basic auth: add option to exclude bcrypt at build time #258
Conversation
This add the option to exclude bcrypt during the build process by passing `-tags nobcrypt`. Currently this disables user authentication via basic_auth. If authorized users are configured but the server is build with `nobcrypt` the endpoint will respond with Unauthorized, even if the correct credentials are send. The goal is to be able to exclude bcrypt for compliance reasons. In the future we could add basic_auth using other hash functions. Signed-off-by: Jan Fajerski <[email protected]>
|
|
||
| func Validate(users map[string]config_util.Secret) error { | ||
| if len(users) > 0 { | ||
| slog.Info("basic auth via bcrypt hashes not implemented") |
There was a problem hiding this comment.
This cloud also return an error so a server without bcrypt support can not start with a config that includes authorized users.
There was a problem hiding this comment.
I think that would be better, if we know at startup time that a configuration cannot work, failing explicitly lets the operator figure out what they want to do about it.
|
Just as a note, this will have merge conflicts with #151 which also refactors how authentication happens. Can we get that one in before finishing up here? |
Sure no problem, I'm not in a rush. This might not be the best way anyway. |
This does actually target FIPS. Afaiu |
|
Hmm, yeah, TLS won't be an option then either. I guess in our case FIPS-mode would entail no encryption at all 😅 I think #151 will actually help in this because it adds the notion of chained authenticators, which adds a well contained point to control what is and isn't active, and then we can remove the relevant authenticators from the build altogether. |
This add the option to exclude bcrypt during the build process by passing
-tags nobcrypt. Currently this disables user authentication via basic_auth. If authorized users are configured but the server is build withnobcryptthe endpoint will respond with Unauthorized, even if the correct credentials are send.The goal is to be able to exclude bcrypt for compliance reasons. In the future we could add basic_auth using other hash functions.