2018-02-10 13:37:23 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
2018-02-21 23:17:07 +00:00
|
|
|
"bytes"
|
2018-02-18 16:37:16 +00:00
|
|
|
"crypto/hmac"
|
|
|
|
|
"crypto/sha512"
|
2018-02-18 13:41:06 +00:00
|
|
|
"crypto/tls"
|
2018-02-21 23:17:07 +00:00
|
|
|
"encoding/base64"
|
2018-02-10 13:37:23 +00:00
|
|
|
"encoding/json"
|
2018-02-18 13:41:06 +00:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
2018-02-10 13:37:23 +00:00
|
|
|
"log"
|
2018-02-18 13:41:06 +00:00
|
|
|
"net"
|
2018-02-10 13:37:23 +00:00
|
|
|
"net/http"
|
2018-02-18 13:41:06 +00:00
|
|
|
"os"
|
|
|
|
|
"path"
|
|
|
|
|
"strings"
|
|
|
|
|
"text/template"
|
2018-02-21 23:17:07 +00:00
|
|
|
"time"
|
2018-02-18 13:41:06 +00:00
|
|
|
|
|
|
|
|
"gopkg.in/ldap.v2"
|
2018-02-10 13:37:23 +00:00
|
|
|
)
|
|
|
|
|
|
2018-02-18 16:37:16 +00:00
|
|
|
var loginSalt string
|
|
|
|
|
|
2018-02-18 13:41:06 +00:00
|
|
|
type loginChecker struct {
|
|
|
|
|
students []Student
|
2018-02-21 23:16:26 +00:00
|
|
|
noAuth bool
|
2018-02-18 13:41:06 +00:00
|
|
|
ldapAddr string
|
|
|
|
|
ldapPort int
|
|
|
|
|
ldapIsTLS bool
|
|
|
|
|
ldapBase string
|
|
|
|
|
ldapBindUsername string
|
|
|
|
|
ldapBindPassword string
|
2018-02-10 13:37:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type loginUpload struct {
|
|
|
|
|
Username string
|
|
|
|
|
Password string
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-18 13:41:06 +00:00
|
|
|
func (l loginChecker) ldapAuth(username, password string) (res bool, err error) {
|
|
|
|
|
tlsCnf := tls.Config{InsecureSkipVerify: true}
|
|
|
|
|
|
|
|
|
|
var c *ldap.Conn
|
|
|
|
|
|
|
|
|
|
if l.ldapIsTLS {
|
|
|
|
|
c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Reconnect with TLS
|
|
|
|
|
err = c.StartTLS(&tlsCnf)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
defer c.Close()
|
|
|
|
|
|
|
|
|
|
if l.ldapBindUsername != "" {
|
|
|
|
|
err = c.Bind(l.ldapBindUsername, l.ldapBindPassword)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Search for the given username
|
|
|
|
|
searchRequest := ldap.NewSearchRequest(
|
|
|
|
|
l.ldapBase,
|
|
|
|
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
|
|
|
|
fmt.Sprintf("(&(objectClass=person)(uid=%s))", username),
|
|
|
|
|
[]string{"dn"},
|
|
|
|
|
nil,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
sr, err := c.Search(searchRequest)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(sr.Entries) != 1 {
|
|
|
|
|
return false, errors.New("User does not exist or too many entries returned")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userdn := sr.Entries[0].DN
|
|
|
|
|
|
|
|
|
|
err = c.Bind(userdn, password)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-10 13:37:23 +00:00
|
|
|
func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
|
|
|
|
|
r.RemoteAddr = addr
|
|
|
|
|
}
|
|
|
|
|
log.Printf("%s \"%s %s\" [%s]\n", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())
|
|
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
|
|
|
|
|
|
|
|
// Check request type and size
|
|
|
|
|
if r.Method != "POST" {
|
|
|
|
|
http.Error(w,
|
|
|
|
|
"Invalid request",
|
|
|
|
|
http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
} else if r.ContentLength < 0 || r.ContentLength > 1023 {
|
|
|
|
|
http.Error(w,
|
|
|
|
|
"Request entity too large",
|
|
|
|
|
http.StatusRequestEntityTooLarge)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dec := json.NewDecoder(r.Body)
|
|
|
|
|
var lu loginUpload
|
|
|
|
|
if err := dec.Decode(&lu); err != nil {
|
|
|
|
|
http.Error(w,
|
|
|
|
|
err.Error(),
|
|
|
|
|
http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Perform login check
|
|
|
|
|
canContinue := false
|
|
|
|
|
for _, std := range l.students {
|
|
|
|
|
if std.Login == lu.Username {
|
|
|
|
|
canContinue = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !canContinue {
|
2018-02-12 10:39:44 +00:00
|
|
|
log.Println("Login not found:", lu.Username, "at", r.RemoteAddr)
|
2018-02-10 13:37:23 +00:00
|
|
|
http.Error(w, "Login not found in whitelist.", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-21 23:16:26 +00:00
|
|
|
if ! l.noAuth {
|
|
|
|
|
if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil {
|
|
|
|
|
log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
|
|
|
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
} else if !ok {
|
|
|
|
|
log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
|
|
|
|
|
http.Error(w, "Invalid password", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-02-18 13:41:06 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-05 16:36:25 +00:00
|
|
|
// Find corresponding MAC
|
|
|
|
|
var fname string
|
|
|
|
|
spl := strings.SplitN(remoteAddr, ":", 2)
|
|
|
|
|
if ip := net.ParseIP(spl[0]); ip == nil {
|
|
|
|
|
return errors.New("Unable to parse given IPv4: " + spl[0])
|
|
|
|
|
} else if arptable, err := ARPAnalyze(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
} else if arpent := ARPContainsIP(arptable, ip); arpent == nil {
|
|
|
|
|
return errors.New("Unable to find MAC in ARP table")
|
|
|
|
|
} else {
|
|
|
|
|
fname = fmt.Sprintf("%02x-%02x-%02x-%02x-%02x-%02x-%02x", arpent.HWType, arpent.HWAddress[0], arpent.HWAddress[1], arpent.HWAddress[2], arpent.HWAddress[3], arpent.HWAddress[4], arpent.HWAddress[5])
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Register the user remotely
|
|
|
|
|
if err := l.registerUser(lu.Username, r.RemoteAddr, fname); err != nil {
|
2018-02-21 23:17:07 +00:00
|
|
|
log.Println("Error on remote registration:", err)
|
|
|
|
|
http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-05 16:36:25 +00:00
|
|
|
// Generate PXE file
|
|
|
|
|
if err := l.lateLoginAction(lu.Username, r.RemoteAddr, fname); err != nil {
|
2018-02-12 10:39:44 +00:00
|
|
|
log.Println("Error on late login action:", err)
|
|
|
|
|
http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)
|
2018-02-10 13:37:23 +00:00
|
|
|
http.Error(w, "Success", http.StatusOK)
|
|
|
|
|
}
|
2018-02-12 10:39:44 +00:00
|
|
|
|
2018-03-05 16:36:25 +00:00
|
|
|
func (l loginChecker) registerUser(username, remoteAddr, mac string) error {
|
|
|
|
|
bts, err := json.Marshal(map[string]interface{}{"login": username, "ip": remoteAddr, "mac": mac})
|
2018-02-21 23:17:07 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req, err := http.NewRequest("POST", "https://adlin.nemunai.re/api/students/", bytes.NewReader(bts))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(hmac.New(sha512.New, []byte(loginSalt)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))))
|
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
|
|
client := &http.Client{}
|
|
|
|
|
resp, err := client.Do(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
|
return errors.New(resp.Status)
|
|
|
|
|
} else {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-05 16:36:25 +00:00
|
|
|
func (l loginChecker) lateLoginAction(username, remoteAddr, fname string) error {
|
2018-02-12 10:39:44 +00:00
|
|
|
if tpl, err := ioutil.ReadFile(path.Join(tftpDir, "pxelinux.cfg", "tpl")); err != nil {
|
|
|
|
|
log.Println("Unable to open tpl: ", err)
|
|
|
|
|
} else if file, err := os.OpenFile(path.Join(tftpDir, "pxelinux.cfg", fname), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(0644)); err != nil {
|
|
|
|
|
log.Println("Unable to open destination file: ", err)
|
|
|
|
|
} else {
|
|
|
|
|
defer file.Close()
|
|
|
|
|
|
2018-02-18 16:37:16 +00:00
|
|
|
mac := hmac.New(sha512.New512_224, []byte(loginSalt))
|
|
|
|
|
|
2018-02-12 10:39:44 +00:00
|
|
|
if configTmpl, err := template.New("pxelinux.cfg").Parse(string(tpl)); err != nil {
|
|
|
|
|
log.Println("Cannot create template: ", err)
|
2018-02-18 16:37:16 +00:00
|
|
|
} else if err := configTmpl.Execute(file, map[string]string{"username": username, "remoteAddr": remoteAddr, "pkey": fmt.Sprintf("%x", mac.Sum([]byte(username))), "fname": fname}); err != nil {
|
2018-02-12 10:39:44 +00:00
|
|
|
log.Println("An error occurs during template execution: ", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
