Gregory Rudolph
3 years ago
4 changed files with 332 additions and 0 deletions
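--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,21 @@
+module git.hugfreevikings.wtf/rudi/SecREST
+
+go 1.18
+
+require github.com/gorilla/mux v1.8.0
+
+require (
+	github.com/ProtonMail/gopenpgp/v2 v2.4.6
+	github.com/google/uuid v1.3.0
+)
+
+require (
+	github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f // indirect
+	github.com/ProtonMail/go-mime v0.0.0-20220302105931-303f85f7fe0f // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/sirupsen/logrus v1.4.2 // indirect
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
+	golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 // indirect
+	golang.org/x/text v0.3.3 // indirect
+)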
@ -0,0 +1,64 @@
@@ -0,0 +1,64 @@
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= |
||||
github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f h1:J2FzIrXN82q5uyUraeJpLIm7U6PffRwje2ORho5yIik= |
||||
github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= |
||||
github.com/ProtonMail/go-mime v0.0.0-20220302105931-303f85f7fe0f h1:CGq7OieOz3wyQJ1fO8S0eO9TCW1JyvLrf8fhzz1i8ko= |
||||
github.com/ProtonMail/go-mime v0.0.0-20220302105931-303f85f7fe0f/go.mod h1:NYt+V3/4rEeDuaev/zw1zCq8uqVEuPHzDPo3OZrlGJ4= |
||||
github.com/ProtonMail/gopenpgp/v2 v2.4.6 h1:/EcJsFIsE0ywShAJ+lNLafcaSd6GBhIzHsaBID5pGXw= |
||||
github.com/ProtonMail/gopenpgp/v2 v2.4.6/go.mod h1:ZW1KxHNG6q5LMgFKf9Ap/d2eVYeyGf5+fAUEAjJWtmo= |
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= |
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= |
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= |
||||
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= |
||||
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= |
||||
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= |
||||
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= |
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= |
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= |
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= |
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= |
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= |
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= |
||||
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= |
||||
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= |
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= |
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= |
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= |
||||
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= |
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= |
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= |
||||
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= |
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= |
||||
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w= |
||||
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= |
||||
golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4= |
||||
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= |
||||
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= |
||||
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= |
||||
golang.org/x/mobile v0.0.0-20200801112145-973feb4309de/go.mod h1:skQtrUTUwhdJvXM/2KKJzY8pDgNr9I/FOMqDVRPBUS4= |
||||
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= |
||||
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= |
||||
golang.org/x/mod v0.1.1-0.20191209134235-331c550502dd/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= |
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= |
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= |
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= |
||||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= |
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= |
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= |
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw= |
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= |
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= |
||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= |
||||
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= |
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= |
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= |
||||
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= |
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= |
||||
golang.org/x/tools v0.0.0-20200117012304-6edc0a871e69/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= |
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= |
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= |
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= |
||||
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= |
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= |
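--- a/PATH_NOT_SHOWN_1.go
+++ b/PATH_NOT_SHOWN_1.go
@@ -0,0 +1,199 @@
+package SecREST
+
+import (
+	"bytes"
+	"encoding/json"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/ProtonMail/gopenpgp/v2/helper"
+	"github.com/google/uuid"
+	"github.com/gorilla/mux"
+)
+
+var (
+	// Handlers that will be called for internall routing after de/encryption
+	Handlers []SecRESTHandler
+	// Auth handler
+	Auth SecRESTAuth
+	// SERVER public key, armored
+	PubKey string
+	// SERVER private key, armored
+	PrivKey string
+	// Password for SERVER private key
+	KeyPass string
+	// AuthClients is intentionally made non-persistent, expires all clients on reboot.
+	// This however is open for debate.
+	AuthClients = make(map[string]string)
+)
+
+// StartRouter accepts a Port string, and a slice of SecRESTHandler
+// then starts the router.
+func StartRouter(port string, pubKey string, privKey string, keyPass string, handlers []SecRESTHandler, auth SecRESTAuth) {
+	log.Printf("Initializing SecREST Server")
+	// Get Config
+	Handlers = handlers
+	Auth = auth
+	PrivKey = privKey
+	KeyPass = keyPass
+	PubKey = pubKey
+	log.Printf("Preparing SecREST Server on port %+v", port)
+
+	r := mux.NewRouter()
+
+	r.HandleFunc("/", handleRoot)
+	r.HandleFunc("/secure", handleSecure)
+	r.HandleFunc("/insecure", handleInsecure)
+	r.HandleFunc("/handshake", handleHandshake)
+	log.Printf("Starting SecREST Server")
+	log.Printf("Fatal error serving SecREST: %+v", http.ListenAndServe(":"+port, r))
+
+}
+
+// Serve the base site's basic HTML and JavaScript, maybe via static file?
+func handleRoot(w http.ResponseWriter, r *http.Request) {
+
+}
+
+// Accept RAW POST of PGP armored text, and decrypt with server key
+// should be in SecRESTRequest format
+// will respond with SecRESTResponse, encrypted to client
+// ClientIdentifier header needs to match UUID in storage
+func handleSecure(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/crypt64")
+	clientIdentifier := w.Header().Get("ClientIdentifier")
+	if val, ok := AuthClients[clientIdentifier]; !ok {
+		log.Printf("%+v not found in authorized clients. Returning 401 with empty body.", val)
+		w.WriteHeader(401)
+		w.Write(nil)
+		return
+	}
+	buf := new(bytes.Buffer)
+	buf.ReadFrom(r.Body)
+	decrypted, err := helper.DecryptVerifyMessageArmored(AuthClients[clientIdentifier], PrivKey, []byte(KeyPass), buf.String())
+	if err != nil {
+		log.Printf("Unable to decrypt request from %+v, returning 500 with empty body.\n%+v", clientIdentifier, err)
+		w.WriteHeader(500)
+		w.Write(nil)
+		return
+	}
+	var request SecRESTRequest
+	err = json.Unmarshal([]byte(decrypted), &request)
+	if err != nil {
+		log.Printf("Unable to unmarshal decrypted request from %+v\n%+v", clientIdentifier, err)
+		w.WriteHeader(500)
+		w.Write(nil)
+		return
+	}
+	request.Insecure = false
+	request.TimeStamp = time.Now()
+	resp := routeRequest(request)
+	payload, err := json.Marshal(resp)
+	if err != nil {
+		log.Printf("Unable to marshal internal response for %+v\n%+v", clientIdentifier, err)
+		w.WriteHeader(500)
+		w.Write(nil)
+		return
+	}
+	armor, err := helper.EncryptSignMessageArmored(AuthClients[clientIdentifier], PrivKey, []byte(KeyPass), string(payload))
+	if err != nil {
+		log.Printf("Unable to encrypt and sign message for %+v\n%+v", clientIdentifier, err)
+		w.WriteHeader(500)
+		w.Write(nil)
+		return
+	}
+	w.Write([]byte(armor))
+
+}
+
+// Accept JSON Request, will route if destination allows insecure,
+// otherwise will respond with HTTP 401
+func handleInsecure(w http.ResponseWriter, r *http.Request) {
+	ipaddr := r.Header.Get("X-Real-IP")
+	request := SecRESTRequest{
+		TimeStamp: time.Now(),
+		Insecure: true,
+	}
+	w.Header().Set("Content-Type", "application/json")
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&request); err != nil {
+		log.Printf("Unable to decode request from %+v\n%+v", ipaddr, err)
+		w.WriteHeader(400)
+		w.Write(nil)
+		return
+	}
+	defer r.Body.Close()
+	resp := routeRequest(request)
+	payload, err := json.Marshal(resp)
+	if err != nil {
+		log.Printf("Unable to marshal internal response for %+v\n%+v", ipaddr, err)
+		w.WriteHeader(500)
+		w.Write(nil)
+		return
+	}
+	w.Write(payload)
+}
+
+func routeRequest(r SecRESTRequest) SecRESTResponse {
+	var resp SecRESTResponse
+	for _, h := range Handlers {
+		if h.Path == r.Path {
+			if h.Insecure == r.Insecure {
+				resp = h.Run(r)
+			} else {
+				log.Printf("Client attempted to access secure path \"%+v\" via /insecure but is denied.", r.Path)
+				resp.Status = 401
+			}
+		}
+	}
+	// If resp.Status isn't set above, no matching path found.
+	if resp.Status == 0 {
+		log.Printf("Client attempted to access \"%+v\" but it was not found.", r.Path)
+		resp.Status = 404
+	}
+	resp.Ellapsed = time.Since(r.TimeStamp).String()
+	return resp
+}
+
+// Request body should contain PGP Public Key for new client,
+// and respond with PGP Public Key for Server if authorized.
+func handleHandshake(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	ipaddr := r.Header.Get("X-Real-IP")
+	start := time.Now()
+	success, req := Auth.Run(w, r)
+	if success {
+		w.WriteHeader(200)
+		clientIdentifier := uuid.New().String()
+		AuthClients[clientIdentifier] = req.ClientKey
+		authResp := SecRESTAuthResponse{
+			ServerKey: PubKey,
+			ClientIdentifier: clientIdentifier,
+		}
+		resp := SecRESTResponse{
+			AuthResponse: authResp,
+			Ellapsed: time.Since(start).String(),
+			Status: 200,
+			Body: "Success",
+		}
+		payload, err := json.Marshal(resp)
+		if err != nil {
+			log.Printf("Unable to marshal response payload for %+v's successful handshake:\n%+v", clientIdentifier, err)
+			w.WriteHeader(500)
+			w.Write(nil)
+		}
+		armor, err := helper.EncryptSignMessageArmored(AuthClients[clientIdentifier], PrivKey, []byte(KeyPass), string(payload))
+		if err != nil {
+			log.Printf("Unable to encrypt response payload for %+v's successful handshake:\n%+v", clientIdentifier, err)
+			w.WriteHeader(500)
+			w.Write(nil)
+		}
+		w.Write([]byte(armor))
+
+	} else {
+		log.Printf("%+v tried to authenticate, unsuccessfully.", ipaddr)
+		w.WriteHeader(418)
+		w.Write([]byte("no"))
+	}
+}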
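Review bot: In handleInsecure the `Insecure: true` set in the struct literal can be overwritten by the decoded body, because `SecRESTRequest.Insecure` carries no `json:"-"` tag and `decoder.Decode(&request)` fills any exported field present in the JSON; a request whose body sets that field to false then satisfies `h.Insecure == r.Insecure` in routeRequest for a handler that was registered as secure-only, and that handler runs without the PGP layer. Force the flag after decoding, as handleSecure already does with `request.Insecure = false`: add `request.Insecure = true` immediately after the Decode error check (tagging the field `json:"-"` in the types file would close this for both handlers at once). Separately, handleSecure reads the client id with `w.Header().Get("ClientIdentifier")`, i.e. from the response headers, so it is always empty; it should be `r.Header.Get("ClientIdentifier")`. In handleHandshake the two `w.WriteHeader(500)` branches have no `return`, so execution falls through to `w.Write([]byte(armor))` after the error has already been reported. AuthClients is a plain map written by handleHandshake and read by handleSecure from concurrent handler goroutines, so those accesses need a mutex (or sync.Map) to avoid a data race.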
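--- a/PATH_NOT_SHOWN_2.go
+++ b/PATH_NOT_SHOWN_2.go
@@ -0,0 +1,48 @@
+package SecREST
+
+import (
+	"net/http"
+	"time"
+)
+
+// SecRESTRequest is a decrypted request coming in from a client
+type SecRESTRequest struct {
+	Path string `json:"Path"`
+	Body string `json:"Body"`
+	ClientIdentifier string `json:"ClientIdentifier"`
+	Insecure bool
+	TimeStamp time.Time `json:"TimeStamp"`
+	AuthRequest SecRESTAuthRequest `json:"AuthRequest"`
+}
+
+// SecRESTResponse is a decrypted response to be sent to the client
+// Will be encrypted if request.Insecure = false
+type SecRESTResponse struct {
+	Status int `json:"Status"`
+	Body string `json:"Body"`
+	Ellapsed string `json:"Ellapsed"`
+	AuthResponse SecRESTAuthResponse `json:"AuthResponse"`
+}
+
+// Struct for handlers, Insecure = True allows /insecure access
+type SecRESTHandler struct {
+	Path string
+	Insecure bool
+	Body string
+	Run func(SecRESTRequest) SecRESTResponse
+}
+
+// SecRESTAuth struct is for authenticating a client, and storing their PGP key
+type SecRESTAuth struct {
+	// Handle Authentication for new client
+	Run func(w http.ResponseWriter, r *http.Request) (bool, SecRESTAuthRequest)
+}
+
+type SecRESTAuthResponse struct {
+	ServerKey string `json:"ServerKey"`
+	ClientIdentifier string `json:"ClientIdentifier"`
+}
+
+type SecRESTAuthRequest struct {
+	ClientKey string `json:"ClientKey"`
+}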
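Review bot: SecRESTAuthResponse and SecRESTAuthRequest are exported but carry no doc comment, unlike every other type in this file. Add `// SecRESTAuthResponse is returned after a successful handshake: the server's armored public key and the ClientIdentifier the client must present on later requests.` above the first and `// SecRESTAuthRequest carries the client's armored PGP public key submitted during the handshake.` above the second. The `Insecure` field of SecRESTRequest is also the only one without an explicit json tag; a one-line comment saying it is set by the server per endpoint and is not meant to come from the client body would make the intent visible to readers of this file.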