auth.go

     1  // Copyright 2019 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package auth provides access to user-provided authentication credentials.
     6  package auth
     7  
     8  import (
     9  	"cmd/go/internal/base"
    10  	"cmd/go/internal/cfg"
    11  	"fmt"
    12  	"log"
    13  	"net/http"
    14  	"os"
    15  	"path/filepath"
    16  	"slices"
    17  	"strings"
    18  	"sync"
    19  )
    20  
    21  var (
    22  	credentialCache sync.Map // prefix → http.Header
    23  	authOnce        sync.Once
    24  )
    25  
    26  // AddCredentials populates the request header with the user's credentials
    27  // as specified by the GOAUTH environment variable.
    28  // It returns whether any matching credentials were found.
    29  // req must use HTTPS or this function will panic.
    30  // res is used for the custom GOAUTH command's stdin.
    31  func AddCredentials(client *http.Client, req *http.Request, res *http.Response, url string) bool {
    32  	if req.URL.Scheme != "https" {
    33  		panic("GOAUTH called without https")
    34  	}
    35  	if cfg.GOAUTH == "off" {
    36  		return false
    37  	}
    38  	// Run all GOAUTH commands at least once.
    39  	authOnce.Do(func() {
    40  		runGoAuth(client, res, "")
    41  	})
    42  	if url != "" {
    43  		// First fetch must have failed; re-invoke GOAUTH commands with url.
    44  		runGoAuth(client, res, url)
    45  	}
    46  	return loadCredential(req, req.URL.String())
    47  }
    48  
    49  // runGoAuth executes authentication commands specified by the GOAUTH
    50  // environment variable handling 'off', 'netrc', and 'git' methods specially,
    51  // and storing retrieved credentials for future access.
    52  func runGoAuth(client *http.Client, res *http.Response, url string) {
    53  	var cmdErrs []error // store GOAUTH command errors to log later.
    54  	goAuthCmds := strings.Split(cfg.GOAUTH, ";")
    55  	// The GOAUTH commands are processed in reverse order to prioritize
    56  	// credentials in the order they were specified.
    57  	slices.Reverse(goAuthCmds)
    58  	for _, command := range goAuthCmds {
    59  		command = strings.TrimSpace(command)
    60  		words := strings.Fields(command)
    61  		if len(words) == 0 {
    62  			base.Fatalf("go: GOAUTH encountered an empty command (GOAUTH=%s)", cfg.GOAUTH)
    63  		}
    64  		switch words[0] {
    65  		case "off":
    66  			if len(goAuthCmds) != 1 {
    67  				base.Fatalf("go: GOAUTH=off cannot be combined with other authentication commands (GOAUTH=%s)", cfg.GOAUTH)
    68  			}
    69  			return
    70  		case "netrc":
    71  			lines, err := readNetrc()
    72  			if err != nil {
    73  				cmdErrs = append(cmdErrs, fmt.Errorf("GOAUTH=%s: %v", command, err))
    74  				continue
    75  			}
    76  			// Process lines in reverse so that if the same machine is listed
    77  			// multiple times, we end up saving the earlier one
    78  			// (overwriting later ones). This matches the way the go command
    79  			// worked before GOAUTH.
    80  			for i := len(lines) - 1; i >= 0; i-- {
    81  				l := lines[i]
    82  				r := http.Request{Header: make(http.Header)}
    83  				r.SetBasicAuth(l.login, l.password)
    84  				storeCredential(l.machine, r.Header)
    85  			}
    86  		case "git":
    87  			if len(words) != 2 {
    88  				base.Fatalf("go: GOAUTH=git dir method requires an absolute path to the git working directory")
    89  			}
    90  			dir := words[1]
    91  			if !filepath.IsAbs(dir) {
    92  				base.Fatalf("go: GOAUTH=git dir method requires an absolute path to the git working directory, dir is not absolute")
    93  			}
    94  			fs, err := os.Stat(dir)
    95  			if err != nil {
    96  				base.Fatalf("go: GOAUTH=git encountered an error; cannot stat %s: %v", dir, err)
    97  			}
    98  			if !fs.IsDir() {
    99  				base.Fatalf("go: GOAUTH=git dir method requires an absolute path to the git working directory, dir is not a directory")
   100  			}
   101  
   102  			if url == "" {
   103  				// Skip the initial GOAUTH run since we need to provide an
   104  				// explicit url to runGitAuth.
   105  				continue
   106  			}
   107  			prefix, header, err := runGitAuth(client, dir, url)
   108  			if err != nil {
   109  				// Save the error, but don't print it yet in case another
   110  				// GOAUTH command might succeed.
   111  				cmdErrs = append(cmdErrs, fmt.Errorf("GOAUTH=%s: %v", command, err))
   112  			} else {
   113  				storeCredential(prefix, header)
   114  			}
   115  		default:
   116  			credentials, err := runAuthCommand(command, url, res)
   117  			if err != nil {
   118  				// Save the error, but don't print it yet in case another
   119  				// GOAUTH command might succeed.
   120  				cmdErrs = append(cmdErrs, fmt.Errorf("GOAUTH=%s: %v", command, err))
   121  				continue
   122  			}
   123  			for prefix := range credentials {
   124  				storeCredential(prefix, credentials[prefix])
   125  			}
   126  		}
   127  	}
   128  	// If no GOAUTH command provided a credential for the given url
   129  	// and an error occurred, log the error.
   130  	if cfg.BuildX && url != "" {
   131  		req := &http.Request{Header: make(http.Header)}
   132  		if ok := loadCredential(req, url); !ok && len(cmdErrs) > 0 {
   133  			log.Printf("GOAUTH encountered errors for %s:", url)
   134  			for _, err := range cmdErrs {
   135  				log.Printf("  %v", err)
   136  			}
   137  		}
   138  	}
   139  }
   140  
   141  // loadCredential retrieves cached credentials for the given url and adds
   142  // them to the request headers.
   143  func loadCredential(req *http.Request, url string) bool {
   144  	currentPrefix := strings.TrimPrefix(url, "https://")
   145  	// Iteratively try prefixes, moving up the path hierarchy.
   146  	for {
   147  		headers, ok := credentialCache.Load(currentPrefix)
   148  		if !ok {
   149  			currentPrefix, _, ok = strings.Cut(currentPrefix, "/")
   150  			if !ok {
   151  				return false
   152  			}
   153  			continue
   154  		}
   155  		for key, values := range headers.(http.Header) {
   156  			for _, value := range values {
   157  				req.Header.Add(key, value)
   158  			}
   159  		}
   160  		return true
   161  	}
   162  }
   163  
   164  // storeCredential caches or removes credentials (represented by HTTP headers)
   165  // associated with given URL prefixes.
   166  func storeCredential(prefix string, header http.Header) {
   167  	// Trim "https://" prefix to match the format used in .netrc files.
   168  	prefix = strings.TrimPrefix(prefix, "https://")
   169  	if len(header) == 0 {
   170  		credentialCache.Delete(prefix)
   171  	} else {
   172  		credentialCache.Store(prefix, header)
   173  	}
   174  }
   175
View as plain text