Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: implement support for http digest auth (resolve #352) #553

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

muety
Copy link

@muety muety commented Dec 14, 2023

Implements #352. I'd need this in blackbox exporter. Let me know what you think! :-)

Digest auth can be tested against https://httpbin.org/#/Auth.

@muety muety force-pushed the digest-auth branch 2 times, most recently from 25b2e9f to 1816b4b Compare December 14, 2023 12:27
@muety
Copy link
Author

muety commented Dec 14, 2023

Not sure about the linting errors, perhaps someone could give me some assistance with that?

config/http_config.go Outdated Show resolved Hide resolved
@muety
Copy link
Author

muety commented Dec 20, 2023

Any chances to get this merged? Should I tag someone in here?

@SuperQ
Copy link
Member

SuperQ commented Dec 20, 2023

I don't see any major issues. I do wonder about if github.com/icholy/digest is the best library option for this. I haven't done any evaluation of what the available options are.

Can you describe why you picked this implementation?

@muety
Copy link
Author

muety commented Dec 20, 2023

Yeah, I was expecting a bit of discussion around this. I don't know about your requirements for pulling in new dependencies. I was hoping Go's standard lib had an implementation of digest auth, but turns out it doesn't. I picked icholy/digest, because it was the only client implementation I could find.

@muety
Copy link
Author

muety commented Dec 28, 2023

Is there someone I could tag here who is in charge of merging my PR?

Copy link
Member

@SuperQ SuperQ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs a rebase.

Signed-off-by: Ferdinand Mütsch <ferdinand@muetsch.io>
Signed-off-by: Ferdinand Mütsch <ferdinand@muetsch.io>
@muety
Copy link
Author

muety commented Jan 5, 2024

Rebase done, can this be merged now?

Comment on lines +392 to +395
if authHeader := r.Header.Get("Authorization"); authHeader == "" {
// first request
w.Header().Set("www-authenticate", "Digest realm=\""+realm+"\", nonce=\""+nonce+"\", qop=\"auth\", opaque=\"3bc9f19d8195721e24469ff255750f8c\", algorithm=MD5, stale=FALSE")
w.WriteHeader(401)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we refactor this test to allow varying the inputs?
There's a couple of cases I think this needs to be able to test:

  • qop=auth-int
  • different algorithms
  • algorithm=(alg)-sess vs algorithm=(alg) (all the way to include cnonces)

Later on, if we can keep some state: nextnonce support

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your review! I could include additional tests for different combinations of these values if requested. But I'm not sure if that's the way to go. The digest auth client library already includes tests for these (e.g. see here). While we surely want to test that digest auth works in general, I don't think it's our job to test the inner working of the library again.

Comment on lines +366 to +367
if c.BasicAuth != nil || c.OAuth2 != nil || c.DigestAuth != nil {
return fmt.Errorf("at most one of basic_auth, digest_auth, oauth2 & authorization must be configured")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these scattered checks to ensure only one type of auth is enabled bug me: more places to go wrong.
Maybe refactor them to a function that ensures only one type of auth is configured, and drop them in as needed.

auths_enabled := []bool{
  c.BasicAuth != nil,
  c.OAuth2 != nil,
  c.DigestAuth != nil,
  c.Authorization != nil,
}
if len(auths_enabled) > 1 {
  //  error
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree! I found these checks a bot strange as well and would vote for refactoring them (willing to do that!). Only wondering if this refactoring shall be included here or rather as part of another PR, so we can get this one merged preferably soon? Let me know what you think is better.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not the maintainer of this codebase, but if I had a choice, I'd say should be a separate PR that merges before this one.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who is a maintainer and could eventually be responsible for merging my PR?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry but I'm not maintainer here, just a contributor

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, sorry to bother you then. Who can I tag here to finally (!) get this finished?!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello??? @SuperQ

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?????

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This took me like half a day of work. Sorry, but I find it quite disrespectful that none of the maintainer even only bothers to reply.

@muety
Copy link
Author

muety commented Oct 1, 2024

After almost a year, I guess this is not gonna be merged then?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants