git-lfs/lfs/ntlm.go

package lfs

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"github.com/github/git-lfs/vendor/_nuts/github.com/ThomsonReutersEikon/go-ntlm/ntlm"
	"io"
	"io/ioutil"
	"net/http"
	"strings"
)

func (c *Configuration) ntlmClientSession(creds Creds) (ntlm.ClientSession, error) {
	if c.ntlmSession != nil {
		return c.ntlmSession, nil
	}
	splits := strings.Split(creds["username"], "\\")

	if len(splits) != 2 {
		errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")
		return nil, errors.New(errorMessage)
	}

	session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)

	if err != nil {
		return nil, err
	}

	session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))
	c.ntlmSession = session
	return session, nil
}

func DoNTLMRequest(request *http.Request, retry bool) (*http.Response, error) {
	handReq, err := cloneRequest(request)
	if err != nil {
		return nil, err
	}

	res, err := InitHandShake(handReq)

	if err != nil && res == nil {
		return nil, err
	}

	//If the status is 401 then we need to re-authenticate, otherwise it was successful
	if res.StatusCode == 401 {

		creds, err := getCredsForAPI(request)
		if err != nil {
			return nil, err
		}

		negotiateReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		challengeMessage, err := negotiate(negotiateReq, getNegotiateMessage())
		if err != nil {
			return nil, err
		}

		challengeReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		res, err := challenge(challengeReq, challengeMessage, creds)
		if err != nil {
			return nil, err
		}

		//If the status is 401 then we need to re-authenticate
		if res.StatusCode == 401 && retry == true {
			return DoNTLMRequest(challengeReq, false)
		}

		saveCredentials(creds, res)

		return res, nil
	}
	return res, nil
}

func InitHandShake(request *http.Request) (*http.Response, error) {
	return Config.HttpClient().Do(request)
}

func negotiate(request *http.Request, message string) ([]byte, error) {
	request.Header.Add("Authorization", message)
	res, err := Config.HttpClient().Do(request)

	if res == nil && err != nil {
		return nil, err
	}

	ret, err := parseChallengeResponse(res)

	if err != nil {
		return nil, err
	}

	defer res.Body.Close()
	defer io.Copy(ioutil.Discard, res.Body)

	return ret, nil
}

func challenge(request *http.Request, challengeBytes []byte, creds Creds) (*http.Response, error) {
	challenge, err := ntlm.ParseChallengeMessage(challengeBytes)

	if err != nil {
		return nil, err
	}

	session, err := Config.ntlmClientSession(creds)
	if err != nil {
		return nil, err
	}

	session.ProcessChallengeMessage(challenge)
	authenticate, err := session.GenerateAuthenticateMessage()

	if err != nil {
		return nil, err
	}

	authenticateMessage := concatS("NTLM ", base64.StdEncoding.EncodeToString(authenticate.Bytes()))
	request.Header.Add("Authorization", authenticateMessage)
	return Config.HttpClient().Do(request)
}

func parseChallengeResponse(response *http.Response) ([]byte, error) {
	header := response.Header.Get("Www-Authenticate")

	//parse out the "NTLM " at the beginning of the response
	challenge := header[5:]
	val, err := base64.StdEncoding.DecodeString(challenge)

	if err != nil {
		return nil, err
	}
	return []byte(val), nil
}

func cloneRequest(request *http.Request) (*http.Request, error) {
	var rdr1, rdr2 myReader
	var clonedReq *http.Request
	var err error

	if request.Body != nil {
		//If we have a body (POST/PUT etc.)
		//We need to do some magic to copy the request without closing the body stream

		buf, err := ioutil.ReadAll(request.Body)

		if err != nil {
			return nil, err
		}

		rdr1 = myReader{bytes.NewBuffer(buf)}
		rdr2 = myReader{bytes.NewBuffer(buf)}
		request.Body = rdr2 // OK since rdr2 implements the io.ReadCloser interface
		clonedReq, err = http.NewRequest(request.Method, request.URL.String(), rdr1)

		if err != nil {
			return nil, err
		}

	} else {
		clonedReq, err = http.NewRequest(request.Method, request.URL.String(), nil)

		if err != nil {
			return nil, err
		}
	}

	for k, v := range request.Header {
		clonedReq.Header.Add(k, v[0])
	}

	clonedReq.ContentLength = request.ContentLength

	return clonedReq, nil
}

func getNegotiateMessage() string {
	return "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"
}

func concatS(ar ...string) string {

	var buffer bytes.Buffer

	for _, s := range ar {
		buffer.WriteString(s)
	}

	return buffer.String()
}

func concat(ar ...[]byte) []byte {
	return bytes.Join(ar, nil)
}

type myReader struct {
	*bytes.Buffer
}

// So that myReader implements the io.ReadCloser interface
func (m myReader) Close() error { return nil }
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`package lfs`

			`import (`
			`"bytes"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"encoding/base64"`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`"errors"`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`"fmt"`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`"github.com/github/git-lfs/vendor/_nuts/github.com/ThomsonReutersEikon/go-ntlm/ntlm"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"io"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`"io/ioutil"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"net/http"`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`"strings"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`)`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`func (c *Configuration) ntlmClientSession(creds Creds) (ntlm.ClientSession, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if c.ntlmSession != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return c.ntlmSession, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`splits := strings.Split(creds["username"], "\\")`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if len(splits) != 2 {`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")`
			`return nil, errors.New(errorMessage)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix NTLM Domain Handling Logic 2015-10-05 19:55:24 +00:00			`session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`c.ntlmSession = session`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return session, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func DoNTLMRequest(request http.Request, retry bool) (http.Response, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`handReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`res, err := InitHandShake(handReq)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil && res == nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`//If the status is 401 then we need to re-authenticate, otherwise it was successful`
			`if res.StatusCode == 401 {`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`creds, err := getCredsForAPI(request)`
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`negotiateReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`challengeMessage, err := negotiate(negotiateReq, getNegotiateMessage())`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`challengeReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`res, err := challenge(challengeReq, challengeMessage, creds)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If the status is 401 then we need to re-authenticate`
			`if res.StatusCode == 401 && retry == true {`
			`return DoNTLMRequest(challengeReq, false)`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`saveCredentials(creds, res)`

			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func InitHandShake(request http.Request) (http.Response, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return Config.HttpClient().Do(request)`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func negotiate(request *http.Request, message string) ([]byte, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`request.Header.Add("Authorization", message)`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`res, err := Config.HttpClient().Do(request)`

Formatting 2015-10-16 15:41:28 +00:00			`if res == nil && err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
			`}`

			`ret, err := parseChallengeResponse(res)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`defer res.Body.Close()`
			`defer io.Copy(ioutil.Discard, res.Body)`

Formatting 2015-10-16 15:41:28 +00:00			`return ret, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func challenge(request http.Request, challengeBytes []byte, creds Creds) (http.Response, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`challenge, err := ntlm.ParseChallengeMessage(challengeBytes)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`session, err := Config.ntlmClientSession(creds)`
			`if err != nil {`
			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`session.ProcessChallengeMessage(challenge)`
			`authenticate, err := session.GenerateAuthenticateMessage()`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`authenticateMessage := concatS("NTLM ", base64.StdEncoding.EncodeToString(authenticate.Bytes()))`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`request.Header.Add("Authorization", authenticateMessage)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return Config.HttpClient().Do(request)`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func parseChallengeResponse(response *http.Response) ([]byte, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`header := response.Header.Get("Www-Authenticate")`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`//parse out the "NTLM " at the beginning of the response`
			`challenge := header[5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
			`return []byte(val), nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`func cloneRequest(request http.Request) (http.Request, error) {`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`var rdr1, rdr2 myReader`
			`var clonedReq *http.Request`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`var err error`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
NTLM Fetch 2015-08-31 18:34:17 +00:00			`if request.Body != nil {`
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If we have a body (POST/PUT etc.)`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`//We need to do some magic to copy the request without closing the body stream`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`buf, err := ioutil.ReadAll(request.Body)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
NTLM Fetch 2015-08-31 18:34:17 +00:00			`rdr1 = myReader{bytes.NewBuffer(buf)}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`rdr2 = myReader{bytes.NewBuffer(buf)}`
			`request.Body = rdr2 // OK since rdr2 implements the io.ReadCloser interface`
			`clonedReq, err = http.NewRequest(request.Method, request.URL.String(), rdr1)`

			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`} else {`
			`clonedReq, err = http.NewRequest(request.Method, request.URL.String(), nil)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
NTLM Push 2015-08-28 20:40:41 +00:00			`for k, v := range request.Header {`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`clonedReq.Header.Add(k, v[0])`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`clonedReq.ContentLength = request.ContentLength`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return clonedReq, nil`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func getNegotiateMessage() string {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`return "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"`
			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func concatS(ar ...string) string {`
NTLM Push 2015-08-28 20:40:41 +00:00
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`var buffer bytes.Buffer`

			`for _, s := range ar {`
			`buffer.WriteString(s)`
			`}`
NTLM Push 2015-08-28 20:40:41 +00:00
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`return buffer.String()`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`

Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`func concat(ar ...[]byte) []byte {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`return bytes.Join(ar, nil)`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`}`

			`type myReader struct {`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`*bytes.Buffer`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`}`

			`// So that myReader implements the io.ReadCloser interface`
Formatting 2015-10-16 15:41:28 +00:00			`func (m myReader) Close() error { return nil }`