git-lfs/lfsapi/ntlm.go

package lfsapi

import (
	"encoding/base64"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"

	"github.com/git-lfs/git-lfs/creds"
	"github.com/git-lfs/git-lfs/errors"
)

type ntmlCredentials struct {
	domain   string
	username string
	password string
}

func (c *Client) doWithNTLM(req *http.Request, credHelper creds.CredentialHelper, creds creds.Creds, credsURL *url.URL) (*http.Response, error) {
	res, err := c.do(req, "", nil)
	if err != nil && !errors.IsAuthError(err) {
		return res, err
	}

	if res.StatusCode != 401 {
		return res, nil
	}

	return c.ntlmReAuth(req, credHelper, creds, true)
}

// If the status is 401 then we need to re-authenticate
func (c *Client) ntlmReAuth(req *http.Request, credHelper creds.CredentialHelper, creds creds.Creds, retry bool) (*http.Response, error) {
	ntmlCreds, err := ntlmGetCredentials(creds)
	if err != nil {
		return nil, err
	}

	res, err := c.ntlmAuthenticateRequest(req, ntmlCreds)
	if err != nil && !errors.IsAuthError(err) {
		return res, err
	}

	switch res.StatusCode {
	case 401:
		credHelper.Reject(creds)
		if retry {
			return c.ntlmReAuth(req, credHelper, creds, false)
		}
	case 403:
		credHelper.Reject(creds)
	default:
		if res.StatusCode < 300 && res.StatusCode > 199 {
			credHelper.Approve(creds)
		}
	}

	return res, nil
}

func (c *Client) ntlmSendType1Message(req *http.Request, message []byte) (*http.Response, []byte, error) {
	res, err := c.ntlmSendMessage(req, message)
	if err != nil && !errors.IsAuthError(err) {
		return res, nil, err
	}

	io.Copy(ioutil.Discard, res.Body)
	res.Body.Close()

	by, err := parseChallengeResponse(res)
	return res, by, err
}

func (c *Client) ntlmSendType3Message(req *http.Request, authenticate []byte) (*http.Response, error) {
	return c.ntlmSendMessage(req, authenticate)
}

func (c *Client) ntlmSendMessage(req *http.Request, message []byte) (*http.Response, error) {
	body, err := rewoundRequestBody(req)
	if err != nil {
		return nil, err
	}
	req.Body = body

	msg := base64.StdEncoding.EncodeToString(message)
	req.Header.Set("Authorization", "NTLM "+msg)
	return c.do(req, "", nil)
}

func parseChallengeResponse(res *http.Response) ([]byte, error) {
	header := res.Header.Get("Www-Authenticate")
	if len(header) < 6 {
		return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)
	}

	//parse out the "NTLM " at the beginning of the response
	challenge := header[5:]
	val, err := base64.StdEncoding.DecodeString(challenge)

	if err != nil {
		return nil, err
	}
	return []byte(val), nil
}

func rewoundRequestBody(req *http.Request) (io.ReadCloser, error) {
	if req.Body == nil {
		return nil, nil
	}

	body, ok := req.Body.(ReadSeekCloser)
	if !ok {
		return nil, fmt.Errorf("Request body must implement io.ReadCloser and io.Seeker. Got: %T", body)
	}

	_, err := body.Seek(0, io.SeekStart)
	return body, err
}

func ntlmGetCredentials(creds creds.Creds) (*ntmlCredentials, error) {
	username := creds["username"]
	password := creds["password"]

	if username == "" && password == "" {
		return nil, nil
	}

	splits := strings.Split(username, "\\")
	if len(splits) != 2 {
		return nil, fmt.Errorf("Your user name must be of the form DOMAIN\\user. It is currently '%s'", username)
	}

	domain := strings.ToUpper(splits[0])
	username = splits[1]

	return &ntmlCredentials{domain: domain, username: username, password: password}, nil
}
add ntlm file 2016-12-20 19:23:04 +00:00			`package lfsapi`

			`import (`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`"encoding/base64"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
add ntlm file 2016-12-20 19:23:04 +00:00			`"net/http"`
			`"net/url"`
Use SSPI ntlm authentication on windows: This brings support for SingleSignOn on windows using the default credentials of the currently logged in user if an empty username and empty password is provided from gitcredentials. This plays well with the Git for windows implementation which stores an empty username and password if it should use the default credentials. 2018-02-16 06:54:34 +00:00			`"strings"`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
Move credential handling to its own package In a future commit, we're going to be accessing credential handling from multiple packages. To avoid an import loop, move credential handling into its own package. Update all the callers of the credential handling code to use a qualified name. Where there is a local variable called "creds", which would conflict with our package name, rename it "cred" instead. 2018-09-19 15:05:48 +00:00			`"github.com/git-lfs/git-lfs/creds"`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`"github.com/git-lfs/git-lfs/errors"`
add ntlm file 2016-12-20 19:23:04 +00:00			`)`

Use SSPI ntlm authentication on windows: This brings support for SingleSignOn on windows using the default credentials of the currently logged in user if an empty username and empty password is provided from gitcredentials. This plays well with the Git for windows implementation which stores an empty username and password if it should use the default credentials. 2018-02-16 06:54:34 +00:00			`type ntmlCredentials struct {`
			`domain string`
			`username string`
			`password string`
			`}`

Move credential handling to its own package In a future commit, we're going to be accessing credential handling from multiple packages. To avoid an import loop, move credential handling into its own package. Update all the callers of the credential handling code to use a qualified name. Where there is a local variable called "creds", which would conflict with our package name, rename it "cred" instead. 2018-09-19 15:05:48 +00:00			`func (c Client) doWithNTLM(req http.Request, credHelper creds.CredentialHelper, creds creds.Creds, credsURL url.URL) (http.Response, error) {`
lfsapi: teach do() and friends 'remote' 2018-05-25 16:24:15 +00:00			`res, err := c.do(req, "", nil)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil && !errors.IsAuthError(err) {`
			`return res, err`
			`}`

			`if res.StatusCode != 401 {`
			`return res, nil`
			`}`

			`return c.ntlmReAuth(req, credHelper, creds, true)`
			`}`

			`// If the status is 401 then we need to re-authenticate`
Move credential handling to its own package In a future commit, we're going to be accessing credential handling from multiple packages. To avoid an import loop, move credential handling into its own package. Update all the callers of the credential handling code to use a qualified name. Where there is a local variable called "creds", which would conflict with our package name, rename it "cred" instead. 2018-09-19 15:05:48 +00:00			`func (c Client) ntlmReAuth(req http.Request, credHelper creds.CredentialHelper, creds creds.Creds, retry bool) (*http.Response, error) {`
Use SSPI ntlm authentication on windows: This brings support for SingleSignOn on windows using the default credentials of the currently logged in user if an empty username and empty password is provided from gitcredentials. This plays well with the Git for windows implementation which stores an empty username and password if it should use the default credentials. 2018-02-16 06:54:34 +00:00			`ntmlCreds, err := ntlmGetCredentials(creds)`
			`if err != nil {`
			`return nil, err`
			`}`

			`res, err := c.ntlmAuthenticateRequest(req, ntmlCreds)`
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`if err != nil && !errors.IsAuthError(err) {`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`return res, err`
			`}`

			`switch res.StatusCode {`
			`case 401:`
			`credHelper.Reject(creds)`
			`if retry {`
			`return c.ntlmReAuth(req, credHelper, creds, false)`
			`}`
			`case 403:`
			`credHelper.Reject(creds)`
			`default:`
			`if res.StatusCode < 300 && res.StatusCode > 199 {`
			`credHelper.Approve(creds)`
			`}`
			`}`

			`return res, nil`
			`}`

Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendType1Message(req http.Request, message []byte) (*http.Response, []byte, error) {`
			`res, err := c.ntlmSendMessage(req, message)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil && !errors.IsAuthError(err) {`
			`return res, nil, err`
			`}`

			`io.Copy(ioutil.Discard, res.Body)`
			`res.Body.Close()`

			`by, err := parseChallengeResponse(res)`
			`return res, by, err`
			`}`

Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendType3Message(req http.Request, authenticate []byte) (*http.Response, error) {`
			`return c.ntlmSendMessage(req, authenticate)`
add ntlm file 2016-12-20 19:23:04 +00:00			`}`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendMessage(req http.Request, message []byte) (*http.Response, error) {`
			`body, err := rewoundRequestBody(req)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`req.Body = body`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`msg := base64.StdEncoding.EncodeToString(message)`
			`req.Header.Set("Authorization", "NTLM "+msg)`
lfsapi: teach do() and friends 'remote' 2018-05-25 16:24:15 +00:00			`return c.do(req, "", nil)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`}`

			`func parseChallengeResponse(res *http.Response) ([]byte, error) {`
			`header := res.Header.Get("Www-Authenticate")`
			`if len(header) < 6 {`
			`return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)`
			`}`

			`//parse out the "NTLM " at the beginning of the response`
			`challenge := header[5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`

			`if err != nil {`
			`return nil, err`
			`}`
			`return []byte(val), nil`
			`}`

			`func rewoundRequestBody(req *http.Request) (io.ReadCloser, error) {`
			`if req.Body == nil {`
			`return nil, nil`
			`}`

			`body, ok := req.Body.(ReadSeekCloser)`
			`if !ok {`
			`return nil, fmt.Errorf("Request body must implement io.ReadCloser and io.Seeker. Got: %T", body)`
			`}`

			`_, err := body.Seek(0, io.SeekStart)`
			`return body, err`
			`}`
Use SSPI ntlm authentication on windows: This brings support for SingleSignOn on windows using the default credentials of the currently logged in user if an empty username and empty password is provided from gitcredentials. This plays well with the Git for windows implementation which stores an empty username and password if it should use the default credentials. 2018-02-16 06:54:34 +00:00
Move credential handling to its own package In a future commit, we're going to be accessing credential handling from multiple packages. To avoid an import loop, move credential handling into its own package. Update all the callers of the credential handling code to use a qualified name. Where there is a local variable called "creds", which would conflict with our package name, rename it "cred" instead. 2018-09-19 15:05:48 +00:00			`func ntlmGetCredentials(creds creds.Creds) (*ntmlCredentials, error) {`
Use SSPI ntlm authentication on windows: This brings support for SingleSignOn on windows using the default credentials of the currently logged in user if an empty username and empty password is provided from gitcredentials. This plays well with the Git for windows implementation which stores an empty username and password if it should use the default credentials. 2018-02-16 06:54:34 +00:00			`username := creds["username"]`
			`password := creds["password"]`

			`if username == "" && password == "" {`
			`return nil, nil`
			`}`

			`splits := strings.Split(username, "\\")`
			`if len(splits) != 2 {`
			`return nil, fmt.Errorf("Your user name must be of the form DOMAIN\\user. It is currently '%s'", username)`
			`}`

			`domain := strings.ToUpper(splits[0])`
			`username = splits[1]`

			`return &ntmlCredentials{domain: domain, username: username, password: password}, nil`
			`}`