Merge pull request #42 from cerberauth/strong-http-basic-challenge

Add strong HTTP Basic challenge
cerberauth · Dec 2, 2024 · f281ad8 · f281ad8
2 parents 89f9aea + 8bb3a55
commit f281ad8
Show file tree

Hide file tree

Showing 8 changed files with 176 additions and 0 deletions.
diff --git a/challenges/strong-http-basic/.gitignore b/challenges/strong-http-basic/.gitignore
@@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+jwt-null-signature
diff --git a/challenges/strong-http-basic/Dockerfile b/challenges/strong-http-basic/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.23 AS builder
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . ./
+
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -o /strong-http-basic .
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+WORKDIR /
+
+COPY --from=builder --chown=nonroot:nonroot /strong-http-basic /usr/bin/strong-http-basic
+
+EXPOSE 8080
+
+USER nonroot:nonroot
+
+ENTRYPOINT ["strong-http-basic"]
+CMD ["serve"]
diff --git a/challenges/strong-http-basic/cmd/root.go b/challenges/strong-http-basic/cmd/root.go
@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/cerberauth/api-vulns-challenges/challenges/strong-http-basic/cmd/serve"
+
+	"github.com/spf13/cobra"
+)
+
+func NewRootCmd() (cmd *cobra.Command) {
+	var rootCmd = &cobra.Command{}
+	rootCmd.AddCommand(serve.NewServeCmd())
+	return rootCmd
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the RootCmd.
+func Execute() {
+	c := NewRootCmd()
+
+	if err := c.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
diff --git a/challenges/strong-http-basic/cmd/serve/root.go b/challenges/strong-http-basic/cmd/serve/root.go
@@ -0,0 +1,24 @@
+package serve
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/cerberauth/api-vulns-challenges/challenges/strong-http-basic/serve"
+)
+
+var (
+	port string
+)
+
+func NewServeCmd() (serveCmd *cobra.Command) {
+	serveCmd = &cobra.Command{
+		Use: "serve",
+		Run: func(cmd *cobra.Command, args []string) {
+			serve.RunServer(port)
+		},
+	}
+
+	serveCmd.Flags().StringVarP(&port, "port", "p", "8080", "Port to listen on")
+
+	return serveCmd
+}
diff --git a/challenges/strong-http-basic/go.mod b/challenges/strong-http-basic/go.mod
@@ -0,0 +1,13 @@
+module github.com/cerberauth/api-vulns-challenges/challenges/strong-http-basic
+
+go 1.22
+
+require (
+	github.com/brianvoe/gofakeit/v7 v7.1.2
+	github.com/spf13/cobra v1.8.1
+)
+
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+)
diff --git a/challenges/strong-http-basic/go.sum b/challenges/strong-http-basic/go.sum
@@ -0,0 +1,12 @@
+github.com/brianvoe/gofakeit/v7 v7.1.2 h1:vSKaVScNhWVpf1rlyEKSvO8zKZfuDtGqoIHT//iNNb8=
+github.com/brianvoe/gofakeit/v7 v7.1.2/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/challenges/strong-http-basic/main.go b/challenges/strong-http-basic/main.go
@@ -0,0 +1,7 @@
+package main
+
+import "github.com/cerberauth/api-vulns-challenges/challenges/strong-http-basic/cmd"
+
+func main() {
+	cmd.Execute()
+}
diff --git a/challenges/strong-http-basic/serve/server.go b/challenges/strong-http-basic/serve/server.go
@@ -0,0 +1,58 @@
+package serve
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/brianvoe/gofakeit/v7"
+)
+
+func generateRandomBasicUsername() string {
+	return gofakeit.Username()
+}
+
+func generateBasicPassword() string {
+	length := 16
+	bytes := make([]byte, length)
+	if _, err := rand.Read(bytes); err != nil {
+		log.Fatal(err)
+	}
+	return base64.URLEncoding.EncodeToString(bytes)
+}
+
+func RunServer(port string) {
+	username := generateRandomBasicUsername()
+	fmt.Println("Username:", username)
+	password := generateBasicPassword()
+	fmt.Println("Password:", password)
+
+	expectedUsernameHash := sha256.Sum256([]byte(username))
+	expectedPasswordHash := sha256.Sum256([]byte(password))
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		username, password, ok := r.BasicAuth()
+		if ok {
+			usernameHash := sha256.Sum256([]byte(username))
+			passwordHash := sha256.Sum256([]byte(password))
+
+			usernameMatch := (subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash[:]) == 1)
+			passwordMatch := (subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash[:]) == 1)
+
+			if usernameMatch && passwordMatch {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+		}
+
+		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+	})
+
+	log.Println("Server started at port", port)
+	log.Fatal(http.ListenAndServe(":"+port, nil))
+}