Google Git
Sign in
apache / couchdb / refs/tags/1.0.4 / . / src / couchdb / couch_httpd_auth.erl
blob: 752fbef1d2fd6e2fa6ef573a6897d17a97885489 [file] [log] [blame]
% Licensed under the Apache License, Version 2.0 (the "License"); you may not
% use this file except in compliance with the License. You may obtain a copy of
% the License at
%
% http://www.apache.org/licenses/LICENSE-2.0
%
% Unless required by applicable law or agreed to in writing, software
% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
% License for the specific language governing permissions and limitations under
% the License.
-module(couch_httpd_auth).
-include("couch_db.hrl").
-export([default_authentication_handler/1,special_test_authentication_handler/1]).
-export([cookie_authentication_handler/1]).
-export([null_authentication_handler/1]).
-export([proxy_authentification_handler/1]).
-export([cookie_auth_header/2]).
-export([handle_session_req/1]).
-import(couch_httpd, [header_value/2, send_json/2,send_json/4, send_method_not_allowed/2]).
special_test_authentication_handler(Req) ->
case header_value(Req, "WWW-Authenticate") of
"X-Couch-Test-Auth " ++ NamePass ->
% NamePass is a colon separated string: "joe schmoe:a password".
[Name, Pass] = re:split(NamePass, ":", [{return, list}]),
case {Name, Pass} of
{"Jan Lehnardt", "apple"} -> ok;
{"Christopher Lenz", "dog food"} -> ok;
{"Noah Slater", "biggiesmalls endian"} -> ok;
{"Chris Anderson", "mp3"} -> ok;
{"Damien Katz", "pecan pie"} -> ok;
{_, _} ->
throw({unauthorized, <<"Name or password is incorrect.">>})
end,
Req#httpd{user_ctx=#user_ctx{name=?l2b(Name)}};
_ ->
% No X-Couch-Test-Auth credentials sent, give admin access so the
% previous authentication can be restored after the test
Req#httpd{user_ctx=#user_ctx{roles=[<<"_admin">>]}}
end.
basic_name_pw(Req) ->
AuthorizationHeader = header_value(Req, "Authorization"),
case AuthorizationHeader of
"Basic " ++ Base64Value ->
case string:tokens(?b2l(base64:decode(Base64Value)),":") of
["_", "_"] ->
% special name and pass to be logged out
nil;
[User, Pass] ->
{User, Pass};
[User | Pass] ->
{User, string:join(Pass, ":")};
_ ->
nil
end;
_ ->
nil
end.
default_authentication_handler(Req) ->
case basic_name_pw(Req) of
{User, Pass} ->
case couch_auth_cache:get_user_creds(User) of
nil ->
throw({unauthorized, <<"Name or password is incorrect.">>});
UserProps ->
UserSalt = couch_util:get_value(<<"salt">>, UserProps, <<>>),
PasswordHash = hash_password(?l2b(Pass), UserSalt),
ExpectedHash = couch_util:get_value(<<"password_sha">>, UserProps, nil),
case couch_util:verify(ExpectedHash, PasswordHash) of
true ->
Req#httpd{user_ctx=#user_ctx{
name=?l2b(User),
roles=couch_util:get_value(<<"roles">>, UserProps, [])
}};
_Else ->
throw({unauthorized, <<"Name or password is incorrect.">>})
end
end;
nil ->
case couch_server:has_admins() of
true ->
Req;
false ->
case couch_config:get("couch_httpd_auth", "require_valid_user", "false") of
"true" -> Req;
% If no admins, and no user required, then everyone is admin!
% Yay, admin party!
_ -> Req#httpd{user_ctx=#user_ctx{roles=[<<"_admin">>]}}
end
end
end.
null_authentication_handler(Req) ->
Req#httpd{user_ctx=#user_ctx{roles=[<<"_admin">>]}}.
%% @doc proxy auth handler.
%
% This handler allows creation of a userCtx object from a user authenticated remotly.
% The client just pass specific headers to CouchDB and the handler create the userCtx.
% Headers name can be defined in local.ini. By thefault they are :
%
% * X-Auth-CouchDB-UserName : contain the username, (x_auth_username in
% couch_httpd_auth section)
% * X-Auth-CouchDB-Roles : contain the user roles, list of roles separated by a
% comma (x_auth_roles in couch_httpd_auth section)
% * X-Auth-CouchDB-Token : token to authenticate the authorization (x_auth_token
% in couch_httpd_auth section). This token is an hmac-sha1 created from secret key
% and username. The secret key should be the same in the client and couchdb node. s
% ecret key is the secret key in couch_httpd_auth section of ini. This token is optional
% if value of proxy_use_secret key in couch_httpd_auth section of ini isn't true.
%
proxy_authentification_handler(Req) ->
case proxy_auth_user(Req) of
nil -> Req;
Req2 -> Req2
end.
proxy_auth_user(Req) ->
XHeaderUserName = couch_config:get("couch_httpd_auth", "x_auth_username",
"X-Auth-CouchDB-UserName"),
XHeaderRoles = couch_config:get("couch_httpd_auth", "x_auth_roles",
"X-Auth-CouchDB-Roles"),
XHeaderToken = couch_config:get("couch_httpd_auth", "x_auth_token",
"X-Auth-CouchDB-Token"),
case header_value(Req, XHeaderUserName) of
undefined -> nil;
UserName ->
Roles = case header_value(Req, XHeaderRoles) of
undefined -> [];
Else ->
[?l2b(R) || R <- string:tokens(Else, ",")]
end,
case couch_config:get("couch_httpd_auth", "proxy_use_secret", "false") of
"true" ->
case couch_config:get("couch_httpd_auth", "secret", nil) of
nil ->
Req#httpd{user_ctx=#user_ctx{name=?l2b(UserName), roles=Roles}};
Secret ->
ExpectedToken = couch_util:to_hex(crypto:sha_mac(Secret, UserName)),
case header_value(Req, XHeaderToken) of
Token when Token == ExpectedToken ->
Req#httpd{user_ctx=#user_ctx{name=?l2b(UserName),
roles=Roles}};
_ -> nil
end
end;
_ ->
Req#httpd{user_ctx=#user_ctx{name=?l2b(UserName), roles=Roles}}
end
end.
cookie_authentication_handler(#httpd{mochi_req=MochiReq}=Req) ->
case MochiReq:get_cookie_value("AuthSession") of
undefined -> Req;
[] -> Req;
Cookie ->
[User, TimeStr | HashParts] = try
AuthSession = couch_util:decodeBase64Url(Cookie),
[_A, _B | _Cs] = string:tokens(?b2l(AuthSession), ":")
catch
_:_Error ->
Reason = <<"Malformed AuthSession cookie. Please clear your cookies.">>,
throw({bad_request, Reason})
end,
% Verify expiry and hash
CurrentTime = make_cookie_time(),
case couch_config:get("couch_httpd_auth", "secret", nil) of
nil ->
?LOG_ERROR("cookie auth secret is not set",[]),
Req;
SecretStr ->
Secret = ?l2b(SecretStr),
case couch_auth_cache:get_user_creds(User) of
nil -> Req;
UserProps ->
UserSalt = couch_util:get_value(<<"salt">>, UserProps, <<"">>),
FullSecret = <<Secret/binary, UserSalt/binary>>,
ExpectedHash = crypto:sha_mac(FullSecret, User ++ ":" ++ TimeStr),
Hash = ?l2b(string:join(HashParts, ":")),
Timeout = to_int(couch_config:get("couch_httpd_auth", "timeout", 600)),
?LOG_DEBUG("timeout ~p", [Timeout]),
case (catch erlang:list_to_integer(TimeStr, 16)) of
TimeStamp when CurrentTime < TimeStamp + Timeout ->
case couch_util:verify(ExpectedHash, Hash) of
true ->
TimeLeft = TimeStamp + Timeout - CurrentTime,
?LOG_DEBUG("Successful cookie auth as: ~p", [User]),
Req#httpd{user_ctx=#user_ctx{
name=?l2b(User),
roles=couch_util:get_value(<<"roles">>, UserProps, [])
}, auth={FullSecret, TimeLeft < Timeout*0.9}};
_Else ->
Req
end;
_Else ->
Req
end
end
end
end.
cookie_auth_header(#httpd{user_ctx=#user_ctx{name=null}}, _Headers) -> [];
cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret, true}}, Headers) ->
% Note: we only set the AuthSession cookie if:
% * a valid AuthSession cookie has been received
% * we are outside a 10% timeout window
% * and if an AuthSession cookie hasn't already been set e.g. by a login
% or logout handler.
% The login and logout handlers need to set the AuthSession cookie
% themselves.
CookieHeader = couch_util:get_value("Set-Cookie", Headers, ""),
Cookies = mochiweb_cookies:parse_cookie(CookieHeader),
AuthSession = couch_util:get_value("AuthSession", Cookies),
if AuthSession == undefined ->
TimeStamp = make_cookie_time(),
[cookie_auth_cookie(?b2l(User), Secret, TimeStamp)];
true ->
[]
end;
cookie_auth_header(_Req, _Headers) -> [].
cookie_auth_cookie(User, Secret, TimeStamp) ->
SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
Hash = crypto:sha_mac(Secret, SessionData),
mochiweb_cookies:cookie("AuthSession",
couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)),
[{path, "/"}, {http_only, true}]). % TODO add {secure, true} when SSL is detected
hash_password(Password, Salt) ->
?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
ensure_cookie_auth_secret() ->
case couch_config:get("couch_httpd_auth", "secret", nil) of
nil ->
NewSecret = ?b2l(couch_uuids:random()),
couch_config:set("couch_httpd_auth", "secret", NewSecret),
NewSecret;
Secret -> Secret
end.
% session handlers
% Login handler with user db
% TODO this should also allow a JSON POST
handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) ->
ReqBody = MochiReq:recv_body(),
Form = case MochiReq:get_primary_header_value("content-type") of
% content type should be json
"application/x-www-form-urlencoded" ++ _ ->
mochiweb_util:parse_qs(ReqBody);
_ ->
[]
end,
UserName = ?l2b(couch_util:get_value("name", Form, "")),
Password = ?l2b(couch_util:get_value("password", Form, "")),
?LOG_DEBUG("Attempt Login: ~s",[UserName]),
User = case couch_auth_cache:get_user_creds(UserName) of
nil -> [];
Result -> Result
end,
UserSalt = couch_util:get_value(<<"salt">>, User, <<>>),
PasswordHash = hash_password(Password, UserSalt),
ExpectedHash = couch_util:get_value(<<"password_sha">>, User, nil),
case couch_util:verify(ExpectedHash, PasswordHash) of
true ->
% setup the session cookie
Secret = ?l2b(ensure_cookie_auth_secret()),
CurrentTime = make_cookie_time(),
Cookie = cookie_auth_cookie(?b2l(UserName), <<Secret/binary, UserSalt/binary>>, CurrentTime),
% TODO document the "next" feature in Futon
{Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
nil ->
{200, [Cookie]};
Redirect ->
{302, [Cookie, {"Location", couch_httpd:absolute_uri(Req, Redirect)}]}
end,
send_json(Req#httpd{req_body=ReqBody}, Code, Headers,
{[
{ok, true},
{name, couch_util:get_value(<<"name">>, User, null)},
{roles, couch_util:get_value(<<"roles">>, User, [])}
]});
_Else ->
% clear the session
Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, {http_only, true}]),
send_json(Req, 401, [Cookie], {[{error, <<"unauthorized">>},{reason, <<"Name or password is incorrect.">>}]})
end;
% get user info
% GET /_session
handle_session_req(#httpd{method='GET', user_ctx=UserCtx}=Req) ->
Name = UserCtx#user_ctx.name,
ForceLogin = couch_httpd:qs_value(Req, "basic", "false"),
case {Name, ForceLogin} of
{null, "true"} ->
throw({unauthorized, <<"Please login.">>});
{Name, _} ->
send_json(Req, {[
% remove this ok
{ok, true},
{<<"userCtx">>, {[
{name, Name},
{roles, UserCtx#user_ctx.roles}
]}},
{info, {[
{authentication_db, ?l2b(couch_config:get("couch_httpd_auth", "authentication_db"))},
{authentication_handlers, [auth_name(H) || H <- couch_httpd:make_fun_spec_strs(
couch_config:get("httpd", "authentication_handlers"))]}
] ++ maybe_value(authenticated, UserCtx#user_ctx.handler, fun(Handler) ->
auth_name(?b2l(Handler))
end)}}
]})
end;
% logout by deleting the session
handle_session_req(#httpd{method='DELETE'}=Req) ->
Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, {http_only, true}]),
{Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
nil ->
{200, [Cookie]};
Redirect ->
{302, [Cookie, {"Location", couch_httpd:absolute_uri(Req, Redirect)}]}
end,
send_json(Req, Code, Headers, {[{ok, true}]});
handle_session_req(Req) ->
send_method_not_allowed(Req, "GET,HEAD,POST,DELETE").
maybe_value(_Key, undefined, _Fun) -> [];
maybe_value(Key, Else, Fun) ->
[{Key, Fun(Else)}].
auth_name(String) when is_list(String) ->
[_,_,_,_,_,Name|_] = re:split(String, "[\\W_]", [{return, list}]),
?l2b(Name).
to_int(Value) when is_binary(Value) ->
to_int(?b2l(Value));
to_int(Value) when is_list(Value) ->
list_to_integer(Value);
to_int(Value) when is_integer(Value) ->
Value.
make_cookie_time() ->
{NowMS, NowS, _} = erlang:now(),
NowMS * 1000000 + NowS.