From 54c6d3fa3aada272839a431a45318d33dbc6b9e5 Mon Sep 17 00:00:00 2001 From: Ivan Lisenkov Date: Wed, 30 Jan 2013 00:30:05 +0400 Subject: Implement authorization header parsing Basic HTTP authorization according to RFC 2617 is implemented. Added an example of its usage with REST handler. --- examples/README.md | 3 ++ examples/basic_auth/README.md | 44 +++++++++++++++++++++ examples/basic_auth/rebar.config | 4 ++ examples/basic_auth/src/basic_auth.app.src | 15 ++++++++ examples/basic_auth/src/basic_auth.erl | 14 +++++++ examples/basic_auth/src/basic_auth_app.erl | 25 ++++++++++++ examples/basic_auth/src/basic_auth_sup.erl | 23 +++++++++++ examples/basic_auth/src/toppage_handler.erl | 32 ++++++++++++++++ examples/basic_auth/start.sh | 4 ++ src/cowboy_http.erl | 59 +++++++++++++++++++++++++++++ src/cowboy_req.erl | 5 +++ 11 files changed, 228 insertions(+) create mode 100644 examples/basic_auth/README.md create mode 100644 examples/basic_auth/rebar.config create mode 100644 examples/basic_auth/src/basic_auth.app.src create mode 100644 examples/basic_auth/src/basic_auth.erl create mode 100644 examples/basic_auth/src/basic_auth_app.erl create mode 100644 examples/basic_auth/src/basic_auth_sup.erl create mode 100644 examples/basic_auth/src/toppage_handler.erl create mode 100755 examples/basic_auth/start.sh diff --git a/examples/README.md b/examples/README.md index d50ebc9..f2b0c64 100644 --- a/examples/README.md +++ b/examples/README.md @@ -1,6 +1,9 @@ Cowboy Examples =============== + * [basic_auth](./examples/basic_auth): + basic HTTP authorization with REST + * [chunked_hello_world](./examples/chunked_hello_world): demonstrates chunked data transfer with two one-second delays diff --git a/examples/basic_auth/README.md b/examples/basic_auth/README.md new file mode 100644 index 0000000..74662cd --- /dev/null +++ b/examples/basic_auth/README.md @@ -0,0 +1,44 @@ +Cowboy Basic Authorization Rest Hello World. +============================================ + +To compile this example you need rebar in your PATH. + +Type the following command: +``` +$ rebar get-deps compile +``` + +You can then start the Erlang node with the following command: +``` +./start.sh +``` + +Then run any given command or point your browser to the indicated URL. + +Examples +-------- + +### Get 401 +``` bash +$ curl -i http://localhost:8080 +HTTP/1.1 401 Unauthorized +connection: keep-alive +server: Cowboy +date: Sun, 20 Jan 2013 14:10:27 GMT +content-length: 0 +www-authenticate: Restricted +``` + +### Get 200 +``` bash +$ curl -i -u "Alladin:open sesame" http://localhost:8080 +HTTP/1.1 200 OK +connection: keep-alive +server: Cowboy +date: Sun, 20 Jan 2013 14:11:12 GMT +content-length: 16 +content-type: text/plain + +Hello, Alladin! +``` + diff --git a/examples/basic_auth/rebar.config b/examples/basic_auth/rebar.config new file mode 100644 index 0000000..6ad3062 --- /dev/null +++ b/examples/basic_auth/rebar.config @@ -0,0 +1,4 @@ +{deps, [ + {cowboy, ".*", + {git, "git://github.com/extend/cowboy.git", "master"}} +]}. diff --git a/examples/basic_auth/src/basic_auth.app.src b/examples/basic_auth/src/basic_auth.app.src new file mode 100644 index 0000000..cbf4ea1 --- /dev/null +++ b/examples/basic_auth/src/basic_auth.app.src @@ -0,0 +1,15 @@ +%% Feel free to use, reuse and abuse the code in this file. + +{application, basic_auth, [ + {description, "Cowboy Basic HTTP Authorization example."}, + {vsn, "1"}, + {modules, []}, + {registered, []}, + {applications, [ + kernel, + stdlib, + cowboy + ]}, + {mod, {basic_auth_app, []}}, + {env, []} +]}. diff --git a/examples/basic_auth/src/basic_auth.erl b/examples/basic_auth/src/basic_auth.erl new file mode 100644 index 0000000..9294c77 --- /dev/null +++ b/examples/basic_auth/src/basic_auth.erl @@ -0,0 +1,14 @@ +%% Feel free to use, reuse and abuse the code in this file. + +-module(basic_auth). + +%% API. +-export([start/0]). + +%% API. + +start() -> + ok = application:start(crypto), + ok = application:start(ranch), + ok = application:start(cowboy), + ok = application:start(basic_auth). diff --git a/examples/basic_auth/src/basic_auth_app.erl b/examples/basic_auth/src/basic_auth_app.erl new file mode 100644 index 0000000..c60a574 --- /dev/null +++ b/examples/basic_auth/src/basic_auth_app.erl @@ -0,0 +1,25 @@ +%% Feel free to use, reuse and abuse the code in this file. + +%% @private +-module(basic_auth_app). +-behaviour(application). + +%% API. +-export([start/2]). +-export([stop/1]). + +%% API. + +start(_Type, _Args) -> + Dispatch = [ + {'_', [ + {[], toppage_handler, []} + ]} + ], + {ok, _} = cowboy:start_http(http, 100, [{port, 8080}], [ + {env, [{dispatch, Dispatch}]} + ]), + basic_auth_sup:start_link(). + +stop(_State) -> + ok. diff --git a/examples/basic_auth/src/basic_auth_sup.erl b/examples/basic_auth/src/basic_auth_sup.erl new file mode 100644 index 0000000..6219b5f --- /dev/null +++ b/examples/basic_auth/src/basic_auth_sup.erl @@ -0,0 +1,23 @@ +%% Feel free to use, reuse and abuse the code in this file. + +%% @private +-module(basic_auth_sup). +-behaviour(supervisor). + +%% API. +-export([start_link/0]). + +%% supervisor. +-export([init/1]). + +%% API. + +-spec start_link() -> {ok, pid()}. +start_link() -> + supervisor:start_link({local, ?MODULE}, ?MODULE, []). + +%% supervisor. + +init([]) -> + Procs = [], + {ok, {{one_for_one, 10, 10}, Procs}}. diff --git a/examples/basic_auth/src/toppage_handler.erl b/examples/basic_auth/src/toppage_handler.erl new file mode 100644 index 0000000..94383d4 --- /dev/null +++ b/examples/basic_auth/src/toppage_handler.erl @@ -0,0 +1,32 @@ +%% Feel free to use, reuse and abuse the code in this file. + +%% @doc Basic authorization Hello world handler. +-module(toppage_handler). + +-export([init/3]). +-export([content_types_provided/2]). +-export([is_authorized/2]). +-export([hello_to_text/2]). + +init(_Transport, _Req, []) -> + {upgrade, protocol, cowboy_rest}. + + +is_authorized(Req, S) -> + {ok, Auth, Req1} = cowboy_req:parse_header(<<"authorization">>, Req), + case Auth of + {<<"basic">>, {User = <<"Alladin">>, <<"open sesame">>}} -> + {true, Req1, User}; + _ -> + {{false, <<"Restricted">>}, Req1, S} + end. + +content_types_provided(Req, State) -> + {[ + {<<"text/plain">>, hello_to_text} + ], Req, State}. + + +hello_to_text(Req, User) -> + {<< <<"Hello, ">>/binary, User/binary, <<"!\n">>/binary >>, Req, User}. + diff --git a/examples/basic_auth/start.sh b/examples/basic_auth/start.sh new file mode 100755 index 0000000..9e8a30b --- /dev/null +++ b/examples/basic_auth/start.sh @@ -0,0 +1,4 @@ +#!/bin/sh +erl -pa ebin deps/*/ebin -s basic_auth \ + -eval "io:format(\"Get 401: curl -i http://localhost:8080~n\")." \ + -eval "io:format(\"Get 200: curl -i -u \\\"Alladin:open sesame\\\" http://localhost:8080~n\")." diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl index 6f42ab9..67d3f70 100644 --- a/src/cowboy_http.erl +++ b/src/cowboy_http.erl @@ -36,6 +36,7 @@ -export([token/2]). -export([token_ci/2]). -export([quoted_string/2]). +-export([authorization/2]). %% Decoding. -export([te_chunked/2]). @@ -801,6 +802,52 @@ qvalue(<< C, Rest/binary >>, Fun, Q, M) qvalue(Data, Fun, Q, _M) -> Fun(Data, Q). +%% @doc Parse user credentials. +-spec authorization_basic_userid(binary(), fun()) -> any(). +authorization_basic_userid(Data, Fun) -> + authorization_basic_userid(Data, Fun, <<>>). + +authorization_basic_userid(<<>>, _Fun, _Acc) -> + {error, badarg}; +authorization_basic_userid(<>, _Fun, Acc) + when C < 32; C =:= 127; (C =:=$: andalso Acc =:= <<>>) -> + {error, badarg}; +authorization_basic_userid(<<$:, Rest/binary>>, Fun, Acc) -> + Fun(Rest, Acc); +authorization_basic_userid(<>, Fun, Acc) -> + authorization_basic_userid(Rest, Fun, <>). + +-spec authorization_basic_password(binary(), fun()) -> any(). +authorization_basic_password(Data, Fun) -> + authorization_basic_password(Data, Fun, <<>>). + +authorization_basic_password(<<>>, _Fun, <<>>) -> + {error, badarg}; +authorization_basic_password(<>, _Fun, _Acc) + when C < 32; C=:= 127 -> + {error, badarg}; +authorization_basic_password(<<>>, Fun, Acc) -> + Fun(Acc); +authorization_basic_password(<>, Fun, Acc) -> + authorization_basic_password(Rest, Fun, <>). + +%% @doc Parse authorization value according rfc 2617. +%% Only Basic authorization is supported so far. +-spec authorization(binary(), binary()) -> {binary(), any()} | {error, badarg}. +authorization(UserPass, Type = <<"basic">>) -> + cowboy_http:whitespace(UserPass, + fun(D) -> + authorization_basic_userid(base64:mime_decode(D), + fun(Rest, Userid) -> + authorization_basic_password(Rest, + fun(Password) -> + {Type, {Userid, Password}} + end) + end) + end); +authorization(String, Type) -> + {Type, String}. + %% Decoding. %% @doc Decode a stream of chunks. @@ -1294,4 +1341,16 @@ urlencode_test_() -> ?_assertEqual(<<"%ff+">>, urlencode(<<255, " ">>)) ]. +http_authorization_test_() -> + [?_assertEqual({<<"basic">>, {<<"Alladin">>, <<"open sesame">>}}, + authorization(<<"QWxsYWRpbjpvcGVuIHNlc2FtZQ==">>, <<"basic">>)), + ?_assertEqual({error, badarg}, + authorization(<<"dXNlcm5hbWUK">>, <<"basic">>)), + ?_assertEqual({error, badarg}, + authorization(<<"_[]@#$%^&*()-AA==">>, <<"basic">>)), + ?_assertEqual({error, badarg}, + authorization(<<"dXNlcjpwYXNzCA==">>, <<"basic">>)) %% user:pass\010 + ]. + + -endif. diff --git a/src/cowboy_req.erl b/src/cowboy_req.erl index 4ae28e9..5cb7aa3 100644 --- a/src/cowboy_req.erl +++ b/src/cowboy_req.erl @@ -441,6 +441,11 @@ parse_header(Name, Req, Default) when Name =:= <<"accept-language">> -> fun (Value) -> cowboy_http:nonempty_list(Value, fun cowboy_http:language_range/2) end); +parse_header(Name, Req, Default) when Name =:= <<"authorization">> -> + parse_header(Name, Req, Default, + fun (Value) -> + cowboy_http:token_ci(Value, fun cowboy_http:authorization/2) + end); parse_header(Name, Req, Default) when Name =:= <<"content-length">> -> parse_header(Name, Req, Default, fun cowboy_http:digits/1); parse_header(Name, Req, Default) when Name =:= <<"content-type">> -> -- cgit v1.2.3