Merge branch 'main' into lm/restrict-content-type

2 files changed, 232 insertions, 0 deletions

diff --git a/src/zenhttp/security/passwordsecurity.cpp b/src/zenhttp/security/passwordsecurity.cpp
new file mode 100644
index 000000000..0e3a743c3
--- /dev/null
+++ b/src/zenhttp/security/passwordsecurity.cpp
@@ -0,0 +1,176 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#include "zenhttp/security/passwordsecurity.h"
+#include <zencore/compactbinaryutil.h>
+#include <zencore/fmtutils.h>
+#include <zencore/string.h>
+
+#if ZEN_WITH_TESTS
+#	include <zencore/compactbinarybuilder.h>
+#	include <zencore/testing.h>
+#endif	// ZEN_WITH_TESTS
+
+namespace zen {
+using namespace std::literals;
+
+PasswordSecurity::PasswordSecurity(const Configuration& Config) : m_Config(Config)
+{
+	m_UnprotectedUriHashes.reserve(m_Config.UnprotectedUris.size());
+	for (uint32_t Index = 0; Index < m_Config.UnprotectedUris.size(); Index++)
+	{
+		const std::string& UnprotectedUri = m_Config.UnprotectedUris[Index];
+		if (auto Result = m_UnprotectedUriHashes.insert({HashStringDjb2(UnprotectedUri), Index}); !Result.second)
+		{
+			throw std::runtime_error(fmt::format(
+				"password security unprotected uris does not generate unique hashes. Uri #{} ('{}') collides with uri #{} ('{}')",
+				Index + 1,
+				UnprotectedUri,
+				Result.first->second + 1,
+				m_Config.UnprotectedUris[Result.first->second]));
+		}
+	}
+}
+
+bool
+PasswordSecurity::IsUnprotectedUri(std::string_view BaseUri, std::string_view RelativeUri) const
+{
+	if (!m_Config.UnprotectedUris.empty())
+	{
+		uint32_t UriHash = HashStringDjb2(std::array<const std::string_view, 2>{BaseUri, RelativeUri});
+		if (auto It = m_UnprotectedUriHashes.find(UriHash); It != m_UnprotectedUriHashes.end())
+		{
+			const std::string_view& UnprotectedUri = m_Config.UnprotectedUris[It->second];
+			if (UnprotectedUri.length() == BaseUri.length() + RelativeUri.length())
+			{
+				if (UnprotectedUri.substr(0, BaseUri.length()) == BaseUri && UnprotectedUri.substr(BaseUri.length()) == RelativeUri)
+				{
+					return true;
+				}
+			}
+		}
+	}
+	return false;
+}
+
+bool
+PasswordSecurity::IsAllowed(std::string_view InPassword, std::string_view BaseUri, std::string_view RelativeUri, bool IsMachineLocalRequest)
+{
+	if (IsUnprotectedUri(BaseUri, RelativeUri))
+	{
+		return true;
+	}
+	if (!ProtectMachineLocalRequests() && IsMachineLocalRequest)
+	{
+		return true;
+	}
+	if (Password().empty())
+	{
+		return true;
+	}
+	if (Password() == InPassword)
+	{
+		return true;
+	}
+	return false;
+}
+
+#if ZEN_WITH_TESTS
+
+TEST_SUITE_BEGIN("http.passwordsecurity");
+
+TEST_CASE("passwordsecurity.allowanything")
+{
+	PasswordSecurity Anything({});
+	CHECK(Anything.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(Anything.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(Anything.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(Anything.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+}
+
+TEST_CASE("passwordsecurity.allowalllocal")
+{
+	PasswordSecurity AllLocal({.Password = "123456"});
+	CHECK(AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+}
+
+TEST_CASE("passwordsecurity.allowonlypassword")
+{
+	PasswordSecurity AllLocal({.Password = "123456", .ProtectMachineLocalRequests = true});
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+}
+
+TEST_CASE("passwordsecurity.allowsomeexternaluris")
+{
+	PasswordSecurity AllLocal(
+		{.Password = "123456", .ProtectMachineLocalRequests = false, .UnprotectedUris = std::vector<std::string>({"/free/access", "/ok"})});
+	CHECK(AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed(""sv, "/free", "/access", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed(""sv, "/ok", "", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free", "/access", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", "", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed(""sv, "/free", "/access", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed(""sv, "/ok", "", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free", "/access", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", "", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+}
+
+TEST_CASE("passwordsecurity.allowsomelocaluris")
+{
+	PasswordSecurity AllLocal(
+		{.Password = "123456", .ProtectMachineLocalRequests = true, .UnprotectedUris = std::vector<std::string>({"/free/access", "/ok"})});
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ true));
+	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed(""sv, "/free", "/access", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed(""sv, "/ok", "", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free", "/access", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", "", /*IsMachineLocalRequest*/ true));
+	CHECK(AllLocal.IsAllowed(""sv, "/free", "/access", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed(""sv, "/ok", "", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free", "/access", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", "", /*IsMachineLocalRequest*/ false));
+	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret", "/uri", /*IsMachineLocalRequest*/ false));
+}
+
+TEST_CASE("passwordsecurity.conflictingunprotecteduris")
+{
+	try
+	{
+		PasswordSecurity AllLocal({.Password					= "123456",
+								   .ProtectMachineLocalRequests = true,
+								   .UnprotectedUris				= std::vector<std::string>({"/free/access", "/free/access"})});
+		CHECK(false);
+	}
+	catch (const std::runtime_error& Ex)
+	{
+		CHECK_EQ(Ex.what(),
+				 std::string("password security unprotected uris does not generate unique hashes. Uri #2 ('/free/access') collides with "
+							 "uri #1 ('/free/access')"));
+	}
+}
+
+TEST_SUITE_END();
+
+void
+passwordsecurity_forcelink()
+{
+}
+#endif	// ZEN_WITH_TESTS
+
+}  // namespace zen
diff --git a/src/zenhttp/security/passwordsecurityfilter.cpp b/src/zenhttp/security/passwordsecurityfilter.cpp
new file mode 100644
index 000000000..87d8cc275
--- /dev/null
+++ b/src/zenhttp/security/passwordsecurityfilter.cpp
@@ -0,0 +1,56 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#include "zenhttp/security/passwordsecurityfilter.h"
+
+#include <zencore/base64.h>
+#include <zencore/compactbinaryutil.h>
+#include <zencore/fmtutils.h>
+
+namespace zen {
+
+using namespace std::literals;
+
+PasswordHttpFilter::Configuration
+PasswordHttpFilter::ReadConfiguration(CbObjectView Config)
+{
+	Configuration Result;
+	if (CbObjectView PasswordType = Config["basic"sv].AsObjectView(); PasswordType)
+	{
+		Result.AuthenticationTypeString	  = "Basic ";
+		std::string_view Username		  = PasswordType["username"sv].AsString();
+		std::string_view Password		  = PasswordType["password"sv].AsString();
+		std::string		 UsernamePassword = fmt::format("{}:{}", Username, Password);
+		Result.PasswordConfig.Password.resize(Base64::GetEncodedDataSize(uint32_t(UsernamePassword.length())));
+		Base64::Encode(reinterpret_cast<const uint8_t*>(UsernamePassword.data()),
+					   uint32_t(UsernamePassword.size()),
+					   const_cast<char*>(Result.PasswordConfig.Password.data()));
+	}
+	Result.PasswordConfig.ProtectMachineLocalRequests = Config["protect-machine-local-requests"sv].AsBool();
+	Result.PasswordConfig.UnprotectedUris			  = compactbinary_helpers::ReadArray<std::string>("unprotected-uris"sv, Config);
+	return Result;
+}
+
+IHttpRequestFilter::Result
+PasswordHttpFilter::FilterRequest(HttpServerRequest& Request)
+{
+	std::string_view Password;
+	std::string_view AuthorizationHeader	   = Request.GetAuthorizationHeader();
+	size_t			 AuthorizationHeaderLength = AuthorizationHeader.length();
+	if (AuthorizationHeaderLength > m_AuthenticationTypeString.length())
+	{
+		if (StrCaseCompare(AuthorizationHeader.data(), m_AuthenticationTypeString.c_str(), m_AuthenticationTypeString.length()) == 0)
+		{
+			Password = AuthorizationHeader.substr(m_AuthenticationTypeString.length());
+		}
+	}
+
+	bool IsAllowed =
+		m_PasswordSecurity.IsAllowed(Password, Request.Service().BaseUri(), Request.RelativeUri(), Request.IsLocalMachineRequest());
+	if (IsAllowed)
+	{
+		return Result::Accepted;
+	}
+	return Result::Forbidden;
+}
+
+}  // namespace zen