diff --git a/accounts/pkg/service/v0/accounts.go b/accounts/pkg/service/v0/accounts.go index 2d88c313f4..6627e3e358 100644 --- a/accounts/pkg/service/v0/accounts.go +++ b/accounts/pkg/service/v0/accounts.go @@ -2,7 +2,9 @@ package service import ( "context" + "crypto/sha256" "fmt" + "github.com/owncloud/ocis/ocis-pkg/cache" "golang.org/x/crypto/bcrypt" "path" "regexp" @@ -32,6 +34,12 @@ import ( // accLock mutually exclude readers from writers on account files var accLock sync.Mutex +// passwordValidCache caches basic auth password validations +var passwordValidCache = cache.NewCache(cache.Size(1024)) + +// passwordValidCacheExpiration defines the entry lifetime +const passwordValidCacheExpiration = 10 * time.Minute + // an auth request is currently hardcoded and has to match this regex // login eq \"teddy\" and password eq \"F&1!b90t111!\" var authQuery = regexp.MustCompile(`^login eq '(.*)' and password eq '(.*)'$`) // TODO how is ' escaped in the password? @@ -128,7 +136,6 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest teardownServiceUser := s.serviceUserToIndex() defer teardownServiceUser() - match, authRequest := getAuthQueryMatch(in.Query) if authRequest { password := match[2] @@ -152,9 +159,22 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest if err != nil || a.PasswordProfile == nil || len(a.PasswordProfile.Password) == 0 { return merrors.Unauthorized(s.id, "account not found or invalid credentials") } - if !isPasswordValid(s.log, a.PasswordProfile.Password, password) { - return merrors.Unauthorized(s.id, "account not found or invalid credentials") + + h := sha256.New() + h.Write([]byte(a.PasswordProfile.Password)) + + k := fmt.Sprintf("%x", h.Sum([]byte(password))) + + if hit := passwordValidCache.Get(k); hit == nil || !hit.V.(bool) { + var ok bool + + if ok = isPasswordValid(s.log, a.PasswordProfile.Password, password); !ok { + return merrors.Unauthorized(s.id, "account not found or invalid credentials") + } + + passwordValidCache.Set(k, ok, time.Now().Add(passwordValidCacheExpiration)) } + a.PasswordProfile.Password = "" out.Accounts = []*proto.Account{a} return nil diff --git a/changelog/unreleased/proxy-cache-basic-auth.md b/changelog/unreleased/proxy-cache-basic-auth.md deleted file mode 100644 index b7c6ff87c9..0000000000 --- a/changelog/unreleased/proxy-cache-basic-auth.md +++ /dev/null @@ -1,8 +0,0 @@ -Enhancement: Cache basic auth account id in proxy - -Tags: proxy - -The basic auth middleware now caches account ids. The entry cache gets invalidated after 10 Minutes. -This is useful for scenarios where a lot of basic auth requests with the same username and password happens, for example tests. - -https://github.com/owncloud/ocis/pull/958 diff --git a/proxy/pkg/cache/cache.go b/ocis-pkg/cache/cache.go similarity index 100% rename from proxy/pkg/cache/cache.go rename to ocis-pkg/cache/cache.go diff --git a/proxy/pkg/cache/option.go b/ocis-pkg/cache/option.go similarity index 100% rename from proxy/pkg/cache/option.go rename to ocis-pkg/cache/option.go diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go index 19f0a63e44..22c894a41f 100644 --- a/proxy/pkg/middleware/basic_auth.go +++ b/proxy/pkg/middleware/basic_auth.go @@ -1,13 +1,10 @@ package middleware import ( - "crypto/sha1" "fmt" - "github.com/owncloud/ocis/proxy/pkg/cache" "net/http" "strings" "sync" - "time" accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0" "github.com/owncloud/ocis/ocis-pkg/log" @@ -21,7 +18,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler { options := newOptions(optionSetters...) logger := options.Logger oidcIss := options.OIDCIss - accountsCache := cache.NewCache(cache.Size(5000)) + if options.EnableBasicAuth { options.Logger.Warn().Msg("basic auth enabled, use only for testing or development") } @@ -30,7 +27,6 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler { logger: logger, enabled: options.EnableBasicAuth, accountsClient: options.AccountsClient, - accountsCache: &accountsCache, } return func(next http.Handler) http.Handler { @@ -63,7 +59,6 @@ type basicAuth struct { logger log.Logger enabled bool accountsClient accounts.AccountsService - accountsCache *cache.Cache m sync.Mutex } @@ -80,38 +75,17 @@ func (m *basicAuth) isBasicAuth(req *http.Request) bool { } func (m *basicAuth) getAccount(req *http.Request) (*accounts.Account, bool) { - var ok bool - var hit *cache.Entry - login, password, _ := req.BasicAuth() - h := sha1.New() - h.Write([]byte(login)) + account, status := getAccount( + m.logger, + m.accountsClient, + fmt.Sprintf( + "login eq '%s' and password eq '%s'", + strings.ReplaceAll(login, "'", "''"), + strings.ReplaceAll(password, "'", "''"), + ), + ) - lookup := fmt.Sprintf("%x", h.Sum([]byte(password))) - - m.m.Lock() - defer m.m.Unlock() - - if hit = m.accountsCache.Get(lookup); hit == nil { - account, status := getAccount( - m.logger, - m.accountsClient, - fmt.Sprintf( - "login eq '%s' and password eq '%s'", - strings.ReplaceAll(login, "'", "''"), - strings.ReplaceAll(password, "'", "''"), - ), - ) - - if ok = status == 0; ok { - m.accountsCache.Set(lookup, account, time.Now().Add(10*time.Minute)) - } - - return account, ok - } - - account, ok := hit.V.(*accounts.Account) - - return account, ok + return account, status == 0 } diff --git a/proxy/pkg/middleware/oidc_auth.go b/proxy/pkg/middleware/oidc_auth.go index de44511e7d..2033d0fa5c 100644 --- a/proxy/pkg/middleware/oidc_auth.go +++ b/proxy/pkg/middleware/oidc_auth.go @@ -10,9 +10,9 @@ import ( "github.com/dgrijalva/jwt-go" gOidc "github.com/coreos/go-oidc" + "github.com/owncloud/ocis/ocis-pkg/cache" "github.com/owncloud/ocis/ocis-pkg/log" "github.com/owncloud/ocis/ocis-pkg/oidc" - "github.com/owncloud/ocis/proxy/pkg/cache" "golang.org/x/oauth2" )