Add basic authentication (prometheus#1683)

* Add basic authentication

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>

Author: Julien Pivotto

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 * [CHANGE]
 * [FEATURE]
+* [FEATURE] Add basic authentication #1673
 * [ENHANCEMENT] Add model_name and stepping to node_cpu_info metric #1617
 * [ENHANCEMENT] Add metrics for IO errors and retires on Darwin. #1636
 * [BUGFIX] collector/systemd: use regexp to extract systemd version #1647

go.mod

@@ -23,6 +23,7 @@ require (
 	github.com/soundcloud/go-runit v0.0.0-20150630195641-06ad41a06c4a
 	go.uber.org/atomic v1.5.1 // indirect
 	go.uber.org/multierr v1.4.0 // indirect
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	golang.org/x/lint v0.0.0-20200130185559-910be7a94367 // indirect
 	golang.org/x/sys v0.0.0-20200217220822-9197077df867
 	golang.org/x/tools v0.0.0-20200216192241-b320d3a0f5a2 // indirect

go.sum

@@ -208,6 +208,7 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223 h1:F9x/1yl3T2AeKLr2AMdilSD8+f9bvMnNN8VS5iDtovc=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
@@ -338,6 +339,7 @@ golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

https/README.md

@@ -25,4 +25,27 @@ tls_config:
 
   # CA certificate for client certificate authentication to the server
   [ client_ca_file: <filename> ]
+
+# List of usernames and hashed passwords that have full access to the web
+# server via basic authentication. If empty, no basic authentication is
+# required. Passwords are hashed with bcrypt.
+basic_auth_users:
+  [ <username>: <password> ... ]
 ```
+
+## About bcrypt
+
+There are several tools out there to generate bcrypt passwords, e.g.
+[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):
+
+`htpasswd -nBC 10 "" | tr -d ':\n`
+
+That command will prompt you for a password and output the hashed password,
+which will look something like:
+`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`
+
+The cost (10 in the example) influences the time it takes for computing the
+hash. A higher cost will en up slowing down the authentication process.
+Depending on the machine, a cost of 10 will take about ~70ms where a cost of
+18 can take up to a few seconds. That hash will be computed on every
+password-protected request.

https/testdata/tls_config_auth_user_list_invalid.bad.yml

@@ -0,0 +1,5 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  john: doe

https/testdata/tls_config_junk_key.yml

@@ -0,0 +1,2 @@
+tls_config :
+  cert_filse: "testdata/server.crt"

https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml

@@ -1,3 +1,4 @@
 tls_config :
   cert_file : ""
-  key_file : ""
+  key_file : ""
+  client_auth_type: "x"

https/testdata/tls_config_users.good.yml

@@ -0,0 +1,8 @@
+tls_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq

https/testdata/tls_config_users_noTLS.good.yml

@@ -0,0 +1,5 @@
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq

https/tls_config.go

@@ -20,12 +20,20 @@ import (
 	"io/ioutil"
 	"net/http"
 
+	"github.com/go-kit/kit/log"
+	"github.com/go-kit/kit/log/level"
 	"github.com/pkg/errors"
+	config_util "github.com/prometheus/common/config"
 	"gopkg.in/yaml.v2"
 )
 
+var (
+	errNoTLSConfig = errors.New("TLS config is not present")
+)
+
 type Config struct {
-	TLSConfig TLSStruct `yaml:"tls_config"`
+	TLSConfig TLSStruct                     `yaml:"tls_config"`
+	Users     map[string]config_util.Secret `yaml:"basic_auth_users"`
 }
 
 type TLSStruct struct {
@@ -35,13 +43,18 @@ type TLSStruct struct {
 	ClientCAs   string `yaml:"client_ca_file"`
 }
 
-func getTLSConfig(configPath string) (*tls.Config, error) {
+func getConfig(configPath string) (*Config, error) {
 	content, err := ioutil.ReadFile(configPath)
 	if err != nil {
 		return nil, err
 	}
 	c := &Config{}
-	err = yaml.Unmarshal(content, c)
+	err = yaml.UnmarshalStrict(content, c)
+	return c, err
+}
+
+func getTLSConfig(configPath string) (*tls.Config, error) {
+	c, err := getConfig(configPath)
 	if err != nil {
 		return nil, err
 	}
@@ -50,14 +63,18 @@ func getTLSConfig(configPath string) (*tls.Config, error) {
 
 // ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.
 func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
-	cfg := &tls.Config{
-		MinVersion: tls.VersionTLS12,
+	if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" {
+		return nil, errNoTLSConfig
 	}
-	if len(c.TLSCertPath) == 0 {
-		return nil, errors.New("missing TLSCertPath")
+
+	if c.TLSCertPath == "" {
+		return nil, errors.New("missing cert_file")
 	}
-	if len(c.TLSKeyPath) == 0 {
-		return nil, errors.New("missing TLSKeyPath")
+	if c.TLSKeyPath == "" {
+		return nil, errors.New("missing key_file")
+	}
+	cfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
 	}
 	loadCert := func() (*tls.Certificate, error) {
 		cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
@@ -74,7 +91,7 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
 		return loadCert()
 	}
 
-	if len(c.ClientCAs) > 0 {
+	if c.ClientCAs != "" {
 		clientCAPool := x509.NewCertPool()
 		clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
 		if err != nil {
@@ -83,40 +100,67 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
 		clientCAPool.AppendCertsFromPEM(clientCAFile)
 		cfg.ClientCAs = clientCAPool
 	}
-	if len(c.ClientAuth) > 0 {
-		switch s := (c.ClientAuth); s {
-		case "NoClientCert":
-			cfg.ClientAuth = tls.NoClientCert
-		case "RequestClientCert":
-			cfg.ClientAuth = tls.RequestClientCert
-		case "RequireClientCert":
-			cfg.ClientAuth = tls.RequireAnyClientCert
-		case "VerifyClientCertIfGiven":
-			cfg.ClientAuth = tls.VerifyClientCertIfGiven
-		case "RequireAndVerifyClientCert":
-			cfg.ClientAuth = tls.RequireAndVerifyClientCert
-		case "":
-			cfg.ClientAuth = tls.NoClientCert
-		default:
-			return nil, errors.New("Invalid ClientAuth: " + s)
-		}
+
+	switch c.ClientAuth {
+	case "RequestClientCert":
+		cfg.ClientAuth = tls.RequestClientCert
+	case "RequireClientCert":
+		cfg.ClientAuth = tls.RequireAnyClientCert
+	case "VerifyClientCertIfGiven":
+		cfg.ClientAuth = tls.VerifyClientCertIfGiven
+	case "RequireAndVerifyClientCert":
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+	case "", "NoClientCert":
+		cfg.ClientAuth = tls.NoClientCert
+	default:
+		return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth)
 	}
-	if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
+
+	if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert {
 		return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
 	}
+
 	return cfg, nil
 }
 
 // Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
-func Listen(server *http.Server, tlsConfigPath string) error {
-	if (tlsConfigPath) == "" {
+func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
+	if tlsConfigPath == "" {
+		level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
 		return server.ListenAndServe()
 	}
-	var err error
-	server.TLSConfig, err = getTLSConfig(tlsConfigPath)
-	if err != nil {
+
+	if err := validateUsers(tlsConfigPath); err != nil {
 		return err
 	}
+
+	// Setup basic authentication.
+	var handler http.Handler = http.DefaultServeMux
+	if server.Handler != nil {
+		handler = server.Handler
+	}
+	server.Handler = &userAuthRoundtrip{
+		tlsConfigPath: tlsConfigPath,
+		logger:        logger,
+		handler:       handler,
+	}
+
+	config, err := getTLSConfig(tlsConfigPath)
+	switch err {
+	case nil:
+		// Valid TLS config.
+		level.Info(logger).Log("msg", "TLS is enabled and it cannot be disabled on the fly.")
+	case errNoTLSConfig:
+		// No TLS config, back to plain HTTP.
+		level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.")
+		return server.ListenAndServe()
+	default:
+		// Invalid TLS config.
+		return err
+	}
+
+	server.TLSConfig = config
+
 	// Set the GetConfigForClient method of the HTTPS server so that the config
 	// and certs are reloaded on new connections.
 	server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {