Skip to content

Commit

Permalink
disable Basic Auth to remove dependency on deprecated crypt library
Browse files Browse the repository at this point in the history
  • Loading branch information
peterbecich committed Jan 16, 2023
1 parent 7a1b0c4 commit b6080f3
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 53 deletions.
3 changes: 0 additions & 3 deletions hackage-server.cabal
Original file line number Diff line number Diff line change
Expand Up @@ -441,9 +441,6 @@ library lib-server
if flag(cabal-parsers)
build-depends: cabal-parsers ^>= 0

if !os(darwin)
extra-libraries: crypt

----------------------------------------------------------------------------

common exe-defaults
Expand Down
55 changes: 5 additions & 50 deletions src/Distribution/Server/Features/LegacyPasswds/Auth.hs
Original file line number Diff line number Diff line change
Expand Up @@ -8,21 +8,14 @@ module Distribution.Server.Features.LegacyPasswds.Auth (
import Distribution.Server.Framework.AuthTypes
import Distribution.Server.Framework.Error
import Distribution.Server.Framework.MemSize
import Distribution.Server.Users.Types (UserId, UserName(..), UserInfo)
import Distribution.Server.Users.Types (UserId, UserInfo)
import qualified Distribution.Server.Users.Users as Users
import Distribution.Server.Framework.AuthCrypt (BasicAuthInfo(..))

import Happstack.Server

import qualified Data.ByteString.Base64 as Base64
import Control.Monad
import Data.SafeCopy (base, deriveSafeCopy)
import Data.Typeable (Typeable)

import Foreign.C.String
import System.IO.Unsafe (unsafePerformIO)
import Control.Concurrent.MVar (MVar, newMVar, withMVar)

import qualified Data.ByteString.Char8 as BS -- TODO: Verify that we don't need to worry about UTF8 here

---------------------------
Expand All @@ -42,24 +35,6 @@ newtype HtPasswdHash = HtPasswdHash String

$(deriveSafeCopy 0 'base ''HtPasswdHash)

checkCryptAuthInfo :: HtPasswdHash -> BasicAuthInfo -> Bool
checkCryptAuthInfo (HtPasswdHash hash) (BasicAuthInfo _ _ (PasswdPlain passwd))
= crypt passwd hash == hash

foreign import ccall unsafe "crypt" cCrypt :: CString-> CString -> CString

crypt :: String -- ^ Payload
-> String -- ^ Salt
-> String -- ^ Hash
crypt key seed = unsafePerformIO $ withMVar cryptMVar $ \_ -> do
k <- newCAString key
s <- newCAString seed
peekCAString $ cCrypt k s

cryptMVar :: MVar ()
cryptMVar = unsafePerformIO $ newMVar ()
{-# NOINLINE cryptMVar #-}

--------------------
-- HTTP Basic auth
--
Expand All @@ -83,32 +58,12 @@ guardAuthenticated realm users getHtPasswdHash = do
| otherwise
= Nothing

-- basic auth is deprecated:
-- https://github.com/haskell/hackage-server/issues/1153#issuecomment-1370308832
checkBasicAuth :: Users.Users -> (UserId -> Maybe HtPasswdHash) -> RealmName -> BS.ByteString
-> Either AuthError (UserId, UserInfo, PasswdPlain)
checkBasicAuth users getHtPasswdHash realm ahdr = do
authInfo <- getBasicAuthInfo realm ahdr ?! UnrecognizedAuthError
let uname = basicUsername authInfo
(uid, uinfo) <- Users.lookupUserName uname users ?! NoSuchUserError
passwdhash <- getHtPasswdHash uid ?! NoSuchUserError
guard (checkCryptAuthInfo passwdhash authInfo) ?! PasswordMismatchError
return (uid, uinfo, basicPasswd authInfo)

getBasicAuthInfo :: RealmName -> BS.ByteString -> Maybe BasicAuthInfo
getBasicAuthInfo realm authHeader
| Just (username, pass) <- splitHeader authHeader
= Just BasicAuthInfo {
basicRealm = realm,
basicUsername = UserName username,
basicPasswd = PasswdPlain pass
}
| otherwise = Nothing
where
splitHeader h = case Base64.decode h of
Left _ -> Nothing
Right xs ->
case break (':' ==) $ BS.unpack xs of
(username, ':' : pass) -> Just (username, pass)
_ -> Nothing
checkBasicAuth _ _ _ _ =
Left UnrecognizedAuthError

setBasicAuthChallenge :: RealmName -> ServerPartE ()
setBasicAuthChallenge (RealmName realmName) = do
Expand Down

0 comments on commit b6080f3

Please sign in to comment.