Add Chef package registry (#22554)

This PR implements a [Chef registry](https://chef.io/) to manage cookbooks. This package type was a bit complicated because Chef uses RSA signed requests as authentication with the registry. ![grafik](https://user-images.githubusercontent.com/1666336/213747995-46819fd8-c3d6-45a2-afd4-a4c3c8505a4a.png) ![grafik](https://user-images.githubusercontent.com/1666336/213748145-d01c9e81-d4dd-41e3-a3cc-8241862c3166.png) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-06 02:49:21 +01:00 · 2023-02-06 02:49:21 +01:00 · d987ac6bf1
commit d987ac6bf1
parent ff18d17442
31 changed files with 1737 additions and 20 deletions
--- a/routers/api/packages/chef/auth.go
+++ b/routers/api/packages/chef/auth.go
@ -0,0 +1,270 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package chef
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"hash"
+	"math/big"
+	"net/http"
+	"path"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	user_model "code.gitea.io/gitea/models/user"
+	chef_module "code.gitea.io/gitea/modules/packages/chef"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/auth"
+)
+
+const (
+	maxTimeDifference = 10 * time.Minute
+)
+
+var (
+	algorithmPattern     = regexp.MustCompile(`algorithm=(\w+)`)
+	versionPattern       = regexp.MustCompile(`version=(\d+\.\d+)`)
+	authorizationPattern = regexp.MustCompile(`\AX-Ops-Authorization-(\d+)`)
+)
+
+// Documentation:
+// https://docs.chef.io/server/api_chef_server/#required-headers
+// https://github.com/chef-boneyard/chef-rfc/blob/master/rfc065-sign-v1.3.md
+// https://github.com/chef/mixlib-authentication/blob/bc8adbef833d4be23dc78cb23e6fe44b51ebc34f/lib/mixlib/authentication/signedheaderauth.rb
+
+type Auth struct{}
+
+func (a *Auth) Name() string {
+	return "chef"
+}
+
+// Verify extracts the user from the signed request
+// If the request is signed with the user private key the user is verified.
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
+	u, err := getUserFromRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if u == nil {
+		return nil, nil
+	}
+
+	pub, err := getUserPublicKey(u)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := verifyTimestamp(req); err != nil {
+		return nil, err
+	}
+
+	version, err := getSignVersion(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := verifySignedHeaders(req, version, pub.(*rsa.PublicKey)); err != nil {
+		return nil, err
+	}
+
+	return u, nil
+}
+
+func getUserFromRequest(req *http.Request) (*user_model.User, error) {
+	username := req.Header.Get("X-Ops-Userid")
+	if username == "" {
+		return nil, nil
+	}
+
+	return user_model.GetUserByName(req.Context(), username)
+}
+
+func getUserPublicKey(u *user_model.User) (crypto.PublicKey, error) {
+	pubKey, err := user_model.GetSetting(u.ID, chef_module.SettingPublicPem)
+	if err != nil {
+		return nil, err
+	}
+
+	pubPem, _ := pem.Decode([]byte(pubKey))
+
+	return x509.ParsePKIXPublicKey(pubPem.Bytes)
+}
+
+func verifyTimestamp(req *http.Request) error {
+	hdr := req.Header.Get("X-Ops-Timestamp")
+	if hdr == "" {
+		return util.NewInvalidArgumentErrorf("X-Ops-Timestamp header missing")
+	}
+
+	ts, err := time.Parse(time.RFC3339, hdr)
+	if err != nil {
+		return err
+	}
+
+	diff := time.Now().UTC().Sub(ts)
+	if diff < 0 {
+		diff = -diff
+	}
+
+	if diff > maxTimeDifference {
+		return fmt.Errorf("time difference")
+	}
+
+	return nil
+}
+
+func getSignVersion(req *http.Request) (string, error) {
+	hdr := req.Header.Get("X-Ops-Sign")
+	if hdr == "" {
+		return "", util.NewInvalidArgumentErrorf("X-Ops-Sign header missing")
+	}
+
+	m := versionPattern.FindStringSubmatch(hdr)
+	if len(m) != 2 {
+		return "", util.NewInvalidArgumentErrorf("invalid X-Ops-Sign header")
+	}
+
+	switch m[1] {
+	case "1.0", "1.1", "1.2", "1.3":
+	default:
+		return "", util.NewInvalidArgumentErrorf("unsupported version")
+	}
+
+	version := m[1]
+
+	m = algorithmPattern.FindStringSubmatch(hdr)
+	if len(m) == 2 && m[1] != "sha1" && !(m[1] == "sha256" && version == "1.3") {
+		return "", util.NewInvalidArgumentErrorf("unsupported algorithm")
+	}
+
+	return version, nil
+}
+
+func verifySignedHeaders(req *http.Request, version string, pub *rsa.PublicKey) error {
+	authorizationData, err := getAuthorizationData(req)
+	if err != nil {
+		return err
+	}
+
+	checkData := buildCheckData(req, version)
+
+	switch version {
+	case "1.3":
+		return verifyDataNew(authorizationData, checkData, pub, crypto.SHA256)
+	case "1.2":
+		return verifyDataNew(authorizationData, checkData, pub, crypto.SHA1)
+	default:
+		return verifyDataOld(authorizationData, checkData, pub)
+	}
+}
+
+func getAuthorizationData(req *http.Request) ([]byte, error) {
+	valueList := make(map[int]string)
+	for k, vs := range req.Header {
+		if m := authorizationPattern.FindStringSubmatch(k); m != nil {
+			index, _ := strconv.Atoi(m[1])
+			var v string
+			if len(vs) == 0 {
+				v = ""
+			} else {
+				v = vs[0]
+			}
+			valueList[index] = v
+		}
+	}
+
+	tmp := make([]string, len(valueList))
+	for k, v := range valueList {
+		if k > len(tmp) {
+			return nil, fmt.Errorf("invalid X-Ops-Authorization headers")
+		}
+		tmp[k-1] = v
+	}
+
+	return base64.StdEncoding.DecodeString(strings.Join(tmp, ""))
+}
+
+func buildCheckData(req *http.Request, version string) []byte {
+	username := req.Header.Get("X-Ops-Userid")
+	if version != "1.0" && version != "1.3" {
+		sum := sha1.Sum([]byte(username))
+		username = base64.StdEncoding.EncodeToString(sum[:])
+	}
+
+	var data string
+	if version == "1.3" {
+		data = fmt.Sprintf(
+			"Method:%s\nPath:%s\nX-Ops-Content-Hash:%s\nX-Ops-Sign:version=%s\nX-Ops-Timestamp:%s\nX-Ops-UserId:%s\nX-Ops-Server-API-Version:%s",
+			req.Method,
+			path.Clean(req.URL.Path),
+			req.Header.Get("X-Ops-Content-Hash"),
+			version,
+			req.Header.Get("X-Ops-Timestamp"),
+			username,
+			req.Header.Get("X-Ops-Server-Api-Version"),
+		)
+	} else {
+		sum := sha1.Sum([]byte(path.Clean(req.URL.Path)))
+		data = fmt.Sprintf(
+			"Method:%s\nHashed Path:%s\nX-Ops-Content-Hash:%s\nX-Ops-Timestamp:%s\nX-Ops-UserId:%s",
+			req.Method,
+			base64.StdEncoding.EncodeToString(sum[:]),
+			req.Header.Get("X-Ops-Content-Hash"),
+			req.Header.Get("X-Ops-Timestamp"),
+			username,
+		)
+	}
+
+	return []byte(data)
+}
+
+func verifyDataNew(signature, data []byte, pub *rsa.PublicKey, algo crypto.Hash) error {
+	var h hash.Hash
+	if algo == crypto.SHA256 {
+		h = sha256.New()
+	} else {
+		h = sha1.New()
+	}
+	if _, err := h.Write(data); err != nil {
+		return err
+	}
+
+	return rsa.VerifyPKCS1v15(pub, algo, h.Sum(nil), signature)
+}
+
+func verifyDataOld(signature, data []byte, pub *rsa.PublicKey) error {
+	c := new(big.Int)
+	m := new(big.Int)
+	m.SetBytes(signature)
+	e := big.NewInt(int64(pub.E))
+	c.Exp(m, e, pub.N)
+
+	out := c.Bytes()
+
+	skip := 0
+	for i := 2; i < len(out); i++ {
+		if i+1 >= len(out) {
+			break
+		}
+		if out[i] == 0xFF && out[i+1] == 0 {
+			skip = i + 2
+			break
+		}
+	}
+
+	if !util.SliceEqual(out[skip:], data) {
+		return fmt.Errorf("could not verify signature")
+	}
+
+	return nil
+}