2022-07-25 19:17:52 +02:00
|
|
|
package controller
|
|
|
|
|
|
|
|
import (
|
2023-05-11 20:35:49 +02:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
"unicode"
|
|
|
|
|
2022-07-27 20:50:46 +02:00
|
|
|
errors2 "github.com/go-openapi/errors"
|
2022-10-20 20:16:18 +02:00
|
|
|
"github.com/jaevor/go-nanoid"
|
2023-03-13 19:19:38 +01:00
|
|
|
"github.com/openziti/zrok/controller/config"
|
2023-01-13 21:01:34 +01:00
|
|
|
"github.com/openziti/zrok/rest_model_zrok"
|
2023-01-30 17:43:28 +01:00
|
|
|
"github.com/sirupsen/logrus"
|
2022-07-25 19:17:52 +02:00
|
|
|
)
|
|
|
|
|
2022-12-01 20:48:23 +01:00
|
|
|
type zrokAuthenticator struct {
|
2023-03-13 19:19:38 +01:00
|
|
|
cfg *config.Config
|
2022-12-01 20:48:23 +01:00
|
|
|
}
|
|
|
|
|
2023-03-13 19:19:38 +01:00
|
|
|
func newZrokAuthenticator(cfg *config.Config) *zrokAuthenticator {
|
2022-12-01 20:48:23 +01:00
|
|
|
return &zrokAuthenticator{cfg}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Principal, error) {
|
2022-07-29 21:28:40 +02:00
|
|
|
tx, err := str.Begin()
|
2022-07-27 20:45:16 +02:00
|
|
|
if err != nil {
|
2023-01-30 17:43:28 +01:00
|
|
|
logrus.Errorf("error starting transaction for '%v': %v", token, err)
|
2022-07-27 20:45:16 +02:00
|
|
|
return nil, err
|
|
|
|
}
|
2022-07-29 21:54:13 +02:00
|
|
|
defer func() { _ = tx.Rollback() }()
|
2022-12-01 20:48:23 +01:00
|
|
|
|
2022-07-29 21:28:40 +02:00
|
|
|
if a, err := str.FindAccountWithToken(token, tx); err == nil {
|
2022-12-01 20:48:23 +01:00
|
|
|
principal := &rest_model_zrok.Principal{
|
2023-01-13 19:16:10 +01:00
|
|
|
ID: int64(a.Id),
|
|
|
|
Token: a.Token,
|
|
|
|
Email: a.Email,
|
|
|
|
Limitless: a.Limitless,
|
2022-07-28 18:12:50 +02:00
|
|
|
}
|
2022-12-01 20:48:23 +01:00
|
|
|
return principal, nil
|
2022-07-27 20:45:16 +02:00
|
|
|
} else {
|
2022-12-01 20:48:23 +01:00
|
|
|
// check for admin secret
|
|
|
|
if cfg.Admin != nil {
|
|
|
|
for _, secret := range cfg.Admin.Secrets {
|
|
|
|
if token == secret {
|
|
|
|
principal := &rest_model_zrok.Principal{
|
|
|
|
ID: int64(-1),
|
|
|
|
Admin: true,
|
|
|
|
}
|
|
|
|
return principal, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// no match
|
2023-01-30 17:43:28 +01:00
|
|
|
logrus.Warnf("invalid api key '%v'", token)
|
2022-07-27 20:50:46 +02:00
|
|
|
return nil, errors2.New(401, "invalid api key")
|
2022-07-27 20:45:16 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-04 19:43:37 +01:00
|
|
|
func createShareToken() (string, error) {
|
2022-10-20 20:16:18 +02:00
|
|
|
gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyz0123456789", 12)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return gen(), nil
|
2022-10-18 21:49:30 +02:00
|
|
|
}
|
|
|
|
|
2024-01-30 18:59:56 +01:00
|
|
|
func CreateToken() (string, error) {
|
2022-11-28 17:18:56 +01:00
|
|
|
gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 12)
|
2022-10-18 21:49:30 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2022-11-28 17:18:56 +01:00
|
|
|
return gen(), nil
|
2022-07-26 18:26:58 +02:00
|
|
|
}
|
2022-09-20 20:05:27 +02:00
|
|
|
|
2022-09-26 22:21:49 +02:00
|
|
|
func realRemoteAddress(req *http.Request) string {
|
|
|
|
ip := strings.Split(req.RemoteAddr, ":")[0]
|
|
|
|
fwdAddress := req.Header.Get("X-Forwarded-For")
|
|
|
|
if fwdAddress != "" {
|
|
|
|
ip = fwdAddress
|
|
|
|
|
|
|
|
ips := strings.Split(fwdAddress, ", ")
|
|
|
|
if len(ips) > 1 {
|
|
|
|
ip = ips[0]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ip
|
|
|
|
}
|
2022-11-22 21:31:02 +01:00
|
|
|
|
2023-01-04 20:21:23 +01:00
|
|
|
func proxyUrl(shrToken, template string) string {
|
|
|
|
return strings.Replace(template, "{token}", shrToken, -1)
|
2022-11-22 21:31:02 +01:00
|
|
|
}
|
2023-05-11 20:35:49 +02:00
|
|
|
|
|
|
|
func validatePassword(cfg *config.Config, password string) error {
|
2023-05-23 19:51:33 +02:00
|
|
|
if cfg.Passwords.Length > len(password) {
|
|
|
|
return fmt.Errorf("password length: expected (%d), got (%d)", cfg.Passwords.Length, len(password))
|
2023-05-11 20:35:49 +02:00
|
|
|
}
|
2023-05-23 19:51:33 +02:00
|
|
|
if cfg.Passwords.RequireCapital {
|
2023-05-11 20:35:49 +02:00
|
|
|
if !hasCapital(password) {
|
|
|
|
return fmt.Errorf("password requires capital, found none")
|
|
|
|
}
|
|
|
|
}
|
2023-05-23 19:51:33 +02:00
|
|
|
if cfg.Passwords.RequireNumeric {
|
2023-05-11 20:35:49 +02:00
|
|
|
if !hasNumeric(password) {
|
|
|
|
return fmt.Errorf("password requires numeric, found none")
|
|
|
|
}
|
|
|
|
}
|
2023-05-23 19:51:33 +02:00
|
|
|
if cfg.Passwords.RequireSpecial {
|
|
|
|
if !strings.ContainsAny(password, cfg.Passwords.ValidSpecialCharacters) {
|
2023-05-11 20:35:49 +02:00
|
|
|
return fmt.Errorf("password requires special character, found none")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func hasCapital(check string) bool {
|
|
|
|
for _, c := range check {
|
|
|
|
if unicode.IsUpper(c) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func hasNumeric(check string) bool {
|
|
|
|
for _, c := range check {
|
|
|
|
if unicode.IsDigit(c) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|