package main import ( "bufio" "errors" "fmt" "io" "log" "net" "os" "strings" "sync" ) // Server represents the server type OpenVpnMgt struct { Port string buf *bufio.ReadWriter connected bool m sync.RWMutex ret chan []string ldap map[string]ldapConfig authCa string vpnlogUrl string mailRelay string MailFrom string CcPwnPassword string pwnTemplate string newAsTemplate string cacheDir string syslog bool otpMasterSecrets []string } // NewServer returns a pointer to a new server func NewVPNServer(port string) *OpenVpnMgt { return &OpenVpnMgt{ Port: port, ret: make(chan []string), ldap: make(map[string]ldapConfig), } } // Run starts a the server func (s *OpenVpnMgt) Run() { // Resolve the passed port into an address addrs, err := net.ResolveTCPAddr("tcp", s.Port) if err != nil { log.Println(err) os.Exit(1) } // start listening to client connections listener, err := net.ListenTCP("tcp", addrs) if err != nil { log.Println(err) os.Exit(1) } // Infinite loop since we dont want the server to shut down for { // Accept the incomming connections conn, err := listener.Accept() if err != nil { // continue accepting connection even if an error occurs (if error occurs dont shut down) continue } // run it as a go routine to allow multiple clients to connect at the same time go s.handleConn(conn) } } func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) { //TODO implement that correcly if c.password == "maith1wiePuw3ieb4heiNie5y" { return true, "maith1wiePuw3ieb4heiNie5y" } return false, "maith1wiePuw3ieb4heiNie5y" } // main authentication function. // returns 0 if auth is valid // returns 1 if an TOTP code is necessary // returns a negative if auth is not valid func (s *OpenVpnMgt) Auth(c *vpnSession) (error, int) { // an empty password is not good if c.password == "" { return errors.New("Empty Password"), -1 } // check if the password is a valid token (see TOTP request) tokenPasswordOk, tokenPassword := s.TokenPassword(c) // password is a token. We remove it from the session object to // avoid checking it against the ldap if tokenPasswordOk { c.password = "" } // if the otp is not empty, we check it against the valid codes as soon as // possible otpvalidated := false if c.otpCode != "" { codes, err := s.GenerateOTP(c.Login) if err != nil { return err, -2 } for _, possible := range codes { if possible == c.otpCode { otpvalidated = true } } } c.Profile = "" login := []string{c.Login} pass := c.password for { n := c.Profile for k, ldap := range s.ldap { if ldap.upgradeFrom != c.Profile { continue } err, userOk, passOk, secondary := ldap.Auth(login, pass) // if there is an error, try the other configurations if err != nil { log.Println(err) continue } // we did find a valid User if userOk { // the login for the new auth level is given by the current one login = secondary if c.Mail == "" { c.Mail = secondary[0] } if passOk && c.Profile != "" { // it's at least the second auth level, and we have a valid // password on 2 different auth system. It's a dupplicate // password, let's log it log.Printf("User %s has a dupplicate password\n", c.Login) } // we have either a positive auth ok a previous valid one if passOk || c.Profile != "" || tokenPasswordOk { c.Profile = k } } } // no profile update this turn, no need to continue if n == c.Profile { break } } // no profile validated, we stop here if c.Profile == "" { return errors.New("Authentication Failed"), -3 } // check the MFA requested by the secured profile switch s.ldap[c.Profile].mfaType { case "internal": if otpvalidated { return nil, 0 } c.password = tokenPassword return errors.New("Need OTP Code"), 1 case "okta": //TODO implement okta MFA return nil, -4 } // no MFA requested, the login is valid return nil, 0 } func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) { if !s.connected { return errors.New("No openvpn server present"), nil } for _, line := range msg { log.Println(line) if _, err := s.buf.WriteString(line + "\r\n"); err != nil { return err, nil } } if err := s.buf.Flush(); err != nil { return err, nil } // wait for the response ret := <-s.ret return nil, ret } func (s *OpenVpnMgt) Help() (error, []string) { err, msg := s.sendCommand([]string{"help"}) if err != nil { return err, nil } return nil, msg } func (s *OpenVpnMgt) Version() (error, []string) { err, msg := s.sendCommand([]string{"version"}) if err != nil { return err, nil } return nil, msg } func (s *OpenVpnMgt) ClientValidated(line string) { //TODO manage that : find the client, log stuff <-s.ret } func (s *OpenVpnMgt) ClientDisconnect(line string) { //TODO manage that : find the client, log stuff <-s.ret } func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) { // TODO implement ip := s.ldap[c.Profile].ipMin return ip.String(), nil } func (s *OpenVpnMgt) ClientConnect(line string) { var cmd []string var ip string var errIP error client := NewVPNSession("log in") client.ParseSessionId(line) infos := <-s.ret if err := client.ParseEnv(&infos); err != nil { log.Println(err) return } err, ok := s.Auth(client) // if auth is ok, time to get an IP address if ok == 0 { ip, errIP = s.getIP(client) if errIP != nil { ok = -10 err = errIP } } switch { case ok == 0: cmd = []string{ fmt.Sprintf("client-auth %d %d", client.cID, client.kID), fmt.Sprintf("ifconfig-push %s %s", ip, client.localIP), } for _, r := range s.ldap[client.Profile].routes { cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r)) } cmd = append(cmd, "END") case ok < 0: cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"", client.cID, client.kID, err, err)} case ok == 1: cmd = []string{fmt.Sprintf( "client-deny %d %d \"Need OTP\" \"CRV1:R,E:%s:%s:OTP Code \"", client.cID, client.kID, client.password, client.b64Login())} } if err, _ := s.sendCommand(cmd); err != nil { log.Println(err) } return } func (s *OpenVpnMgt) handleConn(conn net.Conn) { defer conn.Close() // we don't want multiple connexions, only one openvpn server at a time s.m.Lock() if s.connected { conn.Write([]byte("Sorry, only one server allowed\n")) s.m.Unlock() return } s.connected = true s.m.Unlock() // we store the buffer pointer in the struct, to be accessed from other methods s.buf = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)) // most response are multilined, use response to concatenate them response := []string{} for { line, err := s.buf.ReadString('\n') // manage basic errors switch { case err == io.EOF: log.Println("Reached EOF - close this connection.\n") s.connected = false return case err != nil: log.Println("Error reading line. Got: '"+line+"'\n", err) s.connected = false return } line = strings.Trim(line, "\n\r ") // manage all "terminator" lines for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} { if strings.HasPrefix(line, terminator) { s.ret <- response response = nil break } } switch { // a new openvpn server is connected case strings.HasPrefix(line, ">INFO"): // command sucessfull, we can ignore case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"): // new bloc for a disconnect event. // We start the receiving handler, which will wait for the Channel message case strings.HasPrefix(line, ">CLIENT:DISCONNECT"): go s.ClientDisconnect(line) // new bloc for a connect event. // We start the receiving handler, which will wait for the Channel message case strings.HasPrefix(line, ">CLIENT:ADDRESS"): go s.ClientValidated(line) case strings.HasPrefix(line, ">CLIENT:CONNECT"): go s.ClientConnect(line) default: response = append(response, line) } log.Print(line) } }