diff --git a/internal/archive/credentials.go b/internal/archive/credentials.go new file mode 100644 index 00000000..1f8c3289 --- /dev/null +++ b/internal/archive/credentials.go @@ -0,0 +1,303 @@ +package archive + +import ( + "bufio" + "errors" + "fmt" + "io" + "net/url" + "os" + "path/filepath" + "sort" + "strings" +) + +// credentials contains matched non-empty Username and Password. +// Username is left empty if the search is unsuccessful. +type credentials struct { + Username string + Password string +} + +// Empty checks whether c represents unsuccessful search. +func (c credentials) Empty() bool { + return c.Username == "" && c.Password == "" +} + +// credentialsQuery contains parsed input URL data used for search. +type credentialsQuery struct { + scheme string + host string + port string + path string + needScheme bool +} + +// parseRepoURL parses repoURL into credentialsQuery and fills provided +// credentials with username and password if they are specified in repoURL. +func parseRepoURL(repoURL string) (creds *credentials, query *credentialsQuery, err error) { + u, err := url.Parse(repoURL) + if err != nil { + return + } + + creds = &credentials{} + creds.Username = u.User.Username() + creds.Password, _ = u.User.Password() + + if !creds.Empty() { + return + } + + host := u.Host + port := u.Port() + if port != "" { + // u.Hostname() would remove brackets from IPv6 address but we + // need it verbatim for string search in netrc file. This is + // also faster because both u.Port() and u.Hostname() parse + // u.Host into port and hostname. + host = u.Host[0 : len(u.Host)-len(port)-1] + } + + query = &credentialsQuery{ + scheme: u.Scheme, + host: host, + port: port, + path: u.Path, + // If the input URL specifies unencrypted scheme, the scheme in + // machine declarations in netrc file is not optional and must + // also match. + needScheme: u.Scheme != "https" && u.Scheme != "tor+https", + } + + return +} + +const defaultCredsDir = "/etc/apt/auth.conf.d" + +var ErrCredentialsNotFound = errors.New("credentials not found") + +// findCredentials searches credentials for repoURL in configuration files in +// directory specified by CHISEL_AUTH_DIR environment variable if it's +// non-empty, otherwise /etc/apt/auth.conf.d. +func findCredentials(repoURL string) (*credentials, error) { + credsDir := defaultCredsDir + if v := os.Getenv("CHISEL_AUTH_DIR"); v != "" { + credsDir = v + } + return findCredentialsInDir(repoURL, credsDir) +} + +// findCredentialsInDir searches for credentials for repoURL in configuration +// files in credsDir directory. If the directory does not exist, empty +// credentials structure with nil err is returned. +// Only files that do not begin with dot and have either no or ".conf" +// extension are searched. The files are searched in ascending lexicographic +// order. The first file that contains machine declaration matching repoURL +// ends the search. If no file contain matching machine declaration, empty +// credentials structure with nil err is returned. +func findCredentialsInDir(repoURL string, credsDir string) (*credentials, error) { + contents, err := os.ReadDir(credsDir) + if err != nil { + logf("Cannot open credentials directory %q: %v", credsDir, err) + return nil, ErrCredentialsNotFound + } + + creds, query, err := parseRepoURL(repoURL) + if err != nil { + return nil, fmt.Errorf("cannot parse archive URL: %v", err) + } + if !creds.Empty() { + return creds, nil + } + + confFiles := make([]string, 0, len(contents)) + for _, entry := range contents { + name := entry.Name() + if strings.HasPrefix(name, ".") { + continue + } + if ext := filepath.Ext(name); ext != "" && ext != ".conf" { + continue + } + info, err := entry.Info() + if err != nil { + logf("Cannot stat credentials file %q: %v", filepath.Join(credsDir, name), err) + continue + } + if !info.Mode().IsRegular() { + continue + } + confFiles = append(confFiles, name) + } + if len(confFiles) == 0 { + return nil, ErrCredentialsNotFound + } + sort.Strings(confFiles) + + for _, file := range confFiles { + fpath := filepath.Join(credsDir, file) + f, err := os.Open(fpath) + if err != nil { + logf("Cannot open credentials file %q: %v", fpath, err) + continue + } + creds, err = findCredentialsInternal(query, f) + if closeErr := f.Close(); closeErr != nil { + logf("Cannot close credentials file %q: %v", fpath, err) + } + if err == nil { + return creds, nil + } else if err != ErrCredentialsNotFound { + logf("Cannot parse credentials file %q: %v", fpath, err) + } + } + + return nil, ErrCredentialsNotFound +} + +type netrcParser struct { + query *credentialsQuery + scanner *bufio.Scanner + creds *credentials +} + +// findCredentialsInternal searches for credentials in netrc file matching query +// and fills creds with matched credentials if there's a match. The first match +// ends the search. +// +// The format of the netrc file is described in [1]. The parser is adapted from +// the Apt parser (see [2]). When the parser is looking for a matching machine +// declaration it disregards the current context and only considers the input +// token. For example when given the following netrc file +// +// machine http://acme.com/foo login u1 password machine +// machine http://acme.com/bar login u2 password p2 +// +// and http://acme.com/bar input URL, the second line won't match, because the +// second "machine" will be treated as start of machine declaration. This also +// means unknown tokens are ignored, so comments are not treated specially. +// +// When a matching machine declaration is found the search stops on next +// machine token or on end of file. This means that arbitrary number of login +// and password declarations (or in fact, any tokens) can follow a machine +// declaration. The last username and password declaration overrides the +// previous ones. For example when given the following netrc file +// +// machine http://acme.com login a foo login b password c bar login d password e +// +// and the input URL is http://acme.com, the matched username and password will +// be "d" and "e" respectively. Tokens foo and bar will be ignored. +// +// This parser diverges from the Apt parser in the following ways: +// 1. The port specification in machine declaration is optional whether or +// not a path is specified. While the Apt documentation[1] implies the +// same behavior, the code adheres to it only when the machine declaration +// does not specify a path, see line 96 in [2]. +// 2. When the input URL has unencrypted scheme and the machine declaration +// does not specify a scheme, it is skipped silently. The Apt parser warns +// the user about it, see line 113 in [2]. +// +// References: +// +// [1] https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html +// [2] https://salsa.debian.org/apt-team/apt/-/blob/d9039b24/apt-pkg/contrib/netrc.cc +// [3] https://salsa.debian.org/apt-team/apt/-/blob/4e04cbaf/methods/aptmethod.h#L560 +// [4] https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html +// [5] https://daniel.haxx.se/blog/2022/05/31/netrc-pains/ +func findCredentialsInternal(query *credentialsQuery, netrc io.Reader) (*credentials, error) { + s := bufio.NewScanner(netrc) + s.Split(bufio.ScanWords) + p := netrcParser{ + query: query, + scanner: s, + creds: &credentials{}, + } + var err error + for state := netrcStart; err == nil && state != nil; { + state, err = state(&p) + err = errors.Join(err, p.scanner.Err()) + } + if err != nil { + return nil, err + } + if p.creds.Empty() { + return nil, ErrCredentialsNotFound + } + return p.creds, nil +} + +type netrcState func(*netrcParser) (netrcState, error) + +func netrcStart(p *netrcParser) (netrcState, error) { + for p.scanner.Scan() { + if p.scanner.Text() == "machine" { + return netrcMachine, nil + } + } + return nil, nil +} + +func netrcMachine(p *netrcParser) (netrcState, error) { + if !p.scanner.Scan() { + return nil, errors.New("syntax error: reached end of file while expecting machine text") + } + token := p.scanner.Text() + if i := strings.Index(token, "://"); i != -1 { + if token[0:i] != p.query.scheme { + return netrcStart, nil + } + token = token[i+3:] + } else if p.query.needScheme { + return netrcStart, nil + } + if !strings.HasPrefix(token, p.query.host) { + return netrcStart, nil + } + token = token[len(p.query.host):] + if len(token) > 0 && token[0] == ':' { + if p.query.port == "" { + return netrcStart, nil + } + token = token[1:] + if !strings.HasPrefix(token, p.query.port) { + return netrcStart, nil + } + token = token[len(p.query.port):] + } + if !strings.HasPrefix(p.query.path, token) { + return netrcStart, nil + } + return netrcGoodMachine, nil +} + +func netrcGoodMachine(p *netrcParser) (netrcState, error) { +loop: + for p.scanner.Scan() { + switch p.scanner.Text() { + case "login": + return netrcUsername, nil + case "password": + return netrcPassword, nil + case "machine": + break loop + } + } + return nil, nil +} + +func netrcUsername(p *netrcParser) (netrcState, error) { + if !p.scanner.Scan() { + return nil, errors.New("syntax error: reached end of file while expecting username text") + } + p.creds.Username = p.scanner.Text() + return netrcGoodMachine, nil +} + +func netrcPassword(p *netrcParser) (netrcState, error) { + if !p.scanner.Scan() { + return nil, errors.New("syntax error: reached end of file while expecting password text") + } + p.creds.Password = p.scanner.Text() + return netrcGoodMachine, nil +} diff --git a/internal/archive/credentials_test.go b/internal/archive/credentials_test.go new file mode 100644 index 00000000..9fe3e75b --- /dev/null +++ b/internal/archive/credentials_test.go @@ -0,0 +1,323 @@ +package archive_test + +import ( + "io/ioutil" + "os" + "path/filepath" + + . "gopkg.in/check.v1" + + "github.com/canonical/chisel/internal/archive" +) + +type matchTest struct { + url string + err string + username string + password string +} + +type credentialsTest struct { + summary string + credsFiles map[string]string + matchTests []matchTest +} + +var credentialsTests = []credentialsTest{{ + summary: "Parsing", + credsFiles: map[string]string{ + "50test-logins": ` +machine example.netter login bar password foo +machine example.net login foo password bar + +machine example.org:90 login apt password apt +machine example.org:8080 +login +example password foobar + +machine example.org +login anonymous +password pass + +machine example.com/foo login user1 unknown token password pass1 +machine example.com/bar password pass2 login user2 + unknown token +machine example.com/user login user +machine example.netter login unused password firstentry +machine socks5h://example.last/debian login debian password rules +`, + }, + matchTests: []matchTest{ + {"https://example.net/foo", "", "foo", "bar"}, + {"https://user:pass@example.net/foo", "", "user", "pass"}, + {"https://example.org:90/foo", "", "apt", "apt"}, + {"https://example.org:8080/foo", "", "example", "foobar"}, + {"https://example.net:42/foo", "", "foo", "bar"}, + {"https://example.org/foo", "", "anonymous", "pass"}, + {"https://example.com/apt", "^credentials not found$", "", ""}, + {"https://example.com/foo", "", "user1", "pass1"}, + {"https://example.com/fooo", "", "user1", "pass1"}, + {"https://example.com/fo", "^credentials not found$", "", ""}, + {"https://example.com/bar", "", "user2", "pass2"}, + {"https://example.com/user", "", "user", ""}, + {"socks5h://example.last/debian", "", "debian", "rules"}, + {"socks5h://example.debian/", "^credentials not found$", "", ""}, + {"socks5h://user:pass@example.debian/", "", "user", "pass"}, + }, +}, { + summary: "Bad file: No machine", + credsFiles: map[string]string{ + "50test-logins.conf": ` +foo example.org login foo1 password bar +machin example.org login foo2 password bar +machine2 example.org login foo3 password bar +`, + }, + matchTests: []matchTest{ + {"https://example.org/foo", "^credentials not found$", "", ""}, + }, +}, { + summary: "Bad file: Ends machine", + credsFiles: map[string]string{ + "50test-logins.conf": ` +machine example.org login foo1 password bar +machine`, + }, + matchTests: []matchTest{ + {"https://example.org/foo", "", "foo1", "bar"}, + {"https://example.net/foo", "^credentials not found$", "", ""}, + {"https://foo:bar@example.net/foo", "", "foo", "bar"}, + }, +}, { + summary: "Bad file: Ends login", + credsFiles: map[string]string{ + "50test-logins.conf": ` +machine example.org login foo1 password bar +machine example.net login +`, + }, + matchTests: []matchTest{ + {"https://example.org/foo", "", "foo1", "bar"}, + {"https://example.net/foo", "^credentials not found$", "", ""}, + {"https://foo:bar@example.net/foo", "", "foo", "bar"}, + }, +}, { + summary: "Matches only HTTPS", + credsFiles: map[string]string{ + "50test-logins.conf": ` +machine https.example login foo1 password bar +machine http://http.example login foo1 password bar +`, + }, + matchTests: []matchTest{ + {"https://https.example/foo", "", "foo1", "bar"}, + {"http://https.example/foo", "^credentials not found$", "", ""}, + {"http://http.example/foo", "", "foo1", "bar"}, + {"https://http.example/foo", "^credentials not found$", "", ""}, + }, +}, { + summary: "Password is machine", + credsFiles: map[string]string{ + "50test-logins.conf": ` +machine http://site1.com login u1 password machine +machine http://site2.com login u2 password p2 +`, + }, + matchTests: []matchTest{ + {"http://site1.com/foo", "", "u1", "machine"}, + {"http://site2.com/bar", "^credentials not found$", "", ""}, + }, +}, { + summary: "Multiple login and password tokens", + credsFiles: map[string]string{ + "50test-logins.conf": ` +machine http://site1.com login a login b password c login d password e +machine http://site2.com login f password g +`, + }, + matchTests: []matchTest{ + {"http://site1.com/foo", "", "d", "e"}, + {"http://site2.com/bar", "", "f", "g"}, + }, +}, { + summary: "Empty auth dir", + credsFiles: map[string]string{}, + matchTests: []matchTest{ + {"https://example.com/foo", "^credentials not found$", "", ""}, + {"http://zombo.com", "^credentials not found$", "", ""}, + }, +}, { + summary: "Invalid input URL", + credsFiles: map[string]string{ + "logins": ` +machine login foo password bar login baz +`, + }, + matchTests: []matchTest{ + {":http:foo", "cannot parse archive URL: parse \":http:foo\": missing protocol scheme", "", ""}, + {"", "^credentials not found$", "", ""}, // this is fine URL apparently, but won't ever match + {"https://login", "", "baz", "bar"}, + }, +}, { + summary: "First entry wins", + credsFiles: map[string]string{ + "logins": ` +machine http://example.com/foo login a password b +machine http://example.com/foo login c password d + +machine example.com/bar login e password f +machine http://example.com/bar login g password h + +machine http://example.com/baz login i password j +machine http://example.com/baz/qux login k password l +`, + }, + matchTests: []matchTest{ + {"http://example.com/foo", "", "a", "b"}, + {"http://example.com/bar", "", "g", "h"}, + {"http://example.com/baz/qux", "", "i", "j"}, + }, +}, { + summary: "First file wins", + credsFiles: map[string]string{ + "10first": ` +machine http://example.com/foo login a password b +machine example.com/bar login e password f +machine http://example.com/baz login i password j +`, + "50second": ` +machine http://example.com/foo login b password c +machine http://example.com/bar login g password h +machine http://example.com/baz/qux login k password l +`, + }, + matchTests: []matchTest{ + {"http://example.com/foo", "", "a", "b"}, + {"http://example.com/bar", "", "g", "h"}, + {"http://example.com/baz/qux", "", "i", "j"}, + }, +}, { + summary: "EOF while epxecting username", + credsFiles: map[string]string{ + "nouser": ` +machine http://example.com/foo login +`, + }, + matchTests: []matchTest{ + {"http://example.com/foo", "^credentials not found$", "", ""}, + }, +}, { + summary: "EOF while epxecting password", + credsFiles: map[string]string{ + "nopw": ` +machine http://example.com/foo login a password +`, + }, + matchTests: []matchTest{ + {"http://example.com/foo", "^credentials not found$", "a", ""}, + }, +}} + +func (s *S) TestFindCredentialsInDir(c *C) { + for _, t := range credentialsTests { + s.runFindCredentialsInDirTest(c, &t) + } +} + +func (s *S) runFindCredentialsInDirTest(c *C, t *credentialsTest) { + credsDir := c.MkDir() + + for filename, data := range t.credsFiles { + fpath := filepath.Join(credsDir, filename) + err := os.MkdirAll(filepath.Dir(fpath), 0755) + c.Assert(err, IsNil) + err = ioutil.WriteFile(fpath, []byte(data), 0644) + c.Assert(err, IsNil) + } + + for _, matchTest := range t.matchTests { + c.Logf("Summary: %s for URL %s", t.summary, matchTest.url) + creds, err := archive.FindCredentialsInDir(matchTest.url, credsDir) + if matchTest.err != "" { + c.Assert(err, ErrorMatches, matchTest.err) + } else { + c.Assert(err, IsNil) + c.Assert(creds, NotNil) + c.Assert(creds.Username, Equals, matchTest.username) + c.Assert(creds.Password, Equals, matchTest.password) + } + } +} + +func (s *S) TestFindCredentialsInDirMissingDir(c *C) { + var creds *archive.Credentials + var err error + + workDir := c.MkDir() + credsDir := filepath.Join(workDir, "auth.conf.d") + + creds, err = archive.FindCredentialsInDir("https://example.com/foo/bar", credsDir) + c.Assert(err, ErrorMatches, "^credentials not found$") + c.Assert(creds, IsNil) + + err = os.Mkdir(credsDir, 0755) + c.Assert(err, IsNil) + + creds, err = archive.FindCredentialsInDir("https://example.com/foo/bar", credsDir) + c.Assert(err, ErrorMatches, "^credentials not found$") + c.Assert(creds, IsNil) + + confFile := filepath.Join(credsDir, "example") + err = os.WriteFile(confFile, []byte("machine example.com login admin password swordfish"), 0600) + c.Assert(err, IsNil) + + creds, err = archive.FindCredentialsInDir("https://example.com/foo/bar", credsDir) + c.Assert(err, IsNil) + c.Assert(creds, NotNil) + c.Assert(creds.Username, Equals, "admin") + c.Assert(creds.Password, Equals, "swordfish") +} + +func fakeEnv(name, value string) (restore func()) { + origValue, origSet := os.LookupEnv(name) + os.Setenv(name, value) + return func() { + if origSet { + os.Setenv(name, origValue) + } else { + os.Unsetenv(name) + } + } +} + +func (s *S) TestFindCredentials(c *C) { + var creds *archive.Credentials + var err error + + workDir := c.MkDir() + credsDir := filepath.Join(workDir, "auth.conf.d") + + restore := fakeEnv("CHISEL_AUTH_DIR", credsDir) + defer restore() + + creds, err = archive.FindCredentials("http://example.com/my/site") + c.Assert(err, ErrorMatches, "^credentials not found$") + c.Assert(creds, IsNil) + + err = os.Mkdir(credsDir, 0755) + c.Assert(err, IsNil) + + creds, err = archive.FindCredentials("http://example.com/my/site") + c.Assert(err, ErrorMatches, "^credentials not found$") + c.Assert(creds, IsNil) + + confFile := filepath.Join(credsDir, "mysite") + err = os.WriteFile(confFile, []byte("machine http://example.com/my login johndoe password 12345"), 0600) + c.Assert(err, IsNil) + + creds, err = archive.FindCredentials("http://example.com/my/site") + c.Assert(err, IsNil) + c.Assert(creds, NotNil) + c.Assert(creds.Username, Equals, "johndoe") + c.Assert(creds.Password, Equals, "12345") +} diff --git a/internal/archive/export_test.go b/internal/archive/export_test.go index c2bffea3..fe7c62fb 100644 --- a/internal/archive/export_test.go +++ b/internal/archive/export_test.go @@ -14,3 +14,7 @@ func FakeDo(do func(req *http.Request) (*http.Response, error)) (restore func()) bulkDo = _bulkDo } } + +type Credentials = credentials +var FindCredentials = findCredentials +var FindCredentialsInDir = findCredentialsInDir