git-lfs/lfs/ntlm.go

package lfs

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"strings"

	"github.com/github/git-lfs/vendor/_nuts/github.com/ThomsonReutersEikon/go-ntlm/ntlm"
)

func (c *Configuration) ntlmClientSession(creds Creds) (ntlm.ClientSession, error) {
	if c.ntlmSession != nil {
		return c.ntlmSession, nil
	}
	splits := strings.Split(creds["username"], "\\")

	if len(splits) != 2 {
		errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")
		return nil, errors.New(errorMessage)
	}

	session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)

	if err != nil {
		return nil, err
	}

	session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))
	c.ntlmSession = session
	return session, nil
}

func DoNTLMRequest(request *http.Request, retry bool) (*http.Response, error) {
	handReq, err := cloneRequest(request)
	if err != nil {
		return nil, err
	}

	res, err := Config.HttpClient().Do(handReq)
	if err != nil && res == nil {
		return nil, err
	}

	//If the status is 401 then we need to re-authenticate, otherwise it was successful
	if res.StatusCode == 401 {

		creds, err := getCredsForAPI(request)
		if err != nil {
			return nil, err
		}

		negotiateReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		challengeMessage, err := negotiate(negotiateReq, ntlmNegotiateMessage)
		if err != nil {
			return nil, err
		}

		challengeReq, err := cloneRequest(request)
		if err != nil {
			return nil, err
		}

		res, err := challenge(challengeReq, challengeMessage, creds)
		if err != nil {
			return nil, err
		}

		//If the status is 401 then we need to re-authenticate
		if res.StatusCode == 401 && retry == true {
			return DoNTLMRequest(challengeReq, false)
		}

		saveCredentials(creds, res)

		return res, nil
	}
	return res, nil
}

func negotiate(request *http.Request, message string) ([]byte, error) {
	request.Header.Add("Authorization", message)
	res, err := Config.HttpClient().Do(request)

	if res == nil && err != nil {
		return nil, err
	}

	io.Copy(ioutil.Discard, res.Body)
	res.Body.Close()

	ret, err := parseChallengeResponse(res)
	if err != nil {
		return nil, err
	}

	return ret, nil
}

func challenge(request *http.Request, challengeBytes []byte, creds Creds) (*http.Response, error) {
	challenge, err := ntlm.ParseChallengeMessage(challengeBytes)
	if err != nil {
		return nil, err
	}

	session, err := Config.ntlmClientSession(creds)
	if err != nil {
		return nil, err
	}

	session.ProcessChallengeMessage(challenge)
	authenticate, err := session.GenerateAuthenticateMessage()
	if err != nil {
		return nil, err
	}

	authMsg := base64.StdEncoding.EncodeToString(authenticate.Bytes())
	request.Header.Add("Authorization", "NTLM "+authMsg)
	return Config.HttpClient().Do(request)
}

func parseChallengeResponse(response *http.Response) ([]byte, error) {
	header := response.Header.Get("Www-Authenticate")
	if len(header) < 6 {
		return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)
	}

	//parse out the "NTLM " at the beginning of the response
	challenge := header[5:]
	val, err := base64.StdEncoding.DecodeString(challenge)

	if err != nil {
		return nil, err
	}
	return []byte(val), nil
}

func cloneRequest(request *http.Request) (*http.Request, error) {
	cloneReqBody, err := cloneRequestBody(request)
	if err != nil {
		return nil, err
	}

	clonedReq, err := http.NewRequest(request.Method, request.URL.String(), cloneReqBody)
	if err != nil {
		return nil, err
	}

	for k, _ := range request.Header {
		clonedReq.Header.Add(k, request.Header.Get(k))
	}

	clonedReq.TransferEncoding = request.TransferEncoding
	clonedReq.ContentLength = request.ContentLength

	return clonedReq, nil
}

func cloneRequestBody(req *http.Request) (io.ReadCloser, error) {
	if req.Body == nil {
		return nil, nil
	}

	buf, err := ioutil.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}

	req.Body = ioutil.NopCloser(bytes.NewBuffer(buf))
	return ioutil.NopCloser(bytes.NewBuffer(buf)), nil
}

const ntlmNegotiateMessage = "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`package lfs`

			`import (`
			`"bytes"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"encoding/base64"`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`"errors"`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`"fmt"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"io"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`"io/ioutil"`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00			`"net/http"`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`"strings"`
use a standard tracer msg when toggling the auth type 2015-11-06 17:53:56 +00:00
			`"github.com/github/git-lfs/vendor/_nuts/github.com/ThomsonReutersEikon/go-ntlm/ntlm"`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`)`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`func (c *Configuration) ntlmClientSession(creds Creds) (ntlm.ClientSession, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if c.ntlmSession != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return c.ntlmSession, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Adding Log To Split NTLM Domain and User 2015-10-05 19:38:16 +00:00			`splits := strings.Split(creds["username"], "\\")`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if len(splits) != 2 {`
Add NTLM Unit Tests 2015-10-16 15:06:17 +00:00			`errorMessage := fmt.Sprintf("Your user name must be of the form DOMAIN\\user. It is currently %s", creds["username"], "string")`
			`return nil, errors.New(errorMessage)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`session, err := ntlm.CreateClientSession(ntlm.Version2, ntlm.ConnectionOrientedMode)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Fix NTLM Domain Handling Logic 2015-10-05 19:55:24 +00:00			`session.SetUserInfo(splits[1], creds["password"], strings.ToUpper(splits[0]))`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`c.ntlmSession = session`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return session, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func DoNTLMRequest(request http.Request, retry bool) (http.Response, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`handReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
remove some unnecessary helper funcs 2015-11-06 18:20:27 +00:00			`res, err := Config.HttpClient().Do(handReq)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil && res == nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Git Lfs NTLM Work * Switched the NTLM toggle to use the same url access pattern as private batch auth * Updated the NTLM session to pull the credentials from the cred helper 2015-10-05 19:26:39 +00:00
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`//If the status is 401 then we need to re-authenticate, otherwise it was successful`
			`if res.StatusCode == 401 {`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`creds, err := getCredsForAPI(request)`
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`negotiateReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
a const works just fine here for now 2015-11-06 18:24:17 +00:00			`challengeMessage, err := negotiate(negotiateReq, ntlmNegotiateMessage)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`challengeReq, err := cloneRequest(request)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`res, err := challenge(challengeReq, challengeMessage, creds)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Clean Up Debugging Traces 2015-09-01 14:28:43 +00:00			`//If the status is 401 then we need to re-authenticate`
			`if res.StatusCode == 401 && retry == true {`
			`return DoNTLMRequest(challengeReq, false)`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`saveCredentials(creds, res)`

			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return res, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func negotiate(request *http.Request, message string) ([]byte, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`request.Header.Add("Authorization", message)`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`res, err := Config.HttpClient().Do(request)`

Formatting 2015-10-16 15:41:28 +00:00			`if res == nil && err != nil {`
Fix Stream Close Ordering Bug 2015-10-08 20:18:24 +00:00			`return nil, err`
			`}`

no need to defer here 2015-11-06 18:20:46 +00:00			`io.Copy(ioutil.Discard, res.Body)`
			`res.Body.Close()`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
no need to defer here 2015-11-06 18:20:46 +00:00			`ret, err := parseChallengeResponse(res)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Formatting 2015-10-16 15:41:28 +00:00			`return ret, nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func challenge(request http.Request, challengeBytes []byte, creds Creds) (http.Response, error) {`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`challenge, err := ntlm.ParseChallengeMessage(challengeBytes)`
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`session, err := Config.ntlmClientSession(creds)`
			`if err != nil {`
			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`session.ProcessChallengeMessage(challenge)`
			`authenticate, err := session.GenerateAuthenticateMessage()`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
remove some unnecessary helper funcs 2015-11-06 18:20:27 +00:00			`authMsg := base64.StdEncoding.EncodeToString(authenticate.Bytes())`
			`request.Header.Add("Authorization", "NTLM "+authMsg)`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return Config.HttpClient().Do(request)`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Fix Auth Tests 2015-10-07 20:54:23 +00:00			`func parseChallengeResponse(response *http.Response) ([]byte, error) {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`header := response.Header.Get("Www-Authenticate")`
protect against potential go panic 2015-11-06 18:20:35 +00:00			`if len(header) < 6 {`
			`return nil, fmt.Errorf("Invalid NTLM challenge response: %q", header)`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`//parse out the "NTLM " at the beginning of the response`
			`challenge := header[5:]`
			`val, err := base64.StdEncoding.DecodeString(challenge)`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
			`if err != nil {`
Response to PR Feedback 2015-10-07 18:30:53 +00:00			`return nil, err`
			`}`
			`return []byte(val), nil`
NTLM Toggle Switch and Basic Challenge/Response Code 2015-08-27 20:38:35 +00:00			`}`

Response to PR Feedback 2015-10-07 18:30:53 +00:00			`func cloneRequest(request http.Request) (http.Request, error) {`
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`cloneReqBody, err := cloneRequestBody(request)`
			`if err != nil {`
			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`clonedReq, err := http.NewRequest(request.Method, request.URL.String(), cloneReqBody)`
			`if err != nil {`
			`return nil, err`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`for k, _ := range request.Header {`
			`clonedReq.Header.Add(k, request.Header.Get(k))`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
clone the transfer encoding property 2015-11-06 19:31:16 +00:00			`clonedReq.TransferEncoding = request.TransferEncoding`
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`clonedReq.ContentLength = request.ContentLength`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`return clonedReq, nil`
			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`func cloneRequestBody(req *http.Request) (io.ReadCloser, error) {`
			`if req.Body == nil {`
			`return nil, nil`
NTLM Fetch 2015-08-31 18:34:17 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`buf, err := ioutil.ReadAll(req.Body)`
			`if err != nil {`
			`return nil, err`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`
Fix Auth Tests 2015-10-07 20:54:23 +00:00
extract cloneRequestBody() 2015-11-06 18:49:13 +00:00			`req.Body = ioutil.NopCloser(bytes.NewBuffer(buf))`
			`return ioutil.NopCloser(bytes.NewBuffer(buf)), nil`
NTLM Push 2015-08-28 20:40:41 +00:00			`}`

a const works just fine here for now 2015-11-06 18:24:17 +00:00			`const ntlmNegotiateMessage = "NTLM TlRMTVNTUAABAAAAB7IIogwADAAzAAAACwALACgAAAAKAAAoAAAAD1dJTExISS1NQUlOTk9SVEhBTUVSSUNB"`