From 68e3119bf48b34821bdb62a7380e65be989f0f03 Mon Sep 17 00:00:00 2001 From: Peter Becich Date: Sun, 15 Jan 2023 19:30:13 -0800 Subject: [PATCH] disable Basic Auth to remove dependency on deprecated `crypt` library https://github.com/haskell/hackage-server/issues/1153#issuecomment-1370308832 --- hackage-server.cabal | 3 - .../Server/Features/LegacyPasswds/Auth.hs | 55 ++----------------- 2 files changed, 5 insertions(+), 53 deletions(-) diff --git a/hackage-server.cabal b/hackage-server.cabal index e1e752959..715b92fcf 100644 --- a/hackage-server.cabal +++ b/hackage-server.cabal @@ -444,9 +444,6 @@ library lib-server if flag(cabal-parsers) build-depends: cabal-parsers ^>= 0 - if !os(darwin) - extra-libraries: crypt - ---------------------------------------------------------------------------- common exe-defaults diff --git a/src/Distribution/Server/Features/LegacyPasswds/Auth.hs b/src/Distribution/Server/Features/LegacyPasswds/Auth.hs index 931636507..ad848d9a1 100644 --- a/src/Distribution/Server/Features/LegacyPasswds/Auth.hs +++ b/src/Distribution/Server/Features/LegacyPasswds/Auth.hs @@ -8,21 +8,14 @@ module Distribution.Server.Features.LegacyPasswds.Auth ( import Distribution.Server.Framework.AuthTypes import Distribution.Server.Framework.Error import Distribution.Server.Framework.MemSize -import Distribution.Server.Users.Types (UserId, UserName(..), UserInfo) +import Distribution.Server.Users.Types (UserId, UserInfo) import qualified Distribution.Server.Users.Users as Users -import Distribution.Server.Framework.AuthCrypt (BasicAuthInfo(..)) import Happstack.Server -import qualified Data.ByteString.Base64 as Base64 -import Control.Monad import Data.SafeCopy (base, deriveSafeCopy) import Data.Typeable (Typeable) -import Foreign.C.String -import System.IO.Unsafe (unsafePerformIO) -import Control.Concurrent.MVar (MVar, newMVar, withMVar) - import qualified Data.ByteString.Char8 as BS -- TODO: Verify that we don't need to worry about UTF8 here --------------------------- @@ -42,24 +35,6 @@ newtype HtPasswdHash = HtPasswdHash String $(deriveSafeCopy 0 'base ''HtPasswdHash) -checkCryptAuthInfo :: HtPasswdHash -> BasicAuthInfo -> Bool -checkCryptAuthInfo (HtPasswdHash hash) (BasicAuthInfo _ _ (PasswdPlain passwd)) - = crypt passwd hash == hash - -foreign import ccall unsafe "crypt" cCrypt :: CString-> CString -> CString - -crypt :: String -- ^ Payload - -> String -- ^ Salt - -> String -- ^ Hash -crypt key seed = unsafePerformIO $ withMVar cryptMVar $ \_ -> do - k <- newCAString key - s <- newCAString seed - peekCAString $ cCrypt k s - -cryptMVar :: MVar () -cryptMVar = unsafePerformIO $ newMVar () -{-# NOINLINE cryptMVar #-} - -------------------- -- HTTP Basic auth -- @@ -83,32 +58,12 @@ guardAuthenticated realm users getHtPasswdHash = do | otherwise = Nothing +-- basic auth is deprecated: +-- https://github.com/haskell/hackage-server/issues/1153#issuecomment-1370308832 checkBasicAuth :: Users.Users -> (UserId -> Maybe HtPasswdHash) -> RealmName -> BS.ByteString -> Either AuthError (UserId, UserInfo, PasswdPlain) -checkBasicAuth users getHtPasswdHash realm ahdr = do - authInfo <- getBasicAuthInfo realm ahdr ?! UnrecognizedAuthError - let uname = basicUsername authInfo - (uid, uinfo) <- Users.lookupUserName uname users ?! NoSuchUserError - passwdhash <- getHtPasswdHash uid ?! NoSuchUserError - guard (checkCryptAuthInfo passwdhash authInfo) ?! PasswordMismatchError - return (uid, uinfo, basicPasswd authInfo) - -getBasicAuthInfo :: RealmName -> BS.ByteString -> Maybe BasicAuthInfo -getBasicAuthInfo realm authHeader - | Just (username, pass) <- splitHeader authHeader - = Just BasicAuthInfo { - basicRealm = realm, - basicUsername = UserName username, - basicPasswd = PasswdPlain pass - } - | otherwise = Nothing - where - splitHeader h = case Base64.decode h of - Left _ -> Nothing - Right xs -> - case break (':' ==) $ BS.unpack xs of - (username, ':' : pass) -> Just (username, pass) - _ -> Nothing +checkBasicAuth _ _ _ _ = + Left UnrecognizedAuthError setBasicAuthChallenge :: RealmName -> ServerPartE () setBasicAuthChallenge (RealmName realmName) = do