From d3b21e5adc27cbb472e688b7c602e3bd721dec31 Mon Sep 17 00:00:00 2001 From: "kali kaneko (leap communications)" Date: Fri, 24 Jan 2020 22:24:26 -0600 Subject: protect certificate handler --- Makefile | 2 +- cmd/vpnweb/vpnweb.go | 4 ++-- pkg/auth/middleware.go | 38 ++++++++++++++++++++++++++++++++++---- 3 files changed, 37 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 50e53ab..b000de0 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ build: go build cmd/vpnweb/vpnweb.go demo: - . config/CONFIG && ./vpnweb -notls + . config/CONFIG && ./vpnweb -notls -auth=sip clean: rm -f public/1/* rm public/ca.crt diff --git a/cmd/vpnweb/vpnweb.go b/cmd/vpnweb/vpnweb.go index 86fc38c..2305d98 100644 --- a/cmd/vpnweb/vpnweb.go +++ b/cmd/vpnweb/vpnweb.go @@ -5,6 +5,7 @@ import ( "net/http" //"0xacab.org/leap/pkg/auth" + "0xacab.org/leap/vpnweb/pkg/auth" "0xacab.org/leap/vpnweb/pkg/config" "0xacab.org/leap/vpnweb/pkg/web" ) @@ -22,10 +23,9 @@ func main() { /* TODO ---- http.HandleFunc("/3/auth", auth.AuthMiddleware(opts.Auth)) http.HandleFunc("/3/refresh-token", auth.RefreshAuthMiddleware(opts.Auth)) - http.HandleFunc("/3/cert", jwtMiddleware.Handler(ch.certResponder)) */ - http.HandleFunc("/3/cert", ch.CertResponder) + http.Handle("/3/cert", auth.AuthMiddleware(opts.Auth, ch)) /* static files */ diff --git a/pkg/auth/middleware.go b/pkg/auth/middleware.go index a3a955c..5fe0ab7 100644 --- a/pkg/auth/middleware.go +++ b/pkg/auth/middleware.go 
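Review bot: The commented-out import `//"0xacab.org/leap/pkg/auth"` kept as context directly above the added `"0xacab.org/leap/vpnweb/pkg/auth"` line in cmd/vpnweb/vpnweb.go is now dead and names a different path; drop it so the import block reads cleanly under goimports. The second hunk of the same file leaves the `/* TODO ---- */` block referencing `auth.AuthMiddleware(opts.Auth)` with a one-argument call that no longer matches the two-argument `auth.AuthMiddleware(opts.Auth, ch)` registered right below it, so that comment is worth updating or removing in the same change.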
@@ -1,12 +1,42 @@ package auth -import () - import ( + "0xacab.org/leap/vpnweb/pkg/web" "github.com/auth0/go-jwt-middleware" jwt "github.com/dgrijalva/jwt-go" + "log" + "net/http" ) -func getProtectedHandler() { - jwtMiddleware.Handler(CertHandler) +const anonAuth string = "anon" +const sipAuth string = "sip" + +var jwtSecret = []byte("somethingverysecret") + +func getHandler(ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) { + return ch.CertResponder +} + +//func AuthMiddleware(auth string, ch web.CertHandler) func(w http.ResponseWriter, r *http.Request) { +func AuthMiddleware(auth string, ch web.CertHandler) http.Handler { + + jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{ + ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) { + return jwtSecret, nil + }, + // When set, the middleware verifies that tokens are signed with the specific signing algorithm + // If the signing method is not constant the ValidationKeyGetter callback can be used to implement additional checks + // Important to avoid security issues described here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ + SigningMethod: jwt.SigningMethodHS256, + }) + + switch auth { + case anonAuth: + return http.HandlerFunc(ch.CertResponder) + case sipAuth: + return jwtMiddleware.Handler(http.HandlerFunc(ch.CertResponder)) + default: + log.Fatal("Unknown auth module: '", auth, "'. Should be one of: ", anonAuth, ", ", sipAuth, ".") + } + return nil } -- cgit v1.2.3
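Review bot: The HS256 key on the new side, `var jwtSecret = []byte("somethingverysecret")`, is a literal compiled into the binary and committed with the source, so anyone who can read the repository can produce tokens that satisfy the `sipAuth` branch and reach `/3/cert`; the `ValidationKeyGetter` closure returns that same value for every token. The secret should be loaded from configuration at startup, for example alongside the existing `opts.Auth` value, and `AuthMiddleware` should refuse to build the `sipAuth` handler when none is set, e.g. `if auth == sipAuth && len(jwtSecret) == 0 { log.Fatal("jwt secret is not configured") }` (the configuration field name is a placeholder to choose). Pinning `SigningMethod: jwt.SigningMethodHS256` is the right call and should stay regardless of where the key comes from. Two smaller points in the same hunk: `getHandler` is not referenced by anything visible and looks like leftover scaffolding, and `jwtmiddleware.New(...)` is constructed even when `auth` is `anonAuth`, so moving that construction into the `sipAuth` case would keep the anonymous path free of JWT setup.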