mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
239021e759
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
100 lines
2.8 KiB
Go
100 lines
2.8 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package passwordfile
|
|
|
|
import (
|
|
"context"
|
|
"encoding/csv"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/k3s-io/k3s/pkg/nodepassword"
|
|
"k8s.io/klog/v2"
|
|
|
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
)
|
|
|
|
// PasswordAuthenticator authenticates users by password
|
|
type PasswordAuthenticator struct {
|
|
users map[string]*userPasswordInfo
|
|
}
|
|
|
|
type userPasswordInfo struct {
|
|
info *user.DefaultInfo
|
|
hash string
|
|
}
|
|
|
|
// NewCSV returns a PasswordAuthenticator, populated from a CSV file.
|
|
// The CSV file must contain records in the format "password,username,useruid"
|
|
func NewCSV(path string) (*PasswordAuthenticator, error) {
|
|
file, err := os.Open(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer file.Close()
|
|
|
|
recordNum := 0
|
|
users := make(map[string]*userPasswordInfo)
|
|
reader := csv.NewReader(file)
|
|
reader.FieldsPerRecord = -1
|
|
for {
|
|
record, err := reader.Read()
|
|
if err == io.EOF {
|
|
break
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(record) < 3 {
|
|
return nil, fmt.Errorf("password file '%s' must have at least 3 columns (password, user name, user uid), found %d", path, len(record))
|
|
}
|
|
hash, err := nodepassword.Hasher.CreateHash(record[0])
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to hash password for username '%s' in password file '%s': %v", record[1], path, err)
|
|
}
|
|
obj := &userPasswordInfo{
|
|
info: &user.DefaultInfo{Name: record[1], UID: record[2]},
|
|
hash: hash,
|
|
}
|
|
if len(record) >= 4 {
|
|
obj.info.Groups = strings.Split(record[3], ",")
|
|
}
|
|
recordNum++
|
|
if _, exist := users[obj.info.Name]; exist {
|
|
klog.Warningf("duplicate username '%s' has been found in password file '%s', record number '%d'", obj.info.Name, path, recordNum)
|
|
}
|
|
users[obj.info.Name] = obj
|
|
}
|
|
|
|
return &PasswordAuthenticator{users}, nil
|
|
}
|
|
|
|
// AuthenticatePassword returns user info if authentication is successful, nil otherwise
|
|
func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) {
|
|
user, ok := a.users[username]
|
|
if !ok {
|
|
return nil, false, nil
|
|
}
|
|
if err := nodepassword.Hasher.VerifyHash(user.hash, password); err != nil {
|
|
return nil, false, nil
|
|
}
|
|
return &authenticator.Response{User: user.info}, true, nil
|
|
}
|