Move HTTP authentication middlware to http package

micromdm · Apr 3, 2022 · 6463c28 · 6463c28
1 parent 6e02355
commit 6463c28
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 19 deletions.
diff --git a/cmd/nanomdm/main.go b/cmd/nanomdm/main.go
@@ -2,7 +2,6 @@ package main
 
 import (
 	"context"
-	"crypto/subtle"
 	"crypto/x509"
 	"flag"
 	"fmt"
@@ -160,23 +159,23 @@ func main() {
 		// register API handler for push cert storage/upload.
 		var pushCertHandler http.Handler
 		pushCertHandler = mdmhttp.StorePushCertHandlerFunc(mdmStorage, logger.With("handler", "store-cert"))
-		pushCertHandler = basicAuth(pushCertHandler, apiUsername, *flAPIKey, "nanomdm")
+		pushCertHandler = mdmhttp.BasicAuth(pushCertHandler, apiUsername, *flAPIKey, "nanomdm")
 		mux.Handle(endpointAPIPushCert, pushCertHandler)
 
 		// register API handler for push notifications.
 		// we strip the prefix to use the path as an id.
 		var pushHandler http.Handler
 		pushHandler = mdmhttp.PushHandlerFunc(pushService, logger.With("handler", "push"))
 		pushHandler = http.StripPrefix(endpointAPIPush, pushHandler)
-		pushHandler = basicAuth(pushHandler, apiUsername, *flAPIKey, "nanomdm")
+		pushHandler = mdmhttp.BasicAuth(pushHandler, apiUsername, *flAPIKey, "nanomdm")
 		mux.Handle(endpointAPIPush, pushHandler)
 
 		// register API handler for new command queueing.
 		// we strip the prefix to use the path as an id.
 		var enqueueHandler http.Handler
 		enqueueHandler = mdmhttp.RawCommandEnqueueHandler(mdmStorage, pushService, logger.With("handler", "enqueue"))
 		enqueueHandler = http.StripPrefix(endpointAPIEnqueue, enqueueHandler)
-		enqueueHandler = basicAuth(enqueueHandler, apiUsername, *flAPIKey, "nanomdm")
+		enqueueHandler = mdmhttp.BasicAuth(enqueueHandler, apiUsername, *flAPIKey, "nanomdm")
 		mux.Handle(endpointAPIEnqueue, enqueueHandler)
 
 		if *flMigration {
@@ -190,7 +189,7 @@ func main() {
 			// migrate MDM enrollments between servers.
 			var migHandler http.Handler
 			migHandler = mdmhttp.CheckinHandlerFunc(nano, logger.With("handler", "migration"))
-			migHandler = basicAuth(migHandler, apiUsername, *flAPIKey, "nanomdm")
+			migHandler = mdmhttp.BasicAuth(migHandler, apiUsername, *flAPIKey, "nanomdm")
 			mux.Handle(endpointAPIMigration, migHandler)
 		}
 	}
@@ -211,20 +210,6 @@ func main() {
 	logger.Info(logs...)
 }
 
-func basicAuth(next http.Handler, username, password, realm string) http.HandlerFunc {
-	uBytes := []byte(username)
-	pBytes := []byte(password)
-	return func(w http.ResponseWriter, r *http.Request) {
-		u, p, ok := r.BasicAuth()
-		if !ok || subtle.ConstantTimeCompare([]byte(u), uBytes) != 1 || subtle.ConstantTimeCompare([]byte(p), pBytes) != 1 {
-			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
-			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-			return
-		}
-		next.ServeHTTP(w, r)
-	}
-}
-
 type ctxKeyTraceID struct{}
 
 // storeNewTraceID generates a new trace identifier and stores it on

diff --git a/http/http.go b/http/http.go
@@ -3,6 +3,7 @@ package http
 
 import (
 	"bytes"
+	"crypto/subtle"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -18,3 +19,18 @@ func ReadAllAndReplaceBody(r *http.Request) ([]byte, error) {
 	r.Body = io.NopCloser(bytes.NewBuffer(b))
 	return b, nil
 }
+
+// BasicAuth is a simple HTTP plain authentication middleware.
+func BasicAuth(next http.Handler, username, password, realm string) http.HandlerFunc {
+	uBytes := []byte(username)
+	pBytes := []byte(password)
+	return func(w http.ResponseWriter, r *http.Request) {
+		u, p, ok := r.BasicAuth()
+		if !ok || subtle.ConstantTimeCompare([]byte(u), uBytes) != 1 || subtle.ConstantTimeCompare([]byte(p), pBytes) != 1 {
+			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	}
+}