mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-11-24 14:05:45 +03:00
3045da1742
Merge in DNS/adguard-home from 2271-handle-nolint to master Closes #2271. Squashed commit of the following: commit fde5c8795ac79e1f7d02ba8c8e369b5a724a000e Merge: fc2acd898642dcd647Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Nov 20 17:12:28 2020 +0300 Merge branch 'master' into 2271-handle-nolint commit fc2acd89871de08c39e80ace9e5bb8a7acb7afba Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 17 11:55:29 2020 +0300 dnsforward: fix test output strings commit c4ebae6ea9c293bad239519c44ca5a6c576bb921 Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Nov 16 22:43:20 2020 +0300 dnsfilter: make package pass tests commit f2d98c6acabd8977f3b1b361987eaa31eb6eb9ad Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Nov 16 20:05:00 2020 +0300 querylog: make decoding pass tests commit ab5850d24c50d53b8393f2de448cc340241351d7 Merge: 6ed2066bf8a9c6e8a0Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Nov 16 19:48:31 2020 +0300 Merge branch 'master' into 2271-handle-nolint commit 6ed2066bf567e13dd14cfa16fc7b109b59fa39ef Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Nov 16 18:13:45 2020 +0300 home: fix tests naming commit af691081fb02b7500a746b16492f01f7f9befe9a Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Nov 16 12:15:49 2020 +0300 home: impove code quality commit 2914cd3cd23ef2a1964116baab9187d89b377f86 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Nov 11 15:46:39 2020 +0300 * querylog: remove useless check commit 9996840650e784ccc76d1f29964560435ba27dc7 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Nov 11 13:18:34 2020 +0300 * all: fix noticed defects commit 2b15293e59337f70302fbc0db81ebb26bee0bed2 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 20:15:53 2020 +0300 * stats: remove last nolint directive commit b2e1ddf7b58196a2fdbf879f084edb41ca1aa1eb Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 18:35:41 2020 +0300 * all: remove another nolint directive commit c6fc5cfcc9c95ab9e570a95ab41c3e5c0125e62e Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 18:11:28 2020 +0300 * querylog: remove nolint directive commit 226ddbf2c92f737f085b44a4ddf6daec7b602153 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 16:35:26 2020 +0300 * home: remove nolint directive commit 2ea3086ad41e9003282add7e996ae722d72d878b Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 16:13:57 2020 +0300 * home: reduce cyclomatic complexity of run function commit f479b480c48e0bb832ddef8f57586f56b8a55bab Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 15:35:46 2020 +0300 * home: use crypto/rand instead of math/rand commit a28d4a53e3b930136b036606fc7e78404f1d208b Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 14:11:07 2020 +0300 * dnsforward: remove gocyclo nolint directive commit 64a0a324cc2b20614ceec3ccc6505e960fe526e9 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 10 11:45:49 2020 +0300 all *: remove some nolint directives Updates #2271.
553 lines
12 KiB
Go
553 lines
12 KiB
Go
package home
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/binary"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"math"
|
|
"math/big"
|
|
"net/http"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"go.etcd.io/bbolt"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
const (
|
|
cookieTTL = 365 * 24 // in hours
|
|
sessionCookieName = "agh_session"
|
|
)
|
|
|
|
type session struct {
|
|
userName string
|
|
expire uint32 // expiration time (in seconds)
|
|
}
|
|
|
|
func (s *session) serialize() []byte {
|
|
const (
|
|
expireLen = 4
|
|
nameLen = 2
|
|
)
|
|
data := make([]byte, expireLen+nameLen+len(s.userName))
|
|
binary.BigEndian.PutUint32(data[0:4], s.expire)
|
|
binary.BigEndian.PutUint16(data[4:6], uint16(len(s.userName)))
|
|
copy(data[6:], []byte(s.userName))
|
|
return data
|
|
}
|
|
|
|
func (s *session) deserialize(data []byte) bool {
|
|
if len(data) < 4+2 {
|
|
return false
|
|
}
|
|
s.expire = binary.BigEndian.Uint32(data[0:4])
|
|
nameLen := binary.BigEndian.Uint16(data[4:6])
|
|
data = data[6:]
|
|
|
|
if len(data) < int(nameLen) {
|
|
return false
|
|
}
|
|
s.userName = string(data)
|
|
return true
|
|
}
|
|
|
|
// Auth - global object
|
|
type Auth struct {
|
|
db *bbolt.DB
|
|
sessions map[string]*session // session name -> session data
|
|
lock sync.Mutex
|
|
users []User
|
|
sessionTTL uint32 // in seconds
|
|
}
|
|
|
|
// User object
|
|
type User struct {
|
|
Name string `yaml:"name"`
|
|
PasswordHash string `yaml:"password"` // bcrypt hash
|
|
}
|
|
|
|
// InitAuth - create a global object
|
|
func InitAuth(dbFilename string, users []User, sessionTTL uint32) *Auth {
|
|
log.Info("Initializing auth module: %s", dbFilename)
|
|
|
|
a := Auth{}
|
|
a.sessionTTL = sessionTTL
|
|
a.sessions = make(map[string]*session)
|
|
var err error
|
|
a.db, err = bbolt.Open(dbFilename, 0o644, nil)
|
|
if err != nil {
|
|
log.Error("Auth: open DB: %s: %s", dbFilename, err)
|
|
if err.Error() == "invalid argument" {
|
|
log.Error("AdGuard Home cannot be initialized due to an incompatible file system.\nPlease read the explanation here: https://github.com/AdguardTeam/AdGuardHome/internal/wiki/Getting-Started#limitations")
|
|
}
|
|
return nil
|
|
}
|
|
a.loadSessions()
|
|
a.users = users
|
|
log.Info("Auth: initialized. users:%d sessions:%d", len(a.users), len(a.sessions))
|
|
return &a
|
|
}
|
|
|
|
// Close - close module
|
|
func (a *Auth) Close() {
|
|
_ = a.db.Close()
|
|
}
|
|
|
|
func bucketName() []byte {
|
|
return []byte("sessions-2")
|
|
}
|
|
|
|
// load sessions from file, remove expired sessions
|
|
func (a *Auth) loadSessions() {
|
|
tx, err := a.db.Begin(true)
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Begin: %s", err)
|
|
return
|
|
}
|
|
defer func() {
|
|
_ = tx.Rollback()
|
|
}()
|
|
|
|
bkt := tx.Bucket(bucketName())
|
|
if bkt == nil {
|
|
return
|
|
}
|
|
|
|
removed := 0
|
|
|
|
if tx.Bucket([]byte("sessions")) != nil {
|
|
_ = tx.DeleteBucket([]byte("sessions"))
|
|
removed = 1
|
|
}
|
|
|
|
now := uint32(time.Now().UTC().Unix())
|
|
forEach := func(k, v []byte) error {
|
|
s := session{}
|
|
if !s.deserialize(v) || s.expire <= now {
|
|
err = bkt.Delete(k)
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Delete: %s", err)
|
|
} else {
|
|
removed++
|
|
}
|
|
return nil
|
|
}
|
|
|
|
a.sessions[hex.EncodeToString(k)] = &s
|
|
return nil
|
|
}
|
|
_ = bkt.ForEach(forEach)
|
|
if removed != 0 {
|
|
err = tx.Commit()
|
|
if err != nil {
|
|
log.Error("bolt.Commit(): %s", err)
|
|
}
|
|
}
|
|
log.Debug("Auth: loaded %d sessions from DB (removed %d expired)", len(a.sessions), removed)
|
|
}
|
|
|
|
// store session data in file
|
|
func (a *Auth) addSession(data []byte, s *session) {
|
|
name := hex.EncodeToString(data)
|
|
a.lock.Lock()
|
|
a.sessions[name] = s
|
|
a.lock.Unlock()
|
|
if a.storeSession(data, s) {
|
|
log.Debug("Auth: created session %s: expire=%d", name, s.expire)
|
|
}
|
|
}
|
|
|
|
// store session data in file
|
|
func (a *Auth) storeSession(data []byte, s *session) bool {
|
|
tx, err := a.db.Begin(true)
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Begin: %s", err)
|
|
return false
|
|
}
|
|
defer func() {
|
|
_ = tx.Rollback()
|
|
}()
|
|
|
|
bkt, err := tx.CreateBucketIfNotExists(bucketName())
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.CreateBucketIfNotExists: %s", err)
|
|
return false
|
|
}
|
|
err = bkt.Put(data, s.serialize())
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Put: %s", err)
|
|
return false
|
|
}
|
|
|
|
err = tx.Commit()
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Commit: %s", err)
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// remove session from file
|
|
func (a *Auth) removeSession(sess []byte) {
|
|
tx, err := a.db.Begin(true)
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Begin: %s", err)
|
|
return
|
|
}
|
|
defer func() {
|
|
_ = tx.Rollback()
|
|
}()
|
|
|
|
bkt := tx.Bucket(bucketName())
|
|
if bkt == nil {
|
|
log.Error("Auth: bbolt.Bucket")
|
|
return
|
|
}
|
|
err = bkt.Delete(sess)
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Put: %s", err)
|
|
return
|
|
}
|
|
|
|
err = tx.Commit()
|
|
if err != nil {
|
|
log.Error("Auth: bbolt.Commit: %s", err)
|
|
return
|
|
}
|
|
|
|
log.Debug("Auth: removed session from DB")
|
|
}
|
|
|
|
// CheckSession - check if session is valid
|
|
// Return 0 if OK; -1 if session doesn't exist; 1 if session has expired
|
|
func (a *Auth) CheckSession(sess string) int {
|
|
now := uint32(time.Now().UTC().Unix())
|
|
update := false
|
|
|
|
a.lock.Lock()
|
|
s, ok := a.sessions[sess]
|
|
if !ok {
|
|
a.lock.Unlock()
|
|
return -1
|
|
}
|
|
if s.expire <= now {
|
|
delete(a.sessions, sess)
|
|
key, _ := hex.DecodeString(sess)
|
|
a.removeSession(key)
|
|
a.lock.Unlock()
|
|
return 1
|
|
}
|
|
|
|
newExpire := now + a.sessionTTL
|
|
if s.expire/(24*60*60) != newExpire/(24*60*60) {
|
|
// update expiration time once a day
|
|
update = true
|
|
s.expire = newExpire
|
|
}
|
|
|
|
a.lock.Unlock()
|
|
|
|
if update {
|
|
key, _ := hex.DecodeString(sess)
|
|
if a.storeSession(key, s) {
|
|
log.Debug("Auth: updated session %s: expire=%d", sess, s.expire)
|
|
}
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
// RemoveSession - remove session
|
|
func (a *Auth) RemoveSession(sess string) {
|
|
key, _ := hex.DecodeString(sess)
|
|
a.lock.Lock()
|
|
delete(a.sessions, sess)
|
|
a.lock.Unlock()
|
|
a.removeSession(key)
|
|
}
|
|
|
|
type loginJSON struct {
|
|
Name string `json:"name"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
func getSession(u *User) ([]byte, error) {
|
|
maxSalt := big.NewInt(math.MaxUint32)
|
|
salt, err := rand.Int(rand.Reader, maxSalt)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
d := []byte(fmt.Sprintf("%s%s%s", salt, u.Name, u.PasswordHash))
|
|
hash := sha256.Sum256(d)
|
|
return hash[:], nil
|
|
}
|
|
|
|
func (a *Auth) httpCookie(req loginJSON) (string, error) {
|
|
u := a.UserFind(req.Name, req.Password)
|
|
if len(u.Name) == 0 {
|
|
return "", nil
|
|
}
|
|
|
|
sess, err := getSession(&u)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
expire := now.Add(cookieTTL * time.Hour)
|
|
expstr := expire.Format(time.RFC1123)
|
|
expstr = expstr[:len(expstr)-len("UTC")] // "UTC" -> "GMT"
|
|
expstr += "GMT"
|
|
|
|
s := session{}
|
|
s.userName = u.Name
|
|
s.expire = uint32(now.Unix()) + a.sessionTTL
|
|
a.addSession(sess, &s)
|
|
|
|
return fmt.Sprintf("%s=%s; Path=/; HttpOnly; Expires=%s",
|
|
sessionCookieName, hex.EncodeToString(sess), expstr), nil
|
|
}
|
|
|
|
func handleLogin(w http.ResponseWriter, r *http.Request) {
|
|
req := loginJSON{}
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
httpError(w, http.StatusBadRequest, "json decode: %s", err)
|
|
return
|
|
}
|
|
|
|
cookie, err := Context.auth.httpCookie(req)
|
|
if err != nil {
|
|
httpError(w, http.StatusBadRequest, "crypto rand reader: %s", err)
|
|
return
|
|
}
|
|
if len(cookie) == 0 {
|
|
log.Info("Auth: invalid user name or password: name=%q", req.Name)
|
|
time.Sleep(1 * time.Second)
|
|
http.Error(w, "invalid user name or password", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Set-Cookie", cookie)
|
|
|
|
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
|
|
w.Header().Set("Pragma", "no-cache")
|
|
w.Header().Set("Expires", "0")
|
|
|
|
returnOK(w)
|
|
}
|
|
|
|
func handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
cookie := r.Header.Get("Cookie")
|
|
sess := parseCookie(cookie)
|
|
|
|
Context.auth.RemoveSession(sess)
|
|
|
|
w.Header().Set("Location", "/login.html")
|
|
|
|
s := fmt.Sprintf("%s=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
|
|
sessionCookieName)
|
|
w.Header().Set("Set-Cookie", s)
|
|
|
|
w.WriteHeader(http.StatusFound)
|
|
}
|
|
|
|
// RegisterAuthHandlers - register handlers
|
|
func RegisterAuthHandlers() {
|
|
http.Handle("/control/login", postInstallHandler(ensureHandler("POST", handleLogin)))
|
|
httpRegister("GET", "/control/logout", handleLogout)
|
|
}
|
|
|
|
func parseCookie(cookie string) string {
|
|
pairs := strings.Split(cookie, ";")
|
|
for _, pair := range pairs {
|
|
pair = strings.TrimSpace(pair)
|
|
kv := strings.SplitN(pair, "=", 2)
|
|
if len(kv) != 2 {
|
|
continue
|
|
}
|
|
if kv[0] == sessionCookieName {
|
|
return kv[1]
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// optionalAuthThird return true if user should authenticate first.
|
|
func optionalAuthThird(w http.ResponseWriter, r *http.Request) (authFirst bool) {
|
|
authFirst = false
|
|
|
|
// redirect to login page if not authenticated
|
|
ok := false
|
|
cookie, err := r.Cookie(sessionCookieName)
|
|
|
|
if glProcessCookie(r) {
|
|
log.Debug("Auth: authentification was handled by GL-Inet submodule")
|
|
ok = true
|
|
|
|
} else if err == nil {
|
|
r := Context.auth.CheckSession(cookie.Value)
|
|
if r == 0 {
|
|
ok = true
|
|
} else if r < 0 {
|
|
log.Debug("Auth: invalid cookie value: %s", cookie)
|
|
}
|
|
} else {
|
|
// there's no Cookie, check Basic authentication
|
|
user, pass, ok2 := r.BasicAuth()
|
|
if ok2 {
|
|
u := Context.auth.UserFind(user, pass)
|
|
if len(u.Name) != 0 {
|
|
ok = true
|
|
} else {
|
|
log.Info("Auth: invalid Basic Authorization value")
|
|
}
|
|
}
|
|
}
|
|
if !ok {
|
|
if r.URL.Path == "/" || r.URL.Path == "/index.html" {
|
|
if glProcessRedirect(w, r) {
|
|
log.Debug("Auth: redirected to login page by GL-Inet submodule")
|
|
} else {
|
|
w.Header().Set("Location", "/login.html")
|
|
w.WriteHeader(http.StatusFound)
|
|
}
|
|
} else {
|
|
w.WriteHeader(http.StatusForbidden)
|
|
_, _ = w.Write([]byte("Forbidden"))
|
|
}
|
|
authFirst = true
|
|
}
|
|
return authFirst
|
|
}
|
|
|
|
func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/login.html" {
|
|
// redirect to dashboard if already authenticated
|
|
authRequired := Context.auth != nil && Context.auth.AuthRequired()
|
|
cookie, err := r.Cookie(sessionCookieName)
|
|
if authRequired && err == nil {
|
|
r := Context.auth.CheckSession(cookie.Value)
|
|
if r == 0 {
|
|
w.Header().Set("Location", "/")
|
|
w.WriteHeader(http.StatusFound)
|
|
return
|
|
} else if r < 0 {
|
|
log.Debug("Auth: invalid cookie value: %s", cookie)
|
|
}
|
|
}
|
|
|
|
} else if strings.HasPrefix(r.URL.Path, "/assets/") ||
|
|
strings.HasPrefix(r.URL.Path, "/login.") {
|
|
// process as usual
|
|
// no additional auth requirements
|
|
} else if Context.auth != nil && Context.auth.AuthRequired() {
|
|
if optionalAuthThird(w, r) {
|
|
return
|
|
}
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
type authHandler struct {
|
|
handler http.Handler
|
|
}
|
|
|
|
func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
optionalAuth(a.handler.ServeHTTP)(w, r)
|
|
}
|
|
|
|
func optionalAuthHandler(handler http.Handler) http.Handler {
|
|
return &authHandler{handler}
|
|
}
|
|
|
|
// UserAdd - add new user
|
|
func (a *Auth) UserAdd(u *User, password string) {
|
|
if len(password) == 0 {
|
|
return
|
|
}
|
|
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
log.Error("bcrypt.GenerateFromPassword: %s", err)
|
|
return
|
|
}
|
|
u.PasswordHash = string(hash)
|
|
|
|
a.lock.Lock()
|
|
a.users = append(a.users, *u)
|
|
a.lock.Unlock()
|
|
|
|
log.Debug("Auth: added user: %s", u.Name)
|
|
}
|
|
|
|
// UserFind - find a user
|
|
func (a *Auth) UserFind(login, password string) User {
|
|
a.lock.Lock()
|
|
defer a.lock.Unlock()
|
|
for _, u := range a.users {
|
|
if u.Name == login &&
|
|
bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(password)) == nil {
|
|
return u
|
|
}
|
|
}
|
|
return User{}
|
|
}
|
|
|
|
// GetCurrentUser - get the current user
|
|
func (a *Auth) GetCurrentUser(r *http.Request) User {
|
|
cookie, err := r.Cookie(sessionCookieName)
|
|
if err != nil {
|
|
// there's no Cookie, check Basic authentication
|
|
user, pass, ok := r.BasicAuth()
|
|
if ok {
|
|
u := Context.auth.UserFind(user, pass)
|
|
return u
|
|
}
|
|
return User{}
|
|
}
|
|
|
|
a.lock.Lock()
|
|
s, ok := a.sessions[cookie.Value]
|
|
if !ok {
|
|
a.lock.Unlock()
|
|
return User{}
|
|
}
|
|
for _, u := range a.users {
|
|
if u.Name == s.userName {
|
|
a.lock.Unlock()
|
|
return u
|
|
}
|
|
}
|
|
a.lock.Unlock()
|
|
return User{}
|
|
}
|
|
|
|
// GetUsers - get users
|
|
func (a *Auth) GetUsers() []User {
|
|
a.lock.Lock()
|
|
users := a.users
|
|
a.lock.Unlock()
|
|
return users
|
|
}
|
|
|
|
// AuthRequired - if authentication is required
|
|
func (a *Auth) AuthRequired() bool {
|
|
if GLMode {
|
|
return true
|
|
}
|
|
|
|
a.lock.Lock()
|
|
r := (len(a.users) != 0)
|
|
a.lock.Unlock()
|
|
return r
|
|
}
|