arozos/auth.go

package main

import (
	"crypto/rand"
	"encoding/json"
	"net/http"

	auth "imuslab.com/arozos/mod/auth"
	prout "imuslab.com/arozos/mod/prouter"
	"imuslab.com/arozos/mod/utils"
)

func AuthInit() {
	//Generate session key for authentication module if empty
	sysdb.NewTable("auth")
	if *session_key == "" {
		//Check if the key was generated already. If not, generate a new one
		if !sysdb.KeyExists("auth", "sessionkey") {
			key := make([]byte, 32)
			rand.Read(key)
			newSessionKey := string(key)
			sysdb.Write("auth", "sessionkey", newSessionKey)
			systemWideLogger.PrintAndLog("Auth", "New authentication session key generated", nil)
		} else {
			systemWideLogger.PrintAndLog("Auth", "Authentication session key loaded from database", nil)

		}
		skeyString := ""
		sysdb.Read("auth", "sessionkey", &skeyString)
		session_key = &skeyString
	}

	//Create an Authentication Agent
	authAgent = auth.NewAuthenticationAgent("ao_auth", []byte(*session_key), sysdb, *allow_public_registry, func(w http.ResponseWriter, r *http.Request) {
		//Login Redirection Handler, redirect it login.system
		w.Header().Set("Cache-Control", "no-cache, no-store, no-transform, must-revalidate, private, max-age=0")
		http.Redirect(w, r, utils.ConstructRelativePathFromRequestURL(r.RequestURI, "login.system")+"?redirect="+r.URL.Path, http.StatusTemporaryRedirect)
	})

	if *allow_autologin {
		authAgent.AllowAutoLogin = true
	} else {
		//Default is false. But just in case
		authAgent.AllowAutoLogin = false
	}

	//Register the API endpoints for the authentication UI
	http.HandleFunc("/system/auth/login", authAgent.HandleLogin)
	http.HandleFunc("/system/auth/logout", authAgent.HandleLogout)
	http.HandleFunc("/system/auth/register", authAgent.HandleRegister)
	http.HandleFunc("/system/auth/checkLogin", authAgent.CheckLogin)
	http.HandleFunc("/api/auth/login", authAgent.HandleAutologinTokenLogin)

	authAgent.LoadAutologinTokenFromDB()
}

func AuthSettingsInit() {
	//Authentication related settings
	adminRouter := prout.NewModuleRouter(prout.RouterOption{
		ModuleName:  "System Setting",
		AdminOnly:   true,
		UserHandler: userHandler,
		DeniedHandler: func(w http.ResponseWriter, r *http.Request) {
			utils.SendErrorResponse(w, "Permission Denied")
		},
	})

	//Handle additional batch operations
	adminRouter.HandleFunc("/system/auth/csvimport", authAgent.HandleCreateUserAccountsFromCSV)
	adminRouter.HandleFunc("/system/auth/groupdel", authAgent.HandleUserDeleteByGroup)

	//System for logging and displaying login user information
	registerSetting(settingModule{
		Name:         "Connection Log",
		Desc:         "Logs for login attempts",
		IconPath:     "SystemAO/security/img/small_icon.png",
		Group:        "Security",
		StartDir:     "SystemAO/security/connlog.html",
		RequireAdmin: true,
	})

	adminRouter.HandleFunc("/system/auth/logger/index", authAgent.Logger.HandleIndexListing)
	adminRouter.HandleFunc("/system/auth/logger/list", authAgent.Logger.HandleTableListing)

	//Blacklist Management
	registerSetting(settingModule{
		Name:         "Access Control",
		Desc:         "Prevent / Allow certain IP ranges from logging in",
		IconPath:     "SystemAO/security/img/small_icon.png",
		Group:        "Security",
		StartDir:     "SystemAO/security/accesscontrol.html",
		RequireAdmin: true,
	})

	//Whitelist API
	adminRouter.HandleFunc("/system/auth/whitelist/enable", authAgent.WhitelistManager.HandleSetWhitelistEnable)
	adminRouter.HandleFunc("/system/auth/whitelist/list", authAgent.WhitelistManager.HandleListWhitelistedIPs)
	adminRouter.HandleFunc("/system/auth/whitelist/set", authAgent.WhitelistManager.HandleAddWhitelistedIP)
	adminRouter.HandleFunc("/system/auth/whitelist/unset", authAgent.WhitelistManager.HandleRemoveWhitelistedIP)

	//Blacklist API
	adminRouter.HandleFunc("/system/auth/blacklist/enable", authAgent.BlacklistManager.HandleSetBlacklistEnable)
	adminRouter.HandleFunc("/system/auth/blacklist/list", authAgent.BlacklistManager.HandleListBannedIPs)
	adminRouter.HandleFunc("/system/auth/blacklist/ban", authAgent.BlacklistManager.HandleAddBannedIP)
	adminRouter.HandleFunc("/system/auth/blacklist/unban", authAgent.BlacklistManager.HandleRemoveBannedIP)

	//Register nightly task for clearup all user retry counter
	nightlyManager.RegisterNightlyTask(authAgent.ExpDelayHandler.ResetAllUserRetryCounter)

	//Register nightly task for clearup all expired switchable account pools
	nightlyManager.RegisterNightlyTask(authAgent.SwitchableAccountManager.RunNightlyCleanup)

	/*
		Account switching functions
	*/

	//Register the APIs for account switching functions
	userRouter := prout.NewModuleRouter(prout.RouterOption{
		AdminOnly:   false,
		UserHandler: userHandler,
		DeniedHandler: func(w http.ResponseWriter, r *http.Request) {
			utils.SendErrorResponse(w, "Permission Denied")
		},
	})

	userRouter.HandleFunc("/system/auth/u/list", authAgent.SwitchableAccountManager.HandleSwitchableAccountListing)
	userRouter.HandleFunc("/system/auth/u/switch", authAgent.SwitchableAccountManager.HandleAccountSwitch)
	userRouter.HandleFunc("/system/auth/u/logoutAll", authAgent.SwitchableAccountManager.HandleLogoutAllAccounts)

	//API for not logged in pool check
	http.HandleFunc("/system/auth/u/p/list", func(w http.ResponseWriter, r *http.Request) {
		type ResumableSessionAccount struct {
			Username     string
			ProfileImage string
		}
		resp := ResumableSessionAccount{}
		sessionOwnerName := authAgent.SwitchableAccountManager.GetUnauthedSwitchableAccountCreatorList(w, r)
		resp.Username = sessionOwnerName
		if sessionOwnerName != "" {
			u, err := userHandler.GetUserInfoFromUsername(sessionOwnerName)
			if err == nil {
				resp.ProfileImage = u.GetUserIcon()
			}
		}

		js, _ := json.Marshal(resp)
		utils.SendJSONResponse(w, string(js))
	})
}