Linux-Help
/
openvpn-user
mirror of
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

refactoring. convert for go module; totp auth

This commit is contained in:
Ilya Sosnovsky 2022-11-18 15:47:42 +03:00
parent 8ca2faa468
commit 9e5553eff6
10 changed files with 534 additions and 391 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
README.md
View File

@ -1,7 +1,7 @@
# openvpn-user
## Disclaimer
```diff
```
- Not tested in production environments!
```
@ -12,12 +12,12 @@ Use it on your own risk =)
A simple tool to use with openvpn when you need to use `auth-user-pass-verify` or wherever you want
### Example
make sure `openvpn-user` binary available through `PATH` variable and you have `auth.sh` script with `+x` rights available to openvpn server
make sure `openvpn-user` binary available through `PATH` variable and you have [auth.sh](https://github.com/pashcovich/openvpn-user/blob/master/auth.sh) or [auth_totp.sh](https://github.com/pashcovich/openvpn-user/blob/master/auth_totp.sh) script with `+x` rights available to openvpn server
i.e. put binary to `/usr/local/sbin/` and auth script to `/etc/openvpn/scripts/` dir
part of openvpn server config
```bash
```
script-security 2
auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-file
```
@ -30,50 +30,85 @@ usage: openvpn-user [<flags>] <command> [<args> ...]
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
--db.path="./openvpn-user.db" path do openvpn-user db
--debug Enable debug mode.
--version Show application version.
Commands:
help [<command>...]
Show help.
db-init
Init db.
db-migrate
STUB: Migrate db.
create --user=USER --password=PASSWORD
Create user.
--user=USER Username.
--password=PASSWORD Password.
delete --user=USER [<flags>]
Delete user.
-f, --force delete from db.
-u, --user=USER Username.
revoke --user=USER
Revoke user.
-u, --user=USER Username.
restore --user=USER
Restore user.
-u, --user=USER Username.
list [<flags>]
List active users.
-a, --all Show all users include revoked and deleted.
check --user=USER
check user existent.
-u, --user=USER Username.
auth --user=USER [<flags>]
Auth user.
-u, --user=USER Username.
-p, --password=PASSWORD Password.
-t, --totp=TOTP TOTP code.
change-password --user=USER --password=PASSWORD
Change password
-u, --user=USER Username.
-p, --password=PASSWORD Password.
update-secret --user=USER [<flags>]
update OTP secret
register-app --user=USER
-u, --user=USER Username.
-s, --secret="generate" Secret.
register-app --user=USER --totp=TOTP
register 2FA application
-u, --user=USER Username.
-t, --totp=TOTP TOTP.
check-app --user=USER
check 2FA application
-u, --user=USER Username.
get-secret --user=USER
get OTP secret
-u, --user=USER Username.
```

3
auth.sh
View File

@ -2,11 +2,12 @@
PATH=$PATH:/usr/local/bin
set -e
auth_usr=$(head -1 $1)
auth_passwd=$(tail -1 $1)
if [ $common_name = ${auth_usr} ]; then
openvpn-user auth --user ${auth_usr} --password ${auth_passwd}
openvpn-user auth --user ${auth_usr} --password ${auth_passwd} # --db.path /etc/openvpn/easyrsa/pki/users.db
else
echo "Authorization failed"
exit 1

14
auth_totp.sh Normal file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env sh
PATH=$PATH:/usr/local/bin
set -e
auth_usr=$(head -1 $1)
auth_token=$(tail -1 $1)
if [ $common_name = ${auth_usr} ]; then
openvpn-user auth --user ${auth_usr} --totp ${auth_token} # --db.path /etc/openvpn/easyrsa/pki/users.db
else
echo "Authorization failed"
exit 1
fi

6
go.mod
View File

@ -1,4 +1,4 @@
module openvpn-user
module github.com/pashcovich/openvpn-user
go 1.14
@ -6,8 +6,8 @@ require (
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4 // indirect
github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3
github.com/mattn/go-sqlite3 v1.14.6
github.com/stretchr/testify v1.7.0 // indirect
github.com/mattn/go-sqlite3 v1.14.16
github.com/sirupsen/logrus v1.9.0
golang.org/x/crypto v0.2.0
gopkg.in/alecthomas/kingpin.v2 v2.2.6
)

11
go.sum
View File

@ -2,14 +2,17 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafo
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4 h1:EBTWhcAX7rNQ80RLwLCpHZBBrJuzallFHnF+yMXo928=
github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3 h1:AqeKSZIG/NIC75MNQlPy/LM3LxfpLwahICJBHwSMFNc=
github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3/go.mod h1:hEfFauPHz7+NnjR/yHJGhrKo1Za+zStgwUETx3yzqgY=
github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
@ -30,7 +33,9 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

447
openvpn-user.go
View File

@ -1,22 +1,16 @@
package main
import (
"crypto/rand"
"database/sql"
"encoding/base32"
"fmt"
"github.com/dgryski/dgoogauth"
_ "github.com/mattn/go-sqlite3"
"golang.org/x/crypto/bcrypt"
"github.com/pashcovich/openvpn-user/src"
"gopkg.in/alecthomas/kingpin.v2"
"log"
"os"
"strings"
"text/tabwriter"
)
const (
version = "1.0.5"
version = "1.0.6"
)
var (
@ -30,83 +24,77 @@ var (
createCommandPasswordFlag = createCommand.Flag("password", "Password.").Required().String()
deleteCommand = kingpin.Command("delete", "Delete user.")
deleteCommandUserForceFlag = deleteCommand.Flag("force", "delete from db.").Default("false").Bool()
deleteCommandUserFlag = deleteCommand.Flag("user", "Username.").Required().String()
deleteCommandUserForceFlag = deleteCommand.Flag("force", "delete from db.").Short('f').Default("false").Bool()
deleteCommandUserFlag = deleteCommand.Flag("user", "Username.").Short('u').Required().String()
revokeCommand = kingpin.Command("revoke", "Revoke user.")
revokeCommandUserFlag = revokeCommand.Flag("user", "Username.").Required().String()
revokeCommandUserFlag = revokeCommand.Flag("user", "Username.").Short('u').Required().String()
restoreCommand = kingpin.Command("restore", "Restore user.")
restoreCommandUserFlag = restoreCommand.Flag("user", "Username.").Required().String()
restoreCommandUserFlag = restoreCommand.Flag("user", "Username.").Short('u').Required().String()
listCommand = kingpin.Command("list", "List active users.")
listAll = listCommand.Flag("all", "Show all users include revoked and deleted.").Default("false").Bool()
listCommand = kingpin.Command("list", "List active users.")
listCommandAllFlag = listCommand.Flag("all", "Show all users include revoked and deleted.").Short('a').Default("false").Bool()
checkCommand = kingpin.Command("check", "check user existent.")
checkCommandUserFlag = checkCommand.Flag("user", "Username.").Required().String()
checkCommandUserFlag = checkCommand.Flag("user", "Username.").Short('u').Required().String()
authCommand = kingpin.Command("auth", "Auth user.")
authCommandUserFlag = authCommand.Flag("user", "Username.").Required().String()
authCommandPasswordFlag = authCommand.Flag("password", "Password.").String()
authCommandTotpFlag = authCommand.Flag("totp", "TOTP code.").String()
//authCommandHotpFlag = authCommand.Flag("hotp", "HOTP code.").String()
authCommandUserFlag = authCommand.Flag("user", "Username.").Short('u').Required().String()
authCommandPasswordFlag = authCommand.Flag("password", "Password.").Short('p').String()
authCommandTotpFlag = authCommand.Flag("totp", "TOTP code.").Short('t').String()
changePasswordCommand = kingpin.Command("change-password", "Change password")
changePasswordCommandUserFlag = changePasswordCommand.Flag("user", "Username.").Required().String()
changePasswordCommandPasswordFlag = changePasswordCommand.Flag("password", "Password.").Required().String()
changePasswordCommandUserFlag = changePasswordCommand.Flag("user", "Username.").Short('u').Required().String()
changePasswordCommandPasswordFlag = changePasswordCommand.Flag("password", "Password.").Short('p').Required().String()
updateSecretCommand = kingpin.Command("update-secret", "update OTP secret")
updateSecretCommandUserFlag = updateSecretCommand.Flag("user", "Username.").Required().String()
updateSecretCommandSecretFlag = updateSecretCommand.Flag("secret", "Secret.").Default("generate").String()
updateSecretCommandUserFlag = updateSecretCommand.Flag("user", "Username.").Short('u').Required().String()
updateSecretCommandSecretFlag = updateSecretCommand.Flag("secret", "Secret.").Short('s').Default("generate").String()
registerAppCommand = kingpin.Command("register-app", "register 2FA application")
registerAppCommandUserFlag = registerAppCommand.Flag("user", "Username.").Required().String()
registerAppCommandUserFlag = registerAppCommand.Flag("user", "Username.").Short('u').Required().String()
registerAppCommandTotpFlag = registerAppCommand.Flag("totp", "TOTP.").Short('t').Required().String()
checkAppCommand = kingpin.Command("check-app", "check 2FA application")
checkAppCommandUserFlag = checkAppCommand.Flag("user", "Username.").Short('u').Required().String()
getSecretCommand = kingpin.Command("get-secret", "get OTP secret")
getSecretCommandUserFlag = getSecretCommand.Flag("user", "Username.").Required().String()
debug = kingpin.Flag("debug", "Enable debug mode.").Default("false").Bool()
)
type Migration struct {
id int64
name string
sql string
}
type User struct {
id int64
name string
password string
revoked bool
deleted bool
secret string
appConfigured bool
}
var (
migrations []Migration
getSecretCommandUserFlag = getSecretCommand.Flag("user", "Username.").Short('u').Required().String()
)
func main() {
migrations = append(migrations, Migration{name: "users_add_secret_column_2022_11_10", sql: "ALTER TABLE users ADD COLUMN secret string"})
migrations = append(migrations, Migration{name: "users_add_2fa_column_2022_11_11", sql: "ALTER TABLE users ADD COLUMN app_configured integer default 0"})
args := kingpin.Parse()
kingpin.Version(version)
switch kingpin.Parse() {
db, err := sql.Open("sqlite3", *dbPath)
if err != nil {
kingpin.Fatalf(err.Error())
}
defer func(db *sql.DB) {
err = db.Close()
if err != nil {
kingpin.Fatalf(err.Error())
}
}(db)
openvpnUser := src.OpenvpnUser{Database: db}
kingpin.Version(version).VersionFlag.Short('v')
switch args {
case createCommand.FullCommand():
createUser(*createCommandUserFlag, *createCommandPasswordFlag)
wrap(openvpnUser.CreateUser(*createCommandUserFlag, *createCommandPasswordFlag))
case deleteCommand.FullCommand():
deleteUser(*deleteCommandUserFlag)
wrap(openvpnUser.DeleteUser(*deleteCommandUserFlag, *deleteCommandUserForceFlag))
case revokeCommand.FullCommand():
revokedUser(*revokeCommandUserFlag)
wrap(openvpnUser.RevokedUser(*revokeCommandUserFlag))
case restoreCommand.FullCommand():
restoreUser(*restoreCommandUserFlag)
wrap(openvpnUser.RestoreUser(*restoreCommandUserFlag))
case listCommand.FullCommand():
printUsers()
openvpnUser.PrintUsers(*listCommandAllFlag)
case checkCommand.FullCommand():
_ = checkUserExistent(*checkCommandUserFlag)
_ = openvpnUser.CheckUserExistent(*checkCommandUserFlag)
case authCommand.FullCommand():
provideAuthType := 0
if *authCommandPasswordFlag != "" {
@ -115,341 +103,44 @@ func main() {
if *authCommandTotpFlag != "" {
provideAuthType += 1
}
//if *authCommandHotpFlag != "" {
// provideAuthType += 1
//}
if provideAuthType == 1 {
authUser(*authCommandUserFlag, *authCommandPasswordFlag, *authCommandTotpFlag)
authSuccessful, authErr := openvpnUser.AuthUser(*authCommandUserFlag, *authCommandPasswordFlag, *authCommandTotpFlag)
if authErr != nil {
kingpin.Fatalf(authErr.Error())
} else if authSuccessful {
fmt.Println("Authorization successful")
}
} else {
fmt.Printf("Please provide only one type of auth paswword")
fmt.Println("Please provide only one type of auth flag")
os.Exit(1)
}
case changePasswordCommand.FullCommand():
changeUserPassword(*changePasswordCommandUserFlag, *changePasswordCommandPasswordFlag)
wrap(openvpnUser.ChangeUserPassword(*changePasswordCommandUserFlag, *changePasswordCommandPasswordFlag))
case updateSecretCommand.FullCommand():
registerOtpSecret(*updateSecretCommandUserFlag, *updateSecretCommandSecretFlag)
wrap(openvpnUser.RegisterOtpSecret(*updateSecretCommandUserFlag, *updateSecretCommandSecretFlag))
case registerAppCommand.FullCommand():
registerOtpApplication(*registerAppCommandUserFlag)
wrap(openvpnUser.RegisterOtpApplication(*registerAppCommandUserFlag, *registerAppCommandTotpFlag))
case checkAppCommand.FullCommand():
appConfigured, appErr := openvpnUser.IsSecondFactorEnabled(*checkAppCommandUserFlag)
if appErr != nil {
kingpin.Fatalf(appErr.Error())
} else if appConfigured {
fmt.Println("App configured")
}
case getSecretCommand.FullCommand():
getUserOtpSecret(*getSecretCommandUserFlag)
wrap(openvpnUser.GetUserOtpSecret(*getSecretCommandUserFlag))
case dbInitCommand.FullCommand():
initDb()
openvpnUser.InitDb()
case dbMigrateCommand.FullCommand():
migrateDb()
openvpnUser.MigrateDb()
}
}
func getDb() *sql.DB {
db, err := sql.Open("sqlite3", *dbPath)
checkErr(err)
if db == nil {
panic("db is nil")
}
return db
}
func initDb() {
// boolean fields are integer because of sqlite does not support boolean: 1 = true, 0 = false
_, err := getDb().Exec("CREATE TABLE IF NOT EXISTS users(id integer not null primary key autoincrement, username string UNIQUE, password string, revoked integer default 0, deleted integer default 0)")
checkErr(err)
_, err = getDb().Exec("CREATE TABLE IF NOT EXISTS migrations(id integer not null primary key autoincrement, name string)")
checkErr(err)
fmt.Printf("Database initialized at %s\n", *dbPath)
}
func migrateDb() {
var c int
for _, migration := range migrations {
c = -1
err := getDb().QueryRow("SELECT count(*) FROM migrations WHERE name = $1", migration.name).Scan(&c)
if err != nil {
if err == sql.ErrNoRows {
continue
}
log.Fatal(err)
}
if c == 0 {
fmt.Printf("Migrating database with new migration %s\n", migration.name)
_, err := getDb().Exec(migration.sql)
checkErr(err)
_, err = getDb().Exec("INSERT INTO migrations(name) VALUES ($1)", migration.name)
checkErr(err)
}
}
fmt.Println("Migrations are up to date")
}
func createUser(username, password string) {
if !checkUserExistent(username) {
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
_, err := getDb().Exec("INSERT INTO users(username, password) VALUES ($1, $2)", username, string(hash))
checkErr(err)
fmt.Printf("User %s created\n", username)
} else {
fmt.Printf("ERROR: User %s already registered\n", username)
os.Exit(1)
}
}
func deleteUser(username string) {
deleteQuery := "UPDATE users SET deleted = 1 WHERE username = $1"
if *deleteCommandUserForceFlag {
deleteQuery = "DELETE FROM users WHERE username = $1"
}
res, err := getDb().Exec(deleteQuery, username)
checkErr(err)
if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil {
if rowsAffected == 1 {
fmt.Printf("User %s deleted\n", username)
}
} else {
if *debug {
fmt.Printf("ERROR: due deleting user %s: %s\n", username, rowsErr)
}
}
}
func revokedUser(username string) {
if !userDeleted(username) {
res, err := getDb().Exec("UPDATE users SET revoked = 1 WHERE username = $1", username)
checkErr(err)
if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil {
if rowsAffected == 1 {
fmt.Printf("User %s revoked\n", username)
}
} else {
if *debug {
fmt.Printf("ERROR: due reoking user %s: %s\n", username, rowsErr)
}
}
}
}
func restoreUser(username string) {
if !userDeleted(username) {
res, err := getDb().Exec("UPDATE users SET revoked = 0 WHERE username = $1", username)
checkErr(err)
if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil {
if rowsAffected == 1 {
fmt.Printf("User %s restored\n", username)
}
} else {
if *debug {
fmt.Printf("ERROR: due restoring user %s: %s\n", username, rowsErr)
}
}
}
}
func checkUserExistent(username string) bool {
// we need to check if there is already such a user
// return true if user exist
var c int
_ = getDb().QueryRow("SELECT count(*) FROM users WHERE username = $1", username).Scan(&c)
if c == 1 {
fmt.Printf("User %s exist\n", username)
return true
} else {
return false
}
}
func userDeleted(username string) bool {
// return true if user marked as deleted
u := User{}
_ = getDb().QueryRow("SELECT deleted FROM users WHERE username = $1", username).Scan(&u.deleted)
if u.deleted {
fmt.Printf("User %s marked as deleted\n", username)
return true
} else {
return false
}
}
func userIsActive(username string) bool {
// return true if user exist and not deleted and revoked
u := User{}
err := getDb().QueryRow("SELECT revoked,deleted FROM users WHERE username = $1", username).Scan(&u.revoked, &u.deleted)
func wrap(msg string, err error) {
if err != nil {
if err == sql.ErrNoRows {
fmt.Println("User not found")
return false
}
return false
}
if !u.revoked && !u.deleted {
if *debug {
fmt.Printf("User %s is active\n", username)
}
return true
kingpin.Fatalf(err.Error())
} else {
fmt.Println("User may be deleted or revoked")
return false
}
}
func listUsers() []User {
condition := "WHERE deleted = 0 AND revoked = 0"
var users []User
if *listAll {
condition = ""
}
query := "SELECT id, username, password, revoked, deleted FROM users " + condition
rows, err := getDb().Query(query)
checkErr(err)
for rows.Next() {
u := User{}
err := rows.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted)
if err != nil {
fmt.Println(err)
continue
}
users = append(users, u)
}
return users
}
func printUsers() {
ul := listUsers()
if len(ul) > 0 {
w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', tabwriter.TabIndent|tabwriter.Debug)
_, _ = fmt.Fprintln(w, "id\t username\t revoked\t deleted")
for _, u := range ul {
fmt.Fprintf(w, "%d\t %s\t %v\t %v\n", u.id, u.name, u.revoked, u.deleted)
}
_ = w.Flush()
} else {
fmt.Println("No users created yet")
}
}
func changeUserPassword(username, password string) {
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
_, err := getDb().Exec("UPDATE users SET password = $1 WHERE username = $2", hash, username)
checkErr(err)
fmt.Println("Password changed")
}
func registerOtpSecret(username, secret string) {
if userIsActive(username) {
if secret == "generate" {
randomStr := randStr(6, "alphanum")
secret = base32.StdEncoding.EncodeToString([]byte(randomStr))
if *debug {
fmt.Printf("new generated secret for user %s: %s\n", username, secret)
}
}
_, err := getDb().Exec("UPDATE users SET secret = $1 WHERE username = $2", secret, username)
checkErr(err)
fmt.Println("Secret updated")
}
}
func registerOtpApplication(username string) {
if userIsActive(username) {
_, err := getDb().Exec("UPDATE users SET app_configured = 1 WHERE username = $2")
checkErr(err)
fmt.Printf("OTP application for user %s configured\n", username)
}
}
func getUserOtpSecret(username string) {
if userIsActive(username) {
u := User{}
_ = getDb().QueryRow("SELECT secret FROM users WHERE username = $1", username).Scan(&u.secret)
fmt.Println(u.secret)
}
}
func authUser(username, password, totp string) {
row := getDb().QueryRow("SELECT id, username, password, revoked, deleted, secret, app_configured FROM users WHERE username = $1", username)
u := User{}
err := row.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.secret, &u.appConfigured)
checkErr(err)
if userIsActive(username) {
if password == "" && len(totp) > 0 {
otpConfig := &dgoogauth.OTPConfig{
Secret: strings.TrimSpace(u.secret),
WindowSize: 3,
HotpCounter: 0,
}
// get rid of the extra \n from the token string
// otherwise the validation will fail
trimmedToken := strings.TrimSpace(totp)
// Validate token
ok, err := otpConfig.Authenticate(trimmedToken)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
if ok {
fmt.Println("Authorization successful")
os.Exit(0)
} else {
fmt.Println("Token mismatched")
os.Exit(1)
}
} else if len(password) > 0 && totp == "" {
err = bcrypt.CompareHashAndPassword([]byte(u.password), []byte(password))
if err != nil {
fmt.Println("Authorization failed")
if *debug {
fmt.Println("Passwords mismatched")
}
os.Exit(1)
} else {
fmt.Println("Authorization successful")
os.Exit(0)
}
}
}
fmt.Println("Authorization failed")
os.Exit(1)
}
func randStr(strSize int, randType string) string {
var dictionary string
if randType == "alphanum" {
dictionary = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
}
if randType == "alpha" {
dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
}
if randType == "number" {
dictionary = "0123456789"
}
var bytes = make([]byte, strSize)
rand.Read(bytes)
for k, v := range bytes {
bytes[k] = dictionary[v%byte(len(dictionary))]
}
return string(bytes)
}
func checkErr(err error) {
if err != nil {
panic(err)
fmt.Println(msg)
}
}

331
src/commands.go Normal file
View File

@ -0,0 +1,331 @@
package src
import (
"database/sql"
"encoding/base32"
"fmt"
"github.com/dgryski/dgoogauth"
log "github.com/sirupsen/logrus"
"golang.org/x/crypto/bcrypt"
"os"
"strings"
"text/tabwriter"
)
func (oUser *OpenvpnUser) InitDb() {
// boolean fields are integer because of sqlite does not support boolean: 1 = true, 0 = false
_, err := oUser.Database.Exec("CREATE TABLE IF NOT EXISTS users(id integer not null primary key autoincrement, username string UNIQUE, password string, revoked integer default 0, deleted integer default 0)")
checkErr(err)
_, err = oUser.Database.Exec("CREATE TABLE IF NOT EXISTS migrations(id integer not null primary key autoincrement, name string)")
checkErr(err)
log.Infof("Database initialized at %v", oUser.Database.Driver())
}
func (oUser *OpenvpnUser) CreateUser(username, password string) (string, error) {
if !oUser.CheckUserExistent(username) {
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
_, err := oUser.Database.Exec("INSERT INTO users(username, password, secret, revoked, deleted, app_configured) VALUES ($1, $2, $3, 0, 0, 0)", username, string(hash), "")
checkErr(err)
return "User created", nil
} else {
return "", userAlreadyExistError
}
}
func (oUser *OpenvpnUser) DeleteUser(username string, force bool) (string, error) {
deleteQuery := "UPDATE users SET deleted = 1 WHERE username = $1"
if force {
deleteQuery = "DELETE FROM users WHERE username = $1"
}
res, err := oUser.Database.Exec(deleteQuery, username)
if err != nil {
return "", err
}
rowsAffected, err := res.RowsAffected()
if err != nil {
return "", err
}
if rowsAffected == 0 {
return "", userDeleteError
}
return "User deleted", nil
}
func (oUser *OpenvpnUser) RevokedUser(username string) (string, error) {
if !oUser.userDeleted(username) {
res, err := oUser.Database.Exec("UPDATE users SET revoked = 1 WHERE username = $1", username)
if err != nil {
return "", err
}
rowsAffected, err := res.RowsAffected()
if err != nil {
return "", err
}
if rowsAffected == 0 {
return "", userRevokeError
}
return "User revoked", nil
}
return "", userDeletedError
}
func (oUser *OpenvpnUser) RestoreUser(username string) (string, error) {
if !oUser.userDeleted(username) {
res, err := oUser.Database.Exec("UPDATE users SET revoked = 0 WHERE username = $1", username)
if err != nil {
return "", err
}
rowsAffected, err := res.RowsAffected()
if err != nil {
return "", err
}
if rowsAffected == 0 {
return "", userRestoreError
}
return "User restored", nil
}
return "", userDeletedError
}
func (oUser *OpenvpnUser) CheckUserExistent(username string) bool {
c := 0
_ = oUser.Database.QueryRow("SELECT count(*) FROM users WHERE username = $1", username).Scan(&c)
if c == 1 {
return true
} else {
return false
}
}
func (oUser *OpenvpnUser) userDeleted(username string) bool {
u := User{}
_ = oUser.Database.QueryRow("SELECT deleted FROM users WHERE username = $1", username).Scan(&u.deleted)
if u.deleted {
return true
} else {
return false
}
}
func (oUser *OpenvpnUser) userIsActive(username string) bool {
// return true if user exist and not deleted or revoked
u := User{}
err := oUser.Database.QueryRow("SELECT revoked,deleted FROM users WHERE username = $1", username).Scan(&u.revoked, &u.deleted)
if err != nil {
if err == sql.ErrNoRows {
return false
}
return false
}
if !u.revoked && !u.deleted {
return true
} else {
return false
}
}
func (oUser *OpenvpnUser) listUsers(all bool) []User {
var users []User
condition := "WHERE deleted = 0 AND revoked = 0"
if all {
condition = ""
}
query := "SELECT id, username, password, revoked, deleted, app_configured FROM users " + condition
rows, err := oUser.Database.Query(query)
checkErr(err)
for rows.Next() {
u := User{}
err = rows.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.appConfigured)
if err != nil {
//log.Error(err)
continue
}
users = append(users, u)
}
return users
}
func (oUser *OpenvpnUser) PrintUsers(all bool) {
ul := oUser.listUsers(all)
if len(ul) > 0 {
w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', tabwriter.TabIndent|tabwriter.Debug)
_, _ = fmt.Fprintln(w, "id\t username\t revoked\t deleted\t app_configured")
for _, u := range ul {
_, _ = fmt.Fprintf(w, "%d\t %s\t %v\t %v\t %v\n", u.id, u.name, u.revoked, u.deleted, u.appConfigured)
}
_ = w.Flush()
} else {
log.Print("No users created yet")
}
}
func (oUser *OpenvpnUser) ChangeUserPassword(username, password string) (string, error) {
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
_, err := oUser.Database.Exec("UPDATE users SET password = $1 WHERE username = $2", hash, username)
if err != nil {
return "", err
}
return "Password changed", nil
}
func (oUser *OpenvpnUser) RegisterOtpSecret(username, secret string) (string, error) {
if oUser.userIsActive(username) {
if secret == "generate" {
randomStr := randStr(6, "alphanum")
secret = base32.StdEncoding.EncodeToString([]byte(randomStr))
log.Debug("new generated secret for user %s: %s", username, secret)
}
_, err := oUser.Database.Exec("UPDATE users SET secret = $1 WHERE username = $2", secret, username)
if err != nil {
return "", err
}
return "Secret updated", nil
}
return "", userIsNotActiveError
}
func (oUser *OpenvpnUser) RegisterOtpApplication(username, totp string) (string, error) {
if oUser.userIsActive(username) {
appConfigured, appErr := oUser.IsSecondFactorEnabled(username)
if appErr != nil {
return "", appErr
}
if !appConfigured {
authOk, authErr := oUser.AuthUser(username, "", totp)
if authErr != nil {
return "", authErr
}
if authOk {
_, err := oUser.Database.Exec("UPDATE users SET app_configured = 1 WHERE username = $2")
if err != nil {
return "", err
}
return "OTP application configured", nil
}
}
return "OTP application already configured", nil
}
return "", userIsNotActiveError
}
func (oUser *OpenvpnUser) GetUserOtpSecret(username string) (string, error) {
if oUser.userIsActive(username) {
u := User{}
_ = oUser.Database.QueryRow("SELECT secret FROM users WHERE username = $1", username).Scan(&u.secret)
return u.secret, nil
}
return "", userIsNotActiveError
}
func (oUser *OpenvpnUser) IsSecondFactorEnabled(username string) (bool, error) {
if oUser.userIsActive(username) {
u := User{}
_ = oUser.Database.QueryRow("SELECT username, appConfigured FROM users WHERE username = $1", username).Scan(&u.name, &u.appConfigured)
if u.name == username {
return u.appConfigured, nil
}
return false, checkAppError
}
return false, userIsNotActiveError
}
func (oUser *OpenvpnUser) AuthUser(username, password, totp string) (bool, error) {
row := oUser.Database.QueryRow("SELECT id, username, password, revoked, deleted, secret, app_configured FROM users WHERE username = $1", username)
u := User{}
err := row.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.secret, &u.appConfigured)
if err != nil {
return false, err
}
if oUser.userIsActive(username) {
if password == "" && len(totp) > 0 {
if len(u.secret) == 0 {
return false, userSecretDoesNotExistError
}
otpConfig := &dgoogauth.OTPConfig{
Secret: strings.TrimSpace(u.secret),
WindowSize: 3,
HotpCounter: 0,
}
trimmedToken := strings.TrimSpace(totp)
ok, err := otpConfig.Authenticate(trimmedToken)
if err != nil {
log.Error(err)
}
if ok {
return true, nil
} else {
return false, tokenMismatchedError
}
} else if len(password) > 0 && totp == "" {
err = bcrypt.CompareHashAndPassword([]byte(u.password), []byte(password))
if err != nil {
return false, passwordMismatchedError
} else {
return true, nil
}
}
}
return false, userIsNotActiveError
}
func (oUser *OpenvpnUser) MigrateDb() {
var c int
var migrations []Migration
migrations = append(migrations, Migration{name: "users_add_secret_column_2022_11_10", sql: "ALTER TABLE users ADD COLUMN secret string"})
migrations = append(migrations, Migration{name: "users_add_2fa_column_2022_11_11", sql: "ALTER TABLE users ADD COLUMN app_configured integer default 0"})
for _, migration := range migrations {
c = -1
err := oUser.Database.QueryRow("SELECT count(*) FROM migrations WHERE name = $1", migration.name).Scan(&c)
if err != nil {
if err == sql.ErrNoRows {
continue
}
log.Fatal(err)
}
if c == 0 {
log.Info("Migrating database with new migration %s\n", migration.name)
_, err = oUser.Database.Exec(migration.sql)
checkErr(err)
_, err = oUser.Database.Exec("INSERT INTO migrations(name) VALUES ($1)", migration.name)
checkErr(err)
}
}
log.Info("Migrations are up to date")
}
func checkErr(err error) {
if err != nil {
fmt.Println(err)
}
}

16
src/errors.go Normal file
View File

@ -0,0 +1,16 @@
package src
import "errors"
var (
userSecretDoesNotExistError = errors.New("user secret does not exist")
userAlreadyExistError = errors.New("user already exist")
userDeletedError = errors.New("user marked as deleted")
userRestoreError = errors.New("failed to restore user")
userRevokeError = errors.New("failed to revoke user")
userDeleteError = errors.New("failed to delete user")
userIsNotActiveError = errors.New("user is not active")
passwordMismatchedError = errors.New("password mismatched")
tokenMismatchedError = errors.New("token mismatched")
checkAppError = errors.New("failed to check 2FA app")
)

23
src/models.go Normal file
View File

@ -0,0 +1,23 @@
package src
import "database/sql"
type OpenvpnUser struct {
Database *sql.DB
}
type Migration struct {
id int64
name string
sql string
}
type User struct {
id int64
name string
password string
revoked bool
deleted bool
secret string
appConfigured bool
}

27
src/utils.go Normal file
View File

@ -0,0 +1,27 @@
package src
import "crypto/rand"
func randStr(strSize int, randType string) string {
var dictionary string
if randType == "alphanum" {
dictionary = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
}
if randType == "alpha" {
dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
}
if randType == "number" {
dictionary = "0123456789"
}
var bytes = make([]byte, strSize)
rand.Read(bytes)
for k, v := range bytes {
bytes[k] = dictionary[v%byte(len(dictionary))]
}
return string(bytes)
}