Kea 3.1.1
basic_auth_config.cc
Go to the documentation of this file.
1// Copyright (C) 2020-2025 Internet Systems Consortium, Inc. ("ISC")
2//
3// This Source Code Form is subject to the terms of the Mozilla Public
4// License, v. 2.0. If a copy of the MPL was not distributed with this
5// file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
7#include <config.h>
8
9#include <cc/default_credentials.h>
10#include <http/auth_log.h>
11#include <http/basic_auth_config.h>
12#include <util/filesystem.h>
13#include <util/str.h>
14
15using namespace isc;
16using namespace isc::data;
17using namespace isc::dhcp;
18using namespace isc::util;
19using namespace std;
20
21namespace isc {
22namespace http {
23
24BasicHttpAuthClient::BasicHttpAuthClient(const std::string& user,
25 const std::string& password,
26 const isc::data::ConstElementPtr& user_context)
27 : user_(user), user_file_(""), password_(password),
28 password_file_(""), password_file_only_(false) {
29 if (user_context) {
30 setContext(user_context);
31 }
32}
33
34BasicHttpAuthClient::BasicHttpAuthClient(const std::string& user,
35 const std::string& user_file,
36 const std::string& password,
37 const std::string& password_file,
38 bool password_file_only,
39 const isc::data::ConstElementPtr& user_context)
40 : user_(user), user_file_(user_file), password_(password),
41 password_file_(password_file), password_file_only_(password_file_only) {
42 if (user_context) {
43 setContext(user_context);
44 }
45}
46
47ElementPtr
48BasicHttpAuthClient::toElement() const {
49 ElementPtr result = Element::createMap();
50
51 // Set user-context
52 contextToElement(result);
53
54 // Set password file or password.
55 if (!password_file_.empty()) {
56 result->set("password-file", Element::create(password_file_));
57 } else {
58 result->set("password", Element::create(password_));
59 }
60
61 // Set user-file or user.
62 if (!password_file_only_) {
63 if (!user_file_.empty()) {
64 result->set("user-file", Element::create(user_file_));
65 } else {
66 result->set("user", Element::create(user_));
67 }
68 }
69
70 return (result);
71}
72
73void
74BasicHttpAuthConfig::add(const std::string& user,
75 const std::string& user_file,
76 const std::string& password,
77 const std::string& password_file,
78 bool password_file_only,
79 const ConstElementPtr& user_context) {
80 BasicHttpAuth basic_auth(user, password);
81 list_.push_back(BasicHttpAuthClient(user, user_file, password,
82 password_file, password_file_only,
83 user_context));
84 map_[basic_auth.getCredential()] = user;
85}
86
87void
88BasicHttpAuthConfig::clear() {
89 list_.clear();
90 map_.clear();
91}
92
93bool
94BasicHttpAuthConfig::empty() const {
95 return (map_.empty());
96}
97
98string
99BasicHttpAuthConfig::getFileContent(const std::string& file_name) const {
100 // Build path.
101 string path = getDirectory();
102 // Add a trailing '/' if the last character is not already a '/'.
103 if (path.empty() || (path[path.size() - 1] != '/')) {
104 path += "/";
105 }
106 // Don't add a second '/'.
107 if (file_name.empty() || (file_name[0] != '/')) {
108 path += file_name;
109 } else {
110 path += file_name.substr(1);
111 }
112
113 try {
114 return (file::getContent(path));
115 } catch (const isc::BadValue& ex) {
116 isc_throw(DhcpConfigError, ex.what());
117 }
118}
119
120ElementPtr
121BasicHttpAuthConfig::toElement() const {
122 ElementPtr result = Element::createMap();
123
124 // Set user-context
125 contextToElement(result);
126
127 // Set type
128 result->set("type", Element::create(string("basic")));
129
130 // Set realm
131 result->set("realm", Element::create(getRealm()));
132
133 // Set directory.
134 result->set("directory", Element::create(getDirectory()));
135
136 // Set clients
137 ElementPtr clients = Element::createList();
138 for (auto const& client : list_) {
139 clients->add(client.toElement());
140 }
141 result->set("clients", clients);
142
143 return (result);
144}
145
146void
147BasicHttpAuthConfig::parse(const ConstElementPtr& config) {
148 if (!config) {
149 return;
150 }
151 if (config->getType() != Element::map) {
152 isc_throw(DhcpConfigError, "authentication must be a map ("
153 << config->getPosition() << ")");
154 }
155
156 // Get and verify the type.
157 ConstElementPtr type = config->get("type");
158 if (!type) {
159 isc_throw(DhcpConfigError, "type is required in authentication ("
160 << config->getPosition() << ")");
161 }
162 if (type->getType() != Element::string) {
163 isc_throw(DhcpConfigError, "type must be a string ("
164 << type->getPosition() << ")");
165 }
166 if (type->stringValue() != "basic") {
167 isc_throw(DhcpConfigError, "only basic HTTP authentication is "
168 << "supported: type is '" << type->stringValue()
169 << "' not 'basic' (" << type->getPosition() << ")");
170 }
171
172 // Get the realm.
173 ConstElementPtr realm = config->get("realm");
174 if (realm) {
175 if (realm->getType() != Element::string) {
176 isc_throw(DhcpConfigError, "realm must be a string ("
177 << realm->getPosition() << ")");
178 }
179 setRealm(realm->stringValue());
180 }
181
182 // Get the directory.
183 ConstElementPtr directory = config->get("directory");
184 if (directory) {
185 if (directory->getType() != Element::string) {
186 isc_throw(DhcpConfigError, "directory must be a string ("
187 << directory->getPosition() << ")");
188 }
189 setDirectory(directory->stringValue());
190 }
191
192 // Get user context.
193 ConstElementPtr user_context_cfg = config->get("user-context");
194 if (user_context_cfg) {
195 if (user_context_cfg->getType() != Element::map) {
196 isc_throw(DhcpConfigError, "user-context must be a map ("
197 << user_context_cfg->getPosition() << ")");
198 }
199 setContext(user_context_cfg);
200 }
201
202 // Get clients.
203 ConstElementPtr clients = config->get("clients");
204 if (!clients) {
205 return;
206 }
207 if (clients->getType() != Element::list) {
208 isc_throw(DhcpConfigError, "clients must be a list ("
209 << clients->getPosition() << ")");
210 }
211
212 // Iterate on clients.
213 for (auto const& client : clients->listValue()) {
214 if (client->getType() != Element::map) {
215 isc_throw(DhcpConfigError, "clients items must be maps ("
216 << client->getPosition() << ")");
217 }
218
219 // password.
220 string password;
221 ConstElementPtr password_cfg = client->get("password");
222 if (password_cfg) {
223 if (password_cfg->getType() != Element::string) {
224 isc_throw(DhcpConfigError, "password must be a string ("
225 << password_cfg->getPosition() << ")");
226 }
227 password = password_cfg->stringValue();
228 try {
229 DefaultCredentials::check(password);
230 } catch (const DefaultCredential&) {
231 isc_throw(DhcpConfigError,
232 "password must not be a default one ("
233 << password_cfg->getPosition() << ")");
234 }
235
236 if (file::PathChecker::shouldEnforceSecurity()) {
237 isc_throw(DhcpConfigError, "use of clear text 'password' is NOT SECURE ("
238 << password_cfg->getPosition() << ")");
239 } else {
240 LOG_INFO(auth_logger, HTTP_CLIENT_PASSWORD_SECURITY_WARNING)
241 .arg(password_cfg->getPosition().str());
242 }
243 }
244
245 // password file.
246 string password_file;
247 ConstElementPtr password_file_cfg = client->get("password-file");
248 if (password_file_cfg) {
249 if (password_cfg) {
250 isc_throw(DhcpConfigError, "password ("
251 << password_cfg->getPosition()
252 << ") and password-file ("
253 << password_file_cfg->getPosition()
254 << ") are mutually exclusive");
255 }
256 if (password_file_cfg->getType() != Element::string) {
257 isc_throw(DhcpConfigError, "password-file must be a string ("
258 << password_file_cfg->getPosition() << ")");
259 }
260 password_file = password_file_cfg->stringValue();
261 }
262
263 ConstElementPtr user_cfg = client->get("user");
264 ConstElementPtr user_file_cfg = client->get("user-file");
265 bool password_file_only = false;
266 if (!user_cfg && !user_file_cfg) {
267 if (password_file_cfg) {
268 password_file_only = true;
269 } else {
270 isc_throw(DhcpConfigError, "user is required in clients "
271 << "items (" << client->getPosition() << ")");
272 }
273 }
274
275 // user.
276 string user;
277 if (user_cfg) {
278 if (user_file_cfg) {
279 isc_throw(DhcpConfigError, "user (" << user_cfg->getPosition()
280 << ") and user-file ("
281 << user_file_cfg->getPosition()
282 << ") are mutually exclusive");
283 }
284 if (user_cfg->getType() != Element::string) {
285 isc_throw(DhcpConfigError, "user must be a string ("
286 << user_cfg->getPosition() << ")");
287 }
288 user = user_cfg->stringValue();
289 if (user.empty()) {
290 isc_throw(DhcpConfigError, "user must not be empty ("
291 << user_cfg->getPosition() << ")");
292 }
293 if (user.find(':') != string::npos) {
294 isc_throw(DhcpConfigError, "user must not contain a ':': '"
295 << user << "' (" << user_cfg->getPosition() << ")");
296 }
297
298 if (file::PathChecker::shouldEnforceSecurity()) {
299 isc_throw(DhcpConfigError, "use of clear text 'user' is NOT SECURE ("
300 << user_cfg->getPosition() << ")");
301 } else {
302 LOG_INFO(auth_logger, HTTP_CLIENT_USER_SECURITY_WARNING)
303 .arg(user_cfg->getPosition().str());
304 }
305 }
306
307 // user file.
308 string user_file;
309 if (user_file_cfg) {
310 if (user_file_cfg->getType() != Element::string) {
311 isc_throw(DhcpConfigError, "user-file must be a string ("
312 << user_file_cfg->getPosition() << ")");
313 }
314 user_file = user_file_cfg->stringValue();
315 user = getFileContent(user_file);
316 if (user.empty()) {
317 isc_throw(DhcpConfigError, "user must not be empty "
318 << "from user-file '" << user_file << "' ("
319 << user_file_cfg->getPosition() << ")");
320 }
321 if (user.find(':') != string::npos) {
322 isc_throw(DhcpConfigError, "user must not contain a ':' "
323 << "from user-file '" << user_file << "' ("
324 << user_file_cfg->getPosition() << ")");
325 }
326 }
327
328 // Solve password file.
329 if (password_file_cfg) {
330 if (password_file_only) {
331 string content = getFileContent(password_file);
332 auto pos = content.find(':');
333 if (pos == string::npos) {
334 isc_throw(DhcpConfigError, "can't find the user id part "
335 << "in password-file '" << password_file << "' ("
336 << password_file_cfg->getPosition() << ")");
337 }
338 user = content.substr(0, pos);
339 password = content.substr(pos + 1);
340 } else {
341 password = getFileContent(password_file);
342 }
343 }
344
345 // user context.
346 ConstElementPtr user_context = client->get("user-context");
347 if (user_context) {
348 if (user_context->getType() != Element::map) {
349 isc_throw(DhcpConfigError, "user-context must be a map ("
350 << user_context->getPosition() << ")");
351 }
352 }
353
354 // add it.
355 try {
356 add(user, user_file, password, password_file, password_file_only,
357 user_context);
358 } catch (const std::exception& ex) {
359 isc_throw(DhcpConfigError, ex.what() << " ("
360 << client->getPosition() << ")");
361 }
362 }
363}
364
365HttpResponseJsonPtr
366BasicHttpAuthConfig::checkAuth(const HttpResponseCreator& creator,
367 const HttpRequestPtr& request) const {
368 const BasicHttpAuthMap& credentials = getCredentialMap();
369 bool authentic = false;
370 if (credentials.empty()) {
371 authentic = true;
372 } else try {
373 string value = request->getHeaderValue("Authorization");
374 // Trim space characters.
375 value = str::trim(value);
376 if (value.size() < 8) {
377 isc_throw(BadValue, "header content is too short");
378 }
379 // Get the authentication scheme which must be "basic".
380 string scheme = value.substr(0, 5);
381 str::lowercase(scheme);
382 if (scheme != "basic") {
383 isc_throw(BadValue, "not basic authentication");
384 }
385 // Skip the authentication scheme name and space characters.
386 value = value.substr(5);
387 value = str::trim(value);
388 // Verify the credential is in the list.
389 auto const it = credentials.find(value);
390 if (it != credentials.end()) {
391 LOG_INFO(auth_logger, HTTP_CLIENT_REQUEST_AUTHORIZED)
392 .arg(it->second);
393 if (HttpRequest::recordBasicAuth_) {
394 request->setBasicAuth(it->second);
395 }
396 authentic = true;
397 } else {
398 LOG_INFO(auth_logger, HTTP_CLIENT_REQUEST_NOT_AUTHORIZED);
399 authentic = false;
400 }
401 } catch (const HttpMessageNonExistingHeader&) {
402 LOG_INFO(auth_logger, HTTP_CLIENT_REQUEST_NO_AUTH_HEADER);
403 } catch (const BadValue& ex) {
404 LOG_INFO(auth_logger, HTTP_CLIENT_REQUEST_BAD_AUTH_HEADER)
405 .arg(ex.what());
406 }
407 if (authentic) {
408 return (HttpResponseJsonPtr());
409 }
410 const string& realm = getRealm();
411 const string& scheme = "Basic";
412 HttpResponsePtr response =
413 creator.createStockHttpResponse(request, HttpStatusCode::UNAUTHORIZED);
414 response->reset();
415 response->context()->headers_.push_back(
416 HttpHeaderContext("WWW-Authenticate",
417 scheme + " realm=\"" + realm + "\""));
418 response->finalize();
419 return (boost::dynamic_pointer_cast<HttpResponseJson>(response));
420}
421
422} // end of namespace isc::http
423} // end of namespace isc
auth_log.h
basic_auth_config.h
Element::create
static ElementPtr create(const Position &pos=ZERO_POSITION())
Definition data.cc:249
Element::map
@ map
Definition data.h:147
Element::list
@ list
Definition data.h:146
Element::string
@ string
Definition data.h:144
Element::createMap
static ElementPtr createMap(const Position &pos=ZERO_POSITION())
Creates an empty MapElement type ElementPtr.
Definition data.cc:304
Element::createList
static ElementPtr createList(const Position &pos=ZERO_POSITION())
Creates an empty ListElement type ElementPtr.
Definition data.cc:299
isc::BadValue
A generic exception that is thrown if a parameter given to a method is considered invalid in that con...
Definition exceptions/exceptions.h:132
isc::Exception::what
virtual const char * what() const
Returns a C-style character string of the cause of the exception.
Definition exceptions/exceptions.cc:32
isc::data::DefaultCredential
Exception thrown on attempt to use a default credential.
Definition default_credentials.h:18
isc::dhcp::DhcpConfigError
To be removed. Please use ConfigError instead.
Definition dhcp_config_error.h:58
isc::http::BasicHttpAuthClient
Basic HTTP authentication client configuration.
Definition basic_auth_config.h:27
isc::http::BasicHttpAuthClient::BasicHttpAuthClient
BasicHttpAuthClient(const std::string &user, const std::string &password, const isc::data::ConstElementPtr &user_context)
Constructor (legacy).
Definition basic_auth_config.cc:24
isc::http::BasicHttpAuthClient::toElement
virtual isc::data::ElementPtr toElement() const
Unparses basic HTTP authentication client configuration.
Definition basic_auth_config.cc:48
isc::http::BasicHttpAuthConfig::getFileContent
std::string getFileContent(const std::string &file_name) const
Get the content of {directory}/{file-name} regular file.
Definition basic_auth_config.cc:99
isc::http::BasicHttpAuthConfig::toElement
virtual isc::data::ElementPtr toElement() const
Unparses basic HTTP authentication configuration.
Definition basic_auth_config.cc:121
isc::http::BasicHttpAuthConfig::add
void add(const std::string &user, const std::string &user_file, const std::string &password, const std::string &password_file, bool password_file_only=false, const isc::data::ConstElementPtr &user_context=isc::data::ConstElementPtr())
Add a client configuration.
Definition basic_auth_config.cc:74
isc::http::BasicHttpAuthConfig::parse
void parse(const isc::data::ConstElementPtr &config)
Parses basic HTTP authentication configuration.
Definition basic_auth_config.cc:147
isc::http::BasicHttpAuthConfig::checkAuth
virtual isc::http::HttpResponseJsonPtr checkAuth(const isc::http::HttpResponseCreator &creator, const isc::http::HttpRequestPtr &request) const
Validate HTTP request.
Definition basic_auth_config.cc:366
isc::http::BasicHttpAuthConfig::clear
virtual void clear()
Clear configuration.
Definition basic_auth_config.cc:88
isc::http::BasicHttpAuthConfig::empty
virtual bool empty() const
Empty predicate.
Definition basic_auth_config.cc:94
isc::http::BasicHttpAuthConfig::getCredentialMap
const BasicHttpAuthMap & getCredentialMap() const
Returns the credential and user id map.
Definition basic_auth_config.h:164
isc::http::BasicHttpAuth
Represents a basic HTTP authentication.
Definition basic_auth.h:21
isc::http::BasicHttpAuth::getCredential
const std::string & getCredential() const
Returns the credential (base64 of the UTF-8 secret).
Definition basic_auth.h:43
isc::http::HttpAuthConfig::getRealm
const std::string & getRealm() const
Returns the realm.
Definition auth_config.h:39
isc::http::HttpAuthConfig::getDirectory
const std::string & getDirectory() const
Returns the common part for file paths (usually a directory).
Definition auth_config.h:53
isc::http::HttpAuthConfig::setDirectory
void setDirectory(const std::string &directory)
Set the common part for file paths (usually a directory).
Definition auth_config.h:46
isc::http::HttpAuthConfig::setRealm
void setRealm(const std::string &realm)
Set the realm.
Definition auth_config.h:32
isc::http::HttpMessageNonExistingHeader
Exception thrown when attempt is made to retrieve a non-existing header.
Definition http_message.h:30
isc::http::HttpRequest::recordBasicAuth_
static bool recordBasicAuth_
Record basic auth.
Definition request.h:258
isc::http::HttpResponseCreator
Specifies an interface for classes creating HTTP responses from HTTP requests.
Definition response_creator.h:38
isc::http::HttpResponseCreator::createStockHttpResponse
virtual HttpResponsePtr createStockHttpResponse(const HttpRequestPtr &request, const HttpStatusCode &status_code) const =0
Creates implementation specific HTTP response.
isc::util::file::PathChecker::shouldEnforceSecurity
static bool shouldEnforceSecurity()
Indicates security checks should be enforced.
Definition filesystem.cc:351
default_credentials.h
isc_throw
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
Definition exceptions/exceptions.h:210
LOG_INFO
#define LOG_INFO(LOGGER, MESSAGE)
Macro to conveniently test info output and log it.
Definition macros.h:20
isc::data::ConstElementPtr
boost::shared_ptr< const Element > ConstElementPtr
Definition data.h:29
isc::data::ElementPtr
boost::shared_ptr< Element > ElementPtr
Definition data.h:28
isc::http::BasicHttpAuthMap
std::unordered_map< std::string, std::string > BasicHttpAuthMap
Type of basic HTTP authentication credential and user id map, e.g.
Definition basic_auth_config.h:23
isc::http::HTTP_CLIENT_PASSWORD_SECURITY_WARNING
const isc::log::MessageID HTTP_CLIENT_PASSWORD_SECURITY_WARNING
Definition auth_messages.h:11
isc::http::HTTP_CLIENT_REQUEST_NOT_AUTHORIZED
const isc::log::MessageID HTTP_CLIENT_REQUEST_NOT_AUTHORIZED
Definition auth_messages.h:14
isc::http::HttpResponseJsonPtr
boost::shared_ptr< HttpResponseJson > HttpResponseJsonPtr
Pointer to the HttpResponseJson object.
Definition response_json.h:27
isc::http::HTTP_CLIENT_REQUEST_BAD_AUTH_HEADER
const isc::log::MessageID HTTP_CLIENT_REQUEST_BAD_AUTH_HEADER
Definition auth_messages.h:13
isc::http::HTTP_CLIENT_USER_SECURITY_WARNING
const isc::log::MessageID HTTP_CLIENT_USER_SECURITY_WARNING
Definition auth_messages.h:16
isc::http::HTTP_CLIENT_REQUEST_AUTHORIZED
const isc::log::MessageID HTTP_CLIENT_REQUEST_AUTHORIZED
Definition auth_messages.h:12
isc::http::HttpResponsePtr
boost::shared_ptr< HttpResponse > HttpResponsePtr
Pointer to the HttpResponse object.
Definition response.h:81
isc::http::HTTP_CLIENT_REQUEST_NO_AUTH_HEADER
const isc::log::MessageID HTTP_CLIENT_REQUEST_NO_AUTH_HEADER
Definition auth_messages.h:15
isc::http::HttpRequestPtr
boost::shared_ptr< HttpRequest > HttpRequestPtr
Pointer to the HttpRequest object.
Definition request.h:30
isc::http::auth_logger
isc::log::Logger auth_logger("auth")
Defines the logger used by the HTTP authentication.
Definition auth_log.h:18
isc::util::file::getContent
string getContent(string const &file_name)
Get the content of a regular file.
Definition filesystem.cc:33
isc::util::str::lowercase
void lowercase(string &text)
Convert string to lowercase.
Definition str.cc:134
isc::util::str::trim
string trim(const string &input)
Trim leading and trailing spaces.
Definition str.cc:32
isc
Defines the logger used by the top-level component of kea-lfc.
Definition agent_parser.cc:148
isc::data::DefaultCredentials::check
static void check(const std::string &value)
Check if the value is a default credential.
Definition default_credentials.cc:27
isc::data::UserContext::contextToElement
void contextToElement(data::ElementPtr map) const
Merge unparse a user_context object.
Definition user_context.cc:15
isc::data::UserContext::setContext
void setContext(const data::ConstElementPtr &ctx)
Sets user context.
Definition user_context.h:30