Log authentication attempts

Ampflower · Ampflower · commit bacba0f6eafe · 2023-09-18T22:24:11.000-05:00
Mainly so it's possible to block IPs outright for abuse reasons
diff --git a/src/main/java/gay/ampflower/maven/Maven.java b/src/main/java/gay/ampflower/maven/Maven.java
@@ -108,75 +108,107 @@ public static void main(String[] args) throws Exception {
 	@Override
 	public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
+		var host = request.getHeader("Host");
+		var maven = config.location(host);
+		var user = Passwd.user(request.getHeader("Authorization"));
+
+		logger.info("request: {} {}@{}{} from {}:{} ({}), real: {}, cf: {} / {}, agent: {}", request.getMethod(), user,
+				host, target, request.getRemoteAddr(), request.getRemotePort(), request.getRemoteHost(),
+				Utils.toString(request.getHeaders("X-Fowarded-For")), request.getHeader("CF-Connecting-IP"),
+				request.getHeader("True-Client-IP"), request.getHeader("User-Agent"));
+
+		// CF-Connecting-IP and X-Forwarded-For :blobfox_3c:
+		if (!checkPreconditions(user, baseRequest, request, response)) {
+			logger.info("invalid: {} {}@{}{} from {}:{} ({})", request.getMethod(), user, host, target,
+					request.getRemoteAddr(), request.getRemotePort(), request.getRemoteHost());
+			user.close();
+			return;
+		}
+
+		logger.info("authenticated: {} {}@{}{} from {}:{} ({})", request.getMethod(), user, host, target,
+				request.getRemoteAddr(), request.getRemotePort(), request.getRemoteHost());
+
+		var path = maven.resolve('.' + target);
+		if (Files.exists(path) && !target.contains("SNAPSHOT")
+				&& !target.regionMatches(target.lastIndexOf('/') + 1, "maven-metadata", 0, 14)) {
+			response.setStatus(HttpServletResponse.SC_CONFLICT);
+			response.getWriter().println("File cannot be replaced or deleted once uploaded.");
+
+			logger.info("attempted replacing: {} {}@{}{}", request.getMethod(), user, host, target);
+			return;
+		}
+		var parent = path.getParent();
+		if (Files.exists(parent) && !Files.isDirectory(parent)) {
+			response.setStatus(HttpServletResponse.SC_CONFLICT);
+			response.getWriter().println("Package is a file.");
+
+			logger.info("package is a file: {} {}@{}{}", request.getMethod(), user, host, target);
+			return;
+		}
+
+		Files.createDirectories(parent);
+		try (var srvIn = request.getInputStream()) {
+			Files.copy(srvIn, path, StandardCopyOption.REPLACE_EXISTING);
+		}
+
+		logger.info("successful upload: {} {}@{}{}", request.getMethod(), user, host, target);
+		response.setStatus(HttpServletResponse.SC_CREATED);
+	}
+
+	private boolean checkPreconditions(Passwd.User user, Request baseRequest, HttpServletRequest request,
+									   HttpServletResponse response) throws IOException {
 		boolean taint = "http".equals(request.getHeader("X-Forwarded-Proto"));
 		// No point in executing on any other.
 		baseRequest.setHandled(true);
 		if (!"PUT".equalsIgnoreCase(request.getMethod())) {
 			response.setStatus(HttpServletResponse.SC_NOT_IMPLEMENTED);
-			return;
+			return false;
 		}
 		int contentLength = request.getContentLength();
 		// Ignore any upload that is too small or is too large (24M)
 		if (contentLength < 0) {
 			response.setStatus(HttpServletResponse.SC_LENGTH_REQUIRED);
-			return;
+			return false;
 		}
 		if (contentLength > 1024 * 1024 * 24) {
 			response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
-			return;
+			return false;
 		}
 
 		var host = request.getHeader("Host");
 		var maven = config.location(host);
 		// Check to see if the host is valid.
 		if (maven == null) {
 			response.setStatus(HttpServletResponse.SC_NOT_FOUND);
-			return;
+			return false;
 		}
 		// Check to see if the IP was banned from uploading.
 		// if(checkObject(baseRequest.getRemoteInetSocketAddress().getAddress())) {
 		// response.setStatus(HttpServletResponse.SC_FORBIDDEN);
 		// return;
 		// }
-		var authorization = request.getHeader("Authorization");
-		if (authorization == null || !authorization.startsWith("Basic ") || checkObject(authorization)) {
+		if (checkObject(request.getHeader("Authorization"))) {
 			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 			response.getWriter().println("Unacceptable Authorization Method");
-			return;
+			return false;
 		}
 
 		try {
-			if (!Passwd.authorized(config, host, authorization, nonce, taint)) {
+			if (!Passwd.authorized(config, host, user, nonce, taint)) {
 				response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 				response.getWriter().println("Invalid credentials.");
-				return;
+				return false;
 			}
 		} catch (InterruptedException e) {
 			throw new RuntimeException(e);
 		}
 		if (taint) {
 			response.setStatus(HttpServletResponse.SC_FORBIDDEN);
 			response.getWriter().println("Use HTTPS next time. Password invalidated, contact sysadmin.");
-			return;
+			return false;
 		}
-		var path = maven.resolve('.' + target);
-		if (Files.exists(path) && !target.contains("SNAPSHOT")
-				&& !target.regionMatches(target.lastIndexOf('/') + 1, "maven-metadata", 0, 14)) {
-			response.setStatus(HttpServletResponse.SC_CONFLICT);
-			response.getWriter().println("File cannot be replaced or deleted once uploaded.");
-			return;
-		}
-		var parent = path.getParent();
-		if (Files.exists(parent) && !Files.isDirectory(parent)) {
-			response.setStatus(HttpServletResponse.SC_CONFLICT);
-			response.getWriter().println("Package is a file.");
-			return;
-		}
-		Files.createDirectories(parent);
-		try (var srvIn = request.getInputStream()) {
-			Files.copy(srvIn, path, StandardCopyOption.REPLACE_EXISTING);
-		}
-		response.setStatus(HttpServletResponse.SC_CREATED);
+
+		return true;
 	}
 
 	/**
diff --git a/src/main/java/gay/ampflower/maven/Passwd.java b/src/main/java/gay/ampflower/maven/Passwd.java
@@ -33,8 +33,11 @@ public final class Passwd {
 		Utils.scheduler.scheduleWithFixedDelay(map::clear, 30, 30, TimeUnit.SECONDS);
 	}
 
-	public static boolean authorized(Config config, String host, String authorization, byte[] nonce, boolean taint)
-			throws InterruptedException {
+	public static User user(String authorization) {
+		if (authorization == null || !authorization.startsWith("Basic ")) {
+			return null;
+		}
+
 		// A MIME decoder can decode regular and URL base64.
 		var rawAuthorization = Utils.DECODER.decode(authorization.substring(6));
 		int i = 0;
@@ -44,7 +47,14 @@ public static boolean authorized(Config config, String host, String authorizatio
 		}
 		var username = new String(rawAuthorization, 0, i);
 		byte[] password = Arrays.copyOfRange(rawAuthorization, i + 1, rawAuthorization.length);
+		Arrays.clear(rawAuthorization);
+		return new User(username, password);
+	}
 
+	public static boolean authorized(Config config, String host, User user, byte[] nonce, boolean taint)
+			throws InterruptedException {
+		var username = user.username();
+		var password = user.password();
 		boolean flag;
 
 		var hash = config.authHashKey(host, username, password, nonce);
@@ -56,7 +66,6 @@ public static boolean authorized(Config config, String host, String authorizatio
 			flag = either.b.complete(config.authorized(host, username, password), taint);
 		}
 
-		Arrays.clear(rawAuthorization);
 		Arrays.clear(password);
 
 		if (flag && taint) {
@@ -78,6 +87,18 @@ public static boolean verify(String input, byte[] password, byte[] secret) {
 		}
 	}
 
+	public record User(String username, byte[] password) implements AutoCloseable {
+		// #close() is only used to have the IDE nag if you don't "close" the record.
+		public void close() {
+			Arrays.clear(password);
+		}
+
+		@Override
+		public String toString() {
+			return username + ":???";
+		}
+	}
+
 	private static Either<Carrier, Carrier> tryLease(Sha256Hash key) {
 		final var current = map.get(key);
 		if (current != null) {
diff --git a/src/main/java/gay/ampflower/maven/Utils.java b/src/main/java/gay/ampflower/maven/Utils.java
@@ -27,10 +27,7 @@
 import java.nio.file.attribute.PosixFilePermissions;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.util.Base64;
-import java.util.HashMap;
-import java.util.Objects;
-import java.util.Set;
+import java.util.*;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
@@ -101,6 +98,15 @@ public static boolean contains(final Object[] array, Object obj) {
 		return false;
 	}
 
+	public static String toString(Enumeration<?> enumeration) {
+		var builder = new StringBuilder();
+		while (enumeration.hasMoreElements()) {
+			builder.append(enumeration.nextElement()).append(", ");
+		}
+
+		return builder.toString();
+	}
+
 	/**
 	 * Determines secure permissions for a new secret file.
 	 *
