package controller import ( "fmt" "net/http" "strings" "unicode" errors2 "github.com/go-openapi/errors" "github.com/jaevor/go-nanoid" "github.com/openziti/zrok/controller/config" "github.com/openziti/zrok/rest_model_zrok" "github.com/sirupsen/logrus" ) type zrokAuthenticator struct { cfg *config.Config } func newZrokAuthenticator(cfg *config.Config) *zrokAuthenticator { return &zrokAuthenticator{cfg} } func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Principal, error) { tx, err := str.Begin() if err != nil { logrus.Errorf("error starting transaction for '%v': %v", token, err) return nil, err } defer func() { _ = tx.Rollback() }() if a, err := str.FindAccountWithToken(token, tx); err == nil { principal := &rest_model_zrok.Principal{ ID: int64(a.Id), Token: a.Token, Email: a.Email, Limitless: a.Limitless, } return principal, nil } else { // check for admin secret if cfg.Admin != nil { for _, secret := range cfg.Admin.Secrets { if token == secret { principal := &rest_model_zrok.Principal{ ID: int64(-1), Admin: true, } return principal, nil } } } // no match logrus.Warnf("invalid api key '%v'", token) return nil, errors2.New(401, "invalid api key") } } func createShareToken() (string, error) { gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyz0123456789", 12) if err != nil { return "", err } return gen(), nil } func CreateToken() (string, error) { gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 12) if err != nil { return "", err } return gen(), nil } func realRemoteAddress(req *http.Request) string { ip := strings.Split(req.RemoteAddr, ":")[0] fwdAddress := req.Header.Get("X-Forwarded-For") if fwdAddress != "" { ip = fwdAddress ips := strings.Split(fwdAddress, ", ") if len(ips) > 1 { ip = ips[0] } } return ip } func proxyUrl(shrToken, template string) string { return strings.Replace(template, "{token}", shrToken, -1) } func validatePassword(cfg *config.Config, password string) error { if cfg.Passwords.Length > len(password) { return fmt.Errorf("password length: expected (%d), got (%d)", cfg.Passwords.Length, len(password)) } if cfg.Passwords.RequireCapital { if !hasCapital(password) { return fmt.Errorf("password requires capital, found none") } } if cfg.Passwords.RequireNumeric { if !hasNumeric(password) { return fmt.Errorf("password requires numeric, found none") } } if cfg.Passwords.RequireSpecial { if !strings.ContainsAny(password, cfg.Passwords.ValidSpecialCharacters) { return fmt.Errorf("password requires special character, found none") } } return nil } func hasCapital(check string) bool { for _, c := range check { if unicode.IsUpper(c) { return true } } return false } func hasNumeric(check string) bool { for _, c := range check { if unicode.IsDigit(c) { return true } } return false }