adlin/pkg/login-validator/cmd/login.go

package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

var (
	loginSalt string = "adelina"
	justLogin bool
)

type loginChecker struct {
	students   []Student
	authMethod AuthMethod
}

type loginUpload struct {
	Username string
	Password string
}

func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
		r.RemoteAddr = addr
	}
	log.Printf("%s \"%s %s\" [%s]\n", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())

	w.Header().Set("Content-Type", "text/plain")

	// Check request type and size
	if r.Method != "POST" {
		http.Error(w,
			"Invalid request",
			http.StatusBadRequest)
		return
	} else if r.ContentLength < 0 || r.ContentLength > 1023 {
		http.Error(w,
			"Request entity too large",
			http.StatusRequestEntityTooLarge)
		return
	}

	dec := json.NewDecoder(r.Body)
	var lu loginUpload
	if err := dec.Decode(&lu); err != nil {
		http.Error(w,
			err.Error(),
			http.StatusBadRequest)
		return
	}

	// Perform login check
	canContinue := false
	for _, std := range l.students {
		if std.Login == lu.Username {
			canContinue = true
		}
	}

	if !canContinue {
		log.Println("Login not found:", lu.Username, "at", r.RemoteAddr)
		http.Error(w, "Login not found in whitelist.", http.StatusUnauthorized)
		return
	}

	if ok, err := l.authMethod.checkAuth(lu.Username, lu.Password); err != nil {
		log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return
	} else if !ok {
		log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
		http.Error(w, "Invalid password", http.StatusUnauthorized)
		return
	}

	if justLogin {
		log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)
		http.Error(w, "You're now successfully logged.", http.StatusOK)
		return
	}

	// Find corresponding MAC
	var ip net.IP
	spl := strings.SplitN(r.RemoteAddr, ":", 2)
	if ip = net.ParseIP(spl[0]); ip == nil {
		http.Error(w, "Unable to parse given IPv4: "+spl[0], http.StatusInternalServerError)
		return
	}
	var mac *ARPEntry
	if tab, err := ARPAnalyze(); err != nil {
		log.Println("Error on ARPAnalyze:", err)
		http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
		return
	} else {
		mac = ARPContainsIP(tab, ip)
	}

	if mac == nil {
		log.Printf("Unable to find MAC address for given IP (%s)\n", ip)
		http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
		return
	}

	// Register the user remotely
	if ip, err := l.registerUser(lu.Username, r.RemoteAddr, *mac); err != nil {
		log.Println("Error on remote registration for", lu.Username, ":", err)
		http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
		return
	} else if err := l.lateLoginAction(lu.Username, r.RemoteAddr, *mac, ip); err != nil {
		log.Println("Error on late login action for", lu.Username, ":", err)
		http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
		return
	} else {
		log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)
		http.Error(w, fmt.Sprintf("Use the following IP: %s", ip), http.StatusOK)
	}
}

type myIP struct {
	Id    int64  `json:"id"`
	Login string `json:"login"`
	IP    string `json:"ip"`
}

func (l loginChecker) registerUser(username, remoteAddr string, ent ARPEntry) (net.IP, error) {
	bts, err := json.Marshal(map[string]interface{}{"login": username, "ip": remoteAddr, "mac": fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x", ent.HWAddress[0], ent.HWAddress[1], ent.HWAddress[2], ent.HWAddress[3], ent.HWAddress[4], ent.HWAddress[5])})
	if err != nil {
		return nil, nil
	}

	req, err := http.NewRequest("POST", "https://adlin.nemunai.re/api/students/", bytes.NewReader(bts))
	if err != nil {
		return nil, err
	}

	h := hmac.New(sha512.New, []byte(loginSalt))
	h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))
	req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(h.Sum(nil)))
	req.Header.Set("Content-Type", "application/json")

	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil, errors.New(resp.Status)
	} else {
		dec := json.NewDecoder(resp.Body)
		var myip myIP
		if err := dec.Decode(&myip); err != nil {
			return nil, err
		}
		return net.ParseIP(myip.IP), nil
	}
}

func (l loginChecker) lateLoginAction(username, remoteAddr string, mac ARPEntry, ip net.IP) error {
	return RegisterUserMAC(mac, ip, username, remoteAddr)
}
Implement login endpoint 2018-02-10 13:37:23 +00:00			`package main`

			`import (`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`"bytes"`
validator: add privatekey, derived from username 2018-02-18 16:37:16 +00:00			`"crypto/hmac"`
			`"crypto/sha512"`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`"encoding/base64"`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`"encoding/json"`
validator: add LDAP auth 2018-02-18 13:41:06 +00:00			`"errors"`
			`"fmt"`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`"log"`
validator: add LDAP auth 2018-02-18 13:41:06 +00:00			`"net"`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`"net/http"`
validator: add LDAP auth 2018-02-18 13:41:06 +00:00			`"strings"`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`"time"`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`)`

login-validator: New parameter -just-login 2022-02-03 17:05:17 +00:00			`var (`
adlin: Pass SharedSecret in env 2022-02-19 10:52:09 +00:00			`loginSalt string = "adelina"`
login-validator: New parameter -just-login 2022-02-03 17:05:17 +00:00			`justLogin bool`
			`)`
validator: add privatekey, derived from username 2018-02-18 16:37:16 +00:00
validator: add LDAP auth 2018-02-18 13:41:06 +00:00			`type loginChecker struct {`
login-validator: refactor auth methods 2020-02-20 23:18:56 +00:00			`students []Student`
			`authMethod AuthMethod`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`}`

			`type loginUpload struct {`
			`Username string`
			`Password string`
			`}`

			`func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
			`if addr := r.Header.Get("X-Forwarded-For"); addr != "" {`
			`r.RemoteAddr = addr`
			`}`
			`log.Printf("%s \"%s %s\" [%s]\n", r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())`

			`w.Header().Set("Content-Type", "text/plain")`

			`// Check request type and size`
			`if r.Method != "POST" {`
			`http.Error(w,`
			`"Invalid request",`
			`http.StatusBadRequest)`
			`return`
			`} else if r.ContentLength < 0 \|\| r.ContentLength > 1023 {`
			`http.Error(w,`
			`"Request entity too large",`
			`http.StatusRequestEntityTooLarge)`
			`return`
			`}`

			`dec := json.NewDecoder(r.Body)`
			`var lu loginUpload`
			`if err := dec.Decode(&lu); err != nil {`
			`http.Error(w,`
			`err.Error(),`
			`http.StatusBadRequest)`
			`return`
			`}`

			`// Perform login check`
			`canContinue := false`
			`for _, std := range l.students {`
			`if std.Login == lu.Username {`
			`canContinue = true`
			`}`
			`}`

			`if !canContinue {`
validator: implement PXE template 2018-02-12 10:39:44 +00:00			`log.Println("Login not found:", lu.Username, "at", r.RemoteAddr)`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`http.Error(w, "Login not found in whitelist.", http.StatusUnauthorized)`
			`return`
			`}`

login-validator: refactor auth methods 2020-02-20 23:18:56 +00:00			`if ok, err := l.authMethod.checkAuth(lu.Username, lu.Password); err != nil {`
			`log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)`
			`http.Error(w, err.Error(), http.StatusUnauthorized)`
			`return`
			`} else if !ok {`
			`log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)`
			`http.Error(w, "Invalid password", http.StatusUnauthorized)`
			`return`
validator: add LDAP auth 2018-02-18 13:41:06 +00:00			`}`

login-validator: New parameter -just-login 2022-02-03 17:05:17 +00:00			`if justLogin {`
			`log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)`
			`http.Error(w, "You're now successfully logged.", http.StatusOK)`
			`return`
			`}`

login-validator: also log IP 2018-03-05 16:36:25 +00:00			`// Find corresponding MAC`
login-validator: handle iPXE tpl 2019-02-26 11:34:31 +00:00			`var ip net.IP`
pkg/login-validator: fix compilation errors 2019-02-22 00:55:02 +00:00			`spl := strings.SplitN(r.RemoteAddr, ":", 2)`
login-validator: handle iPXE tpl 2019-02-26 11:34:31 +00:00			`if ip = net.ParseIP(spl[0]); ip == nil {`
go fmt 2021-02-13 17:34:44 +00:00			`http.Error(w, "Unable to parse given IPv4: "+spl[0], http.StatusInternalServerError)`
pkg/login-validator: fix compilation errors 2019-02-22 00:55:02 +00:00			`return`
login-validator: handle iPXE tpl 2019-02-26 11:34:31 +00:00			`}`
			`var mac *ARPEntry`
			`if tab, err := ARPAnalyze(); err != nil {`
			`log.Println("Error on ARPAnalyze:", err)`
			`http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)`
pkg/login-validator: fix compilation errors 2019-02-22 00:55:02 +00:00			`return`
login-validator: also log IP 2018-03-05 16:36:25 +00:00			`} else {`
login-validator: handle iPXE tpl 2019-02-26 11:34:31 +00:00			`mac = ARPContainsIP(tab, ip)`
			`}`

			`if mac == nil {`
			`log.Printf("Unable to find MAC address for given IP (%s)\n", ip)`
			`http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)`
login-validator: add IP 2019-02-28 01:27:33 +00:00			`return`
login-validator: also log IP 2018-03-05 16:36:25 +00:00			`}`

			`// Register the user remotely`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`if ip, err := l.registerUser(lu.Username, r.RemoteAddr, *mac); err != nil {`
login-validator: precise login error 2020-02-21 00:08:15 +00:00			`log.Println("Error on remote registration for", lu.Username, ":", err)`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)`
			`return`
login-validator: add IP 2019-02-28 01:27:33 +00:00			`} else if err := l.lateLoginAction(lu.Username, r.RemoteAddr, *mac, ip); err != nil {`
login-validator: precise login error 2020-02-21 00:08:15 +00:00			`log.Println("Error on late login action for", lu.Username, ":", err)`
validator: implement PXE template 2018-02-12 10:39:44 +00:00			`http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)`
			`return`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`} else {`
			`log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)`
			`http.Error(w, fmt.Sprintf("Use the following IP: %s", ip), http.StatusOK)`
validator: implement PXE template 2018-02-12 10:39:44 +00:00			`}`
Implement login endpoint 2018-02-10 13:37:23 +00:00			`}`
validator: implement PXE template 2018-02-12 10:39:44 +00:00
login-validator: add IP 2019-02-28 01:27:33 +00:00			`type myIP struct {`
go fmt 2021-02-13 17:34:44 +00:00			Id int64 `json:"id"`
			Login string `json:"login"`
			IP string `json:"ip"`
login-validator: add IP 2019-02-28 01:27:33 +00:00			`}`

			`func (l loginChecker) registerUser(username, remoteAddr string, ent ARPEntry) (net.IP, error) {`
login-validator: handle iPXE tpl 2019-02-26 11:34:31 +00:00			`bts, err := json.Marshal(map[string]interface{}{"login": username, "ip": remoteAddr, "mac": fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x", ent.HWAddress[0], ent.HWAddress[1], ent.HWAddress[2], ent.HWAddress[3], ent.HWAddress[4], ent.HWAddress[5])})`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`if err != nil {`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`return nil, nil`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`}`

			`req, err := http.NewRequest("POST", "https://adlin.nemunai.re/api/students/", bytes.NewReader(bts))`
			`if err != nil {`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`return nil, err`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`}`
Fix HMAC calculation 2022-02-19 14:30:26 +00:00
			`h := hmac.New(sha512.New, []byte(loginSalt))`
			`h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))`
			`req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(h.Sum(nil)))`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`req.Header.Set("Content-Type", "application/json")`

			`client := &http.Client{}`
			`resp, err := client.Do(req)`
			`if err != nil {`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`return nil, err`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`}`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`defer resp.Body.Close()`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00
			`if resp.StatusCode != http.StatusOK {`
Display IP to use in login-app 2019-02-26 22:48:01 +00:00			`return nil, errors.New(resp.Status)`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`} else {`
login-validator: add IP 2019-02-28 01:27:33 +00:00			`dec := json.NewDecoder(resp.Body)`
			`var myip myIP`
			`if err := dec.Decode(&myip); err != nil {`
			`return nil, err`
			`}`
			`return net.ParseIP(myip.IP), nil`
login-validator: talk to remote validator to register new users 2018-02-21 23:17:07 +00:00			`}`
			`}`

login-validator: add IP 2019-02-28 01:27:33 +00:00			`func (l loginChecker) lateLoginAction(username, remoteAddr string, mac ARPEntry, ip net.IP) error {`
login-validator: Save shadow file by IP 2022-02-26 21:21:31 +00:00			`return RegisterUserMAC(mac, ip, username, remoteAddr)`
validator: implement PXE template 2018-02-12 10:39:44 +00:00			`}`