git-lfs/lfsapi/ntlm.go

package lfsapi

import (
	"encoding/base64"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"

	"github.com/git-lfs/git-lfs/errors"
)

func (c *Client) doWithNTLM(req *http.Request, credHelper CredentialHelper, creds Creds, credsURL *url.URL) (*http.Response, error) {
	res, err := c.do(req)
	if err != nil && !errors.IsAuthError(err) {
		return res, err
	}

	if res.StatusCode != 401 {
		return res, nil
	}

	return c.ntlmReAuth(req, credHelper, creds, true)
}

// If the status is 401 then we need to re-authenticate
func (c *Client) ntlmReAuth(req *http.Request, credHelper CredentialHelper, creds Creds, retry bool) (*http.Response, error) {
	res, err := c.ntlmAuthenticateRequest(req, creds)
	if err != nil && !errors.IsAuthError(err) {
		return res, err
	}

	switch res.StatusCode {
	case 401:
		credHelper.Reject(creds)
		if retry {
			return c.ntlmReAuth(req, credHelper, creds, false)
		}
	case 403:
		credHelper.Reject(creds)
	default:
		if res.StatusCode < 300 && res.StatusCode > 199 {
			credHelper.Approve(creds)
		}
	}

	return res, nil
}

func (c *Client) ntlmSendType1Message(req *http.Request, message []byte) (*http.Response, []byte, error) {
	res, err := c.ntlmSendMessage(req, message)
	if err != nil && !errors.IsAuthError(err) {
		return res, nil, err
	}

	io.Copy(ioutil.Discard, res.Body)
	res.Body.Close()

	by, err := parseChallengeResponse(res)
	return res, by, err
}

func (c *Client) ntlmSendType3Message(req *http.Request, authenticate []byte) (*http.Response, error) {
	return c.ntlmSendMessage(req, authenticate)
}

func (c *Client) ntlmSendMessage(req *http.Request, message []byte) (*http.Response, error) {
	body, err := rewoundRequestBody(req)
	if err != nil {
		return nil, err
	}
	req.Body = body

	msg := base64.StdEncoding.EncodeToString(message)
	req.Header.Set("Authorization", "NTLM "+msg)
	return c.do(req)
}

func parseChallengeResponse(res *http.Response) ([]byte, error) {
	header := res.Header.Get("Www-Authenticate")
	if len(header) < 6 {
		return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)
	}

	//parse out the "NTLM " at the beginning of the response
	challenge := header[5:]
	val, err := base64.StdEncoding.DecodeString(challenge)

	if err != nil {
		return nil, err
	}
	return []byte(val), nil
}

func rewoundRequestBody(req *http.Request) (io.ReadCloser, error) {
	if req.Body == nil {
		return nil, nil
	}

	body, ok := req.Body.(ReadSeekCloser)
	if !ok {
		return nil, fmt.Errorf("Request body must implement io.ReadCloser and io.Seeker. Got: %T", body)
	}

	_, err := body.Seek(0, io.SeekStart)
	return body, err
}
add ntlm file 2016-12-20 19:23:04 +00:00			`package lfsapi`

			`import (`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`"encoding/base64"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
add ntlm file 2016-12-20 19:23:04 +00:00			`"net/http"`
			`"net/url"`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
			`"github.com/git-lfs/git-lfs/errors"`
add ntlm file 2016-12-20 19:23:04 +00:00			`)`

lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`func (c Client) doWithNTLM(req http.Request, credHelper CredentialHelper, creds Creds, credsURL url.URL) (http.Response, error) {`
lfsapi/{auth,client}: introduce do() method to circumvent header altering 2017-11-16 21:50:40 +00:00			`res, err := c.do(req)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil && !errors.IsAuthError(err) {`
			`return res, err`
			`}`

			`if res.StatusCode != 401 {`
			`return res, nil`
			`}`

			`return c.ntlmReAuth(req, credHelper, creds, true)`
			`}`

			`// If the status is 401 then we need to re-authenticate`
			`func (c Client) ntlmReAuth(req http.Request, credHelper CredentialHelper, creds Creds, retry bool) (*http.Response, error) {`
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`res, err := c.ntlmAuthenticateRequest(req, creds)`
			`if err != nil && !errors.IsAuthError(err) {`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`return res, err`
			`}`

			`switch res.StatusCode {`
			`case 401:`
			`credHelper.Reject(creds)`
			`if retry {`
			`return c.ntlmReAuth(req, credHelper, creds, false)`
			`}`
			`case 403:`
			`credHelper.Reject(creds)`
			`default:`
			`if res.StatusCode < 300 && res.StatusCode > 199 {`
			`credHelper.Approve(creds)`
			`}`
			`}`

			`return res, nil`
			`}`

Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendType1Message(req http.Request, message []byte) (*http.Response, []byte, error) {`
			`res, err := c.ntlmSendMessage(req, message)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil && !errors.IsAuthError(err) {`
			`return res, nil, err`
			`}`

			`io.Copy(ioutil.Discard, res.Body)`
			`res.Body.Close()`

			`by, err := parseChallengeResponse(res)`
			`return res, by, err`
			`}`

Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendType3Message(req http.Request, authenticate []byte) (*http.Response, error) {`
			`return c.ntlmSendMessage(req, authenticate)`
add ntlm file 2016-12-20 19:23:04 +00:00			`}`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`func (c Client) ntlmSendMessage(req http.Request, message []byte) (*http.Response, error) {`
			`body, err := rewoundRequestBody(req)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`req.Body = body`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00
Split ntlm implementation into a generic ntlm handling and a ntlm authentication process 2018-02-15 18:57:43 +00:00			`msg := base64.StdEncoding.EncodeToString(message)`
			`req.Header.Set("Authorization", "NTLM "+msg)`
			`return c.do(req)`
lfsapi: port ntlm support from httputil 2017-01-06 15:14:09 +00:00			`}`

			`func parseChallengeResponse(res *http.Response) ([]byte, error) {`
			`header := res.Header.Get("Www-Authenticate")`
			`if len(header) < 6 {`
			`return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)`
			`}`

			`//parse out the "NTLM " at the beginning of the response`
			`challenge := header[5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`

			`if err != nil {`
			`return nil, err`
			`}`
			`return []byte(val), nil`
			`}`

			`func rewoundRequestBody(req *http.Request) (io.ReadCloser, error) {`
			`if req.Body == nil {`
			`return nil, nil`
			`}`

			`body, ok := req.Body.(ReadSeekCloser)`
			`if !ok {`
			`return nil, fmt.Errorf("Request body must implement io.ReadCloser and io.Seeker. Got: %T", body)`
			`}`

			`_, err := body.Seek(0, io.SeekStart)`
			`return body, err`
			`}`