package main import ( "bufio" "bytes" "crypto/tls" "crypto/x509" "encoding/json" "fmt" "io" "io/ioutil" "log" "net/http" "os" "strings" ) type jsonInput struct { Action string `json:"action"` Params jsonInputParams `json:"params"` } type jsonInputParams struct { Id int `json:"id"` Session string `json:"session"` } type HttpServer struct { Port string ovpn *OpenVpnMgt key string cert string minProfile string neededProfile string certPool *x509.CertPool } func parseJsonQuery(r *http.Request) (*jsonInput, error) { var in jsonInput body, err := ioutil.ReadAll(r.Body) if err != nil { return nil, err } if err = json.Unmarshal(body, &in); err != nil { return nil, err } return &in, nil } func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "nothing here\n") } func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) { err, message := h.ovpn.Version() if err != nil { fmt.Fprintf(w, "Error : %s", err) } jsonStr, err := json.Marshal(message) if err != nil { fmt.Fprintf(w, "Error : %s", err) } fmt.Fprintf(w, "%s", jsonStr) } func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) { err, message := h.ovpn.Help() if err != nil { fmt.Fprintf(w, "Error : %s", err) } jsonStr, err := json.Marshal(message) if err != nil { fmt.Fprintf(w, "Error : %s", err) } fmt.Fprintf(w, "%s", jsonStr) } func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) { var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} // deactivate if there is no https auth if h.key == "" || h.cert == "" || h.certPool == nil { http.Error(w, "No security, deactivated", 403) return } // add CORS headers w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) w.Header().Set("Access-Control-Allow-Methods", "POST") w.Header().Set("Access-Control-Allow-Credentials", "true") w.Header().Set("Access-Control-Allow-Headers", "content-type, accept, origin, user-agent, Accept-Encoding") // stop here if the method is OPTIONS, to allow CORS to work if r.Method == "OPTIONS" { return } // stop here if the method is OPTIONS, to allow CORS to work if r.Method != "POST" { http.Error(w, "post only", 405) return } // ssl auth if len(r.TLS.PeerCertificates) == 0 { log.Println(len(r.TLS.PeerCertificates)) http.Error(w, "Need certificate", 403) return } opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage} if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil { http.Error(w, "Bad certificate", 403) return } profile, _, _ := h.ovpn.AuthLoop(h.minProfile, strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1), "", false) if profile != h.neededProfile { http.Error(w, fmt.Sprintf("You need the %s profile", h.neededProfile), 403) return } req, err := parseJsonQuery(r) if err != nil { log.Println(err) http.Error(w, "Invalid request", 500) return } switch req.Action { case "stats": jsonStr, err := json.Marshal(h.ovpn.Stats()) if err != nil { fmt.Fprintf(w, "Error : %s", err) } fmt.Fprintf(w, "%s", jsonStr) case "kill": if err := h.ovpn.Kill(req.Params.Session, req.Params.Id); err != nil { http.Error(w, fmt.Sprintf("%s", err), 500) } default: http.Error(w, "Invalid request", 500) } return } func NewHTTPServer(port, key, cert, ca, minProfile, neededProfile string, s *OpenVpnMgt) { h := &HttpServer{ Port: port, ovpn: s, key: key, cert: cert, minProfile: minProfile, neededProfile: neededProfile, } http.HandleFunc("/help", h.helpHandler) http.HandleFunc("/ajax", h.ajaxHandler) http.HandleFunc("/version", h.versionHandler) http.HandleFunc("/", h.handler) switch { case key == "" || cert == "": log.Fatal(http.ListenAndServe(port, nil)) case ca != "": h.certPool = x509.NewCertPool() fi, err := os.Open(ca) if err != nil { log.Fatal(err) } defer fi.Close() buf := new(bytes.Buffer) reader := bufio.NewReader(fi) io.Copy(buf, reader) if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok { log.Fatal("Failed to append PEM.") } server := &http.Server{ Addr: port, TLSConfig: &tls.Config{ ClientAuth: tls.RequestClientCert, ClientCAs: h.certPool, }, } log.Fatal(server.ListenAndServeTLS(cert, key)) default: log.Fatal(http.ListenAndServeTLS(port, cert, key, nil)) } }