working prototype

can push OTP request can push routes
2019-07-09 23:37:37 +02:00
parent f975a19f65
commit 274e824630
8 changed files with 205 additions and 96 deletions
--- a/vpnserver.go
+++ b/vpnserver.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bufio"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 	"net"
@@ -26,8 +27,6 @@ type OpenVpnMgt struct {
 	CcPwnPassword    string
 	pwnTemplate      string
 	newAsTemplate    string
-	slackTemplate    string
-	slackTemplate2   string
 	cacheDir         string
 	syslog           bool
 	otpMasterSecrets []string
@@ -69,31 +68,40 @@ func (s *OpenVpnMgt) Run() {
 	}
 }

-func (s *OpenVpnMgt) TokenPassword(c *vpnSession) bool {
-	return false
+func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) {
+	//TODO implement that correcly
+	if c.password == "maith1wiePuw3ieb4heiNie5y" {
+		return true, "maith1wiePuw3ieb4heiNie5y"
+	}
+	return false, "maith1wiePuw3ieb4heiNie5y"
 }

-func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
+// main authentication function.
+// returns 0 if auth is valid
+// returns 1 if an TOTP code is necessary
+// returns a negative if auth is not valid
+func (s *OpenVpnMgt) Auth(c *vpnSession) (error, int) {
 	// an empty password is not good
 	if c.password == "" {
-		return nil, false
+		return errors.New("Empty Password"), -1
 	}

-	// check if the password is a valid token validated for TOTP 2FA
-	tokenPassword := s.TokenPassword(c)
-	// If this is the case, empty the password to avoid checking it against the
-	// ldap server
-	if tokenPassword {
+	// check if the password is a valid token (see TOTP request)
+	tokenPasswordOk, tokenPassword := s.TokenPassword(c)
+
+	// password is a token. We remove it from the session object to
+	// avoid checking it against the ldap
+	if tokenPasswordOk {
 		c.password = ""
 	}

-	// if the otp is indicated, we check it against the valid codes as soon as
+	// if the otp is not empty, we check it against the valid codes as soon as
 	// possible
 	otpvalidated := false
 	if c.otpCode != "" {
 		codes, err := s.GenerateOTP(c.Login)
 		if err != nil {
-			return err, false
+			return err, -2
 		}
 		for _, possible := range codes {
 			if possible == c.otpCode {
@@ -102,8 +110,6 @@ func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
 		}
 	}

-	log.Println(otpvalidated)
-
 	c.Profile = ""
 	login := []string{c.Login}
 	pass := c.password
@@ -114,8 +120,6 @@ func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
 			if ldap.upgradeFrom != c.Profile {
 				continue
 			}
-			log.Printf("try %s with login %s\n", k, login)
-
 			err, userOk, passOk, secondary := ldap.Auth(login, pass)

 			// if there is an error, try the other configurations
@@ -141,20 +145,38 @@ func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
 				}

 				// we have either a positive auth ok a previous valid one
-				if passOk || c.Profile != "" || tokenPassword {
+				if passOk || c.Profile != "" || tokenPasswordOk {
 					c.Profile = k
 				}
 			}
 		}

+		// no profile update this turn, no need to continue
 		if n == c.Profile {
 			break
 		}
 	}

-	log.Println(c)
-	log.Println(s.ldap[c.Profile])
-	return nil, false
+	// no profile validated, we stop here
+	if c.Profile == "" {
+		return errors.New("Authentication Failed"), -3
+	}
+
+	// check the MFA requested by the secured profile
+	switch s.ldap[c.Profile].mfaType {
+	case "internal":
+		if otpvalidated {
+			return nil, 0
+		}
+		c.password = tokenPassword
+		return errors.New("Need OTP Code"), 1
+	case "okta":
+		//TODO implement okta MFA
+		return nil, -4
+	}
+
+	// no MFA requested, the login is valid
+	return nil, 0
 }

 func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
@@ -162,6 +184,7 @@ func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
 		return errors.New("No openvpn server present"), nil
 	}
 	for _, line := range msg {
+		log.Println(line)
 		if _, err := s.buf.WriteString(line + "\r\n"); err != nil {
 			return err, nil
 		}
@@ -192,36 +215,73 @@ func (s *OpenVpnMgt) Version() (error, []string) {
 	return nil, msg
 }

+func (s *OpenVpnMgt) ClientValidated(line string) {
+	//TODO manage that : find the client, log stuff
+	<-s.ret
+}
+
 func (s *OpenVpnMgt) ClientDisconnect(line string) {
-	msg := <-s.ret
-	log.Println(msg)
+	//TODO manage that : find the client, log stuff
+	<-s.ret
+}
+
+func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) {
+	// TODO implement
+	ip := s.ldap[c.Profile].ipMin
+
+	return ip.String(), nil
 }

 func (s *OpenVpnMgt) ClientConnect(line string) {
+	var cmd []string
+	var ip string
+	var errIP error
+
 	client := NewVPNSession("log in")
-
 	client.ParseSessionId(line)
-
 	infos := <-s.ret
-
-	client.ParseEnv(&infos)
+	if err := client.ParseEnv(&infos); err != nil {
+		log.Println(err)
+		return
+	}

 	err, ok := s.Auth(client)

-	if err != nil {
+	// if auth is ok, time to get an IP address
+	if ok == 0 {
+		ip, errIP = s.getIP(client)
+		if errIP != nil {
+			ok = -10
+			err = errIP
+		}
+	}
+
+	switch {
+	case ok == 0:
+		cmd = []string{
+			fmt.Sprintf("client-auth %d %d", client.cID, client.kID),
+			fmt.Sprintf("ifconfig-push %s %s", ip, client.localIP),
+		}
+		for _, r := range s.ldap[client.Profile].routes {
+			cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r))
+		}
+		cmd = append(cmd, "END")
+
+	case ok < 0:
+		cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"",
+			client.cID, client.kID, err, err)}
+
+	case ok == 1:
+		cmd = []string{fmt.Sprintf(
+			"client-deny %d %d \"Need OTP\" \"CRV1:R,E:%s:%s:OTP Code \"",
+			client.cID, client.kID, client.password, client.b64Login())}
+	}
+
+	if err, _ := s.sendCommand(cmd); err != nil {
 		log.Println(err)
 	}

-	if ok {
-		log.Println("auth ok")
-	}
-
-	//	err, msg := s.sendCommand([]string{fmt.Sprintf("client-deny %d %d \"Need OTP\" \"CRV1:R:blabla:eC5oZW5uZXI=:OTP Code \"", client.cID, client.kID)})
-	//	if err != nil {
-	//		return
-	//	}
-	//	log.Println(msg)
-
+	return
 }

 func (s *OpenVpnMgt) handleConn(conn net.Conn) {
@@ -259,6 +319,15 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
 		}
 		line = strings.Trim(line, "\n\r ")

+		// manage all "terminator" lines
+		for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} {
+			if strings.HasPrefix(line, terminator) {
+				s.ret <- response
+				response = nil
+				break
+			}
+		}
+
 		switch {
 		// a new openvpn server is connected
 		case strings.HasPrefix(line, ">INFO"):
@@ -272,16 +341,15 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {

 		// new bloc for a connect event.
 		// We start the receiving handler, which will wait for the Channel message
+		case strings.HasPrefix(line, ">CLIENT:ADDRESS"):
+			go s.ClientValidated(line)
+
 		case strings.HasPrefix(line, ">CLIENT:CONNECT"):
 			go s.ClientConnect(line)

-		// write the cumulated lines into the channel to the current handler
-		case strings.HasPrefix(line, "END") || strings.HasPrefix(line, ">CLIENT:ENV,END"):
-			s.ret <- response
-			response = nil
 		default:
 			response = append(response, line)
 		}
-		//log.Print(line)
+		log.Print(line)
 	}
 }