1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
use actix_web::http::header;
use actix_web::middleware::{Middleware, Response};
use actix_web::{HttpRequest, HttpResponse, Result};
use sha2::{Sha256, Digest};
pub struct Auth;
/// HTTP Basic authentication errors
pub enum BasicAuthError {
Base64DecodeError,
}
#[derive(Clone, Debug)]
/// HTTP Basic authentication parameters
pub struct BasicAuthParams {
pub username: String,
pub password: String,
}
#[derive(Clone, Debug)]
pub enum RequiredAuthPassword {
Plain(String),
Sha256(String),
}
#[derive(Clone, Debug)]
/// Authentication structure to match BasicAuthParams against
pub struct RequiredAuth {
pub username: String,
pub password: RequiredAuthPassword,
}
/// Decode a HTTP basic auth string into a tuple of username and password.
pub fn parse_basic_auth(
authorization_header: &header::HeaderValue,
) -> Result<BasicAuthParams, BasicAuthError> {
let basic_removed = authorization_header.to_str().unwrap().replace("Basic ", "");
let decoded = base64::decode(&basic_removed).map_err(|_| BasicAuthError::Base64DecodeError)?;
let decoded_str = String::from_utf8_lossy(&decoded);
let credentials: Vec<&str> = decoded_str.splitn(2, ':').collect();
// If argument parsing went fine, it means the HTTP credentials string is well formatted
// So we can safely unpack the username and the password
Ok(BasicAuthParams {
username: credentials[0].to_owned(),
password: credentials[1].to_owned(),
})
}
pub fn match_auth(basic_auth: BasicAuthParams, required_auth: &RequiredAuth) -> bool {
if basic_auth.username != required_auth.username {
return false;
}
match &required_auth.password {
RequiredAuthPassword::Plain(ref required_password) => basic_auth.password == *required_password,
RequiredAuthPassword::Sha256(password_hash) => {
let mut hasher = Sha256::new();
hasher.input(basic_auth.password);
let received_hash = hex::encode(hasher.result());
received_hash == *password_hash
}
}
}
impl Middleware<crate::MiniserveConfig> for Auth {
fn response(
&self,
req: &HttpRequest<crate::MiniserveConfig>,
resp: HttpResponse,
) -> Result<Response> {
if let Some(ref required_auth) = req.state().auth {
if let Some(auth_headers) = req.headers().get(header::AUTHORIZATION) {
let auth_req = match parse_basic_auth(auth_headers) {
Ok(auth_req) => auth_req,
Err(BasicAuthError::Base64DecodeError) => {
return Ok(Response::Done(HttpResponse::BadRequest().body(format!(
"Error decoding basic auth base64: '{}'",
auth_headers.to_str().unwrap()
))));
}
};
if match_auth(auth_req, required_auth) {
let new_resp = HttpResponse::Unauthorized().finish();
return Ok(Response::Done(new_resp));
}
} else {
let new_resp = HttpResponse::Unauthorized()
.header(
header::WWW_AUTHENTICATE,
header::HeaderValue::from_static("Basic realm=\"miniserve\""),
)
.finish();
return Ok(Response::Done(new_resp));
}
}
Ok(Response::Done(resp))
}
}
|
