Merge pull request #85 from TIBCOSoftware/feature-basic-auth-on-gw

Added ability to perform basic auth against the gw

Author: jpark800

ext/flogo/trigger/gorillamuxtrigger/README.md

@@ -60,6 +60,10 @@ settings, outputs and handler:
     {
       "name": "trustStore",
       "type": "string"
+    },
+    {
+      "name": "basicAuthFile",
+      "type": "string"
     }
   ],
   "outputs": [
@@ -128,6 +132,7 @@ settings, outputs and handler:
 | serverKey | Server private key file in PEM format. Need to provide file name along with path. Path can be relative to gateway binary location. |
 | enableClientAuth | true - To enable client AUTH, false - Client AUTH is not enabled |
 | trustStore | Trust dir containing clinet CAs |
+| basicAuthFile | Path to a password file with username/passwords. An environment variable can be used here. |
 
 ### Outputs
 | Key    | Description   |
@@ -293,3 +298,45 @@ Follwing is the sample payload. Try changing the value of name ("CAT" to some ot
     ]
 }
 ```
+
+#### Basic Authentication
+
+To use basic authentication, the necessary descriptors must be in place. For example:
+
+```json
+"configurations": [
+  {
+      "name": "restConfig",
+      "type": "github.com/TIBCOSoftware/mashling/ext/flogo/trigger/gorillamuxtrigger",
+      "description": "Configuration for rest trigger",
+      "settings": {
+        "port": "9096",
+        "basicAuthFile": "${env.BASIC_AUTH_FILE}"
+      }
+  }
+],
+```
+
+This specifies that BASIC_AUTH_FILE is an environment variable whose value will be read into "basicAuthFile" when the gateway starts. This value should be a path to a password file.
+
+Plain username/password file: /home/test/password.txt
+```
+foo:bar
+moo:poo
+```
+
+Alternatively, you can also use a salted password file where the format is: username:salt:sha256(salt + password)
+```
+foo:5VvmQnTXZ10wGZu_Gkjb8umfUPIOQTQ3p1YFadAWTl8=:6267beb3f851b7fee14011f6aa236556f35b186a6791b80b48341e990c367643
+```
+
+Start the gateway:
+```
+BASIC_AUTH_FILE=/home/test/password.txt myApp
+```
+
+**NOTE**: It is important to limit access to the password.txt on your environment. 
+
+
+
+

ext/flogo/trigger/gorillamuxtrigger/auth.go

@@ -0,0 +1,187 @@
+/*
+* Copyright © 2017. TIBCO Software Inc.
+* This file is subject to the license terms contained
+* in the license file that is distributed with this file.
+ */
+package gorillamuxtrigger
+
+import (
+	"bufio"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/csv"
+	"encoding/hex"
+	"io"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+	"sync"
+)
+
+type hashedCred struct {
+	salt     string
+	username string
+	password string
+}
+
+type plainCred struct {
+	username string
+	password string
+}
+
+type Auth interface {
+	authenticate(clientCred string) bool
+}
+
+type basic struct {
+}
+
+const (
+	basicAuthFile = "basicAuthFile"
+)
+
+var mu sync.Mutex
+var credMap map[string]hashedCred
+
+func basicAuth() Auth {
+	return &basic{}
+}
+
+// isAuthEnabled check if authentication is enabled
+func isAuthEnabled(settings map[string]interface{}) bool {
+	// Check if basic auth is in use
+	if _, ok := settings[basicAuthFile]; !ok {
+		return false
+	}
+
+	return true
+}
+
+// setupAuth setups up authentication.
+// This should be called to load the creds into a map once.
+func setupAuth(settings map[string]interface{}) {
+	err := loadCreds(settings[basicAuthFile].(string))
+	if err != nil {
+		log.Error(err)
+		panic("Unable to load creds file")
+	}
+}
+
+// loadCreds loads the file with the credentials.
+// The file may contain lines of the form username:password
+// or username:salt:sha256(salt + password)
+func loadCreds(pathToFile string) error {
+	mu.Lock()
+	if credMap != nil {
+		mu.Unlock()
+		return nil
+	}
+
+	credMap = make(map[string]hashedCred)
+
+	csvFile, err := os.Open(pathToFile)
+	if err != nil {
+		mu.Unlock()
+		return err
+	}
+	defer csvFile.Close()
+
+	reader := csv.NewReader(bufio.NewReader(csvFile))
+	reader.Comma = ':'
+
+	for {
+		line, error := reader.Read()
+		if error == io.EOF {
+			break
+		} else if error != nil {
+			log.Error(error)
+		}
+
+		if len(line) == 3 {
+			// hashed password
+			credMap[line[0]] = hashedCred{
+				salt:     line[1],
+				password: line[2],
+			}
+		} else if len(line) == 2 {
+			// plan text password
+			credMap[line[0]] = hashedCred{
+				password: line[1],
+			}
+		}
+	}
+	mu.Unlock()
+
+	return nil
+}
+
+// Authenticate check if the request is allowed
+func authenticate(r *http.Request, settings map[string]interface{}) bool {
+	// Authenticate using basic auth
+	clientCred := r.Header.Get("Authorization")
+	re, err := regexp.Compile(`(?i)Basic (.*)`)
+	if err != nil {
+		log.Error(err)
+		return false
+	}
+	result := re.FindStringSubmatch(clientCred)
+
+	auth := basicAuth()
+	if len(result) == 2 {
+		// Now verify the client creds
+		return auth.authenticate(result[1])
+	}
+
+	return false
+}
+
+// authenticate performs basic authentication against provided clientCred
+func (a *basic) authenticate(clientCred string) bool {
+	username, passwd := base64decode(clientCred)
+
+	credStruct, ok := credMap[username]
+	if !ok {
+		return false
+	}
+
+	if credStruct.salt == "" {
+		if credStruct.password == passwd {
+			return true
+		}
+	} else {
+		if sha(credStruct.salt+passwd) == credStruct.password {
+			return true
+		}
+	}
+
+	return false
+}
+
+// base64encode base64 encode the username and password
+func base64encode(username string, password string) string {
+	auth := username + ":" + password
+	encoded := base64.StdEncoding.EncodeToString([]byte(auth))
+	return encoded
+}
+
+// base64decode base64 decodes the creds
+// returns the username, password
+func base64decode(creds string) (string, string) {
+	decoded, _ := base64.StdEncoding.DecodeString(creds)
+
+	s := strings.Split(string(decoded), ":")
+	return s[0], s[1]
+}
+
+// sha applies sha256 to the string
+func sha(str string) string {
+	bytes := []byte(str)
+
+	h := sha256.New()
+	h.Write(bytes)
+	code := h.Sum(nil)
+	codestr := hex.EncodeToString(code)
+
+	return codestr
+}

ext/flogo/trigger/gorillamuxtrigger/auth_test.go

@@ -0,0 +1,103 @@
+/*
+* Copyright © 2017. TIBCO Software Inc.
+* This file is subject to the license terms contained
+* in the license file that is distributed with this file.
+ */
+package gorillamuxtrigger
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+const dataPlain string = `
+foo:bar
+moo:mar
+care:bear
+`
+
+const dataHashed string = `
+foo:5VvmQnTXZ10wGZu_Gkjb8umfUPIOQTQ3p1YFadAWTl8=:6267beb3f851b7fee14011f6aa236556f35b186a6791b80b48341e990c367643
+foobar:5VvmQnTXZ10wGZu_Gkjb8umfUPIOQTQ3p1YFadAWTl8=:6267beb3f851b7fee14011f6aa236556f35b186a6791b80b48341e990c367643
+`
+
+func TestBasicAuthVerify(t *testing.T) {
+	credMap = nil
+	b := basicAuth()
+
+	file, err := ioutil.TempFile(os.TempDir(), "prefix")
+	if err != nil {
+		panic(err)
+	}
+	defer os.Remove(file.Name())
+
+	if _, err := file.Write([]byte(dataPlain)); err != nil {
+		panic(err)
+	}
+	if err := file.Close(); err != nil {
+		panic(err)
+	}
+
+	path := file.Name()
+	loadCreds(path)
+
+	if !b.authenticate(base64encode("foo", "bar")) {
+		t.Error("Should authenticate the user.")
+	}
+
+	if b.authenticate(base64encode("foo", "badpass")) {
+		t.Error("Should not authenticate the user.")
+	}
+
+	if !b.authenticate(base64encode("care", "bear")) {
+		t.Error("Should authenticate the user.")
+	}
+
+	if b.authenticate(base64encode("foo2", "bar")) {
+		t.Error("User doesn't exist.")
+	}
+
+}
+
+func TestBasicAuthHashVerify(t *testing.T) {
+	credMap = nil
+	b := basicAuth()
+
+	file, err := ioutil.TempFile(os.TempDir(), "prefix")
+	if err != nil {
+		panic(err)
+	}
+	defer os.Remove(file.Name())
+
+	if _, err := file.Write([]byte(dataHashed)); err != nil {
+		panic(err)
+	}
+	if err := file.Close(); err != nil {
+		panic(err)
+	}
+
+	path := file.Name()
+	loadCreds(path)
+
+	if !b.authenticate(base64encode("foo", "bar")) {
+		t.Error("Should authenticate the user.")
+	}
+
+	if !b.authenticate(base64encode("foobar", "bar")) {
+		t.Error("Should authenticate the user.")
+	}
+
+	if !b.authenticate(base64encode("foo", "bar")) {
+		t.Error("Should authenticate the user.")
+	}
+
+	if b.authenticate(base64encode("foo", "badpass")) {
+		t.Error("Should not authenticate the user.")
+	}
+
+	if b.authenticate(base64encode("foo2", "bar")) {
+		t.Error("User doesn't exist")
+	}
+
+}

ext/flogo/trigger/gorillamuxtrigger/trigger.go

@@ -140,6 +140,10 @@ func (t *RestTrigger) Init(runner action.Runner) {
 
 	t.configureTracer()
 
+	if isAuthEnabled(t.config.Settings) {
+		setupAuth(t.config.Settings)
+	}
+
 	//Check whether TLS (Transport Layer Security) is enabled for the trigger
 	enableTLS := false
 	serverCert := ""
@@ -511,7 +515,22 @@ func newActionHandler(rt *RestTrigger, handler *OptimizedHandler, method, url st
 		log.Debugf("Found action' %+x'", action)
 
 		context := trigger.NewContextWithData(context.Background(), &trigger.ContextData{Attrs: startAttrs, HandlerCfg: handlerCfg})
-		replyCode, replyData, err := rt.runner.Run(context, action, actionId, nil)
+
+		var replyCode int
+		var replyData interface{}
+
+		allowed := true
+		if isAuthEnabled(rt.config.Settings) {
+			log.Debugf("Authenticating the request.")
+			if !authenticate(r, rt.config.Settings) {
+				replyCode = http.StatusForbidden
+				allowed = false
+			}
+		}
+
+		if allowed {
+			replyCode, replyData, err = rt.runner.Run(context, action, actionId, nil)
+		}
 
 		if err != nil {
 			serverSpan.SetTag("error", err.Error())