From 37cfb0e1796badf301d83dc5e50377ad24825a66 Mon Sep 17 00:00:00 2001
From: till
Date: Fri, 26 Apr 2024 15:21:39 +0200
Subject: [PATCH 1/3] Fix(auth): use crypto/subtle to compare strings

Related: #37

Signed-off-by: till
---
 gateway/middleware.go | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/gateway/middleware.go b/gateway/middleware.go
index d6b2469..e8d9340 100644
--- a/gateway/middleware.go
+++ b/gateway/middleware.go
@@ -1,6 +1,7 @@
 package gateway
 
 import (
+	"crypto/subtle"
 	"net/http"
 
 	"github.com/cortexproject/auth-gateway/middleware"
@@ -53,14 +54,21 @@ func (tenant *Tenant) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
 
-	if tenant.Username == username {
-		if tenant.Password == password {
-			r.Header.Set("X-Scope-OrgID", tenant.ID)
-			return true
-		} else {
-			return false
-		}
+	if !tenant.saveCompare(username, password) {
+		return false
 	}
+	r.Header.Set("X-Scope-OrgID", tenant.ID)
+
+	return true
+}
+
+// attempt to mitigate timing attacks
+func (tenant *Tenant) saveCompare(username, password string) bool {
+	userNameCheck := subtle.ConstantTimeCompare([]byte(tenant.Username), []byte(username))
+	passwordCheck := subtle.ConstantTimeCompare([]byte(tenant.Password), []byte(password))
+	if userNameCheck == 1 && passwordCheck == 1 {
+		return true
+	}
 
 	return false
 }

From 6fa89902f89da113da4035b3223c026061efc6ad Mon Sep 17 00:00:00 2001
From: till
Date: Fri, 26 Apr 2024 16:09:12 +0200
Subject: [PATCH 2/3] Update(gateway): support passthrough

For: #36

Signed-off-by: till
---
 gateway/config.go | 1 +
 gateway/gateway_test.go | 31 +++++++++++++++++++++++++++++++
 gateway/middleware.go | 4 +++-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/gateway/config.go b/gateway/config.go
index 4b9f0a7..aa23c5c 100644
--- a/gateway/config.go
+++ b/gateway/config.go
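Review bot: `saveCompare` still leaks the length of the configured username and password: `subtle.ConstantTimeCompare` returns 0 immediately when its two arguments differ in length, so a wrong-length guess is answered measurably faster than a right-length one. The usual fix is to compare fixed-size digests of both sides so the constant-time compare always sees 32-byte inputs; that needs `"crypto/sha256"` added next to `"crypto/subtle"` in the import hunk of this same file. The name looks like a typo for `safeCompare`, and the doc comment should follow Go convention and start with the function name, e.g. `// saveCompare reports whether username and password match the tenant's configured credentials without revealing where a mismatch occurs.` The `if … return true; return false` tail can become `return userNameCheck == 1 && passwordCheck == 1`, which keeps both compares evaluated before the result is combined.
```go
// … unchanged: basicAuth …

// saveCompare reports whether username and password match the tenant's
// configured credentials. Both sides are hashed first so the constant-time
// compare always sees equal-length inputs and cannot reveal the stored
// credential's length through timing.
func (tenant *Tenant) saveCompare(username, password string) bool {
	wantUser := sha256.Sum256([]byte(tenant.Username))
	gotUser := sha256.Sum256([]byte(username))
	wantPass := sha256.Sum256([]byte(tenant.Password))
	gotPass := sha256.Sum256([]byte(password))
	userOK := subtle.ConstantTimeCompare(wantUser[:], gotUser[:]) == 1
	passOK := subtle.ConstantTimeCompare(wantPass[:], gotPass[:]) == 1
	return userOK && passOK
}
```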
@@ -40,6 +40,7 @@ type Tenant struct {
 	Username string `yaml:"username"`
 	Password string `yaml:"password"`
 	ID string `yaml:"id"`
+	Passthrough bool `yaml:"passthrough"`
 }
 
 func Init(filePath string) (Config, error) {
diff --git a/gateway/gateway_test.go b/gateway/gateway_test.go
index 866c15e..7c2dd1b 100644
--- a/gateway/gateway_test.go
+++ b/gateway/gateway_test.go
@@ -69,6 +69,7 @@ func TestStartGateway(t *testing.T) {
 	testCases := []struct {
 		name string
 		authHeader string
+		orgID string
 		config *Config
 		paths []string
 		expectedStatus int
@@ -220,6 +221,31 @@ func TestStartGateway(t *testing.T) {
 			authHeader: "Basic " + base64.StdEncoding.EncodeToString([]byte("username:password")),
 			expectedStatus: http.StatusOK,
 		},
+		{
+			name: "passthrough config",
+			config: &Config{
+				Tenants: []Tenant{
+					{
+						Authentication: "basic",
+						Username: "username",
+						Password: "password",
+						Passthrough: true,
+					},
+				},
+				Distributor: Upstream{
+					URL: distributorServer.URL,
+					Paths: []string{
+						"/test/distributor",
+					},
+				},
+			},
+			paths: []string{
+				"/test/distributor",
+			},
+			authHeader: "Basic " + base64.StdEncoding.EncodeToString([]byte("username:password")),
+			orgID: "orgID",
+			expectedStatus: http.StatusOK,
+		},
 		{
 			name: "not found route",
 			config: &Config{
@@ -348,6 +374,11 @@ func TestStartGateway(t *testing.T) {
 		for _, path := range tc.paths {
 			req, _ := http.NewRequest("GET", mockServer.URL+path, nil)
 			req.Header.Set("Authorization", tc.authHeader)
+
+			if tc.orgID != "" {
+				req.Header.Set("X-Scope-OrgID", tc.orgID)
+			}
+
 			resp, err := client.Do(req)
 			if err != nil {
 				t.Fatal(err)
diff --git a/gateway/middleware.go b/gateway/middleware.go
index e8d9340..97f189a 100644
--- a/gateway/middleware.go
+++ b/gateway/middleware.go
@@ -58,7 +58,9 @@ func (tenant *Tenant) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
-	r.Header.Set("X-Scope-OrgID", tenant.ID)
+	if !tenant.Passthrough {
+		r.Header.Set("X-Scope-OrgID", tenant.ID)
+	}
 
 	return true
 }
 
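Review bot: The new `Passthrough` field has no doc comment, and its effect is security-relevant: when set, the gateway stops stamping `tenant.ID` into `X-Scope-OrgID` and forwards whatever org ID the authenticated client supplied (see the middleware.go hunk in this patch). A comment on the field should say so, e.g. `// Passthrough forwards the client's X-Scope-OrgID header unchanged instead of overwriting it with ID; any client holding this tenant's credentials can then name any org ID.` The struct's other fields lie outside the hunk, so I cannot see whether they follow a documentation style this should match.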
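Review bot: The `passthrough config` case only expects `http.StatusOK`, so it cannot tell whether the `X-Scope-OrgID: orgID` it sends reaches the distributor unchanged or is overwritten by `tenant.ID`; as written it would pass even if passthrough had no effect. Capturing the header the mock distributor receives and asserting it equals `tc.orgID` for this case (and `tenant.ID` for the non-passthrough cases) would pin the behaviour this commit adds. The response assertions sit further down in `TestStartGateway`, outside this hunk, so an existing header check may not be visible here.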
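Review bot: With `Passthrough` set, a request that carries no `X-Scope-OrgID` is now forwarded with no org ID at all, and one that carries the header is forwarded with whatever value the client chose, so basic auth still identifies the tenant but no longer constrains which org the request is attributed to. If the intent is only to let a trusted client choose among its orgs, consider keeping the configured ID as the default when the header is absent, `if !tenant.Passthrough || r.Header.Get("X-Scope-OrgID") == "" { r.Header.Set("X-Scope-OrgID", tenant.ID) }`, and stating in the `Passthrough` field's doc comment that the org choice is delegated to the client. The start of `basicAuth` is outside the hunk.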
From a025a3ebb1fee9aa6d252049e0f2831873d68a3e Mon Sep 17 00:00:00 2001
From: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Date: Sun, 9 Jun 2024 23:28:46 -0700
Subject: [PATCH 3/3] Update gateway/middleware.go

---
 gateway/middleware.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/gateway/middleware.go b/gateway/middleware.go
index 7a45e1e..b46db5f 100644
--- a/gateway/middleware.go
+++ b/gateway/middleware.go
@@ -61,7 +61,6 @@ func (tenant *Tenant) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 	if !tenant.Passthrough {
 		r.Header.Set("X-Scope-OrgID", tenant.ID)
 	}
-	r.Header.Set("X-Scope-OrgID", tenant.ID)
 
 	return true
 }