package main import ( "bytes" "crypto/hmac" "crypto/sha512" "crypto/tls" "encoding/base64" "encoding/json" "errors" "fmt" "io/ioutil" "log" "net" "net/http" "os" "path" "strings" "text/template" "time" "gopkg.in/ldap.v2" ) var loginSalt string type loginChecker struct { students []Student noAuth bool ldapAddr string ldapPort int ldapIsTLS bool ldapBase string ldapBindUsername string ldapBindPassword string } type loginUpload struct { Username string Password string } func (l loginChecker) ldapAuth(username, password string) (res bool, err error) { tlsCnf := tls.Config{InsecureSkipVerify: true} var c *ldap.Conn if l.ldapIsTLS { c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf) if err != nil { return false, err } } else { c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort)) if err != nil { return false, err } // Reconnect with TLS err = c.StartTLS(&tlsCnf) if err != nil { return false, err } } defer c.Close() if l.ldapBindUsername != "" { err = c.Bind(l.ldapBindUsername, l.ldapBindPassword) if err != nil { return false, err } } // Search for the given username searchRequest := ldap.NewSearchRequest( l.ldapBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, fmt.Sprintf("(&(objectClass=person)(uid=%s))", username), []string{"dn"}, nil, ) sr, err := c.Search(searchRequest) if err != nil { return false, err } if len(sr.Entries) != 1 { return false, errors.New("User does not exist or too many entries returned") } userdn := sr.Entries[0].DN err = c.Bind(userdn, password) if err != nil { return false, err } return true, nil } func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) { if addr := r.Header.Get("X-Forwarded-For"); addr != "" { r.RemoteAddr = addr } log.Printf("%s \"%s %s\" [%s]\n", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent()) w.Header().Set("Content-Type", "text/plain") // Check request type and size if r.Method != "POST" { http.Error(w, "Invalid request", http.StatusBadRequest) return } else if r.ContentLength < 0 || r.ContentLength > 1023 { http.Error(w, "Request entity too large", http.StatusRequestEntityTooLarge) return } dec := json.NewDecoder(r.Body) var lu loginUpload if err := dec.Decode(&lu); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } // Perform login check canContinue := false for _, std := range l.students { if std.Login == lu.Username { canContinue = true } } if !canContinue { log.Println("Login not found:", lu.Username, "at", r.RemoteAddr) http.Error(w, "Login not found in whitelist.", http.StatusUnauthorized) return } if ! l.noAuth { if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil { log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr) http.Error(w, err.Error(), http.StatusUnauthorized) return } else if !ok { log.Println("Login failed:", lu.Username, "at", r.RemoteAddr) http.Error(w, "Invalid password", http.StatusUnauthorized) return } } // Find corresponding MAC var fname string spl := strings.SplitN(r.RemoteAddr, ":", 2) if ip := net.ParseIP(spl[0]); ip == nil { http.Error(w, "Unable to parse given IPv4: " + spl[0], http.StatusInternalServerError) return } else if arptable, err := ARPAnalyze(); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } else if arpent := ARPContainsIP(arptable, ip); arpent == nil { http.Error(w, "Unable to find MAC in ARP table", http.StatusInternalServerError) return } else { fname = fmt.Sprintf("%02x-%02x-%02x-%02x-%02x-%02x-%02x", arpent.HWType, arpent.HWAddress[0], arpent.HWAddress[1], arpent.HWAddress[2], arpent.HWAddress[3], arpent.HWAddress[4], arpent.HWAddress[5]) } // Register the user remotely if err := l.registerUser(lu.Username, r.RemoteAddr, fname); err != nil { log.Println("Error on remote registration:", err) http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError) return } // Generate PXE file if err := l.lateLoginAction(lu.Username, r.RemoteAddr, fname); err != nil { log.Println("Error on late login action:", err) http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError) return } log.Println("Successful login of", lu.Username, "at", r.RemoteAddr) http.Error(w, "Success", http.StatusOK) } func (l loginChecker) registerUser(username, remoteAddr, mac string) error { bts, err := json.Marshal(map[string]interface{}{"login": username, "ip": remoteAddr, "mac": mac}) if err != nil { return nil } req, err := http.NewRequest("POST", "https://adlin.nemunai.re/api/students/", bytes.NewReader(bts)) if err != nil { return err } req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(hmac.New(sha512.New, []byte(loginSalt)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10))))) req.Header.Set("Content-Type", "application/json") client := &http.Client{} resp, err := client.Do(req) if err != nil { return err } if resp.StatusCode != http.StatusOK { return errors.New(resp.Status) } else { return nil } } func (l loginChecker) lateLoginAction(username, remoteAddr, fname string) error { if tpl, err := ioutil.ReadFile(path.Join(tftpDir, "pxelinux.cfg", "tpl")); err != nil { log.Println("Unable to open tpl: ", err) } else if file, err := os.OpenFile(path.Join(tftpDir, "pxelinux.cfg", fname), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(0644)); err != nil { log.Println("Unable to open destination file: ", err) } else { defer file.Close() mac := hmac.New(sha512.New512_224, []byte(loginSalt)) if configTmpl, err := template.New("pxelinux.cfg").Parse(string(tpl)); err != nil { log.Println("Cannot create template: ", err) } else if err := configTmpl.Execute(file, map[string]string{"username": username, "remoteAddr": remoteAddr, "pkey": fmt.Sprintf("%x", mac.Sum([]byte(username))), "fname": fname}); err != nil { log.Println("An error occurs during template execution: ", err) } } return nil }