Add basic authentication without dependencies

This adds a rudimentary basic auth scheme without including dependencies.

utils/basic_auth.go

@@ -0,0 +1,98 @@
+/*
+Real-time Online/Offline Charging System (OCS) for Telecom & ISP environments
+Copyright (C) ITsysCOM GmbH
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+package utils
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+// use provides a cleaner interface for chaining middleware for single routes.
+// Middleware functions are simple HTTP handlers (w http.ResponseWriter, r *http.Request)
+//
+//  r.HandleFunc("/login", use(loginHandler, rateLimit, csrf))
+//  r.HandleFunc("/form", use(formHandler, csrf))
+//  r.HandleFunc("/about", aboutHandler)
+//
+// From https://gist.github.com/elithrar/9146306
+// See https://gist.github.com/elithrar/7600878#comment-955958 for how to extend it to suit simple http.Handler's
+func use(h http.HandlerFunc, middleware ...func(http.HandlerFunc) http.HandlerFunc) http.HandlerFunc {
+	for _, m := range middleware {
+		h = m(h)
+	}
+
+	return h
+}
+
+type basicAuthMiddleware func(h http.HandlerFunc) http.HandlerFunc
+
+// basicAuth returns a middleware function to intercept the request and validate
+func basicAuth(userList map[string]string) basicAuthMiddleware {
+	return func(h http.HandlerFunc) http.HandlerFunc {
+		return func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+
+			authHeader := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
+			if len(authHeader) != 2 {
+				Logger.Warning("<BasicAuth> Missing authorization header value")
+				http.Error(w, "Not authorized", 401)
+				return
+			}
+
+			authHeaderDecoded, err := base64.StdEncoding.DecodeString(authHeader[1])
+			if err != nil {
+				Logger.Warning("<BasicAuth> Unable to decode authorization header")
+				http.Error(w, err.Error(), 401)
+				return
+			}
+
+			userPass := strings.SplitN(string(authHeaderDecoded), ":", 2)
+			if len(userPass) != 2 {
+				Logger.Warning("<BasicAuth> Unauthorized API access. Missing or extra credential components")
+				http.Error(w, "Not authorized", 401)
+				return
+			}
+
+			valid := verifyCredential(userPass[0], userPass[1], userList)
+			if !valid {
+				Logger.Warning(fmt.Sprintf("<BasicAuth> Unauthorized API access by user '%s'", userPass[0]))
+				http.Error(w, "Not authorized", 401)
+				return
+			}
+
+			h.ServeHTTP(w, r)
+		}
+	}
+}
+
+// verifyCredential validates the incoming username and password against the authorized user list
+func verifyCredential(username string, password string, userList map[string]string) bool {
+	hash, ok := userList[username]
+	if !ok {
+		return false
+	}
+
+	storedPass, err := base64.StdEncoding.DecodeString(hash)
+	if err != nil {
+		return false
+	}
+
+	return string(storedPass[:]) == password
+}