2019-03-13 10:19:51 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2020-03-01 17:15:19 +00:00
|
|
|
"encoding/base64"
|
2019-03-13 10:19:51 +00:00
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"net/http"
|
2021-02-04 17:37:22 +00:00
|
|
|
"strings"
|
2020-03-01 17:15:19 +00:00
|
|
|
"time"
|
2019-03-13 10:19:51 +00:00
|
|
|
|
2021-02-04 17:37:22 +00:00
|
|
|
"github.com/jcmturner/gokrb5/v8/client"
|
|
|
|
"github.com/jcmturner/gokrb5/v8/config"
|
|
|
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
|
|
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
2019-03-13 10:19:51 +00:00
|
|
|
"github.com/julienschmidt/httprouter"
|
2020-03-27 13:57:14 +00:00
|
|
|
|
|
|
|
"git.nemunai.re/lectures/adlin/libadlin"
|
2019-03-13 10:19:51 +00:00
|
|
|
)
|
|
|
|
|
2021-02-04 17:37:22 +00:00
|
|
|
var AuthFunc = checkAuthKrb5
|
2019-07-15 15:31:13 +00:00
|
|
|
|
2019-03-13 10:19:51 +00:00
|
|
|
func init() {
|
2019-03-13 12:47:01 +00:00
|
|
|
router.GET("/api/auth", apiAuthHandler(validateAuthToken))
|
2020-03-01 17:15:19 +00:00
|
|
|
router.POST("/api/auth", apiRawHandler(func(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
|
|
|
|
return AuthFunc(w, ps, body)
|
2019-07-15 15:31:13 +00:00
|
|
|
}))
|
2020-03-01 17:15:19 +00:00
|
|
|
router.POST("/api/auth/logout", apiRawHandler(logout))
|
2019-03-13 10:19:51 +00:00
|
|
|
}
|
|
|
|
|
2021-03-07 11:39:38 +00:00
|
|
|
func validateAuthToken(s *adlin.Student, _ httprouter.Params, _ []byte) (interface{}, error) {
|
2019-03-13 12:47:01 +00:00
|
|
|
return s, nil
|
2019-03-13 10:19:51 +00:00
|
|
|
}
|
|
|
|
|
2020-03-01 17:15:19 +00:00
|
|
|
func logout(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
|
|
|
|
http.SetCookie(w, &http.Cookie{
|
2020-03-27 13:57:14 +00:00
|
|
|
Name: "auth",
|
|
|
|
Value: "",
|
|
|
|
Path: baseURL + "/",
|
|
|
|
Expires: time.Unix(0, 0),
|
|
|
|
Secure: true,
|
2020-03-01 17:15:19 +00:00
|
|
|
HttpOnly: true,
|
|
|
|
})
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
2019-03-13 10:19:51 +00:00
|
|
|
type loginForm struct {
|
|
|
|
Username string
|
|
|
|
Password string
|
|
|
|
}
|
|
|
|
|
2020-03-27 13:57:14 +00:00
|
|
|
func completeAuth(w http.ResponseWriter, username string, session *adlin.Session) (err error) {
|
2021-03-07 11:39:38 +00:00
|
|
|
var std *adlin.Student
|
2020-03-27 13:57:14 +00:00
|
|
|
if !adlin.StudentExists(username) {
|
|
|
|
if std, err = adlin.NewStudent(username); err != nil {
|
2020-03-01 17:15:19 +00:00
|
|
|
return err
|
2019-07-15 15:31:13 +00:00
|
|
|
}
|
2020-03-27 13:57:14 +00:00
|
|
|
} else if std, err = adlin.GetStudentByLogin(username); err != nil {
|
2020-03-01 17:15:19 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if session == nil {
|
2021-03-07 11:39:38 +00:00
|
|
|
session, err = std.NewSession()
|
2020-03-01 17:15:19 +00:00
|
|
|
} else {
|
|
|
|
_, err = session.SetStudent(std)
|
2019-07-15 15:31:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
2020-03-01 17:15:19 +00:00
|
|
|
return err
|
2019-07-15 15:31:13 +00:00
|
|
|
}
|
|
|
|
|
2020-03-01 17:15:19 +00:00
|
|
|
http.SetCookie(w, &http.Cookie{
|
2020-03-27 13:57:14 +00:00
|
|
|
Name: "auth",
|
|
|
|
Value: base64.StdEncoding.EncodeToString(session.Id),
|
|
|
|
Path: baseURL + "/",
|
|
|
|
Expires: time.Now().Add(30 * 24 * time.Hour),
|
|
|
|
Secure: true,
|
2020-03-01 17:15:19 +00:00
|
|
|
HttpOnly: true,
|
|
|
|
})
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
|
|
|
var lf loginForm
|
|
|
|
if err := json.Unmarshal(body, &lf); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-07-15 15:31:13 +00:00
|
|
|
|
2020-03-01 17:15:19 +00:00
|
|
|
return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
|
2019-07-15 15:31:13 +00:00
|
|
|
}
|
|
|
|
|
2021-02-04 17:37:22 +00:00
|
|
|
func checkAuthHttp(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
2019-03-13 10:19:51 +00:00
|
|
|
var lf loginForm
|
|
|
|
if err := json.Unmarshal(body, &lf); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-03-27 13:57:14 +00:00
|
|
|
if r, err := http.NewRequest("GET", "https://owncloud.srs.epita.fr/remote.php/dav/", nil); err != nil {
|
2019-03-13 10:19:51 +00:00
|
|
|
return nil, err
|
|
|
|
} else {
|
|
|
|
r.SetBasicAuth(lf.Username, lf.Password)
|
|
|
|
|
|
|
|
if resp, err := http.DefaultClient.Do(r); err != nil {
|
|
|
|
return nil, err
|
|
|
|
} else {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
if resp.StatusCode == http.StatusOK {
|
2020-03-01 17:15:19 +00:00
|
|
|
return dummyAuth(w, nil, body)
|
2019-03-13 10:19:51 +00:00
|
|
|
} else {
|
|
|
|
return nil, errors.New(`{"status": "Invalid username or password"}`)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-02-04 17:37:22 +00:00
|
|
|
|
|
|
|
func parseETypes(s []string, w bool) []int32 {
|
|
|
|
var eti []int32
|
|
|
|
for _, et := range s {
|
|
|
|
if !w {
|
|
|
|
var weak bool
|
|
|
|
for _, wet := range strings.Fields(config.WeakETypeList) {
|
|
|
|
if et == wet {
|
|
|
|
weak = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if weak {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
i := etypeID.EtypeSupported(et)
|
|
|
|
if i != 0 {
|
|
|
|
eti = append(eti, i)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return eti
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
|
|
|
var lf loginForm
|
|
|
|
if err := json.Unmarshal(body, &lf); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
cnf := config.New()
|
|
|
|
cnf.LibDefaults.DNSLookupKDC = true
|
|
|
|
cnf.LibDefaults.DNSLookupRealm = true
|
|
|
|
cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
|
|
|
cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
|
|
|
cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
|
|
|
|
|
|
|
c := client.NewWithPassword(lf.Username, "CRI.EPITA.FR", lf.Password, cnf)
|
|
|
|
if err := c.Login(); err != nil {
|
|
|
|
if errk, ok := err.(krberror.Krberror); ok {
|
|
|
|
if errk.RootCause == krberror.NetworkingError {
|
|
|
|
return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
|
|
|
|
} else if errk.RootCause == krberror.KDCError {
|
|
|
|
return nil, errors.New(`{"status": "Invalid username or password"}`)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, err
|
|
|
|
} else {
|
|
|
|
return dummyAuth(w, nil, body)
|
|
|
|
}
|
|
|
|
}
|