From d6e9200cc35411f3f27426b608bcfdef9348e6d3 Mon Sep 17 00:00:00 2001 From: Jason A. Donenfeld Date: Tue, 14 Jan 2014 21:49:31 +0100 Subject: auth: add basic authentication filter framework This leverages the new lua support. See filters/simple-authentication.lua for explaination of how this works. There is also additional documentation in cgitrc.5.txt. Though this is a cookie-based approach, cgit's caching mechanism is preserved for authenticated pages. Very plugable and extendable depending on user needs. The sample script uses an HMAC-SHA1 based cookie to store the currently logged in user, with an expiration date. Signed-off-by: Jason A. Donenfeld --- cgit.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 94 insertions(+), 2 deletions(-) (limited to 'cgit.c') diff --git a/cgit.c b/cgit.c index f3fe56b..c52ef33 100644 --- a/cgit.c +++ b/cgit.c @@ -192,6 +192,8 @@ static void config_cb(const char *name, const char *value) ctx.cfg.commit_filter = cgit_new_filter(value, COMMIT); else if (!strcmp(name, "email-filter")) ctx.cfg.email_filter = cgit_new_filter(value, EMAIL); + else if (!strcmp(name, "auth-filter")) + ctx.cfg.auth_filter = cgit_new_filter(value, AUTH); else if (!strcmp(name, "embedded")) ctx.cfg.embedded = atoi(value); else if (!strcmp(name, "max-atom-items")) @@ -378,6 +380,10 @@ static void prepare_context(struct cgit_context *ctx) ctx->env.script_name = getenv("SCRIPT_NAME"); ctx->env.server_name = getenv("SERVER_NAME"); ctx->env.server_port = getenv("SERVER_PORT"); + ctx->env.http_cookie = getenv("HTTP_COOKIE"); + ctx->env.http_referer = getenv("HTTP_REFERER"); + ctx->env.content_length = getenv("CONTENT_LENGTH") ? strtoul(getenv("CONTENT_LENGTH"), NULL, 10) : 0; + ctx->env.authenticated = 0; ctx->page.mimetype = "text/html"; ctx->page.charset = PAGE_ENCODING; ctx->page.filename = NULL; @@ -593,11 +599,92 @@ static int prepare_repo_cmd(struct cgit_context *ctx) return 0; } +static inline void open_auth_filter(struct cgit_context *ctx, const char *function) +{ + cgit_open_filter(ctx->cfg.auth_filter, function, + ctx->env.http_cookie ? ctx->env.http_cookie : "", + ctx->env.request_method ? ctx->env.request_method : "", + ctx->env.query_string ? ctx->env.query_string : "", + ctx->env.http_referer ? ctx->env.http_referer : "", + ctx->env.path_info ? ctx->env.path_info : "", + ctx->env.http_host ? ctx->env.http_host : "", + ctx->env.https ? ctx->env.https : "", + ctx->qry.repo ? ctx->qry.repo : "", + ctx->qry.page ? ctx->qry.page : "", + ctx->qry.url ? ctx->qry.url : ""); +} + +#define MAX_AUTHENTICATION_POST_BYTES 4096 +static inline void authenticate_post(struct cgit_context *ctx) +{ + if (ctx->env.http_referer && strlen(ctx->env.http_referer) > 0) { + html("Status: 302 Redirect\n"); + html("Cache-Control: no-cache, no-store\n"); + htmlf("Location: %s\n", ctx->env.http_referer); + } else { + html("Status: 501 Missing Referer\n"); + html("Cache-Control: no-cache, no-store\n\n"); + exit(0); + } + + open_auth_filter(ctx, "authenticate-post"); + char buffer[MAX_AUTHENTICATION_POST_BYTES]; + int len; + len = ctx->env.content_length; + if (len > MAX_AUTHENTICATION_POST_BYTES) + len = MAX_AUTHENTICATION_POST_BYTES; + if (read(STDIN_FILENO, buffer, len) < 0) + die_errno("Could not read POST from stdin"); + if (write(STDOUT_FILENO, buffer, len) < 0) + die_errno("Could not write POST to stdout"); + /* The filter may now spit out a Set-Cookie: ... */ + cgit_close_filter(ctx->cfg.auth_filter); + + html("\n"); + exit(0); +} + +static inline void authenticate_cookie(struct cgit_context *ctx) +{ + /* If we don't have an auth_filter, consider all cookies valid, and thus return early. */ + if (!ctx->cfg.auth_filter) { + ctx->env.authenticated = 1; + return; + } + + /* If we're having something POST'd to /login, we're authenticating POST, + * instead of the cookie, so call authenticate_post and bail out early. + * This pattern here should match /?p=login with POST. */ + if (ctx->env.request_method && ctx->qry.page && !ctx->repo && \ + !strcmp(ctx->env.request_method, "POST") && !strcmp(ctx->qry.page, "login")) { + authenticate_post(ctx); + return; + } + + /* If we've made it this far, we're authenticating the cookie for real, so do that. */ + open_auth_filter(ctx, "authenticate-cookie"); + ctx->env.authenticated = cgit_close_filter(ctx->cfg.auth_filter); +} + static void process_request(void *cbdata) { struct cgit_context *ctx = cbdata; struct cgit_cmd *cmd; + /* If we're not yet authenticated, no matter what page we're on, + * display the authentication body from the auth_filter. This should + * never be cached. */ + if (!ctx->env.authenticated) { + ctx->page.title = "Authentication Required"; + cgit_print_http_headers(ctx); + cgit_print_docstart(ctx); + cgit_print_pageheader(ctx); + open_auth_filter(ctx, "body"); + cgit_close_filter(ctx->cfg.auth_filter); + cgit_print_docend(); + return; + } + cmd = cgit_get_cmd(ctx); if (!cmd) { ctx->page.title = "cgit error"; @@ -911,6 +998,7 @@ int main(int argc, const char **argv) int err, ttl; cgit_init_filters(); + atexit(cgit_cleanup_filters); prepare_context(&ctx); cgit_repolist.length = 0; @@ -948,18 +1036,22 @@ int main(int argc, const char **argv) cgit_parse_url(ctx.qry.url); } + /* Before we go any further, we set ctx.env.authenticated by checking to see + * if the supplied cookie is valid. All cookies are valid if there is no + * auth_filter. If there is an auth_filter, the filter decides. */ + authenticate_cookie(&ctx); + ttl = calc_ttl(); if (ttl < 0) ctx.page.expires += 10 * 365 * 24 * 60 * 60; /* 10 years */ else ctx.page.expires += ttl * 60; - if (ctx.env.request_method && !strcmp(ctx.env.request_method, "HEAD")) + if (!ctx.env.authenticated || (ctx.env.request_method && !strcmp(ctx.env.request_method, "HEAD"))) ctx.cfg.nocache = 1; if (ctx.cfg.nocache) ctx.cfg.cache_size = 0; err = cache_process(ctx.cfg.cache_size, ctx.cfg.cache_root, ctx.qry.raw, ttl, process_request, &ctx); - cgit_cleanup_filters(); if (err) cgit_print_error("Error processing page: %s (%d)", strerror(err), err); -- cgit v1.2.3-70-g09d2