From 9e5553eff6845730b65dac7695ed0967fdfcc03e Mon Sep 17 00:00:00 2001 From: Ilya Sosnovsky Date: Fri, 18 Nov 2022 15:47:42 +0300 Subject: [PATCH] refactoring. convert for go module; totp auth --- README.md | 47 ++++- auth.sh | 3 +- auth_totp.sh | 14 ++ go.mod | 6 +- go.sum | 11 +- openvpn-user.go | 447 ++++++++---------------------------------------- src/commands.go | 331 +++++++++++++++++++++++++++++++++++ src/errors.go | 16 ++ src/models.go | 23 +++ src/utils.go | 27 +++ 10 files changed, 534 insertions(+), 391 deletions(-) create mode 100644 auth_totp.sh create mode 100644 src/commands.go create mode 100644 src/errors.go create mode 100644 src/models.go create mode 100644 src/utils.go diff --git a/README.md b/README.md index 66dde71..772eb07 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # openvpn-user ## Disclaimer -```diff +``` - Not tested in production environments! ``` @@ -12,12 +12,12 @@ Use it on your own risk =) A simple tool to use with openvpn when you need to use `–auth-user-pass-verify` or wherever you want ### Example -make sure `openvpn-user` binary available through `PATH` variable and you have `auth.sh` script with `+x` rights available to openvpn server +make sure `openvpn-user` binary available through `PATH` variable and you have [auth.sh](https://github.com/pashcovich/openvpn-user/blob/master/auth.sh) or [auth_totp.sh](https://github.com/pashcovich/openvpn-user/blob/master/auth_totp.sh) script with `+x` rights available to openvpn server i.e. put binary to `/usr/local/sbin/` and auth script to `/etc/openvpn/scripts/` dir part of openvpn server config -```bash +``` script-security 2 auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-file ``` 
@@ -30,50 +30,85 @@ usage: openvpn-user [] [ ...] Flags: --help Show context-sensitive help (also try --help-long and --help-man). --db.path="./openvpn-user.db" path do openvpn-user db - --debug Enable debug mode. - --version Show application version. Commands: help [...] Show help. + db-init Init db. + db-migrate STUB: Migrate db. + create --user=USER --password=PASSWORD Create user. + --user=USER Username. + --password=PASSWORD Password. + delete --user=USER [] Delete user. + -f, --force delete from db. + -u, --user=USER Username. + revoke --user=USER Revoke user. + -u, --user=USER Username. + restore --user=USER Restore user. + -u, --user=USER Username. + list [] List active users. + -a, --all Show all users include revoked and deleted. + check --user=USER check user existent. + -u, --user=USER Username. + auth --user=USER [] Auth user. + -u, --user=USER Username. + -p, --password=PASSWORD Password. + -t, --totp=TOTP TOTP code. + change-password --user=USER --password=PASSWORD Change password + -u, --user=USER Username. + -p, --password=PASSWORD Password. + update-secret --user=USER [] update OTP secret - register-app --user=USER + -u, --user=USER Username. + -s, --secret="generate" Secret. + + register-app --user=USER --totp=TOTP register 2FA application + -u, --user=USER Username. + -t, --totp=TOTP TOTP. + + check-app --user=USER + check 2FA application + + -u, --user=USER Username. + get-secret --user=USER get OTP secret + -u, --user=USER Username. + ``` diff --git a/auth.sh b/auth.sh index adada83..5439538 100644 --- a/auth.sh +++ b/auth.sh @@ -2,11 +2,12 @@ PATH=$PATH:/usr/local/bin set -e + auth_usr=$(head -1 $1) auth_passwd=$(tail -1 $1) if [ $common_name = ${auth_usr} ]; then - openvpn-user auth --user ${auth_usr} --password ${auth_passwd} + openvpn-user auth --user ${auth_usr} --password ${auth_passwd} # --db.path /etc/openvpn/easyrsa/pki/users.db else echo "Authorization failed" exit 1 
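Review bot: The auth line passes the password as a process argument (`--password ${auth_passwd}`), so for the lifetime of the `openvpn-user` process it is typically readable by other local users through the process table; the new auth_totp.sh does the same with `--totp ${auth_token}`. The expansions on that line and in `[ $common_name = ${auth_usr} ]` are also unquoted, so an empty value or one containing whitespace changes the argument list instead of failing cleanly; quote them, `if [ "$common_name" = "$auth_usr" ]; then` and `openvpn-user auth --user "$auth_usr" --password "$auth_passwd"` (likewise `--totp "$auth_token"` in auth_totp.sh). Passing the credential via stdin or the via-file path instead of argv would need a matching option on the Go side, which this commit does not add.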
diff --git a/auth_totp.sh b/auth_totp.sh new file mode 100644 index 0000000..a9d4214 --- /dev/null +++ b/auth_totp.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env sh + +PATH=$PATH:/usr/local/bin +set -e + +auth_usr=$(head -1 $1) +auth_token=$(tail -1 $1) + +if [ $common_name = ${auth_usr} ]; then + openvpn-user auth --user ${auth_usr} --totp ${auth_token} # --db.path /etc/openvpn/easyrsa/pki/users.db +else + echo "Authorization failed" + exit 1 +fi diff --git a/go.mod b/go.mod index 0d42d0d..008a89a 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module openvpn-user +module github.com/pashcovich/openvpn-user go 1.14 @@ -6,8 +6,8 @@ require ( github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4 // indirect github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3 - github.com/mattn/go-sqlite3 v1.14.6 - github.com/stretchr/testify v1.7.0 // indirect + github.com/mattn/go-sqlite3 v1.14.16 + github.com/sirupsen/logrus v1.9.0 golang.org/x/crypto v0.2.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 ) diff --git a/go.sum b/go.sum index bc45468..18e9cce 100644 --- a/go.sum +++ b/go.sum 
@@ -2,14 +2,17 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafo github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4 h1:EBTWhcAX7rNQ80RLwLCpHZBBrJuzallFHnF+yMXo928= github.com/alecthomas/units v0.0.0-20201120081800-1786d5ef83d4/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= -github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3 h1:AqeKSZIG/NIC75MNQlPy/LM3LxfpLwahICJBHwSMFNc= github.com/dgryski/dgoogauth v0.0.0-20190221195224-5a805980a5f3/go.mod h1:hEfFauPHz7+NnjR/yHJGhrKo1Za+zStgwUETx3yzqgY= -github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg= -github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= +github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= +github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= 
@@ -30,7 +33,9 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= diff --git a/openvpn-user.go b/openvpn-user.go index 91f23ec..892a16f 100644 --- a/openvpn-user.go +++ b/openvpn-user.go @@ -1,22 +1,16 @@ package main import ( - "crypto/rand" "database/sql" - "encoding/base32" "fmt" - "github.com/dgryski/dgoogauth" _ "github.com/mattn/go-sqlite3" - "golang.org/x/crypto/bcrypt" + "github.com/pashcovich/openvpn-user/src" "gopkg.in/alecthomas/kingpin.v2" - "log" "os" - "strings" - "text/tabwriter" ) const ( - version = "1.0.5" + version = "1.0.6" ) var ( 
@@ -30,83 +24,77 @@ var ( createCommandPasswordFlag = createCommand.Flag("password", "Password.").Required().String() deleteCommand = kingpin.Command("delete", "Delete user.") - deleteCommandUserForceFlag = deleteCommand.Flag("force", "delete from db.").Default("false").Bool() - deleteCommandUserFlag = deleteCommand.Flag("user", "Username.").Required().String() + deleteCommandUserForceFlag = deleteCommand.Flag("force", "delete from db.").Short('f').Default("false").Bool() + deleteCommandUserFlag = deleteCommand.Flag("user", "Username.").Short('u').Required().String() revokeCommand = kingpin.Command("revoke", "Revoke user.") - revokeCommandUserFlag = revokeCommand.Flag("user", "Username.").Required().String() + revokeCommandUserFlag = revokeCommand.Flag("user", "Username.").Short('u').Required().String() restoreCommand = kingpin.Command("restore", "Restore user.") - restoreCommandUserFlag = restoreCommand.Flag("user", "Username.").Required().String() + restoreCommandUserFlag = restoreCommand.Flag("user", "Username.").Short('u').Required().String() - listCommand = kingpin.Command("list", "List active users.") - listAll = listCommand.Flag("all", "Show all users include revoked and deleted.").Default("false").Bool() + listCommand = kingpin.Command("list", "List active users.") + listCommandAllFlag = listCommand.Flag("all", "Show all users include revoked and deleted.").Short('a').Default("false").Bool() checkCommand = kingpin.Command("check", "check user existent.") - checkCommandUserFlag = checkCommand.Flag("user", "Username.").Required().String() + checkCommandUserFlag = checkCommand.Flag("user", "Username.").Short('u').Required().String() authCommand = kingpin.Command("auth", "Auth user.") - authCommandUserFlag = authCommand.Flag("user", "Username.").Required().String() - authCommandPasswordFlag = authCommand.Flag("password", "Password.").String() - authCommandTotpFlag = authCommand.Flag("totp", "TOTP code.").String() - //authCommandHotpFlag = 
authCommand.Flag("hotp", "HOTP code.").String() + authCommandUserFlag = authCommand.Flag("user", "Username.").Short('u').Required().String() + authCommandPasswordFlag = authCommand.Flag("password", "Password.").Short('p').String() + authCommandTotpFlag = authCommand.Flag("totp", "TOTP code.").Short('t').String() changePasswordCommand = kingpin.Command("change-password", "Change password") - changePasswordCommandUserFlag = changePasswordCommand.Flag("user", "Username.").Required().String() - changePasswordCommandPasswordFlag = changePasswordCommand.Flag("password", "Password.").Required().String() + changePasswordCommandUserFlag = changePasswordCommand.Flag("user", "Username.").Short('u').Required().String() + changePasswordCommandPasswordFlag = changePasswordCommand.Flag("password", "Password.").Short('p').Required().String() updateSecretCommand = kingpin.Command("update-secret", "update OTP secret") - updateSecretCommandUserFlag = updateSecretCommand.Flag("user", "Username.").Required().String() - updateSecretCommandSecretFlag = updateSecretCommand.Flag("secret", "Secret.").Default("generate").String() + updateSecretCommandUserFlag = updateSecretCommand.Flag("user", "Username.").Short('u').Required().String() + updateSecretCommandSecretFlag = updateSecretCommand.Flag("secret", "Secret.").Short('s').Default("generate").String() registerAppCommand = kingpin.Command("register-app", "register 2FA application") - registerAppCommandUserFlag = registerAppCommand.Flag("user", "Username.").Required().String() + registerAppCommandUserFlag = registerAppCommand.Flag("user", "Username.").Short('u').Required().String() + registerAppCommandTotpFlag = registerAppCommand.Flag("totp", "TOTP.").Short('t').Required().String() + + checkAppCommand = kingpin.Command("check-app", "check 2FA application") + checkAppCommandUserFlag = checkAppCommand.Flag("user", "Username.").Short('u').Required().String() getSecretCommand = kingpin.Command("get-secret", "get OTP secret") - 
getSecretCommandUserFlag = getSecretCommand.Flag("user", "Username.").Required().String() - - debug = kingpin.Flag("debug", "Enable debug mode.").Default("false").Bool() -) - -type Migration struct { - id int64 - name string - sql string -} - -type User struct { - id int64 - name string - password string - revoked bool - deleted bool - secret string - appConfigured bool -} - -var ( - migrations []Migration + getSecretCommandUserFlag = getSecretCommand.Flag("user", "Username.").Short('u').Required().String() ) func main() { - migrations = append(migrations, Migration{name: "users_add_secret_column_2022_11_10", sql: "ALTER TABLE users ADD COLUMN secret string"}) - migrations = append(migrations, Migration{name: "users_add_2fa_column_2022_11_11", sql: "ALTER TABLE users ADD COLUMN app_configured integer default 0"}) + args := kingpin.Parse() - kingpin.Version(version) - switch kingpin.Parse() { + db, err := sql.Open("sqlite3", *dbPath) + if err != nil { + kingpin.Fatalf(err.Error()) + } + defer func(db *sql.DB) { + err = db.Close() + if err != nil { + kingpin.Fatalf(err.Error()) + } + }(db) + + openvpnUser := src.OpenvpnUser{Database: db} + + kingpin.Version(version).VersionFlag.Short('v') + + switch args { case createCommand.FullCommand(): - createUser(*createCommandUserFlag, *createCommandPasswordFlag) + wrap(openvpnUser.CreateUser(*createCommandUserFlag, *createCommandPasswordFlag)) case deleteCommand.FullCommand(): - deleteUser(*deleteCommandUserFlag) + wrap(openvpnUser.DeleteUser(*deleteCommandUserFlag, *deleteCommandUserForceFlag)) case revokeCommand.FullCommand(): - revokedUser(*revokeCommandUserFlag) + wrap(openvpnUser.RevokedUser(*revokeCommandUserFlag)) case restoreCommand.FullCommand(): - restoreUser(*restoreCommandUserFlag) + wrap(openvpnUser.RestoreUser(*restoreCommandUserFlag)) case listCommand.FullCommand(): - printUsers() + openvpnUser.PrintUsers(*listCommandAllFlag) case checkCommand.FullCommand(): - _ = checkUserExistent(*checkCommandUserFlag) + _ = 
openvpnUser.CheckUserExistent(*checkCommandUserFlag) case authCommand.FullCommand(): provideAuthType := 0 if *authCommandPasswordFlag != "" { 
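Review bot: `kingpin.Version(version).VersionFlag.Short('v')` now runs after `args := kingpin.Parse()`, so the version flag is registered only once parsing has finished and `--version`/`-v` will be rejected as an unknown flag; move that line above the `Parse()` call, where the removed code had it. The `check` case discards its result (`_ = openvpnUser.CheckUserExistent(...)`) and the method itself prints nothing, so the command exits 0 and stays silent whether or not the user exists; act on the boolean, e.g. `if !openvpnUser.CheckUserExistent(*checkCommandUserFlag) { kingpin.Fatalf("user %q not found", *checkCommandUserFlag) }`. `kingpin.Fatalf(err.Error())`, here and in the deferred `Close`, passes the error text as the format string; `kingpin.Fatalf("%s", err)` is safe for messages containing `%`. main() continues past the end of this hunk.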
@@ -115,341 +103,44 @@ func main() { if *authCommandTotpFlag != "" { provideAuthType += 1 } - //if *authCommandHotpFlag != "" { - // provideAuthType += 1 - //} if provideAuthType == 1 { - authUser(*authCommandUserFlag, *authCommandPasswordFlag, *authCommandTotpFlag) + authSuccessful, authErr := openvpnUser.AuthUser(*authCommandUserFlag, *authCommandPasswordFlag, *authCommandTotpFlag) + if authErr != nil { + kingpin.Fatalf(authErr.Error()) + } else if authSuccessful { + fmt.Println("Authorization successful") + } } else { - fmt.Printf("Please provide only one type of auth paswword") + fmt.Println("Please provide only one type of auth flag") os.Exit(1) } case changePasswordCommand.FullCommand(): - changeUserPassword(*changePasswordCommandUserFlag, *changePasswordCommandPasswordFlag) + wrap(openvpnUser.ChangeUserPassword(*changePasswordCommandUserFlag, *changePasswordCommandPasswordFlag)) case updateSecretCommand.FullCommand(): - registerOtpSecret(*updateSecretCommandUserFlag, *updateSecretCommandSecretFlag) + wrap(openvpnUser.RegisterOtpSecret(*updateSecretCommandUserFlag, *updateSecretCommandSecretFlag)) case registerAppCommand.FullCommand(): - registerOtpApplication(*registerAppCommandUserFlag) + wrap(openvpnUser.RegisterOtpApplication(*registerAppCommandUserFlag, *registerAppCommandTotpFlag)) + case checkAppCommand.FullCommand(): + appConfigured, appErr := openvpnUser.IsSecondFactorEnabled(*checkAppCommandUserFlag) + if appErr != nil { + kingpin.Fatalf(appErr.Error()) + } else if appConfigured { + fmt.Println("App configured") + } case getSecretCommand.FullCommand(): - getUserOtpSecret(*getSecretCommandUserFlag) + wrap(openvpnUser.GetUserOtpSecret(*getSecretCommandUserFlag)) + case dbInitCommand.FullCommand(): - initDb() + openvpnUser.InitDb() case dbMigrateCommand.FullCommand(): - migrateDb() + openvpnUser.MigrateDb() } } -func getDb() *sql.DB { - db, err := sql.Open("sqlite3", *dbPath) - checkErr(err) - if db == nil { - panic("db is nil") - } - return db -} - 
-func initDb() { - // boolean fields are integer because of sqlite does not support boolean: 1 = true, 0 = false - _, err := getDb().Exec("CREATE TABLE IF NOT EXISTS users(id integer not null primary key autoincrement, username string UNIQUE, password string, revoked integer default 0, deleted integer default 0)") - checkErr(err) - _, err = getDb().Exec("CREATE TABLE IF NOT EXISTS migrations(id integer not null primary key autoincrement, name string)") - checkErr(err) - fmt.Printf("Database initialized at %s\n", *dbPath) -} - -func migrateDb() { - var c int - for _, migration := range migrations { - c = -1 - err := getDb().QueryRow("SELECT count(*) FROM migrations WHERE name = $1", migration.name).Scan(&c) - if err != nil { - if err == sql.ErrNoRows { - continue - } - log.Fatal(err) - } - if c == 0 { - fmt.Printf("Migrating database with new migration %s\n", migration.name) - _, err := getDb().Exec(migration.sql) - checkErr(err) - _, err = getDb().Exec("INSERT INTO migrations(name) VALUES ($1)", migration.name) - checkErr(err) - } - } - fmt.Println("Migrations are up to date") -} - -func createUser(username, password string) { - if !checkUserExistent(username) { - hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) - _, err := getDb().Exec("INSERT INTO users(username, password) VALUES ($1, $2)", username, string(hash)) - checkErr(err) - fmt.Printf("User %s created\n", username) - } else { - fmt.Printf("ERROR: User %s already registered\n", username) - os.Exit(1) - } - -} - -func deleteUser(username string) { - deleteQuery := "UPDATE users SET deleted = 1 WHERE username = $1" - if *deleteCommandUserForceFlag { - deleteQuery = "DELETE FROM users WHERE username = $1" - } - res, err := getDb().Exec(deleteQuery, username) - checkErr(err) - if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil { - if rowsAffected == 1 { - fmt.Printf("User %s deleted\n", username) - } - } else { - if *debug { - fmt.Printf("ERROR: due deleting user %s: %s\n", 
username, rowsErr) - } - } -} - -func revokedUser(username string) { - if !userDeleted(username) { - res, err := getDb().Exec("UPDATE users SET revoked = 1 WHERE username = $1", username) - checkErr(err) - if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil { - if rowsAffected == 1 { - fmt.Printf("User %s revoked\n", username) - } - } else { - if *debug { - fmt.Printf("ERROR: due reoking user %s: %s\n", username, rowsErr) - } - } - } -} - -func restoreUser(username string) { - if !userDeleted(username) { - res, err := getDb().Exec("UPDATE users SET revoked = 0 WHERE username = $1", username) - checkErr(err) - if rowsAffected, rowsErr := res.RowsAffected(); rowsErr != nil { - if rowsAffected == 1 { - fmt.Printf("User %s restored\n", username) - } - } else { - if *debug { - fmt.Printf("ERROR: due restoring user %s: %s\n", username, rowsErr) - } - } - } -} - -func checkUserExistent(username string) bool { - // we need to check if there is already such a user - // return true if user exist - var c int - _ = getDb().QueryRow("SELECT count(*) FROM users WHERE username = $1", username).Scan(&c) - if c == 1 { - fmt.Printf("User %s exist\n", username) - return true - } else { - return false - } -} - -func userDeleted(username string) bool { - // return true if user marked as deleted - u := User{} - _ = getDb().QueryRow("SELECT deleted FROM users WHERE username = $1", username).Scan(&u.deleted) - if u.deleted { - fmt.Printf("User %s marked as deleted\n", username) - return true - } else { - return false - } -} - -func userIsActive(username string) bool { - // return true if user exist and not deleted and revoked - u := User{} - err := getDb().QueryRow("SELECT revoked,deleted FROM users WHERE username = $1", username).Scan(&u.revoked, &u.deleted) +func wrap(msg string, err error) { if err != nil { - if err == sql.ErrNoRows { - fmt.Println("User not found") - return false - } - return false - } - if !u.revoked && !u.deleted { - if *debug { - fmt.Printf("User %s is 
active\n", username) - } - return true + kingpin.Fatalf(err.Error()) } else { - fmt.Println("User may be deleted or revoked") - return false - } -} - -func listUsers() []User { - condition := "WHERE deleted = 0 AND revoked = 0" - var users []User - if *listAll { - condition = "" - } - query := "SELECT id, username, password, revoked, deleted FROM users " + condition - rows, err := getDb().Query(query) - checkErr(err) - - for rows.Next() { - u := User{} - err := rows.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted) - if err != nil { - fmt.Println(err) - continue - } - users = append(users, u) - } - - return users -} - -func printUsers() { - ul := listUsers() - if len(ul) > 0 { - w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', tabwriter.TabIndent|tabwriter.Debug) - _, _ = fmt.Fprintln(w, "id\t username\t revoked\t deleted") - for _, u := range ul { - fmt.Fprintf(w, "%d\t %s\t %v\t %v\n", u.id, u.name, u.revoked, u.deleted) - } - _ = w.Flush() - } else { - fmt.Println("No users created yet") - } -} - -func changeUserPassword(username, password string) { - hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) - _, err := getDb().Exec("UPDATE users SET password = $1 WHERE username = $2", hash, username) - checkErr(err) - - fmt.Println("Password changed") -} - -func registerOtpSecret(username, secret string) { - if userIsActive(username) { - if secret == "generate" { - randomStr := randStr(6, "alphanum") - - secret = base32.StdEncoding.EncodeToString([]byte(randomStr)) - if *debug { - fmt.Printf("new generated secret for user %s: %s\n", username, secret) - } - } - - _, err := getDb().Exec("UPDATE users SET secret = $1 WHERE username = $2", secret, username) - checkErr(err) - - fmt.Println("Secret updated") - } -} - -func registerOtpApplication(username string) { - if userIsActive(username) { - - _, err := getDb().Exec("UPDATE users SET app_configured = 1 WHERE username = $2") - checkErr(err) - - fmt.Printf("OTP application for user %s 
configured\n", username) - } -} - -func getUserOtpSecret(username string) { - if userIsActive(username) { - u := User{} - _ = getDb().QueryRow("SELECT secret FROM users WHERE username = $1", username).Scan(&u.secret) - - fmt.Println(u.secret) - } -} - -func authUser(username, password, totp string) { - - row := getDb().QueryRow("SELECT id, username, password, revoked, deleted, secret, app_configured FROM users WHERE username = $1", username) - u := User{} - err := row.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.secret, &u.appConfigured) - checkErr(err) - - if userIsActive(username) { - if password == "" && len(totp) > 0 { - otpConfig := &dgoogauth.OTPConfig{ - Secret: strings.TrimSpace(u.secret), - WindowSize: 3, - HotpCounter: 0, - } - - // get rid of the extra \n from the token string - // otherwise the validation will fail - trimmedToken := strings.TrimSpace(totp) - - // Validate token - ok, err := otpConfig.Authenticate(trimmedToken) - - if err != nil { - fmt.Println(err) - os.Exit(1) - } - if ok { - fmt.Println("Authorization successful") - os.Exit(0) - } else { - fmt.Println("Token mismatched") - os.Exit(1) - } - - } else if len(password) > 0 && totp == "" { - - err = bcrypt.CompareHashAndPassword([]byte(u.password), []byte(password)) - if err != nil { - fmt.Println("Authorization failed") - if *debug { - fmt.Println("Passwords mismatched") - } - os.Exit(1) - } else { - fmt.Println("Authorization successful") - os.Exit(0) - } - } - } - fmt.Println("Authorization failed") - os.Exit(1) -} - -func randStr(strSize int, randType string) string { - - var dictionary string - - if randType == "alphanum" { - dictionary = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" - } - - if randType == "alpha" { - dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" - } - - if randType == "number" { - dictionary = "0123456789" - } - - var bytes = make([]byte, strSize) - rand.Read(bytes) - for k, v := range bytes { - bytes[k] = 
dictionary[v%byte(len(dictionary))] - } - return string(bytes) -} - -func checkErr(err error) { - if err != nil { - panic(err) + fmt.Println(msg) } } diff --git a/src/commands.go b/src/commands.go new file mode 100644 index 0000000..7b624e9 --- /dev/null +++ b/src/commands.go 
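Review bot: The auth case treats only a non-nil `authErr` as failure; should `AuthUser` ever return `(false, nil)` the command prints nothing and exits 0, which `auth-user-pass-verify` takes as a successful login. Today every false result from `AuthUser` in src/commands.go is paired with an error, but since this process's exit status is the authentication decision, main should fail closed on the boolean as well: `if authErr != nil || !authSuccessful { fmt.Println("Authorization failed"); os.Exit(1) }`. The new `wrap` helper likewise calls `kingpin.Fatalf(err.Error())`, treating the error text as a format string; prefer `kingpin.Fatalf("%s", err)`. main() starts before this hunk.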
@@ -0,0 +1,331 @@ +package src + +import ( + "database/sql" + "encoding/base32" + "fmt" + "github.com/dgryski/dgoogauth" + log "github.com/sirupsen/logrus" + "golang.org/x/crypto/bcrypt" + "os" + "strings" + "text/tabwriter" +) + +func (oUser *OpenvpnUser) InitDb() { + // boolean fields are integer because of sqlite does not support boolean: 1 = true, 0 = false + _, err := oUser.Database.Exec("CREATE TABLE IF NOT EXISTS users(id integer not null primary key autoincrement, username string UNIQUE, password string, revoked integer default 0, deleted integer default 0)") + checkErr(err) + _, err = oUser.Database.Exec("CREATE TABLE IF NOT EXISTS migrations(id integer not null primary key autoincrement, name string)") + checkErr(err) + log.Infof("Database initialized at %v", oUser.Database.Driver()) +} + +func (oUser *OpenvpnUser) CreateUser(username, password string) (string, error) { + if !oUser.CheckUserExistent(username) { + hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) + _, err := oUser.Database.Exec("INSERT INTO users(username, password, secret, revoked, deleted, app_configured) VALUES ($1, $2, $3, 0, 0, 0)", username, string(hash), "") + checkErr(err) + return "User created", nil + } else { + return "", userAlreadyExistError + + } + +} + +func (oUser *OpenvpnUser) DeleteUser(username string, force bool) (string, error) { + deleteQuery := "UPDATE users SET deleted = 1 WHERE username = $1" + if force { + deleteQuery = "DELETE FROM users WHERE username = $1" + } + res, err := oUser.Database.Exec(deleteQuery, username) + if err != nil { + return "", err + } + + rowsAffected, err := res.RowsAffected() + if err != nil { + return "", err + } + + if rowsAffected == 0 { + return "", userDeleteError + } + return "User deleted", nil + +} + +func (oUser *OpenvpnUser) RevokedUser(username string) (string, error) { + if !oUser.userDeleted(username) { + res, err := oUser.Database.Exec("UPDATE users SET revoked = 1 WHERE username = $1", username) + if 
err != nil { + return "", err + } + + rowsAffected, err := res.RowsAffected() + if err != nil { + return "", err + } + + if rowsAffected == 0 { + return "", userRevokeError + } + return "User revoked", nil + } + return "", userDeletedError +} + +func (oUser *OpenvpnUser) RestoreUser(username string) (string, error) { + if !oUser.userDeleted(username) { + res, err := oUser.Database.Exec("UPDATE users SET revoked = 0 WHERE username = $1", username) + if err != nil { + return "", err + } + + rowsAffected, err := res.RowsAffected() + if err != nil { + return "", err + } + + if rowsAffected == 0 { + return "", userRestoreError + } + return "User restored", nil + } + return "", userDeletedError +} + +func (oUser *OpenvpnUser) CheckUserExistent(username string) bool { + c := 0 + _ = oUser.Database.QueryRow("SELECT count(*) FROM users WHERE username = $1", username).Scan(&c) + if c == 1 { + return true + } else { + return false + } +} + +func (oUser *OpenvpnUser) userDeleted(username string) bool { + u := User{} + _ = oUser.Database.QueryRow("SELECT deleted FROM users WHERE username = $1", username).Scan(&u.deleted) + if u.deleted { + return true + } else { + return false + } +} + +func (oUser *OpenvpnUser) userIsActive(username string) bool { + // return true if user exist and not deleted or revoked + u := User{} + err := oUser.Database.QueryRow("SELECT revoked,deleted FROM users WHERE username = $1", username).Scan(&u.revoked, &u.deleted) + if err != nil { + if err == sql.ErrNoRows { + return false + } + return false + } + if !u.revoked && !u.deleted { + return true + } else { + return false + } +} + +func (oUser *OpenvpnUser) listUsers(all bool) []User { + var users []User + condition := "WHERE deleted = 0 AND revoked = 0" + + if all { + condition = "" + } + + query := "SELECT id, username, password, revoked, deleted, app_configured FROM users " + condition + + rows, err := oUser.Database.Query(query) + checkErr(err) + + for rows.Next() { + u := User{} + err = 
rows.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.appConfigured) + if err != nil { + //log.Error(err) + continue + } + users = append(users, u) + } + + return users +} + +func (oUser *OpenvpnUser) PrintUsers(all bool) { + ul := oUser.listUsers(all) + if len(ul) > 0 { + w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', tabwriter.TabIndent|tabwriter.Debug) + _, _ = fmt.Fprintln(w, "id\t username\t revoked\t deleted\t app_configured") + for _, u := range ul { + _, _ = fmt.Fprintf(w, "%d\t %s\t %v\t %v\t %v\n", u.id, u.name, u.revoked, u.deleted, u.appConfigured) + } + _ = w.Flush() + } else { + log.Print("No users created yet") + } +} + +func (oUser *OpenvpnUser) ChangeUserPassword(username, password string) (string, error) { + hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) + _, err := oUser.Database.Exec("UPDATE users SET password = $1 WHERE username = $2", hash, username) + if err != nil { + return "", err + } + + return "Password changed", nil +} + +func (oUser *OpenvpnUser) RegisterOtpSecret(username, secret string) (string, error) { + if oUser.userIsActive(username) { + if secret == "generate" { + randomStr := randStr(6, "alphanum") + + secret = base32.StdEncoding.EncodeToString([]byte(randomStr)) + log.Debug("new generated secret for user %s: %s", username, secret) + } + + _, err := oUser.Database.Exec("UPDATE users SET secret = $1 WHERE username = $2", secret, username) + if err != nil { + return "", err + } + + return "Secret updated", nil + } + return "", userIsNotActiveError +} + +func (oUser *OpenvpnUser) RegisterOtpApplication(username, totp string) (string, error) { + if oUser.userIsActive(username) { + + appConfigured, appErr := oUser.IsSecondFactorEnabled(username) + if appErr != nil { + return "", appErr + } + if !appConfigured { + + authOk, authErr := oUser.AuthUser(username, "", totp) + if authErr != nil { + return "", authErr + } + if authOk { + _, err := oUser.Database.Exec("UPDATE users SET app_configured 
= 1 WHERE username = $2") + if err != nil { + return "", err + } + return "OTP application configured", nil + } + } + return "OTP application already configured", nil + } + return "", userIsNotActiveError +} + +func (oUser *OpenvpnUser) GetUserOtpSecret(username string) (string, error) { + if oUser.userIsActive(username) { + u := User{} + _ = oUser.Database.QueryRow("SELECT secret FROM users WHERE username = $1", username).Scan(&u.secret) + + return u.secret, nil + } + return "", userIsNotActiveError +} +func (oUser *OpenvpnUser) IsSecondFactorEnabled(username string) (bool, error) { + if oUser.userIsActive(username) { + u := User{} + _ = oUser.Database.QueryRow("SELECT username, appConfigured FROM users WHERE username = $1", username).Scan(&u.name, &u.appConfigured) + if u.name == username { + return u.appConfigured, nil + } + return false, checkAppError + } + return false, userIsNotActiveError +} + +func (oUser *OpenvpnUser) AuthUser(username, password, totp string) (bool, error) { + + row := oUser.Database.QueryRow("SELECT id, username, password, revoked, deleted, secret, app_configured FROM users WHERE username = $1", username) + u := User{} + err := row.Scan(&u.id, &u.name, &u.password, &u.revoked, &u.deleted, &u.secret, &u.appConfigured) + if err != nil { + return false, err + } + + if oUser.userIsActive(username) { + if password == "" && len(totp) > 0 { + if len(u.secret) == 0 { + return false, userSecretDoesNotExistError + } + + otpConfig := &dgoogauth.OTPConfig{ + Secret: strings.TrimSpace(u.secret), + WindowSize: 3, + HotpCounter: 0, + } + + trimmedToken := strings.TrimSpace(totp) + + ok, err := otpConfig.Authenticate(trimmedToken) + + if err != nil { + log.Error(err) + } + if ok { + return true, nil + } else { + return false, tokenMismatchedError + } + + } else if len(password) > 0 && totp == "" { + err = bcrypt.CompareHashAndPassword([]byte(u.password), []byte(password)) + if err != nil { + return false, passwordMismatchedError + } else { + return true, 
nil
+
+ }
+ }
+ }
+ return false, userIsNotActiveError
+
+}
+
+func (oUser *OpenvpnUser) MigrateDb() {
+ var c int
+ var migrations []Migration
+
+ migrations = append(migrations, Migration{name: "users_add_secret_column_2022_11_10", sql: "ALTER TABLE users ADD COLUMN secret string"})
+ migrations = append(migrations, Migration{name: "users_add_2fa_column_2022_11_11", sql: "ALTER TABLE users ADD COLUMN app_configured integer default 0"})
+
+ for _, migration := range migrations {
+ c = -1
+ err := oUser.Database.QueryRow("SELECT count(*) FROM migrations WHERE name = $1", migration.name).Scan(&c)
+ if err != nil {
+ if err == sql.ErrNoRows {
+ continue
+ }
+ log.Fatal(err)
+ }
+ if c == 0 {
+ log.Info("Migrating database with new migration %s\n", migration.name)
+ _, err = oUser.Database.Exec(migration.sql)
+ checkErr(err)
+ _, err = oUser.Database.Exec("INSERT INTO migrations(name) VALUES ($1)", migration.name)
+ checkErr(err)
+ }
+ }
+ log.Info("Migrations are up to date")
+}
+
+func checkErr(err error) {
+ if err != nil {
+ fmt.Println(err)
+ }
+}
diff --git a/src/errors.go b/src/errors.go
new file mode 100644
index 0000000..8faa7da
--- /dev/null
+++ b/src/errors.go
@@ -0,0 +1,16 @@
+package src
+
+import "errors"
+
+var (
+ userSecretDoesNotExistError = errors.New("user secret does not exist")
+ userAlreadyExistError = errors.New("user already exist")
+ userDeletedError = errors.New("user marked as deleted")
+ userRestoreError = errors.New("failed to restore user")
+ userRevokeError = errors.New("failed to revoke user")
+ userDeleteError = errors.New("failed to delete user")
+ userIsNotActiveError = errors.New("user is not active")
+ passwordMismatchedError = errors.New("password mismatched")
+ tokenMismatchedError = errors.New("token mismatched")
+ checkAppError = errors.New("failed to check 2FA app")
+)
diff --git a/src/models.go b/src/models.go
new file mode 100644
index 0000000..37e7ea5
--- /dev/null
+++ b/src/models.go
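Review bot: `CreateUser` and `ChangeUserPassword` hash with `bcrypt.MinCost` (cost 4), which makes offline guessing against a leaked users database cheap; use `bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)` in both and check the returned error instead of `hash, _ :=`. `IsSecondFactorEnabled` selects `appConfigured`, but the column added by the migration in `MigrateDb` is `app_configured`, so the query fails, the ignored `Scan` error leaves `u.name` empty and the method always returns `checkAppError`, which means `check-app` never works and `RegisterOtpApplication` never reaches its `UPDATE`. That `UPDATE` is itself broken, since `WHERE username = $2` is executed with no arguments; it should read `"UPDATE users SET app_configured = 1 WHERE username = $1", username)`. `RegisterOtpSecret` writes the freshly generated enrollment secret to the log via `log.Debug("new generated secret for user %s: %s", username, secret)`, which is not a formatting call (`Debugf` is) and should not carry the secret at all. `CreateUser` now inserts into `secret` and `app_configured`, neither of which `InitDb` creates, so `create` fails on a freshly initialized database until `db-migrate` has been run.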
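Review bot: The sentinel errors in errors.go use an `xxxError` suffix, whereas Go names error values with an `err`/`Err` prefix (`errUserAlreadyExists`, `errTokenMismatched`) so they read distinctly from error types; the rename is mechanical since every use is in src/commands.go within this commit. A few messages are also ungrammatical, e.g. `"user already exist"` should be `"user already exists"`.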
@@ -0,0 +1,23 @@
+package src
+
+import "database/sql"
+
+type OpenvpnUser struct {
+ Database *sql.DB
+}
+
+type Migration struct {
+ id int64
+ name string
+ sql string
+}
+
+type User struct {
+ id int64
+ name string
+ password string
+ revoked bool
+ deleted bool
+ secret string
+ appConfigured bool
+}
diff --git a/src/utils.go b/src/utils.go
new file mode 100644
index 0000000..9ebc26f
--- /dev/null
+++ b/src/utils.go
@@ -0,0 +1,27 @@
+package src
+
+import "crypto/rand"
+
+func randStr(strSize int, randType string) string {
+
+ var dictionary string
+
+ if randType == "alphanum" {
+ dictionary = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+ }
+
+ if randType == "alpha" {
+ dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+ }
+
+ if randType == "number" {
+ dictionary = "0123456789"
+ }
+
+ var bytes = make([]byte, strSize)
+ rand.Read(bytes)
+ for k, v := range bytes {
+ bytes[k] = dictionary[v%byte(len(dictionary))]
+ }
+ return string(bytes)
+}
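Review bot: `randStr` is the only source of TOTP seeds (`RegisterOtpSecret` in src/commands.go calls `randStr(6, "alphanum")`), and six symbols from a 62-character alphabet give roughly 36 bits of entropy, far below the 128 bits RFC 4226 requires for an HOTP/TOTP shared secret. Generate the seed as raw bytes instead, e.g. `seed := make([]byte, 20); if _, err := rand.Read(seed); err != nil { return "", err }`, and base32-encode `seed` directly, which also removes the `v%byte(len(dictionary))` modulo bias (256 is not a multiple of 62). As written, the result of `rand.Read(bytes)` is discarded, so a failed read may silently produce a seed built from zero bytes. An unrecognised `randType` leaves `dictionary` empty and the index expression then panics with a divide by zero.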