manage auth-retry

2019-07-11 08:14:38 +02:00
parent 7418a70afc
commit 1c02c700fa
4 changed files with 130 additions and 36 deletions
--- a/vpnsession.go
+++ b/vpnsession.go
@@ -7,12 +7,11 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"os/exec"
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
-
-	hibp "github.com/mattevans/pwned-passwords"
 )

 type vpnSession struct {
@@ -30,6 +29,8 @@ type vpnSession struct {
 	PwnedPasswd   bool      `json:"pwned_passwd"`
 	Hostname      string    `json:"hostname"`
 	TooMuchPwn    bool      `json:"too_much_pwn"`
+	BwRead        int       `json:"in_bytes"`
+	BwWrite       int       `json:"out_bytes"`
 	Mail          string    `json:"-"`
 	cID           int       `json:"-"`
 	kID           int       `json:"-"`
@@ -45,11 +46,11 @@ type vpnSession struct {
 	CcPwnPassword string    `json:"-"`
 }

-func NewVPNSession(operation string) *vpnSession {
+func NewVPNSession() *vpnSession {
 	v := vpnSession{
 		Time:      time.Now().Round(time.Second),
 		Status:    "system failure",
-		Operation: operation,
+		Operation: "log in",
 	}
 	v.Hostname, _ = os.Hostname()

@@ -71,29 +72,29 @@ func (c *vpnSession) baseHash(salt string, i int64) string {
 	return fmt.Sprintf("%s%s%s%s", salt, c.Login, c.IP, i)
 }

+func (c *vpnSession) AddRoute(script, ip string) error {
+	cmd := exec.Command(script, "route", "replace", ip, "dev", c.dev)
+	return cmd.Run()
+}
+
 func (c *vpnSession) ParseSessionId(line string) error {
 	var err error
-	client_id := strings.Split(strings.Replace(line, ">CLIENT:CONNECT,", "", 1), ",")
-	if c.cID, err = strconv.Atoi(client_id[0]); err != nil {
+	re := regexp.MustCompile("^>CLIENT:[^,]*,([0-9]+),([0-9]+)$")
+	match := re.FindStringSubmatch(line)
+	if len(match) == 0 {
+		return errors.New("invalid message")
+	}
+
+	if c.cID, err = strconv.Atoi(match[1]); err != nil {
 		return err
 	}
-	if c.kID, err = strconv.Atoi(client_id[1]); err != nil {
+	if c.kID, err = strconv.Atoi(match[2]); err != nil {
 		return err
 	}
 	return nil
 }

-func (c *vpnSession) CheckPwn(password string) error {
-	client := hibp.NewClient()
-	pwned, err := client.Pwned.Compromised(password)
-	if err != nil {
-		return err
-	}
-	c.PwnedPasswd = pwned
-	return nil
-}
-
-func (c *vpnSession) ParseEnv(infos *[]string) error {
+func (c *vpnSession) ParseEnv(s *OpenVpnMgt, infos *[]string) error {
 	var err error
 	r := regexp.MustCompile("[^a-zA-Z0-9./_@-]")

@@ -128,7 +129,7 @@ func (c *vpnSession) ParseEnv(infos *[]string) error {
 				if c.otpCode == "" {
 					c.otpCode = "***"
 				}
-				go c.CheckPwn(c.password)
+				// don't check that password agains the ibp database

 			case strings.HasPrefix(p[1], "SCRV1"):
 				split := strings.Split(p[1], ":")
@@ -151,11 +152,17 @@ func (c *vpnSession) ParseEnv(infos *[]string) error {
 				if c.otpCode == "" {
 					c.otpCode = "***"
 				}
-
+				// only check if the password is pwned on the first connection
+				if c.Operation == "log in" {
+					go s.CheckPwn(c)
+				}
 			default:
 				c.password = p[1]
 				c.otpCode = ""
-				go c.CheckPwn(c.password)
+				// only check if the password is pwned on the first connection
+				if c.Operation == "log in" {
+					go s.CheckPwn(c)
+				}
 			}

 		case "username":
@@ -174,11 +181,15 @@ func (c *vpnSession) Auth(s *OpenVpnMgt) {

 	err, ok := c.auth(s)
 	// if auth is ok, time to get an IP address
-	if ok == 0 {
+	if ok == 0 && c.PrivIP == "" {
 		ip, errIP = s.getIP(c)
 		if errIP != nil {
 			ok = -10
 			err = errIP
+		} else {
+			if err := c.AddRoute(s.ipRouteScript, ip); err != nil {
+				c.LogPrintln(err)
+			}
 		}
 	}

@@ -192,6 +203,7 @@ func (c *vpnSession) Auth(s *OpenVpnMgt) {
 			cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r))
 		}
 		cmd = append(cmd, "END")
+		c.Status = "success"

 	case ok < 0:
 		cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"",