validator is now login-validator and is part of the server image

2018-02-19 23:11:02 +01:00 · 2018-02-19 23:11:02 +01:00 · ee6fbe3e74
commit ee6fbe3e74
parent fd58db5eb1
11 changed files with 23 additions and 5 deletions
--- a/pkg/login-validator/cmd/login.go
+++ b/pkg/login-validator/cmd/login.go
@ -0,0 +1,193 @@
+package main
+
+import (
+	"crypto/hmac"
+	"crypto/sha512"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+	"text/template"
+
+	"gopkg.in/ldap.v2"
+)
+
+var loginSalt string
+
+type loginChecker struct {
+	students         []Student
+	ldapAddr         string
+	ldapPort         int
+	ldapIsTLS        bool
+	ldapBase         string
+	ldapBindUsername string
+	ldapBindPassword string
+}
+
+type loginUpload struct {
+	Username string
+	Password string
+}
+
+func (l loginChecker) ldapAuth(username, password string) (res bool, err error) {
+	tlsCnf := tls.Config{InsecureSkipVerify: true}
+
+	var c *ldap.Conn
+
+	if l.ldapIsTLS {
+		c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf)
+		if err != nil {
+			return false, err
+		}
+	} else {
+		c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort))
+		if err != nil {
+			return false, err
+		}
+
+		// Reconnect with TLS
+		err = c.StartTLS(&tlsCnf)
+		if err != nil {
+			return false, err
+		}
+	}
+	defer c.Close()
+
+	if l.ldapBindUsername != "" {
+		err = c.Bind(l.ldapBindUsername, l.ldapBindPassword)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	// Search for the given username
+	searchRequest := ldap.NewSearchRequest(
+		l.ldapBase,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectClass=person)(uid=%s))", username),
+		[]string{"dn"},
+		nil,
+	)
+
+	sr, err := c.Search(searchRequest)
+	if err != nil {
+		return false, err
+	}
+
+	if len(sr.Entries) != 1 {
+		return false, errors.New("User does not exist or too many entries returned")
+	}
+
+	userdn := sr.Entries[0].DN
+
+	err = c.Bind(userdn, password)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
+		r.RemoteAddr = addr
+	}
+	log.Printf("%s \"%s %s\" [%s]\n", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())
+
+	w.Header().Set("Content-Type", "text/plain")
+
+	// Check request type and size
+	if r.Method != "POST" {
+		http.Error(w,
+			"Invalid request",
+			http.StatusBadRequest)
+		return
+	} else if r.ContentLength < 0 || r.ContentLength > 1023 {
+		http.Error(w,
+			"Request entity too large",
+			http.StatusRequestEntityTooLarge)
+		return
+	}
+
+	dec := json.NewDecoder(r.Body)
+	var lu loginUpload
+	if err := dec.Decode(&lu); err != nil {
+		http.Error(w,
+			err.Error(),
+			http.StatusBadRequest)
+		return
+	}
+
+	// Perform login check
+	canContinue := false
+	for _, std := range l.students {
+		if std.Login == lu.Username {
+			canContinue = true
+		}
+	}
+
+	if !canContinue {
+		log.Println("Login not found:", lu.Username, "at", r.RemoteAddr)
+		http.Error(w, "Login not found in whitelist.", http.StatusUnauthorized)
+		return
+	}
+
+	if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil {
+		log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	} else if !ok {
+		log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
+		http.Error(w, "Invalid password", http.StatusUnauthorized)
+		return
+	}
+
+	if err := l.lateLoginAction(lu.Username, r.RemoteAddr); err != nil {
+		log.Println("Error on late login action:", err)
+		http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
+		return
+	}
+
+	log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)
+	http.Error(w, "Success", http.StatusOK)
+}
+
+func (l loginChecker) lateLoginAction(username, remoteAddr string) error {
+	// Find corresponding MAC
+	var fname string
+	spl := strings.SplitN(remoteAddr, ":", 2)
+	if ip := net.ParseIP(spl[0]); ip == nil {
+		return errors.New("Unable to parse given IPv4: " + spl[0])
+	} else if arptable, err := ARPAnalyze(); err != nil {
+		return err
+	} else if arpent := ARPContainsIP(arptable, ip); arpent == nil {
+		return errors.New("Unable to find MAC in ARP table")
+	} else {
+		fname = fmt.Sprintf("%02x-%02x-%02x-%02x-%02x-%02x-%02x", arpent.HWType, arpent.HWAddress[0], arpent.HWAddress[1], arpent.HWAddress[2], arpent.HWAddress[3], arpent.HWAddress[4], arpent.HWAddress[5])
+	}
+
+	if tpl, err := ioutil.ReadFile(path.Join(tftpDir, "pxelinux.cfg", "tpl")); err != nil {
+		log.Println("Unable to open tpl: ", err)
+	} else if file, err := os.OpenFile(path.Join(tftpDir, "pxelinux.cfg", fname), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(0644)); err != nil {
+		log.Println("Unable to open destination file: ", err)
+	} else {
+		defer file.Close()
+
+		mac := hmac.New(sha512.New512_224, []byte(loginSalt))
+
+		if configTmpl, err := template.New("pxelinux.cfg").Parse(string(tpl)); err != nil {
+			log.Println("Cannot create template: ", err)
+		} else if err := configTmpl.Execute(file, map[string]string{"username": username, "remoteAddr": remoteAddr, "pkey": fmt.Sprintf("%x", mac.Sum([]byte(username))), "fname": fname}); err != nil {
+			log.Println("An error occurs during template execution: ", err)
+		}
+	}
+
+	return nil
+}