2014-01-09 06:42:05 +00:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2014-06-02 04:14:05 +00:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2014-01-09 06:42:05 +00:00
|
|
|
"net/http"
|
2016-09-15 03:24:51 +00:00
|
|
|
"strings"
|
2014-01-09 23:18:49 +00:00
|
|
|
|
2016-09-15 03:24:51 +00:00
|
|
|
ctx "github.com/gophish/gophish/context"
|
2016-01-10 17:03:17 +00:00
|
|
|
"github.com/gophish/gophish/models"
|
2016-09-15 03:24:51 +00:00
|
|
|
"github.com/gorilla/csrf"
|
2014-01-09 06:42:05 +00:00
|
|
|
)
|
|
|
|
|
2018-12-16 03:38:51 +00:00
|
|
|
// CSRFExemptPrefixes are a list of routes that are exempt from CSRF protection
|
2016-09-15 03:24:51 +00:00
|
|
|
var CSRFExemptPrefixes = []string{
|
|
|
|
"/api",
|
|
|
|
}
|
|
|
|
|
2018-12-16 03:38:51 +00:00
|
|
|
// CSRFExceptions is a middleware that prevents CSRF checks on routes listed in
|
|
|
|
// CSRFExemptPrefixes.
|
2016-09-15 03:24:51 +00:00
|
|
|
func CSRFExceptions(handler http.Handler) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
for _, prefix := range CSRFExemptPrefixes {
|
|
|
|
if strings.HasPrefix(r.URL.Path, prefix) {
|
|
|
|
r = csrf.UnsafeSkipCheck(r)
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
handler.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-05-31 18:58:18 +00:00
|
|
|
// Use allows us to stack middleware to process the request
|
|
|
|
// Example taken from https://github.com/gorilla/mux/pull/36#issuecomment-25849172
|
|
|
|
func Use(handler http.HandlerFunc, mid ...func(http.Handler) http.HandlerFunc) http.HandlerFunc {
|
|
|
|
for _, m := range mid {
|
|
|
|
handler = m(handler)
|
|
|
|
}
|
|
|
|
return handler
|
|
|
|
}
|
|
|
|
|
2014-01-09 06:42:05 +00:00
|
|
|
// GetContext wraps each request in a function which fills in the context for a given request.
|
|
|
|
// This includes setting the User and Session keys and values as necessary for use in later functions.
|
2014-01-11 04:37:42 +00:00
|
|
|
func GetContext(handler http.Handler) http.HandlerFunc {
|
2014-01-09 06:42:05 +00:00
|
|
|
// Set the context here
|
2014-01-11 04:37:42 +00:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2014-02-04 21:23:09 +00:00
|
|
|
// Parse the request form
|
|
|
|
err := r.ParseForm()
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, "Error parsing request", http.StatusInternalServerError)
|
|
|
|
}
|
2014-01-09 23:18:49 +00:00
|
|
|
// Set the context appropriately here.
|
2014-01-10 03:21:54 +00:00
|
|
|
// Set the session
|
2019-05-31 18:58:18 +00:00
|
|
|
session, _ := Store.Get(r, "gophish")
|
2016-09-15 03:24:51 +00:00
|
|
|
// Put the session in the context so that we can
|
|
|
|
// reuse the values in different handlers
|
|
|
|
r = ctx.Set(r, "session", session)
|
2014-01-10 04:21:12 +00:00
|
|
|
if id, ok := session.Values["id"]; ok {
|
2014-03-25 03:31:33 +00:00
|
|
|
u, err := models.GetUser(id.(int64))
|
2014-01-10 04:21:12 +00:00
|
|
|
if err != nil {
|
2016-09-15 03:24:51 +00:00
|
|
|
r = ctx.Set(r, "user", nil)
|
2014-06-02 04:38:21 +00:00
|
|
|
} else {
|
2016-09-15 03:24:51 +00:00
|
|
|
r = ctx.Set(r, "user", u)
|
2014-01-10 04:21:12 +00:00
|
|
|
}
|
|
|
|
} else {
|
2016-09-15 03:24:51 +00:00
|
|
|
r = ctx.Set(r, "user", nil)
|
2014-01-10 04:21:12 +00:00
|
|
|
}
|
2014-01-09 06:42:05 +00:00
|
|
|
handler.ServeHTTP(w, r)
|
2014-01-10 03:21:54 +00:00
|
|
|
// Remove context contents
|
2014-01-09 23:18:49 +00:00
|
|
|
ctx.Clear(r)
|
2014-01-11 04:37:42 +00:00
|
|
|
}
|
2014-01-09 06:42:05 +00:00
|
|
|
}
|
|
|
|
|
2021-05-05 10:24:47 +00:00
|
|
|
// RequireAPIKey ensures that a valid API key or login cookie is set
|
2018-12-15 21:42:32 +00:00
|
|
|
func RequireAPIKey(handler http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2014-02-11 06:14:58 +00:00
|
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
|
|
if r.Method == "OPTIONS" {
|
2021-01-24 20:01:40 +00:00
|
|
|
w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
|
2014-02-11 06:14:58 +00:00
|
|
|
w.Header().Set("Access-Control-Max-Age", "1000")
|
|
|
|
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
|
|
|
|
return
|
|
|
|
}
|
2018-04-21 17:19:58 +00:00
|
|
|
r.ParseForm()
|
|
|
|
ak := r.Form.Get("api_key")
|
2021-05-05 10:24:47 +00:00
|
|
|
// If we can't get the API key, we'll also check if user is logged in
|
|
|
|
// via the web interface
|
2018-04-21 17:19:58 +00:00
|
|
|
if ak == "" {
|
2021-05-05 10:24:47 +00:00
|
|
|
if u := ctx.Get(r, "user"); u != nil {
|
|
|
|
ak = u.(models.User).ApiKey
|
2018-04-21 17:19:58 +00:00
|
|
|
}
|
|
|
|
}
|
2014-01-31 04:46:25 +00:00
|
|
|
if ak == "" {
|
2021-05-12 14:26:21 +00:00
|
|
|
JSONError(w, http.StatusUnauthorized, "Logged out") //API Key not set
|
2017-01-19 02:12:25 +00:00
|
|
|
return
|
2014-01-31 04:46:25 +00:00
|
|
|
}
|
2018-04-21 17:19:58 +00:00
|
|
|
u, err := models.GetUserByAPIKey(ak)
|
|
|
|
if err != nil {
|
2018-12-15 21:42:32 +00:00
|
|
|
JSONError(w, http.StatusUnauthorized, "Invalid API Key")
|
2018-04-21 17:19:58 +00:00
|
|
|
return
|
|
|
|
}
|
2019-02-20 02:33:50 +00:00
|
|
|
r = ctx.Set(r, "user", u)
|
2018-04-21 17:19:58 +00:00
|
|
|
r = ctx.Set(r, "user_id", u.Id)
|
|
|
|
r = ctx.Set(r, "api_key", ak)
|
|
|
|
handler.ServeHTTP(w, r)
|
2018-12-15 21:42:32 +00:00
|
|
|
})
|
2014-01-31 04:46:25 +00:00
|
|
|
}
|
|
|
|
|
2019-02-20 02:33:50 +00:00
|
|
|
// RequireLogin checks to see if the user is currently logged in.
|
2014-01-09 06:42:05 +00:00
|
|
|
// If not, the function returns a 302 redirect to the login page.
|
2014-01-11 04:37:42 +00:00
|
|
|
func RequireLogin(handler http.Handler) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2014-01-10 04:21:12 +00:00
|
|
|
if u := ctx.Get(r, "user"); u != nil {
|
2020-06-20 03:03:51 +00:00
|
|
|
// If a password change is required for the user, then redirect them
|
|
|
|
// to the login page
|
|
|
|
currentUser := u.(models.User)
|
|
|
|
if currentUser.PasswordChangeRequired && r.URL.Path != "/reset_password" {
|
|
|
|
q := r.URL.Query()
|
|
|
|
q.Set("next", r.URL.Path)
|
|
|
|
http.Redirect(w, r, fmt.Sprintf("/reset_password?%s", q.Encode()), http.StatusTemporaryRedirect)
|
|
|
|
return
|
|
|
|
}
|
2014-01-10 04:21:12 +00:00
|
|
|
handler.ServeHTTP(w, r)
|
2019-05-31 18:58:18 +00:00
|
|
|
return
|
2014-01-10 04:21:12 +00:00
|
|
|
}
|
2019-05-31 18:58:18 +00:00
|
|
|
q := r.URL.Query()
|
|
|
|
q.Set("next", r.URL.Path)
|
|
|
|
http.Redirect(w, r, fmt.Sprintf("/login?%s", q.Encode()), http.StatusTemporaryRedirect)
|
2014-01-11 04:37:42 +00:00
|
|
|
}
|
2014-01-09 06:42:05 +00:00
|
|
|
}
|
2014-01-31 04:46:25 +00:00
|
|
|
|
2019-02-20 02:33:50 +00:00
|
|
|
// EnforceViewOnly is a global middleware that limits the ability to edit
|
|
|
|
// objects to accounts with the PermissionModifyObjects permission.
|
|
|
|
func EnforceViewOnly(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// If the request is for any non-GET HTTP method, e.g. POST, PUT,
|
|
|
|
// or DELETE, we need to ensure the user has the appropriate
|
|
|
|
// permission.
|
|
|
|
if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
|
|
|
|
user := ctx.Get(r, "user").(models.User)
|
|
|
|
access, err := user.HasPermission(models.PermissionModifyObjects)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !access {
|
|
|
|
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequirePermission checks to see if the user has the requested permission
|
|
|
|
// before executing the handler. If the request is unauthorized, a JSONError
|
|
|
|
// is returned.
|
|
|
|
func RequirePermission(perm string) func(http.Handler) http.HandlerFunc {
|
|
|
|
return func(next http.Handler) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
user := ctx.Get(r, "user").(models.User)
|
|
|
|
access, err := user.HasPermission(perm)
|
|
|
|
if err != nil {
|
|
|
|
JSONError(w, http.StatusInternalServerError, err.Error())
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !access {
|
|
|
|
JSONError(w, http.StatusForbidden, http.StatusText(http.StatusForbidden))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-20 15:39:23 +00:00
|
|
|
// ApplySecurityHeaders applies various security headers according to best-
|
|
|
|
// practices.
|
|
|
|
func ApplySecurityHeaders(next http.Handler) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
csp := "frame-ancestors 'none';"
|
|
|
|
w.Header().Set("Content-Security-Policy", csp)
|
|
|
|
w.Header().Set("X-Frame-Options", "DENY")
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-25 02:47:16 +00:00
|
|
|
// JSONError returns an error in JSON format with the given
|
|
|
|
// status code and message
|
2014-01-31 04:46:25 +00:00
|
|
|
func JSONError(w http.ResponseWriter, c int, m string) {
|
2014-06-02 04:14:05 +00:00
|
|
|
cj, _ := json.MarshalIndent(models.Response{Success: false, Message: m}, "", " ")
|
2017-01-19 02:12:25 +00:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
w.WriteHeader(c)
|
2014-06-02 04:14:05 +00:00
|
|
|
fmt.Fprintf(w, "%s", cj)
|
2014-01-31 04:46:25 +00:00
|
|
|
}
|