Add path exclusion support to BasicAuth authentication

Signed-off-by: Kacper Rzetelski <[email protected]>

Author: rzetelskik

docs/web-configuration.md

@@ -125,6 +125,10 @@ http_server_config:
 # required. Passwords are hashed with bcrypt.
 basic_auth_users:
   [ <string>: <secret> ... ]
+  
+# A list of HTTP paths to be excepted from authentication.
+auth_excluded_paths:
+[ - <string> ]
 ```
 
 [A sample configuration file](web-config.yml) is provided.

web/authentication/authenticator.go

@@ -0,0 +1,48 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authentication
+
+import (
+	"log/slog"
+	"net/http"
+)
+
+type Authenticator interface {
+	Authenticate(*http.Request) (bool, string, error)
+}
+
+type AuthenticatorFunc func(r *http.Request) (bool, string, error)
+
+func (f AuthenticatorFunc) Authenticate(r *http.Request) (bool, string, error) {
+	return f(r)
+}
+
+func WithAuthentication(handler http.Handler, authenticator Authenticator, logger *slog.Logger) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ok, reason, err := authenticator.Authenticate(r)
+		if err != nil {
+			logger.Error("Unable to authenticate", "URI", r.RequestURI, "err", err.Error())
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+
+		if ok {
+			handler.ServeHTTP(w, r)
+			return
+		}
+
+		logger.Warn("Unauthenticated request", "URI", r.RequestURI, "reason", reason)
+		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+	})
+}

web/authentication/authenticator_test.go

@@ -0,0 +1,78 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authentication
+
+import (
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/prometheus/exporter-toolkit/web/authentication/testhelpers"
+)
+
+func TestWithAuthentication(t *testing.T) {
+	t.Parallel()
+
+	logger := testhelpers.NewNoOpLogger()
+
+	tt := []struct {
+		Name               string
+		Authenticator      Authenticator
+		ExpectedStatusCode int
+	}{
+		{
+			Name: "Accepting authenticator",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, error) {
+				return true, "", nil
+			}),
+			ExpectedStatusCode: http.StatusOK,
+		},
+		{
+			Name: "Denying authenticator",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, error) {
+				return false, "", nil
+			}),
+			ExpectedStatusCode: http.StatusUnauthorized,
+		},
+		{
+			Name: "Erroring authenticator",
+			Authenticator: AuthenticatorFunc(func(_ *http.Request) (bool, string, error) {
+				return false, "", errors.New("error authenticating")
+			}),
+			ExpectedStatusCode: http.StatusInternalServerError,
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			req := testhelpers.MakeDefaultRequest(t)
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			rr := httptest.NewRecorder()
+			authHandler := WithAuthentication(handler, tc.Authenticator, logger)
+			authHandler.ServeHTTP(rr, req)
+			got := rr.Result()
+
+			if tc.ExpectedStatusCode != got.StatusCode {
+				t.Errorf("Expected status code %q, got %q", tc.ExpectedStatusCode, got.Status)
+			}
+		})
+	}
+}

web/authentication/basicauth/basicauth.go

@@ -0,0 +1,84 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basicauth
+
+import (
+	"encoding/hex"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/prometheus/common/config"
+	"github.com/prometheus/exporter-toolkit/web/authentication"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type BasicAuthAuthenticator struct {
+	users map[string]config.Secret
+
+	cache *cache
+	// bcryptMtx is there to ensure that bcrypt.CompareHashAndPassword is run
+	// only once in parallel as this is CPU intensive.
+	bcryptMtx sync.Mutex
+}
+
+func (b *BasicAuthAuthenticator) Authenticate(r *http.Request) (bool, string, error) {
+	user, pass, auth := r.BasicAuth()
+
+	if !auth {
+		return false, "No credentials in request", nil
+	}
+
+	hashedPassword, validUser := b.users[user]
+
+	if !validUser {
+		// The user is not found. Use a fixed password hash to
+		// prevent user enumeration by timing requests.
+		// This is a bcrypt-hashed version of "fakepassword".
+		hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
+	}
+
+	cacheKey := strings.Join(
+		[]string{
+			hex.EncodeToString([]byte(user)),
+			hex.EncodeToString([]byte(hashedPassword)),
+			hex.EncodeToString([]byte(pass)),
+		}, ":")
+	authOk, ok := b.cache.get(cacheKey)
+
+	if !ok {
+		// This user, hashedPassword, password is not cached.
+		b.bcryptMtx.Lock()
+		err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
+		b.bcryptMtx.Unlock()
+
+		authOk = validUser && err == nil
+		b.cache.set(cacheKey, authOk)
+	}
+
+	if authOk && validUser {
+		return true, "", nil
+	}
+
+	return false, "Invalid credentials", nil
+}
+
+func NewBasicAuthAuthenticator(users map[string]config.Secret) authentication.Authenticator {
+	return &BasicAuthAuthenticator{
+		cache: newCache(),
+		users: users,
+	}
+}
+
+var _ authentication.Authenticator = &BasicAuthAuthenticator{}