diff options
author | kali kaneko (leap communications) <kali@leap.se> | 2020-06-23 19:34:47 +0200 |
---|---|---|
committer | kali kaneko (leap communications) <kali@leap.se> | 2020-08-11 20:59:53 +0200 |
commit | 33b9ba9abadb8cea8f5840bb11fb9de489b120e3 (patch) | |
tree | 016d08673cefdedb58004a7bd5909d51d1770988 | |
parent | 0f8eab4e1157e83f39cd7298378bb5cc9ddb913a (diff) |
[feat] authentication token for webapi
-rw-r--r-- | pkg/backend/webapi.go | 38 | ||||
-rw-r--r-- | pkg/bitmask/auth.go | 52 |
2 files changed, 86 insertions, 4 deletions
diff --git a/pkg/backend/webapi.go b/pkg/backend/webapi.go index e3918c5..a8844e8 100644 --- a/pkg/backend/webapi.go +++ b/pkg/backend/webapi.go @@ -4,8 +4,35 @@ import ( "fmt" "log" "net/http" + "os" + + "0xacab.org/leap/bitmask-vpn/pkg/bitmask" ) +func Adapt(h http.Handler, adapters ...Adapter) http.Handler { + for _, adapter := range adapters { + h = adapter(h) + } + return h +} + +type Adapter func(http.Handler) http.Handler + +func CheckAuth(token string) Adapter { + return func(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t := r.Header.Get("X-Auth-Token") + if t == token { + h.ServeHTTP(w, r) + } else { + w.WriteHeader(http.StatusUnauthorized) + w.Write([]byte("401 - Unauthorized")) + } + + }) + } +} + func webOn(w http.ResponseWriter, r *http.Request) { log.Println("Web UI: on") SwitchOn() @@ -24,12 +51,15 @@ func webStatus(w http.ResponseWriter, r *http.Request) { func webQuit(w http.ResponseWriter, r *http.Request) { log.Println("Web UI: quit") Quit() + os.Exit(0) } func enableWebAPI() { - http.HandleFunc("/vpn/start", webOn) - http.HandleFunc("/vpn/stop", webOff) - http.HandleFunc("/vpn/status", webStatus) - http.HandleFunc("/vpn/quit", webQuit) + bitmask.GenerateAuthToken() + auth := CheckAuth(bitmask.ReadAuthToken()) + http.Handle("/vpn/start", Adapt(http.HandlerFunc(webOn), auth)) + http.Handle("/vpn/stop", Adapt(http.HandlerFunc(webOff), auth)) + http.Handle("/vpn/status", Adapt(http.HandlerFunc(webStatus), auth)) + http.Handle("/vpn/quit", Adapt(http.HandlerFunc(webQuit), auth)) http.ListenAndServe(":8080", nil) } diff --git a/pkg/bitmask/auth.go b/pkg/bitmask/auth.go new file mode 100644 index 0000000..519eaf1 --- /dev/null +++ b/pkg/bitmask/auth.go @@ -0,0 +1,52 @@ +package bitmask + +import ( + "io/ioutil" + "log" + "math/rand" + "os" + "runtime" + "strings" + "time" +) + +/* functions for local authentication of control endpoints */ + +const tokenPath = "/dev/shm/bitmask-token" + +func GenerateAuthToken() { + if runtime.GOOS != "linux" { + log.Println("Authentication token only implemented in linux at the moment.") + return + } + t := getRandomString() + err := ioutil.WriteFile(tokenPath, []byte(t), os.FileMode(int(0600))) + if err != nil { + log.Println("Could not write authentication token.") + } +} + +func ReadAuthToken() string { + if runtime.GOOS != "linux" { + log.Println("Authentication token only implemented in linux at the moment.") + return "" + } + token, err := ioutil.ReadFile(tokenPath) + if err != nil { + log.Println("Error reading token:", err) + } + return string(token) +} + +func getRandomString() string { + rand.Seed(time.Now().UnixNano()) + chars := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZ" + + "abcdefghijklmnopqrstuvwxyz" + + "0123456789") + length := 40 + var b strings.Builder + for i := 0; i < length; i++ { + b.WriteRune(chars[rand.Intn(len(chars))]) + } + return b.String() +} |