package home import ( "crypto/sha256" "encoding/binary" "encoding/hex" "encoding/json" "fmt" "math/rand" "net/http" "strings" "sync" "time" "github.com/AdguardTeam/golibs/log" "go.etcd.io/bbolt" "golang.org/x/crypto/bcrypt" ) const cookieTTL = 365 * 24 // in hours const expireTime = 30 * 24 // in hours // Auth - global object type Auth struct { db *bbolt.DB sessions map[string]uint32 // session -> expiration time (in seconds) lock sync.Mutex users []User } // User object type User struct { Name string `yaml:"name"` PasswordHash string `yaml:"password"` // bcrypt hash } // InitAuth - create a global object func InitAuth(dbFilename string, users []User) *Auth { a := Auth{} a.sessions = make(map[string]uint32) rand.Seed(time.Now().UTC().Unix()) var err error a.db, err = bbolt.Open(dbFilename, 0644, nil) if err != nil { log.Error("Auth: bbolt.Open: %s", err) return nil } a.loadSessions() a.users = users log.Debug("Auth: initialized. users:%d sessions:%d", len(a.users), len(a.sessions)) return &a } // Close - close module func (a *Auth) Close() { _ = a.db.Close() } // load sessions from file, remove expired sessions func (a *Auth) loadSessions() { tx, err := a.db.Begin(true) if err != nil { log.Error("Auth: bbolt.Begin: %s", err) return } defer func() { _ = tx.Rollback() }() bkt := tx.Bucket([]byte("sessions")) if bkt == nil { return } removed := 0 now := uint32(time.Now().UTC().Unix()) forEach := func(k, v []byte) error { i := binary.BigEndian.Uint32(v) if i <= now { err = bkt.Delete(k) if err != nil { log.Error("Auth: bbolt.Delete: %s", err) } else { removed++ } return nil } a.sessions[hex.EncodeToString(k)] = i return nil } _ = bkt.ForEach(forEach) if removed != 0 { err = tx.Commit() if err != nil { log.Error("bolt.Commit(): %s", err) } } log.Debug("Auth: loaded %d sessions from DB (removed %d expired)", len(a.sessions), removed) } // store session data in file func (a *Auth) storeSession(data []byte, expire uint32) { a.lock.Lock() a.sessions[hex.EncodeToString(data)] = expire a.lock.Unlock() tx, err := a.db.Begin(true) if err != nil { log.Error("Auth: bbolt.Begin: %s", err) return } defer func() { _ = tx.Rollback() }() bkt, err := tx.CreateBucketIfNotExists([]byte("sessions")) if err != nil { log.Error("Auth: bbolt.CreateBucketIfNotExists: %s", err) return } var val []byte val = make([]byte, 4) binary.BigEndian.PutUint32(val, expire) err = bkt.Put(data, val) if err != nil { log.Error("Auth: bbolt.Put: %s", err) return } err = tx.Commit() if err != nil { log.Error("Auth: bbolt.Commit: %s", err) return } log.Debug("Auth: stored session in DB") } // remove session from file func (a *Auth) removeSession(sess []byte) { tx, err := a.db.Begin(true) if err != nil { log.Error("Auth: bbolt.Begin: %s", err) return } defer func() { _ = tx.Rollback() }() bkt := tx.Bucket([]byte("sessions")) if bkt == nil { log.Error("Auth: bbolt.Bucket") return } err = bkt.Delete(sess) if err != nil { log.Error("Auth: bbolt.Put: %s", err) return } err = tx.Commit() if err != nil { log.Error("Auth: bbolt.Commit: %s", err) return } log.Debug("Auth: removed session from DB") } // CheckSession - check if session is valid // Return 0 if OK; -1 if session doesn't exist; 1 if session has expired func (a *Auth) CheckSession(sess string) int { now := uint32(time.Now().UTC().Unix()) update := false a.lock.Lock() expire, ok := a.sessions[sess] if !ok { a.lock.Unlock() return -1 } if expire <= now { delete(a.sessions, sess) key, _ := hex.DecodeString(sess) a.removeSession(key) a.lock.Unlock() return 1 } newExpire := now + expireTime*60*60 if expire/(24*60*60) != newExpire/(24*60*60) { // update expiration time once a day update = true a.sessions[sess] = newExpire } a.lock.Unlock() if update { key, _ := hex.DecodeString(sess) a.storeSession(key, expire) } return 0 } // RemoveSession - remove session func (a *Auth) RemoveSession(sess string) { key, _ := hex.DecodeString(sess) a.lock.Lock() delete(a.sessions, sess) a.lock.Unlock() a.removeSession(key) } type loginJSON struct { Name string `json:"name"` Password string `json:"password"` } func getSession(u *User) []byte { d := []byte(fmt.Sprintf("%d%s%s", rand.Uint32(), u.Name, u.PasswordHash)) hash := sha256.Sum256(d) return hash[:] } func httpCookie(req loginJSON) string { u := config.auth.UserFind(req.Name, req.Password) if len(u.Name) == 0 { return "" } sess := getSession(&u) now := time.Now().UTC() expire := now.Add(cookieTTL * time.Hour) expstr := expire.Format(time.RFC1123) expstr = expstr[:len(expstr)-len("UTC")] // "UTC" -> "GMT" expstr += "GMT" expireSess := uint32(now.Unix()) + expireTime*60*60 config.auth.storeSession(sess, expireSess) return fmt.Sprintf("session=%s; Path=/; HttpOnly; Expires=%s", hex.EncodeToString(sess), expstr) } func handleLogin(w http.ResponseWriter, r *http.Request) { req := loginJSON{} err := json.NewDecoder(r.Body).Decode(&req) if err != nil { httpError(w, http.StatusBadRequest, "json decode: %s", err) return } cookie := httpCookie(req) if len(cookie) == 0 { time.Sleep(1 * time.Second) httpError(w, http.StatusBadRequest, "invalid login or password") return } w.Header().Set("Set-Cookie", cookie) w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate") w.Header().Set("Pragma", "no-cache") w.Header().Set("Expires", "0") returnOK(w) } func handleLogout(w http.ResponseWriter, r *http.Request) { cookie := r.Header.Get("Cookie") sess := parseCookie(cookie) config.auth.RemoveSession(sess) w.Header().Set("Location", "/login.html") s := fmt.Sprintf("session=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT") w.Header().Set("Set-Cookie", s) w.WriteHeader(http.StatusFound) } // RegisterAuthHandlers - register handlers func RegisterAuthHandlers() { http.Handle("/control/login", postInstallHandler(ensureHandler("POST", handleLogin))) httpRegister("GET", "/control/logout", handleLogout) } func parseCookie(cookie string) string { pairs := strings.Split(cookie, ";") for _, pair := range pairs { pair = strings.TrimSpace(pair) kv := strings.SplitN(pair, "=", 2) if len(kv) != 2 { continue } if kv[0] == "session" { return kv[1] } } return "" } func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) { return func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/login.html" { // redirect to dashboard if already authenticated authRequired := config.auth != nil && config.auth.AuthRequired() cookie, err := r.Cookie("session") if authRequired && err == nil { r := config.auth.CheckSession(cookie.Value) if r == 0 { w.Header().Set("Location", "/") w.WriteHeader(http.StatusFound) return } else if r < 0 { log.Debug("Auth: invalid cookie value: %s", cookie) } } } else if r.URL.Path == "/favicon.png" || strings.HasPrefix(r.URL.Path, "/login.") { // process as usual } else if config.auth != nil && config.auth.AuthRequired() { // redirect to login page if not authenticated ok := false cookie, err := r.Cookie("session") if err == nil { r := config.auth.CheckSession(cookie.Value) if r == 0 { ok = true } else if r < 0 { log.Debug("Auth: invalid cookie value: %s", cookie) } } else { // there's no Cookie, check Basic authentication user, pass, ok2 := r.BasicAuth() if ok2 { u := config.auth.UserFind(user, pass) if len(u.Name) != 0 { ok = true } } } if !ok { w.Header().Set("Location", "/login.html") w.WriteHeader(http.StatusFound) return } } handler(w, r) } } type authHandler struct { handler http.Handler } func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { optionalAuth(a.handler.ServeHTTP)(w, r) } func optionalAuthHandler(handler http.Handler) http.Handler { return &authHandler{handler} } // UserAdd - add new user func (a *Auth) UserAdd(u *User, password string) { if len(password) == 0 { return } hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { log.Error("bcrypt.GenerateFromPassword: %s", err) return } u.PasswordHash = string(hash) a.lock.Lock() a.users = append(a.users, *u) a.lock.Unlock() log.Debug("Auth: added user: %s", u.Name) } // UserFind - find a user func (a *Auth) UserFind(login string, password string) User { a.lock.Lock() defer a.lock.Unlock() for _, u := range a.users { if u.Name == login && bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(password)) == nil { return u } } return User{} } // GetUsers - get users func (a *Auth) GetUsers() []User { a.lock.Lock() users := a.users a.lock.Unlock() return users } // AuthRequired - if authentication is required func (a *Auth) AuthRequired() bool { a.lock.Lock() r := (len(a.users) != 0) a.lock.Unlock() return r }