w, r)
+                return
+        }
+
+        user, pass, ok := r.BasicAuth()
+        if !ok {
+                w.Header().Set("WWW-Authenticate", "Basic")
+                http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+                return
+        }
+
+        if hashedPassword, ok := c.Users[user]; ok {
+                if err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)); err == nil {
+                        u.handler.ServeHTTP(w, r)
+                        return
+                }
+        }
+
+        http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+}