euclide
/
openvpn-mgt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
openvpn-mgt/vpnserver.go

356 lines
8.0 KiB
Go
Raw Blame History

package main
import (
"bufio"
"errors"
"fmt"
"io"
"log"
"net"
"os"
"strings"
"sync"
)
// Server represents the server
type OpenVpnMgt struct {
Port string
buf *bufio.ReadWriter
connected bool
m sync.RWMutex
ret chan []string
ldap map[string]ldapConfig
authCa string
vpnlogUrl string
mailRelay string
MailFrom string
CcPwnPassword string
pwnTemplate string
newAsTemplate string
cacheDir string
syslog bool
otpMasterSecrets []string
}
// NewServer returns a pointer to a new server
func NewVPNServer(port string) *OpenVpnMgt {
return &OpenVpnMgt{
Port: port,
ret: make(chan []string),
ldap: make(map[string]ldapConfig),
}
}
// Run starts a the server
func (s *OpenVpnMgt) Run() {
// Resolve the passed port into an address
addrs, err := net.ResolveTCPAddr("tcp", s.Port)
if err != nil {
log.Println(err)
os.Exit(1)
}
// start listening to client connections
listener, err := net.ListenTCP("tcp", addrs)
if err != nil {
log.Println(err)
os.Exit(1)
}
// Infinite loop since we dont want the server to shut down
for {
// Accept the incomming connections
conn, err := listener.Accept()
if err != nil {
// continue accepting connection even if an error occurs (if error occurs dont shut down)
continue
}
// run it as a go routine to allow multiple clients to connect at the same time
go s.handleConn(conn)
}
}
func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) {
//TODO implement that correcly
if c.password == "maith1wiePuw3ieb4heiNie5y" {
return true, "maith1wiePuw3ieb4heiNie5y"
}
return false, "maith1wiePuw3ieb4heiNie5y"
}
// main authentication function.
// returns 0 if auth is valid
// returns 1 if an TOTP code is necessary
// returns a negative if auth is not valid
func (s *OpenVpnMgt) Auth(c *vpnSession) (error, int) {
// an empty password is not good
if c.password == "" {
return errors.New("Empty Password"), -1
}
// check if the password is a valid token (see TOTP request)
tokenPasswordOk, tokenPassword := s.TokenPassword(c)
// password is a token. We remove it from the session object to
// avoid checking it against the ldap
if tokenPasswordOk {
c.password = ""
}
// if the otp is not empty, we check it against the valid codes as soon as
// possible
otpvalidated := false
if c.otpCode != "" {
codes, err := s.GenerateOTP(c.Login)
if err != nil {
return err, -2
}
for _, possible := range codes {
if possible == c.otpCode {
otpvalidated = true
}
}
}
c.Profile = ""
login := []string{c.Login}
pass := c.password
for {
n := c.Profile
for k, ldap := range s.ldap {
if ldap.upgradeFrom != c.Profile {
continue
}
err, userOk, passOk, secondary := ldap.Auth(login, pass)
// if there is an error, try the other configurations
if err != nil {
log.Println(err)
continue
}
// we did find a valid User
if userOk {
// the login for the new auth level is given by the current one
login = secondary
if c.Mail == "" {
c.Mail = secondary[0]
}
if passOk && c.Profile != "" {
// it's at least the second auth level, and we have a valid
// password on 2 different auth system. It's a dupplicate
// password, let's log it
log.Printf("User %s has a dupplicate password\n", c.Login)
}
// we have either a positive auth ok a previous valid one
if passOk || c.Profile != "" || tokenPasswordOk {
c.Profile = k
}
}
}
// no profile update this turn, no need to continue
if n == c.Profile {
break
}
}
// no profile validated, we stop here
if c.Profile == "" {
return errors.New("Authentication Failed"), -3
}
// check the MFA requested by the secured profile
switch s.ldap[c.Profile].mfaType {
case "internal":
if otpvalidated {
return nil, 0
}
c.password = tokenPassword
return errors.New("Need OTP Code"), 1
case "okta":
//TODO implement okta MFA
return nil, -4
}
// no MFA requested, the login is valid
return nil, 0
}
func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
if !s.connected {
return errors.New("No openvpn server present"), nil
}
for _, line := range msg {
log.Println(line)
if _, err := s.buf.WriteString(line + "\r\n"); err != nil {
return err, nil
}
}
if err := s.buf.Flush(); err != nil {
return err, nil
}
// wait for the response
ret := <-s.ret
return nil, ret
}
func (s *OpenVpnMgt) Help() (error, []string) {
err, msg := s.sendCommand([]string{"help"})
if err != nil {
return err, nil
}
return nil, msg
}
func (s *OpenVpnMgt) Version() (error, []string) {
err, msg := s.sendCommand([]string{"version"})
if err != nil {
return err, nil
}
return nil, msg
}
func (s *OpenVpnMgt) ClientValidated(line string) {
//TODO manage that : find the client, log stuff
<-s.ret
}
func (s *OpenVpnMgt) ClientDisconnect(line string) {
//TODO manage that : find the client, log stuff
<-s.ret
}
func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) {
// TODO implement
ip := s.ldap[c.Profile].ipMin
return ip.String(), nil
}
func (s *OpenVpnMgt) ClientConnect(line string) {
var cmd []string
var ip string
var errIP error
client := NewVPNSession("log in")
client.ParseSessionId(line)
infos := <-s.ret
if err := client.ParseEnv(&infos); err != nil {
log.Println(err)
return
}
err, ok := s.Auth(client)
// if auth is ok, time to get an IP address
if ok == 0 {
ip, errIP = s.getIP(client)
if errIP != nil {
ok = -10
err = errIP
}
}
switch {
case ok == 0:
cmd = []string{
fmt.Sprintf("client-auth %d %d", client.cID, client.kID),
fmt.Sprintf("ifconfig-push %s %s", ip, client.localIP),
}
for _, r := range s.ldap[client.Profile].routes {
cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r))
}
cmd = append(cmd, "END")
case ok < 0:
cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"",
client.cID, client.kID, err, err)}
case ok == 1:
cmd = []string{fmt.Sprintf(
"client-deny %d %d \"Need OTP\" \"CRV1:R,E:%s:%s:OTP Code \"",
client.cID, client.kID, client.password, client.b64Login())}
}
if err, _ := s.sendCommand(cmd); err != nil {
log.Println(err)
}
return
}
func (s *OpenVpnMgt) handleConn(conn net.Conn) {
defer conn.Close()
// we don't want multiple connexions, only one openvpn server at a time
s.m.Lock()
if s.connected {
conn.Write([]byte("Sorry, only one server allowed\n"))
s.m.Unlock()
return
}
s.connected = true
s.m.Unlock()
// we store the buffer pointer in the struct, to be accessed from other methods
s.buf = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
// most response are multilined, use response to concatenate them
response := []string{}
for {
line, err := s.buf.ReadString('\n')
// manage basic errors
switch {
case err == io.EOF:
log.Println("Reached EOF - close this connection.\n")
s.connected = false
return
case err != nil:
log.Println("Error reading line. Got: '"+line+"'\n", err)
s.connected = false
return
}
line = strings.Trim(line, "\n\r ")
// manage all "terminator" lines
for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} {
if strings.HasPrefix(line, terminator) {
s.ret <- response
response = nil
break
}
}
switch {
// a new openvpn server is connected
case strings.HasPrefix(line, ">INFO"):
// command sucessfull, we can ignore
case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
// new bloc for a disconnect event.
// We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:DISCONNECT"):
go s.ClientDisconnect(line)
// new bloc for a connect event.
// We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:ADDRESS"):
go s.ClientValidated(line)
case strings.HasPrefix(line, ">CLIENT:CONNECT"):
go s.ClientConnect(line)
default:
response = append(response, line)
}
log.Print(line)
}
}
Reference in New Issue View Git Blame Copy Permalink