optimisations
* use pyke's regexp cache * allow an unlimited number of LDAP attributes * add a per-user perturbation (salt) to the OTP secret, in case of a stolen phone * lowercase the username, to avoid surprising behaviour with the OTP
@@ -5,9 +5,9 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/pyke369/golang-support/rcache"
|
||||
"os"
|
||||
"os/exec"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
@@ -84,7 +84,7 @@ func (c *vpnSession) AddRoute(ip string) error {
|
||||
|
||||
func (c *vpnSession) ParseSessionId(line string) error {
|
||||
var err error
|
||||
re := regexp.MustCompile("^>CLIENT:[^,]*,([0-9]+),([0-9]+)$")
|
||||
re := rcache.Get("^>CLIENT:[^,]*,([0-9]+),([0-9]+)$")
|
||||
match := re.FindStringSubmatch(line)
|
||||
if len(match) == 0 {
|
||||
return errors.New("invalid message")
|
||||
@@ -101,8 +101,8 @@ func (c *vpnSession) ParseSessionId(line string) error {
|
||||
|
||||
func (c *vpnSession) ParseEnv(s *OpenVpnMgt, infos *[]string) error {
|
||||
var err error
|
||||
r := regexp.MustCompile("[^a-zA-Z0-9./_@-]")
|
||||
renv := regexp.MustCompile("^>CLIENT:ENV,([^=]*)=(.*)$")
|
||||
r := rcache.Get("[^a-zA-Z0-9./_@-]")
|
||||
renv := rcache.Get("^>CLIENT:ENV,([^=]*)=(.*)$")
|
||||
for _, line := range *infos {
|
||||
p := renv.FindStringSubmatch(line)
|
||||
if len(p) != 3 {
|
||||
@@ -182,7 +182,7 @@ func (c *vpnSession) ParseEnv(s *OpenVpnMgt, infos *[]string) error {
|
||||
}
|
||||
|
||||
case "username":
|
||||
c.Login = r.ReplaceAllString(p[2], "")
|
||||
c.Login = strings.ToLower(r.ReplaceAllString(p[2], ""))
|
||||
case "dev":
|
||||
c.dev = r.ReplaceAllString(p[2], "")
|
||||
case "ifconfig_netmask":
|
||||
@@ -260,11 +260,20 @@ func (c *vpnSession) auth(s *OpenVpnMgt) (error, int) {
|
||||
c.password = ""
|
||||
}
|
||||
|
||||
otpSalt := ""
|
||||
c.Profile, c.Mail, otpSalt = s.AuthLoop("", c.Login, c.password, tokenPasswordOk)
|
||||
|
||||
// no profile validated, we stop here
|
||||
if c.Profile == "" {
|
||||
c.Status = "fail (password)"
|
||||
return errors.New("Authentication Failed"), -3
|
||||
}
|
||||
|
||||
// if the otp is not empty, we check it against the valid codes as soon as
|
||||
// possible
|
||||
otpvalidated := false
|
||||
if c.otpCode != "" {
|
||||
codes, err := s.GenerateOTP(c.Login)
|
||||
codes, err := s.GenerateOTP(c.Login + otpSalt)
|
||||
if err != nil {
|
||||
return err, -2
|
||||
}
|
||||
@@ -275,14 +284,6 @@ func (c *vpnSession) auth(s *OpenVpnMgt) (error, int) {
|
||||
}
|
||||
}
|
||||
|
||||
c.Profile, c.Mail = s.AuthLoop("", c.Login, c.password, tokenPasswordOk)
|
||||
|
||||
// no profile validated, we stop here
|
||||
if c.Profile == "" {
|
||||
c.Status = "fail (password)"
|
||||
return errors.New("Authentication Failed"), -3
|
||||
}
|
||||
|
||||
// check the MFA requested by the secured profile
|
||||
c.TwoFA = true
|
||||
switch s.ldap[c.Profile].mfaType {
|
||||
|
||||
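Review bot: In the `@@ -260,11 +260,20 @@` hunk, `s.GenerateOTP(c.Login + otpSalt)` silently degrades to the old unsalted seed whenever `otpSalt` comes back empty (`otpSalt := ""` is the default and nothing checks the value returned by `AuthLoop`), so a missing or unset LDAP attribute would quietly defeat the stolen-phone protection this commit is adding; I cannot tell from the hunk whether `AuthLoop` guarantees a non-empty salt, so if it does not, fail closed before generating codes: `if otpSalt == "" { return errors.New("missing OTP salt"), -2 }`. A separator between login and salt (e.g. `c.Login + ":" + otpSalt`) would also avoid two distinct (login, salt) pairs mapping to the same seed, although with per-user random salts that is unlikely. The retained comment `// if the otp is not empty, we check it against the valid codes as soon as possible` is now misleading, since the password round-trip through `AuthLoop` has been moved ahead of the OTP check to obtain the salt; consider `// the OTP is checked only after AuthLoop, because the per-user salt comes from it`. The body of `auth` continues outside the hunk.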