Add path exclusion support to BasicAuth authentication

Signed-off-by: Kacper Rzetelski <[email protected]>

Author: rzetelskik

docs/web-configuration.md

@@ -125,6 +125,10 @@ http_server_config:
 # required. Passwords are hashed with bcrypt.
 basic_auth_users:
   [ <string>: <secret> ... ]
+  
+# A list of HTTP paths to be excepted from authentication.
+auth_excluded_paths:
+[ - <string> ]
 ```
 
 [A sample configuration file](web-config.yml) is provided.

web/authentication/authenticator.go

@@ -0,0 +1,58 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authentication
+
+import (
+	"log/slog"
+	"net/http"
+)
+
+// HTTPChallenge contains information which can used by an HTTP server to challenge a client request using a challenge-response authentication framework.
+// https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
+type HTTPChallenge struct {
+	Scheme string
+}
+
+type Authenticator interface {
+	Authenticate(*http.Request) (bool, string, *HTTPChallenge, error)
+}
+
+type AuthenticatorFunc func(r *http.Request) (bool, string, *HTTPChallenge, error)
+
+func (f AuthenticatorFunc) Authenticate(r *http.Request) (bool, string, *HTTPChallenge, error) {
+	return f(r)
+}
+
+func WithAuthentication(handler http.Handler, authenticator Authenticator, logger *slog.Logger) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ok, denyReason, httpChallenge, err := authenticator.Authenticate(r)
+		if err != nil {
+			logger.Error("Unable to authenticate", "URI", r.RequestURI, "err", err.Error())
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+
+		if ok {
+			handler.ServeHTTP(w, r)
+			return
+		}
+
+		if httpChallenge != nil {
+			w.Header().Set("WWW-Authenticate", httpChallenge.Scheme)
+		}
+
+		logger.Warn("Unauthenticated request", "URI", r.RequestURI, "denyReason", denyReason)
+		http.Error(w, denyReason, http.StatusUnauthorized)
+	})
+}

web/authentication/authenticator_test.go

@@ -0,0 +1,116 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authentication
+
+import (
+	"errors"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"reflect"
+	"testing"
+
+	"github.com/prometheus/exporter-toolkit/web/authentication/testhelpers"
+)
+
+func TestWithAuthentication(t *testing.T) {
+	t.Parallel()
+
+	logger := testhelpers.NewNoOpLogger()
+
+	tt := []struct {
+		Name                          string
+		Authenticator                 Authenticator
+		ExpectedStatusCode            int
+		ExpectedBody                  string
+		ExpectedWWWAuthenticateHeader string
+	}{
+		{
+			Name: "Accepting authenticator",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, *HTTPChallenge, error) {
+				return true, "", nil, nil
+			}),
+			ExpectedStatusCode:            http.StatusOK,
+			ExpectedBody:                  "",
+			ExpectedWWWAuthenticateHeader: "",
+		},
+		{
+			Name: "Denying authenticator without http challenge",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, *HTTPChallenge, error) {
+				return false, "deny reason", nil, nil
+			}),
+			ExpectedStatusCode:            http.StatusUnauthorized,
+			ExpectedBody:                  "deny reason\n",
+			ExpectedWWWAuthenticateHeader: "",
+		},
+		{
+			Name: "Denying authenticator with http challenge",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, *HTTPChallenge, error) {
+				httpChallenge := &HTTPChallenge{
+					Scheme: "test",
+				}
+				return false, "deny reason", httpChallenge, nil
+			}),
+			ExpectedStatusCode:            http.StatusUnauthorized,
+			ExpectedBody:                  "deny reason\n",
+			ExpectedWWWAuthenticateHeader: "test",
+		},
+		{
+			Name: "Erroring authenticator",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, *HTTPChallenge, error) {
+				return false, "", nil, errors.New("error authenticating")
+			}),
+			ExpectedStatusCode:            http.StatusInternalServerError,
+			ExpectedBody:                  "Internal Server Error\n",
+			ExpectedWWWAuthenticateHeader: "",
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			req := testhelpers.MakeDefaultRequest(t)
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			rr := httptest.NewRecorder()
+			authHandler := WithAuthentication(handler, tc.Authenticator, logger)
+			authHandler.ServeHTTP(rr, req)
+			gotResult := rr.Result()
+
+			gotBodyBytes, err := io.ReadAll(gotResult.Body)
+			if err != nil {
+				t.Fatalf("unexpected error reading response body: %v", err)
+			}
+			gotBody := string(gotBodyBytes)
+
+			gotWWWAuthenticateHeader := gotResult.Header.Get("WWW-Authenticate")
+
+			if tc.ExpectedStatusCode != gotResult.StatusCode {
+				t.Errorf("Expected status code %q, got %q", tc.ExpectedStatusCode, gotResult.StatusCode)
+			}
+
+			if tc.ExpectedBody != gotBody {
+				t.Errorf("Expected body %q, got %q", tc.ExpectedBody, gotBody)
+			}
+
+			if !reflect.DeepEqual(tc.ExpectedWWWAuthenticateHeader, gotWWWAuthenticateHeader) {
+				t.Errorf("Expected 'WWW-Authenticate' header %v, got %v", tc.ExpectedWWWAuthenticateHeader, gotWWWAuthenticateHeader)
+			}
+		})
+	}
+}

web/authentication/basicauth/basicauth.go

@@ -0,0 +1,91 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"encoding/hex"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/prometheus/common/config"
+	"github.com/prometheus/exporter-toolkit/web/authentication"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const denyReasonUnauthorized = "Unauthorized"
+
+// BasicAuthAuthenticator authenticates requests using basic auth.
+type BasicAuthAuthenticator struct {
+	users map[string]config.Secret
+
+	cache *cache
+	// bcryptMtx is there to ensure that bcrypt.CompareHashAndPassword is run
+	// only once in parallel as this is CPU intensive.
+	bcryptMtx sync.Mutex
+}
+
+func (b *BasicAuthAuthenticator) Authenticate(r *http.Request) (bool, string, *authentication.HTTPChallenge, error) {
+	httpChallenge := &authentication.HTTPChallenge{
+		Scheme: "Basic",
+	}
+
+	user, pass, auth := r.BasicAuth()
+
+	if !auth {
+		return false, denyReasonUnauthorized, httpChallenge, nil
+	}
+
+	hashedPassword, validUser := b.users[user]
+
+	if !validUser {
+		// The user is not found. Use a fixed password hash to
+		// prevent user enumeration by timing requests.
+		// This is a bcrypt-hashed version of "fakepassword".
+		hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
+	}
+
+	cacheKey := strings.Join(
+		[]string{
+			hex.EncodeToString([]byte(user)),
+			hex.EncodeToString([]byte(hashedPassword)),
+			hex.EncodeToString([]byte(pass)),
+		}, ":")
+	authOk, ok := b.cache.get(cacheKey)
+
+	if !ok {
+		// This user, hashedPassword, password is not cached.
+		b.bcryptMtx.Lock()
+		err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
+		b.bcryptMtx.Unlock()
+
+		authOk = validUser && err == nil
+		b.cache.set(cacheKey, authOk)
+	}
+
+	if authOk && validUser {
+		return true, "", nil, nil
+	}
+
+	return false, denyReasonUnauthorized, httpChallenge, nil
+}
+
+func NewBasicAuthAuthenticator(users map[string]config.Secret) authentication.Authenticator {
+	return &BasicAuthAuthenticator{
+		cache: newCache(),
+		users: users,
+	}
+}
+
+var _ authentication.Authenticator = &BasicAuthAuthenticator{}