/* Copyright The ORAS Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package auth import ( "strconv" "strings" ) // Scheme define the authentication method. type Scheme byte const ( // SchemeUnknown represents unknown or unsupported schemes SchemeUnknown Scheme = iota // SchemeBasic represents the "Basic" HTTP authentication scheme. // Reference: https://tools.ietf.org/html/rfc7617 SchemeBasic // SchemeBearer represents the Bearer token in OAuth 2.0. // Reference: https://tools.ietf.org/html/rfc6750 SchemeBearer ) // parseScheme parse the authentication scheme from the given string // case-insensitively. func parseScheme(scheme string) Scheme { switch { case strings.EqualFold(scheme, "basic"): return SchemeBasic case strings.EqualFold(scheme, "bearer"): return SchemeBearer } return SchemeUnknown } // String return the string for the scheme. func (s Scheme) String() string { switch s { case SchemeBasic: return "Basic" case SchemeBearer: return "Bearer" } return "Unknown" } // parseChallenge parses the "WWW-Authenticate" header returned by the remote // registry, and extracts parameters if scheme is Bearer. // References: // - https://docs.docker.com/registry/spec/auth/token/#how-to-authenticate // - https://tools.ietf.org/html/rfc7235#section-2.1 func parseChallenge(header string) (scheme Scheme, params map[string]string) { // as defined in RFC 7235 section 2.1, we have // challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] // auth-scheme = token // auth-param = token BWS "=" BWS ( token / quoted-string ) // // since we focus parameters only on Bearer, we have // challenge = auth-scheme [ 1*SP #auth-param ] schemeString, rest := parseToken(header) scheme = parseScheme(schemeString) // fast path for non bearer challenge if scheme != SchemeBearer { return } // parse params for bearer auth. // combining RFC 7235 section 2.1 with RFC 7230 section 7, we have // #auth-param => auth-param *( OWS "," OWS auth-param ) var key, value string for { key, rest = parseToken(skipSpace(rest)) if key == "" { return } rest = skipSpace(rest) if rest == "" || rest[0] != '=' { return } rest = skipSpace(rest[1:]) if rest == "" { return } if rest[0] == '"' { prefix, err := strconv.QuotedPrefix(rest) if err != nil { return } value, err = strconv.Unquote(prefix) if err != nil { return } rest = rest[len(prefix):] } else { value, rest = parseToken(rest) if value == "" { return } } if params == nil { params = map[string]string{ key: value, } } else { params[key] = value } rest = skipSpace(rest) if rest == "" || rest[0] != ',' { return } rest = rest[1:] } } // isNotTokenChar reports whether rune is not a `tchar` defined in RFC 7230 // section 3.2.6. func isNotTokenChar(r rune) bool { // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" // / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" // / DIGIT / ALPHA // ; any VCHAR, except delimiters return (r < 'A' || r > 'Z') && (r < 'a' || r > 'z') && (r < '0' || r > '9') && !strings.ContainsRune("!#$%&'*+-.^_`|~", r) } // parseToken finds the next token from the given string. If no token found, // an empty token is returned and the whole of the input is returned in rest. // Note: Since token = 1*tchar, empty string is not a valid token. func parseToken(s string) (token, rest string) { if i := strings.IndexFunc(s, isNotTokenChar); i != -1 { return s[:i], s[i:] } return s, "" } // skipSpace skips "bad" whitespace (BWS) defined in RFC 7230 section 3.2.3. func skipSpace(s string) string { // OWS = *( SP / HTAB ) // ; optional whitespace // BWS = OWS // ; "bad" whitespace if i := strings.IndexFunc(s, func(r rune) bool { return r != ' ' && r != '\t' }); i != -1 { return s[i:] } return s }