admin: new route to generate htpasswd corresponding to certificate in use by team

2019-01-17 10:51:44 +01:00 · 2019-01-17 10:51:44 +01:00 · 2623d9dd61
commit 2623d9dd61
parent 6925614f49
2 changed files with 129 additions and 0 deletions
--- a/admin/api/certificate.go
+++ b/admin/api/certificate.go
@ -2,6 +2,7 @@ package api

 import (
 	"crypto/rand"
+	"encoding/base32"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -12,6 +13,7 @@ import (
 	"path"
 	"time"
 	"strconv"
+	"strings"

 	"srs.epita.fr/fic-server/admin/pki"
 	"srs.epita.fr/fic-server/libfic"
@ -22,6 +24,10 @@ import (
 var TeamsDir string

 func init() {
+	router.GET("/api/htpasswd", apiHandler(
+		func(httprouter.Params, []byte) (interface{}, error) {
+			return genHtpasswd()
+		}))
 	router.GET("/api/ca/", apiHandler(infoCA))
 	router.GET("/api/ca.pem", apiHandler(getCAPEM))
 	router.POST("/api/ca/new", apiHandler(
@ -57,6 +63,49 @@ func init() {
 		func(cert fic.Certificate, _ []byte) (interface{}, error) { return cert.Revoke() })))
 }

+func genHtpasswd() (ret string, err error) {
+        var teams []fic.Team
+	teams, err = fic.GetTeams()
+	if err != nil {
+		return
+	}
+
+	for _, team := range teams {
+		var serials []uint64
+		serials, err = pki.GetTeamSerials(TeamsDir, team.Id)
+		if err != nil {
+			return
+		}
+
+		if len(serials) == 0 {
+			// Don't include teams that don't have associated certificates
+			continue
+		}
+
+		for _, serial := range serials {
+			var cert fic.Certificate
+			cert, err = fic.GetCertificate(serial)
+			if err != nil {
+				return
+			}
+
+			if cert.Revoked != nil {
+				continue
+			}
+
+			b := make([]byte, 5)
+			if _, err = rand.Read(b); err != nil {
+				return
+			}
+			salt := base32.StdEncoding.EncodeToString(b)
+
+			ret += fmt.Sprintf("%s:$apr1$%s$%s\n", strings.ToLower(team.Name), salt, fic.Apr1Md5(cert.Password, salt))
+		}
+	}
+
+	return
+}
+
 func infoCA(_ httprouter.Params, _ []byte) (interface{}, error) {
 	_, cacert, err := pki.LoadCA()
 	if err != nil {
--- a/libfic/utils.go
+++ b/libfic/utils.go
@ -1,6 +1,8 @@
 package fic

 import (
+	"bytes"
+	"crypto/md5"
 	"regexp"
 	"strings"
 )
@ -10,3 +12,81 @@ func ToURLid(str string) string {
 	re := regexp.MustCompile("[^a-zA-Z0-9]+")
 	return strings.TrimSuffix(re.ReplaceAllLiteralString(str, "-"), "-")
 }
+
+// Apr1Md5 computes a usable hash for basic auth in Apache and nginx.
+// Function copied from https://github.com/jimstudt/http-authentication/blob/master/basic/md5.go
+// as it was not exported in package and comes with other unwanted functions.
+// Original source code under MIT.
+func Apr1Md5(password string, salt string) string {
+	initBin := md5.Sum([]byte(password + salt + password))
+
+	initText := bytes.NewBufferString(password + "$apr1$" + salt)
+
+	for i := len(password); i > 0; i -= 16 {
+		lim := i
+		if lim > 16 {
+			lim = 16
+		}
+		initText.Write(initBin[0:lim])
+	}
+
+	for i := len(password); i > 0; i >>= 1 {
+		if (i & 1) == 1 {
+			initText.WriteByte(byte(0))
+		} else {
+			initText.WriteByte(password[0])
+		}
+	}
+
+	bin := md5.Sum(initText.Bytes())
+
+	n := bytes.NewBuffer([]byte{})
+
+	for i := 0; i < 1000; i++ {
+		n.Reset()
+
+		if (i & 1) == 1 {
+			n.WriteString(password)
+		} else {
+			n.Write(bin[:])
+		}
+
+		if i%3 != 0 {
+			n.WriteString(salt)
+		}
+
+		if i%7 != 0 {
+			n.WriteString(password)
+		}
+
+		if (i & 1) == 1 {
+			n.Write(bin[:])
+		} else {
+			n.WriteString(password)
+		}
+
+		bin = md5.Sum(n.Bytes())
+	}
+
+	result := bytes.NewBuffer([]byte{})
+
+	fill := func(a byte, b byte, c byte) {
+		v := (uint(a) << 16) + (uint(b) << 8) + uint(c)
+
+		for i := 0; i < 4; i++ {
+			result.WriteByte("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[v&0x3f])
+			v >>= 6
+		}
+	}
+
+	fill(bin[0], bin[6], bin[12])
+	fill(bin[1], bin[7], bin[13])
+	fill(bin[2], bin[8], bin[14])
+	fill(bin[3], bin[9], bin[15])
+	fill(bin[4], bin[10], bin[5])
+	fill(0, 0, bin[11])
+
+	resultString := string(result.Bytes()[0:22])
+
+	return resultString
+}