git-lfs/lfs/ntlm.go

package lfs

import (
	"bytes"
	"encoding/base64"
	"github.com/ThomsonReutersEikon/go-ntlm/ntlm"	
	"io"
	"io/ioutil"
	"net/http"
	"strings"
)

func (c *Configuration) NTLMSession(creds Creds) ntlm.ClientSession {
	
	if c.ntlmSession != nil {
		return c.ntlmSession
	}
	
	splits := strings.Split(creds["username"], "\\")
	
	var session, _  = ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)
	session.SetUserInfo(splits[0], creds["password"], splits[1])
	
	c.ntlmSession = session
	
	return session
}

func DoNTLMRequest(request *http.Request, retry bool) (*http.Response, error) {					
	handReq := cloneRequest(request)	
	res, nil := InitHandShake(handReq)

	//If the status is 401 then we need to re-authenticate, otherwise it was successful
	if res.StatusCode == 401 {
		
		creds, _ := getCredsForNTLM(request)
		
		negotiateReq := cloneRequest(request)
		challengeMessage := negotiate(negotiateReq, getNegotiateMessage())
		
		challengeReq := cloneRequest(request)
		res, _ := challenge(challengeReq, challengeMessage, creds)
		
		//If the status is 401 then we need to re-authenticate
		if res.StatusCode == 401 && retry == true {
			return DoNTLMRequest(challengeReq, false)
		}
		
		saveCredentials(creds, res)	
		
		return res, nil	
	}
	return res, nil	
}

func InitHandShake(request *http.Request) (*http.Response, error){
	var response, err = Config.HttpClient().Do(request)
	
	if err != nil {
		return nil, Error(err)
	}
	
	return response, nil
}

func negotiate(request *http.Request, message string) []byte{
	request.Header.Add("Authorization", message)
	var response, err = Config.HttpClient().Do(request)
	
	if err != nil{
		panic(err.Error())
	}
	
	ret := parseChallengeResponse(response)
	
	//Always close negotiate to keep the connection alive
	//We never return the response from negotiate so we 
	//can't trust decodeApiResponse to close it
	io.Copy(ioutil.Discard, response.Body)
	response.Body.Close()
	
	return ret;
}

func challenge(request *http.Request, challengeBytes []byte, creds Creds) (*http.Response, error){
	challenge, err := ntlm.ParseChallengeMessage(challengeBytes)
	
	if err != nil {
		return nil, Error(err)
	}
	
	Config.NTLMSession(creds).ProcessChallengeMessage(challenge)
	authenticate, err := Config.NTLMSession(creds).GenerateAuthenticateMessage()
	
	if err != nil {
		return nil, Error(err)
	}
	
	authenticateMessage := concatS("NTLM ", base64.StdEncoding.EncodeToString(authenticate.Bytes()))
	
	request.Header.Add("Authorization", authenticateMessage)
	response, err := Config.HttpClient().Do(request)
	
	return response, nil
}

func parseChallengeResponse(response *http.Response) []byte{
	if headers, ok := response.Header["Www-Authenticate"]; ok{
		
		//parse out the "NTLM " at the beginning of the response
		challenge := headers[0][5:]
		val, err := base64.StdEncoding.DecodeString(challenge)
		
		if err != nil{
			panic(err.Error())
		}
		return []byte(val)
	}
	
	panic("www-Authenticate header is not present")
}

func cloneRequest(request *http.Request) *http.Request {
	var rdr1, rdr2 myReader
	var clonedReq *http.Request
	
	if request.Body != nil {
		//If we have a body (POST/PUT etc.)
		//We need to do some magic to copy the request without closing the body stream
		
		buf, _ := ioutil.ReadAll(request.Body)
		rdr1 = myReader{bytes.NewBuffer(buf)}
		rdr2 = myReader{bytes.NewBuffer(buf)}	
		request.Body = rdr2 // OK since rdr2 implements the io.ReadCloser interface	
		clonedReq, _ = http.NewRequest(request.Method, request.URL.String(), rdr1)	
	}else{
		clonedReq, _ = http.NewRequest(request.Method, request.URL.String(), nil)
	}
	
	for k, v := range request.Header {
		clonedReq.Header.Add(k,v[0])
	}
	
	clonedReq.ContentLength = request.ContentLength	
	
	return clonedReq
}

func getNegotiateMessage() string{
	return "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"
}

func concatS(ar ...string) string {
	
    var buffer bytes.Buffer

    for _, s := range ar{
        buffer.WriteString(s)
    }

    return buffer.String()
}

func concat(ar ...[]byte) []byte {
	return bytes.Join(ar, nil)
}

type myReader struct {
    *bytes.Buffer
}

// So that myReader implements the io.ReadCloser interface
func (m myReader) Close() error { return nil }
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`package lfs`

			`import (`
			`"bytes"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"encoding/base64"`
			`"github.com/ThomsonReutersEikon/go-ntlm/ntlm"`
			`"io"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`"io/ioutil"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"net/http"`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`"strings"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`)`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func (c *Configuration) NTLMSession(creds Creds) ntlm.ClientSession {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
			`if c.ntlmSession != nil {`
			`return c.ntlmSession`
			`}`

Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`splits := strings.Split(creds["username"], "\\")`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`var session, _ = ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`session.SetUserInfo(splits[0], creds["password"], splits[1])`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
			`c.ntlmSession = session`

			`return session`
			`}`

Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`func DoNTLMRequest(request http.Request, retry bool) (http.Response, error) {`
NTLM Push 2015-08-28 20:40:41 +00:00			`handReq := cloneRequest(request)`
			`res, nil := InitHandShake(handReq)`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`//If the status is 401 then we need to re-authenticate, otherwise it was successful`
			`if res.StatusCode == 401 {`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`creds, _ := getCredsForNTLM(request)`

NTLM Push 2015-08-28 20:40:41 +00:00			`negotiateReq := cloneRequest(request)`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`challengeMessage := negotiate(negotiateReq, getNegotiateMessage())`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
NTLM Push 2015-08-28 20:40:41 +00:00			`challengeReq := cloneRequest(request)`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`res, _ := challenge(challengeReq, challengeMessage, creds)`
NTLM Push 2015-08-28 20:40:41 +00:00
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If the status is 401 then we need to re-authenticate`
			`if res.StatusCode == 401 && retry == true {`
			`return DoNTLMRequest(challengeReq, false)`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`saveCredentials(creds, res)`

			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
NTLM Push 2015-08-28 20:40:41 +00:00			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

NTLM Push 2015-08-28 20:40:41 +00:00			`func InitHandShake(request http.Request) (http.Response, error){`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`var response, err = Config.HttpClient().Do(request)`
NTLM Fetch 2015-08-31 18:34:17 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if err != nil {`
			`return nil, Error(err)`
			`}`

			`return response, nil`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func negotiate(request *http.Request, message string) []byte{`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`request.Header.Add("Authorization", message)`
			`var response, err = Config.HttpClient().Do(request)`

			`if err != nil{`
More Trace Cleanup 2015-09-01 14:48:12 +00:00			`panic(err.Error())`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`ret := parseChallengeResponse(response)`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
NTLM Push 2015-08-28 20:40:41 +00:00			`//Always close negotiate to keep the connection alive`
			`//We never return the response from negotiate so we`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`//can't trust decodeApiResponse to close it`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`io.Copy(ioutil.Discard, response.Body)`
			`response.Body.Close()`

			`return ret;`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func challenge(request http.Request, challengeBytes []byte, creds Creds) (http.Response, error){`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`challenge, err := ntlm.ParseChallengeMessage(challengeBytes)`

			`if err != nil {`
			`return nil, Error(err)`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`Config.NTLMSession(creds).ProcessChallengeMessage(challenge)`
			`authenticate, err := Config.NTLMSession(creds).GenerateAuthenticateMessage()`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
			`if err != nil {`
			`return nil, Error(err)`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`authenticateMessage := concatS("NTLM ", base64.StdEncoding.EncodeToString(authenticate.Bytes()))`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00
			`request.Header.Add("Authorization", authenticateMessage)`
			`response, err := Config.HttpClient().Do(request)`

			`return response, nil`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func parseChallengeResponse(response *http.Response) []byte{`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if headers, ok := response.Header["Www-Authenticate"]; ok{`

Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//parse out the "NTLM " at the beginning of the response`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`challenge := headers[0][5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`

			`if err != nil{`
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`panic(err.Error())`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
			`return []byte(val)`
			`}`

			`panic("www-Authenticate header is not present")`
			`}`

NTLM Push 2015-08-28 20:40:41 +00:00			`func cloneRequest(request http.Request) http.Request {`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`var rdr1, rdr2 myReader`
			`var clonedReq *http.Request`

			`if request.Body != nil {`
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If we have a body (POST/PUT etc.)`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`//We need to do some magic to copy the request without closing the body stream`

			`buf, _ := ioutil.ReadAll(request.Body)`
			`rdr1 = myReader{bytes.NewBuffer(buf)}`
			`rdr2 = myReader{bytes.NewBuffer(buf)}`
			`request.Body = rdr2 // OK since rdr2 implements the io.ReadCloser interface`
			`clonedReq, _ = http.NewRequest(request.Method, request.URL.String(), rdr1)`
			`}else{`
			`clonedReq, _ = http.NewRequest(request.Method, request.URL.String(), nil)`
			`}`
NTLM Push 2015-08-28 20:40:41 +00:00
			`for k, v := range request.Header {`
			`clonedReq.Header.Add(k,v[0])`
			`}`

			`clonedReq.ContentLength = request.ContentLength`

			`return clonedReq`
			`}`

NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`func getNegotiateMessage() string{`
			`return "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func concatS(ar ...string) string {`
NTLM Push 2015-08-28 20:40:41 +00:00
			`var buffer bytes.Buffer`

			`for _, s := range ar{`
			`buffer.WriteString(s)`
			`}`

			`return buffer.String()`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func concat(ar ...[]byte) []byte {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`return bytes.Join(ar, nil)`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`}`

			`type myReader struct {`
			`*bytes.Buffer`
			`}`

			`// So that myReader implements the io.ReadCloser interface`
			`func (m myReader) Close() error { return nil }`