AdGuardHome/home/auth.go

420 lines
9.0 KiB
Go

package home
import (
"crypto/sha256"
"encoding/binary"
"encoding/hex"
"encoding/json"
"fmt"
"math/rand"
"net/http"
"strings"
"sync"
"time"
"github.com/AdguardTeam/golibs/log"
"go.etcd.io/bbolt"
"golang.org/x/crypto/bcrypt"
)
const cookieTTL = 365 * 24 // in hours
const expireTime = 30 * 24 // in hours
// Auth - global object
type Auth struct {
db *bbolt.DB
sessions map[string]uint32 // session -> expiration time (in seconds)
lock sync.Mutex
users []User
}
// User object
type User struct {
Name string `yaml:"name"`
PasswordHash string `yaml:"password"` // bcrypt hash
}
// InitAuth - create a global object
func InitAuth(dbFilename string, users []User) *Auth {
a := Auth{}
a.sessions = make(map[string]uint32)
rand.Seed(time.Now().UTC().Unix())
var err error
a.db, err = bbolt.Open(dbFilename, 0644, nil)
if err != nil {
log.Error("Auth: bbolt.Open: %s", err)
return nil
}
a.loadSessions()
a.users = users
log.Debug("Auth: initialized. users:%d sessions:%d", len(a.users), len(a.sessions))
return &a
}
// Close - close module
func (a *Auth) Close() {
_ = a.db.Close()
}
// load sessions from file, remove expired sessions
func (a *Auth) loadSessions() {
tx, err := a.db.Begin(true)
if err != nil {
log.Error("Auth: bbolt.Begin: %s", err)
return
}
defer func() {
_ = tx.Rollback()
}()
bkt := tx.Bucket([]byte("sessions"))
if bkt == nil {
return
}
removed := 0
now := uint32(time.Now().UTC().Unix())
forEach := func(k, v []byte) error {
i := binary.BigEndian.Uint32(v)
if i <= now {
err = bkt.Delete(k)
if err != nil {
log.Error("Auth: bbolt.Delete: %s", err)
} else {
removed++
}
return nil
}
a.sessions[hex.EncodeToString(k)] = i
return nil
}
_ = bkt.ForEach(forEach)
if removed != 0 {
err = tx.Commit()
if err != nil {
log.Error("bolt.Commit(): %s", err)
}
}
log.Debug("Auth: loaded %d sessions from DB (removed %d expired)", len(a.sessions), removed)
}
// store session data in file
func (a *Auth) storeSession(data []byte, expire uint32) {
a.lock.Lock()
a.sessions[hex.EncodeToString(data)] = expire
a.lock.Unlock()
tx, err := a.db.Begin(true)
if err != nil {
log.Error("Auth: bbolt.Begin: %s", err)
return
}
defer func() {
_ = tx.Rollback()
}()
bkt, err := tx.CreateBucketIfNotExists([]byte("sessions"))
if err != nil {
log.Error("Auth: bbolt.CreateBucketIfNotExists: %s", err)
return
}
var val []byte
val = make([]byte, 4)
binary.BigEndian.PutUint32(val, expire)
err = bkt.Put(data, val)
if err != nil {
log.Error("Auth: bbolt.Put: %s", err)
return
}
err = tx.Commit()
if err != nil {
log.Error("Auth: bbolt.Commit: %s", err)
return
}
log.Debug("Auth: stored session in DB")
}
// remove session from file
func (a *Auth) removeSession(sess []byte) {
tx, err := a.db.Begin(true)
if err != nil {
log.Error("Auth: bbolt.Begin: %s", err)
return
}
defer func() {
_ = tx.Rollback()
}()
bkt := tx.Bucket([]byte("sessions"))
if bkt == nil {
log.Error("Auth: bbolt.Bucket")
return
}
err = bkt.Delete(sess)
if err != nil {
log.Error("Auth: bbolt.Put: %s", err)
return
}
err = tx.Commit()
if err != nil {
log.Error("Auth: bbolt.Commit: %s", err)
return
}
log.Debug("Auth: removed session from DB")
}
// CheckSession - check if session is valid
// Return 0 if OK; -1 if session doesn't exist; 1 if session has expired
func (a *Auth) CheckSession(sess string) int {
now := uint32(time.Now().UTC().Unix())
update := false
a.lock.Lock()
expire, ok := a.sessions[sess]
if !ok {
a.lock.Unlock()
return -1
}
if expire <= now {
delete(a.sessions, sess)
key, _ := hex.DecodeString(sess)
a.removeSession(key)
a.lock.Unlock()
return 1
}
newExpire := now + expireTime*60*60
if expire/(24*60*60) != newExpire/(24*60*60) {
// update expiration time once a day
update = true
a.sessions[sess] = newExpire
}
a.lock.Unlock()
if update {
key, _ := hex.DecodeString(sess)
a.storeSession(key, expire)
}
return 0
}
// RemoveSession - remove session
func (a *Auth) RemoveSession(sess string) {
key, _ := hex.DecodeString(sess)
a.lock.Lock()
delete(a.sessions, sess)
a.lock.Unlock()
a.removeSession(key)
}
type loginJSON struct {
Name string `json:"name"`
Password string `json:"password"`
}
func getSession(u *User) []byte {
d := []byte(fmt.Sprintf("%d%s%s", rand.Uint32(), u.Name, u.PasswordHash))
hash := sha256.Sum256(d)
return hash[:]
}
func httpCookie(req loginJSON) string {
u := config.auth.UserFind(req.Name, req.Password)
if len(u.Name) == 0 {
return ""
}
sess := getSession(&u)
now := time.Now().UTC()
expire := now.Add(cookieTTL * time.Hour)
expstr := expire.Format(time.RFC1123)
expstr = expstr[:len(expstr)-len("UTC")] // "UTC" -> "GMT"
expstr += "GMT"
expireSess := uint32(now.Unix()) + expireTime*60*60
config.auth.storeSession(sess, expireSess)
return fmt.Sprintf("session=%s; Path=/; HttpOnly; Expires=%s", hex.EncodeToString(sess), expstr)
}
func handleLogin(w http.ResponseWriter, r *http.Request) {
req := loginJSON{}
err := json.NewDecoder(r.Body).Decode(&req)
if err != nil {
httpError(w, http.StatusBadRequest, "json decode: %s", err)
return
}
cookie := httpCookie(req)
if len(cookie) == 0 {
time.Sleep(1 * time.Second)
httpError(w, http.StatusBadRequest, "invalid login or password")
return
}
w.Header().Set("Set-Cookie", cookie)
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Expires", "0")
returnOK(w)
}
func handleLogout(w http.ResponseWriter, r *http.Request) {
cookie := r.Header.Get("Cookie")
sess := parseCookie(cookie)
config.auth.RemoveSession(sess)
w.Header().Set("Location", "/login.html")
s := fmt.Sprintf("session=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
w.Header().Set("Set-Cookie", s)
w.WriteHeader(http.StatusFound)
}
// RegisterAuthHandlers - register handlers
func RegisterAuthHandlers() {
http.Handle("/control/login", postInstallHandler(ensureHandler("POST", handleLogin)))
httpRegister("GET", "/control/logout", handleLogout)
}
func parseCookie(cookie string) string {
pairs := strings.Split(cookie, ";")
for _, pair := range pairs {
pair = strings.TrimSpace(pair)
kv := strings.SplitN(pair, "=", 2)
if len(kv) != 2 {
continue
}
if kv[0] == "session" {
return kv[1]
}
}
return ""
}
func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/login.html" {
// redirect to dashboard if already authenticated
authRequired := config.auth != nil && config.auth.AuthRequired()
cookie, err := r.Cookie("session")
if authRequired && err == nil {
r := config.auth.CheckSession(cookie.Value)
if r == 0 {
w.Header().Set("Location", "/")
w.WriteHeader(http.StatusFound)
return
} else if r < 0 {
log.Debug("Auth: invalid cookie value: %s", cookie)
}
}
} else if r.URL.Path == "/favicon.png" ||
strings.HasPrefix(r.URL.Path, "/login.") {
// process as usual
} else if config.auth != nil && config.auth.AuthRequired() {
// redirect to login page if not authenticated
ok := false
cookie, err := r.Cookie("session")
if err == nil {
r := config.auth.CheckSession(cookie.Value)
if r == 0 {
ok = true
} else if r < 0 {
log.Debug("Auth: invalid cookie value: %s", cookie)
}
} else {
// there's no Cookie, check Basic authentication
user, pass, ok2 := r.BasicAuth()
if ok2 {
u := config.auth.UserFind(user, pass)
if len(u.Name) != 0 {
ok = true
}
}
}
if !ok {
w.Header().Set("Location", "/login.html")
w.WriteHeader(http.StatusFound)
return
}
}
handler(w, r)
}
}
type authHandler struct {
handler http.Handler
}
func (a *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
optionalAuth(a.handler.ServeHTTP)(w, r)
}
func optionalAuthHandler(handler http.Handler) http.Handler {
return &authHandler{handler}
}
// UserAdd - add new user
func (a *Auth) UserAdd(u *User, password string) {
if len(password) == 0 {
return
}
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
log.Error("bcrypt.GenerateFromPassword: %s", err)
return
}
u.PasswordHash = string(hash)
a.lock.Lock()
a.users = append(a.users, *u)
a.lock.Unlock()
log.Debug("Auth: added user: %s", u.Name)
}
// UserFind - find a user
func (a *Auth) UserFind(login string, password string) User {
a.lock.Lock()
defer a.lock.Unlock()
for _, u := range a.users {
if u.Name == login &&
bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(password)) == nil {
return u
}
}
return User{}
}
// GetUsers - get users
func (a *Auth) GetUsers() []User {
a.lock.Lock()
users := a.users
a.lock.Unlock()
return users
}
// AuthRequired - if authentication is required
func (a *Auth) AuthRequired() bool {
a.lock.Lock()
r := (len(a.users) != 0)
a.lock.Unlock()
return r
}