openvpn-mgt/httpd.go

198 lines
4.6 KiB
Go

package main
import (
"bufio"
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"log"
"net/http"
"os"
"strings"
)
type jsonInput struct {
Action string `json:"action"`
Params jsonInputParams `json:"params"`
}
type jsonInputParams struct {
Id int `json:"id"`
Session string `json:"session"`
}
type HttpServer struct {
Port string
ovpn *OpenVpnMgt
key string
cert string
minProfile string
neededProfile string
certPool *x509.CertPool
}
func parseJsonQuery(r *http.Request) (*jsonInput, error) {
var in jsonInput
body, err := ioutil.ReadAll(r.Body)
if err != nil {
return nil, err
}
if err = json.Unmarshal(body, &in); err !=
nil {
return nil, err
}
return &in, nil
}
func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-type", "application/javascript")
fmt.Fprintf(w, "\n")
}
func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) {
err, message := h.ovpn.Version()
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
jsonStr, err := json.Marshal(message)
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
fmt.Fprintf(w, "%s", jsonStr)
}
func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) {
err, message := h.ovpn.Help()
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
jsonStr, err := json.Marshal(message)
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
fmt.Fprintf(w, "%s", jsonStr)
}
func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
w.Header().Set("Content-type", "application/json")
// deactivate if there is no https auth
if h.key == "" || h.cert == "" || h.certPool == nil {
http.Error(w, "No security, deactivated", 403)
return
}
// add CORS headers
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Methods", "POST")
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "content-type, accept, origin, user-agent, Accept-Encoding")
// stop here if the method is OPTIONS, to allow CORS to work
if r.Method == "OPTIONS" {
return
}
// stop here if the method is OPTIONS, to allow CORS to work
if r.Method != "POST" {
http.Error(w, "post only", 405)
return
}
// ssl auth
if len(r.TLS.PeerCertificates) == 0 {
log.Println(len(r.TLS.PeerCertificates))
http.Error(w, "Need certificate", 403)
return
}
opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage}
if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
http.Error(w, "Bad certificate", 403)
return
}
webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
profile, _, _ := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
if profile != h.neededProfile {
http.Error(w, fmt.Sprintf("You need the %s profile", h.neededProfile), 403)
return
}
log.Printf("%s is connected via the web interfaces\n", webuser)
req, err := parseJsonQuery(r)
if err != nil {
log.Println(err)
http.Error(w, "Invalid request", 500)
return
}
switch req.Action {
case "stats":
jsonStr, err := json.Marshal(h.ovpn.Stats())
if err != nil {
http.Error(w, fmt.Sprintf("%s", err), 500)
}
fmt.Fprintf(w, "%s", jsonStr)
case "kill":
if err := h.ovpn.Kill(req.Params.Session, req.Params.Id, webuser); err != nil {
http.Error(w, fmt.Sprintf("%s", err), 500)
}
fmt.Fprintf(w, "{}")
default:
http.Error(w, "Invalid request", 500)
}
return
}
func NewHTTPServer(port, key, cert, ca, minProfile, neededProfile string, s *OpenVpnMgt) {
h := &HttpServer{
Port: port,
ovpn: s,
key: key,
cert: cert,
minProfile: minProfile,
neededProfile: neededProfile,
}
http.HandleFunc("/help", h.helpHandler)
http.HandleFunc("/ajax", h.ajaxHandler)
http.HandleFunc("/version", h.versionHandler)
http.HandleFunc("/", h.handler)
switch {
case key == "" || cert == "":
log.Fatal(http.ListenAndServe(port, nil))
case ca != "":
h.certPool = x509.NewCertPool()
fi, err := os.Open(ca)
if err != nil {
log.Fatal(err)
}
defer fi.Close()
buf := new(bytes.Buffer)
reader := bufio.NewReader(fi)
io.Copy(buf, reader)
if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok {
log.Fatal("Failed to append PEM.")
}
server := &http.Server{
Addr: port,
TLSConfig: &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: h.certPool,
},
}
log.Fatal(server.ListenAndServeTLS(cert, key))
default:
log.Fatal(http.ListenAndServeTLS(port, cert, key, nil))
}
}