2019-07-08 14:36:56 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2019-07-08 20:32:12 +00:00
|
|
|
"bufio"
|
|
|
|
"bytes"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2019-07-08 14:36:56 +00:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2019-07-08 20:32:12 +00:00
|
|
|
"io"
|
2019-07-11 10:20:08 +00:00
|
|
|
"io/ioutil"
|
2019-07-08 14:36:56 +00:00
|
|
|
"log"
|
|
|
|
"net/http"
|
2019-07-08 20:32:12 +00:00
|
|
|
"os"
|
2019-07-11 10:20:08 +00:00
|
|
|
"strings"
|
2019-07-08 14:36:56 +00:00
|
|
|
)
|
|
|
|
|
2019-07-11 10:20:08 +00:00
|
|
|
type jsonInput struct {
|
|
|
|
Action string `json:"action"`
|
|
|
|
Params jsonInputParams `json:"params"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type jsonInputParams struct {
|
|
|
|
Id int `json:"id"`
|
|
|
|
Session string `json:"session"`
|
|
|
|
}
|
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
type HttpServer struct {
|
2019-07-11 10:20:08 +00:00
|
|
|
Port string
|
|
|
|
ovpn *OpenVpnMgt
|
|
|
|
key string
|
|
|
|
cert string
|
|
|
|
minProfile string
|
|
|
|
neededProfile string
|
|
|
|
certPool *x509.CertPool
|
|
|
|
}
|
|
|
|
|
|
|
|
func parseJsonQuery(r *http.Request) (*jsonInput, error) {
|
|
|
|
var in jsonInput
|
|
|
|
body, err := ioutil.ReadAll(r.Body)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if err = json.Unmarshal(body, &in); err !=
|
|
|
|
nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &in, nil
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) {
|
2019-07-11 10:20:08 +00:00
|
|
|
fmt.Fprintf(w, "nothing here\n")
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
err, message := h.ovpn.Version()
|
|
|
|
if err != nil {
|
|
|
|
fmt.Fprintf(w, "Error : %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
jsonStr, err := json.Marshal(message)
|
|
|
|
if err != nil {
|
|
|
|
fmt.Fprintf(w, "Error : %s", err)
|
|
|
|
}
|
|
|
|
fmt.Fprintf(w, "%s", jsonStr)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
err, message := h.ovpn.Help()
|
|
|
|
if err != nil {
|
|
|
|
fmt.Fprintf(w, "Error : %s", err)
|
|
|
|
}
|
2019-07-08 20:32:12 +00:00
|
|
|
jsonStr, err := json.Marshal(message)
|
|
|
|
if err != nil {
|
|
|
|
fmt.Fprintf(w, "Error : %s", err)
|
|
|
|
}
|
|
|
|
fmt.Fprintf(w, "%s", jsonStr)
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
2019-07-11 10:20:08 +00:00
|
|
|
func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
|
|
|
|
|
|
|
|
// deactivate if there is no https auth
|
|
|
|
if h.key == "" || h.cert == "" || h.certPool == nil {
|
|
|
|
http.Error(w, "No security, deactivated", 403)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// add CORS headers
|
|
|
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
|
|
w.Header().Set("Access-Control-Allow-Methods", "POST")
|
|
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
|
|
w.Header().Set("Access-Control-Allow-Headers", "content-type, accept, origin, user-agent, Accept-Encoding")
|
|
|
|
|
|
|
|
// stop here if the method is OPTIONS, to allow CORS to work
|
|
|
|
if r.Method == "OPTIONS" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// stop here if the method is OPTIONS, to allow CORS to work
|
|
|
|
if r.Method != "POST" {
|
|
|
|
http.Error(w, "post only", 405)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// ssl auth
|
|
|
|
if len(r.TLS.PeerCertificates) == 0 {
|
|
|
|
log.Println(len(r.TLS.PeerCertificates))
|
|
|
|
http.Error(w, "Need certificate", 403)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage}
|
|
|
|
if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
|
|
|
|
http.Error(w, "Bad certificate", 403)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-07-12 20:33:22 +00:00
|
|
|
profile, _, _ := h.ovpn.AuthLoop(h.minProfile,
|
2019-07-11 10:20:08 +00:00
|
|
|
strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1), "", false)
|
|
|
|
if profile != h.neededProfile {
|
|
|
|
http.Error(w, fmt.Sprintf("You need the %s profile", h.neededProfile), 403)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
req, err := parseJsonQuery(r)
|
|
|
|
if err != nil {
|
|
|
|
log.Println(err)
|
|
|
|
http.Error(w, "Invalid request", 500)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
switch req.Action {
|
|
|
|
case "stats":
|
|
|
|
jsonStr, err := json.Marshal(h.ovpn.Stats())
|
|
|
|
if err != nil {
|
|
|
|
fmt.Fprintf(w, "Error : %s", err)
|
|
|
|
}
|
|
|
|
fmt.Fprintf(w, "%s", jsonStr)
|
|
|
|
|
|
|
|
case "kill":
|
|
|
|
if err := h.ovpn.Kill(req.Params.Session, req.Params.Id); err != nil {
|
|
|
|
http.Error(w, fmt.Sprintf("%s", err), 500)
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
http.Error(w, "Invalid request", 500)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewHTTPServer(port, key, cert, ca, minProfile, neededProfile string, s *OpenVpnMgt) {
|
2019-07-08 14:36:56 +00:00
|
|
|
h := &HttpServer{
|
2019-07-11 10:20:08 +00:00
|
|
|
Port: port,
|
|
|
|
ovpn: s,
|
|
|
|
key: key,
|
|
|
|
cert: cert,
|
|
|
|
minProfile: minProfile,
|
|
|
|
neededProfile: neededProfile,
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
2019-07-08 20:32:12 +00:00
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
http.HandleFunc("/help", h.helpHandler)
|
2019-07-11 10:20:08 +00:00
|
|
|
http.HandleFunc("/ajax", h.ajaxHandler)
|
2019-07-08 14:36:56 +00:00
|
|
|
http.HandleFunc("/version", h.versionHandler)
|
|
|
|
http.HandleFunc("/", h.handler)
|
2019-07-08 20:32:12 +00:00
|
|
|
|
|
|
|
switch {
|
|
|
|
case key == "" || cert == "":
|
|
|
|
log.Fatal(http.ListenAndServe(port, nil))
|
|
|
|
case ca != "":
|
|
|
|
h.certPool = x509.NewCertPool()
|
|
|
|
fi, err := os.Open(ca)
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
|
|
|
defer fi.Close()
|
|
|
|
buf := new(bytes.Buffer)
|
|
|
|
reader := bufio.NewReader(fi)
|
|
|
|
io.Copy(buf, reader)
|
|
|
|
if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok {
|
|
|
|
log.Fatal("Failed to append PEM.")
|
|
|
|
}
|
|
|
|
server := &http.Server{
|
|
|
|
Addr: port,
|
|
|
|
TLSConfig: &tls.Config{
|
|
|
|
ClientAuth: tls.RequestClientCert,
|
|
|
|
ClientCAs: h.certPool,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
log.Fatal(server.ListenAndServeTLS(cert, key))
|
|
|
|
default:
|
|
|
|
log.Fatal(http.ListenAndServeTLS(port, cert, key, nil))
|
|
|
|
}
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|