logging

wip wip wip wip
halkeye · Feb 19, 2020 · 52df6a6 · 52df6a6
1 parent 08d5973
commit 52df6a6
Show file tree

Hide file tree

Showing 44 changed files with 2,515 additions and 11,007 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+config.yaml
diff --git a/codegen.sh b/codegen.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+OUT_DIR="$DIR/proto/proto"
+
+mkdir -p "$OUT_DIR" || true
+
+protoc \
+  -I proto/ \
+  proto/*.proto \
+  --go_out="plugins=grpc:$OUT_DIR"
diff --git a/go.mod b/go.mod
@@ -3,39 +3,53 @@ module github.com/place1/wireguard-access-server
 go 1.13
 
 require (
+	github.com/Azure/azure-sdk-for-go v39.0.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.9.5 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/alexedwards/scs/v2 v2.2.0
 	github.com/beevik/etree v1.1.0 // indirect
+	github.com/coreos/etcd v3.3.18+incompatible
 	github.com/coreos/go-iptables v0.4.3
-	github.com/coreos/go-oidc v2.1.0+incompatible
+	github.com/coreos/go-oidc v2.2.1+incompatible
+	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dexidp/dex v2.13.0+incompatible
 	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/golang/protobuf v1.3.3
 	github.com/gorilla/handlers v1.4.2 // indirect
-	github.com/gorilla/mux v1.7.3
+	github.com/gorilla/mux v1.7.4
+	github.com/gorilla/sessions v1.2.0
+	github.com/gorilla/websocket v1.4.1 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.2.0
+	github.com/improbable-eng/grpc-web v0.12.0
 	github.com/jonboulle/clockwork v0.1.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/miekg/dns v1.1.27
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pkg/errors v0.8.1
+	github.com/place1/wg-embed v0.0.0
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/prometheus/client_golang v1.2.1
+	github.com/rs/cors v1.7.0 // indirect
 	github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 // indirect
 	github.com/sirupsen/logrus v1.4.2
-	github.com/stretchr/testify v1.4.0 // indirect
+	github.com/tg123/go-htpasswd v1.0.0
 	github.com/vishvananda/netlink v1.0.0
-	github.com/vishvananda/netns v0.0.0-20190625233234-7109fa855b0f // indirect
-	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 // indirect
-	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sys v0.0.0-20191210023423-ac6580df4449 // indirect
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20191008142428-8d021180e987
+	golang.org/x/net v0.0.0-20200202094626-16171245cfb2 // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 // indirect
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20191205174707-786493d6718c
 	google.golang.org/appengine v1.6.1 // indirect
-	google.golang.org/grpc v1.25.1 // indirect
+	google.golang.org/genproto v0.0.0-20200210034751-acff78025515 // indirect
+	google.golang.org/grpc v1.27.1
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/ldap.v2 v2.5.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v2 v2.2.2
 )
+
+replace github.com/place1/wg-embed => ../wg-embed
diff --git a/go.sum b/go.sum
diff --git a/internal/auth/authconfig.go b/internal/auth/authconfig.go
@@ -0,0 +1,25 @@
+package auth
+
+type AuthConfig struct {
+	OIDC   *OIDCConfig      `yaml:"oidc"`
+	Gitlab *GitlabConfig    `yaml:"gitlab"`
+	Basic  *BasicAuthConfig `yaml:"basic"`
+}
+
+func (c *AuthConfig) Providers() []*Provider {
+	providers := []*Provider{}
+
+	if c.OIDC != nil {
+		providers = append(providers, c.OIDC.Provider())
+	}
+
+	if c.Gitlab != nil {
+		providers = append(providers, c.Gitlab.Provider())
+	}
+
+	if c.Basic != nil {
+		providers = append(providers, c.Basic.Provider())
+	}
+
+	return providers
+}
diff --git a/internal/auth/basic.go b/internal/auth/basic.go
@@ -0,0 +1,85 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/mux"
+	"github.com/tg123/go-htpasswd"
+)
+
+type BasicAuthConfig struct {
+	// Users is a list of htpasswd encoded username:password pairs
+	// supports BCrypt, Sha, Ssha, Md5
+	// example: "htpasswd -nB <username>"
+	// copy the result into your user's array
+	Users []string `yaml:"users"`
+}
+
+func (c *BasicAuthConfig) Provider() *Provider {
+	return &Provider{
+		RegisterRoutes: func(router *mux.Router, runtime *ProviderRuntime) error {
+			router.HandleFunc("/login", basicAuthLogin(c, runtime))
+			return nil
+		},
+	}
+}
+
+func basicAuthLogin(c *BasicAuthConfig, runtime *ProviderRuntime) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+
+		u, p, ok := r.BasicAuth()
+		if !ok {
+			w.Header().Set("WWW-Authenticate", `Basic realm="site"`)
+			w.WriteHeader(http.StatusUnauthorized)
+			fmt.Fprintln(w, "unauthorized")
+			return
+		}
+
+		if ok := checkCreds(c.Users, u, p); ok {
+			runtime.SetSession(w, r, &AuthSession{
+				Identity: &Identity{
+					Subject: u,
+				},
+			})
+		}
+
+		runtime.Done(w, r)
+	}
+}
+
+func checkCreds(users []string, username string, password string) bool {
+	for _, user := range users {
+		if u, p, ok := parsehtpassword(user); ok {
+			if u == username {
+				return checkhtpasswd(p, password)
+			}
+		}
+	}
+	return false
+}
+
+func parsehtpassword(user string) (string, string, bool) {
+	segments := strings.SplitN(user, ":", 2)
+	if len(segments) >= 1 {
+		return segments[0], segments[1], true
+	}
+	return "", "", false
+}
+
+func checkhtpasswd(required string, given string) bool {
+	if encoded, err := htpasswd.AcceptBcrypt(required); encoded != nil && err == nil {
+		return encoded.MatchesPassword(given)
+	}
+	if encoded, err := htpasswd.AcceptSha(required); encoded != nil && err == nil {
+		return encoded.MatchesPassword(given)
+	}
+	if encoded, err := htpasswd.AcceptSsha(required); encoded != nil && err == nil {
+		return encoded.MatchesPassword(given)
+	}
+	if encoded, err := htpasswd.AcceptMd5(required); encoded != nil && err == nil {
+		return encoded.MatchesPassword(given)
+	}
+	return false
+}
diff --git a/internal/auth/config.go b/internal/auth/config.go
diff --git a/internal/auth/dex.go b/internal/auth/dex.go