mirror of https://github.com/gophish/gophish
365 lines
12 KiB
Go
365 lines
12 KiB
Go
package controllers
|
|
|
|
import (
|
|
"compress/gzip"
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/base64"
|
|
"html/template"
|
|
"net/http"
|
|
"net/url"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/NYTimes/gziphandler"
|
|
"github.com/gophish/gophish/auth"
|
|
"github.com/gophish/gophish/config"
|
|
ctx "github.com/gophish/gophish/context"
|
|
"github.com/gophish/gophish/controllers/api"
|
|
log "github.com/gophish/gophish/logger"
|
|
mid "github.com/gophish/gophish/middleware"
|
|
"github.com/gophish/gophish/models"
|
|
"github.com/gophish/gophish/util"
|
|
"github.com/gophish/gophish/worker"
|
|
"github.com/gorilla/csrf"
|
|
"github.com/gorilla/handlers"
|
|
"github.com/gorilla/mux"
|
|
"github.com/gorilla/sessions"
|
|
"github.com/jordan-wright/unindexed"
|
|
)
|
|
|
|
// AdminServerOption is a functional option that is used to configure the
|
|
// admin server
|
|
type AdminServerOption func(*AdminServer)
|
|
|
|
// AdminServer is an HTTP server that implements the administrative Gophish
|
|
// handlers, including the dashboard and REST API.
|
|
type AdminServer struct {
|
|
server *http.Server
|
|
worker worker.Worker
|
|
config config.AdminServer
|
|
}
|
|
|
|
// WithWorker is an option that sets the background worker.
|
|
func WithWorker(w worker.Worker) AdminServerOption {
|
|
return func(as *AdminServer) {
|
|
as.worker = w
|
|
}
|
|
}
|
|
|
|
// NewAdminServer returns a new instance of the AdminServer with the
|
|
// provided config and options applied.
|
|
func NewAdminServer(config config.AdminServer, options ...AdminServerOption) *AdminServer {
|
|
defaultWorker, _ := worker.New()
|
|
defaultServer := &http.Server{
|
|
ReadTimeout: 10 * time.Second,
|
|
Addr: config.ListenURL,
|
|
}
|
|
as := &AdminServer{
|
|
worker: defaultWorker,
|
|
server: defaultServer,
|
|
config: config,
|
|
}
|
|
for _, opt := range options {
|
|
opt(as)
|
|
}
|
|
as.registerRoutes()
|
|
return as
|
|
}
|
|
|
|
// Start launches the admin server, listening on the configured address.
|
|
func (as *AdminServer) Start() {
|
|
if as.worker != nil {
|
|
go as.worker.Start()
|
|
}
|
|
if as.config.UseTLS {
|
|
// Only support TLS 1.2 and above - ref #1691, #1689
|
|
as.server.TLSConfig = &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
err := util.CheckAndCreateSSL(as.config.CertPath, as.config.KeyPath)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
log.Infof("Starting admin server at https://%s", as.config.ListenURL)
|
|
log.Fatal(as.server.ListenAndServeTLS(as.config.CertPath, as.config.KeyPath))
|
|
}
|
|
// If TLS isn't configured, just listen on HTTP
|
|
log.Infof("Starting admin server at http://%s", as.config.ListenURL)
|
|
log.Fatal(as.server.ListenAndServe())
|
|
}
|
|
|
|
// Shutdown attempts to gracefully shutdown the server.
|
|
func (as *AdminServer) Shutdown() error {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
|
|
defer cancel()
|
|
return as.server.Shutdown(ctx)
|
|
}
|
|
|
|
// SetupAdminRoutes creates the routes for handling requests to the web interface.
|
|
// This function returns an http.Handler to be used in http.ListenAndServe().
|
|
func (as *AdminServer) registerRoutes() {
|
|
router := mux.NewRouter()
|
|
// Base Front-end routes
|
|
router.HandleFunc("/", mid.Use(as.Base, mid.RequireLogin))
|
|
router.HandleFunc("/login", as.Login)
|
|
router.HandleFunc("/logout", mid.Use(as.Logout, mid.RequireLogin))
|
|
router.HandleFunc("/campaigns", mid.Use(as.Campaigns, mid.RequireLogin))
|
|
router.HandleFunc("/campaigns/{id:[0-9]+}", mid.Use(as.CampaignID, mid.RequireLogin))
|
|
router.HandleFunc("/templates", mid.Use(as.Templates, mid.RequireLogin))
|
|
router.HandleFunc("/groups", mid.Use(as.Groups, mid.RequireLogin))
|
|
router.HandleFunc("/landing_pages", mid.Use(as.LandingPages, mid.RequireLogin))
|
|
router.HandleFunc("/sending_profiles", mid.Use(as.SendingProfiles, mid.RequireLogin))
|
|
router.HandleFunc("/settings", mid.Use(as.Settings, mid.RequireLogin))
|
|
router.HandleFunc("/users", mid.Use(as.UserManagement, mid.RequirePermission(models.PermissionModifySystem), mid.RequireLogin))
|
|
router.HandleFunc("/webhooks", mid.Use(as.Webhooks, mid.RequirePermission(models.PermissionModifySystem), mid.RequireLogin))
|
|
router.HandleFunc("/reported", mid.Use(as.Reported, mid.RequireLogin))
|
|
router.HandleFunc("/reported/attachment/{id:[0-9]+}", mid.Use(as.ReportedEmailAttachment, mid.RequireLogin))
|
|
|
|
// Create the API routes
|
|
api := api.NewServer(api.WithWorker(as.worker))
|
|
router.PathPrefix("/api/").Handler(api)
|
|
|
|
// Setup static file serving
|
|
router.PathPrefix("/").Handler(http.FileServer(unindexed.Dir("./static/")))
|
|
|
|
// Setup CSRF Protection
|
|
csrfHandler := csrf.Protect([]byte(util.GenerateSecureKey()),
|
|
csrf.FieldName("csrf_token"),
|
|
csrf.Secure(as.config.UseTLS))
|
|
adminHandler := csrfHandler(router)
|
|
adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext)
|
|
|
|
// Setup GZIP compression
|
|
gzipWrapper, _ := gziphandler.NewGzipLevelHandler(gzip.BestCompression)
|
|
adminHandler = gzipWrapper(adminHandler)
|
|
|
|
// Setup logging
|
|
adminHandler = handlers.CombinedLoggingHandler(log.Writer(), adminHandler)
|
|
as.server.Handler = adminHandler
|
|
}
|
|
|
|
type templateParams struct {
|
|
Title string
|
|
Flashes []interface{}
|
|
User models.User
|
|
Token string
|
|
Version string
|
|
ModifySystem bool
|
|
}
|
|
|
|
// newTemplateParams returns the default template parameters for a user and
|
|
// the CSRF token.
|
|
func newTemplateParams(r *http.Request) templateParams {
|
|
user := ctx.Get(r, "user").(models.User)
|
|
modifySystem, _ := user.HasPermission(models.PermissionModifySystem)
|
|
return templateParams{
|
|
Token: csrf.Token(r),
|
|
User: user,
|
|
ModifySystem: modifySystem,
|
|
Version: config.Version,
|
|
}
|
|
}
|
|
|
|
// Base handles the default path and template execution
|
|
func (as *AdminServer) Base(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Dashboard"
|
|
getTemplate(w, "dashboard").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Campaigns handles the default path and template execution
|
|
func (as *AdminServer) Campaigns(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Campaigns"
|
|
getTemplate(w, "campaigns").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// CampaignID handles the default path and template execution
|
|
func (as *AdminServer) CampaignID(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Campaign Results"
|
|
getTemplate(w, "campaign_results").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Templates handles the default path and template execution
|
|
func (as *AdminServer) Templates(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Email Templates"
|
|
getTemplate(w, "templates").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Groups handles the default path and template execution
|
|
func (as *AdminServer) Groups(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Users & Groups"
|
|
getTemplate(w, "groups").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// LandingPages handles the default path and template execution
|
|
func (as *AdminServer) LandingPages(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Landing Pages"
|
|
getTemplate(w, "landing_pages").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// SendingProfiles handles the default path and template execution
|
|
func (as *AdminServer) SendingProfiles(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Sending Profiles"
|
|
getTemplate(w, "sending_profiles").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Settings handles the changing of settings
|
|
func (as *AdminServer) Settings(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case r.Method == "GET":
|
|
params := newTemplateParams(r)
|
|
params.Title = "Settings"
|
|
getTemplate(w, "settings").ExecuteTemplate(w, "base", params)
|
|
case r.Method == "POST":
|
|
err := auth.ChangePassword(r)
|
|
msg := models.Response{Success: true, Message: "Settings Updated Successfully"}
|
|
if err == auth.ErrInvalidPassword {
|
|
msg.Message = "Invalid Password"
|
|
msg.Success = false
|
|
api.JSONResponse(w, msg, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if err != nil {
|
|
msg.Message = err.Error()
|
|
msg.Success = false
|
|
api.JSONResponse(w, msg, http.StatusBadRequest)
|
|
return
|
|
}
|
|
api.JSONResponse(w, msg, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
// UserManagement is an admin-only handler that allows for the registration
|
|
// and management of user accounts within Gophish.
|
|
func (as *AdminServer) UserManagement(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "User Management"
|
|
getTemplate(w, "users").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Webhooks is an admin-only handler that handles webhooks
|
|
func (as *AdminServer) Webhooks(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Webhooks"
|
|
getTemplate(w, "webhooks").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// Reported handles the display of user reported emails that aren't Gophish campaigns
|
|
func (as *AdminServer) Reported(w http.ResponseWriter, r *http.Request) {
|
|
params := newTemplateParams(r)
|
|
params.Title = "Reported Emails"
|
|
getTemplate(w, "reported").ExecuteTemplate(w, "base", params)
|
|
}
|
|
|
|
// ReportedEmailAttachment retrieves an attachment by id
|
|
func (as *AdminServer) ReportedEmailAttachment(w http.ResponseWriter, r *http.Request) {
|
|
vars := mux.Vars(r)
|
|
user := ctx.Get(r, "user").(models.User)
|
|
attID, _ := strconv.ParseInt(vars["id"], 0, 64)
|
|
|
|
att, err := models.GetReportedEmailAttachment(user.Id, attID)
|
|
if err != nil {
|
|
log.Error(err)
|
|
w.Write([]byte("Unable to query attachment"))
|
|
} else {
|
|
|
|
data, err := base64.StdEncoding.DecodeString(att.Content)
|
|
if err != nil {
|
|
w.Write([]byte("Unable to load attachment"))
|
|
} else {
|
|
w.Header().Set("Content-Type", att.Header)
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write(data)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Login handles the authentication flow for a user. If credentials are valid,
|
|
// a session is created
|
|
func (as *AdminServer) Login(w http.ResponseWriter, r *http.Request) {
|
|
params := struct {
|
|
User models.User
|
|
Title string
|
|
Flashes []interface{}
|
|
Token string
|
|
}{Title: "Login", Token: csrf.Token(r)}
|
|
session := ctx.Get(r, "session").(*sessions.Session)
|
|
switch {
|
|
case r.Method == "GET":
|
|
params.Flashes = session.Flashes()
|
|
session.Save(r, w)
|
|
templates := template.New("template")
|
|
_, err := templates.ParseFiles("templates/login.html", "templates/flashes.html")
|
|
if err != nil {
|
|
log.Error(err)
|
|
}
|
|
template.Must(templates, err).ExecuteTemplate(w, "base", params)
|
|
case r.Method == "POST":
|
|
//Attempt to login
|
|
succ, u, err := auth.Login(r)
|
|
if err != nil {
|
|
log.Error(err)
|
|
}
|
|
//If we've logged in, save the session and redirect to the dashboard
|
|
if succ {
|
|
session.Values["id"] = u.Id
|
|
session.Save(r, w)
|
|
next := "/"
|
|
url, err := url.Parse(r.FormValue("next"))
|
|
if err == nil {
|
|
path := url.Path
|
|
if path != "" {
|
|
next = path
|
|
}
|
|
}
|
|
http.Redirect(w, r, next, 302)
|
|
} else {
|
|
Flash(w, r, "danger", "Invalid Username/Password")
|
|
params.Flashes = session.Flashes()
|
|
session.Save(r, w)
|
|
templates := template.New("template")
|
|
_, err := templates.ParseFiles("templates/login.html", "templates/flashes.html")
|
|
if err != nil {
|
|
log.Error(err)
|
|
}
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
template.Must(templates, err).ExecuteTemplate(w, "base", params)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Logout destroys the current user session
|
|
func (as *AdminServer) Logout(w http.ResponseWriter, r *http.Request) {
|
|
session := ctx.Get(r, "session").(*sessions.Session)
|
|
delete(session.Values, "id")
|
|
Flash(w, r, "success", "You have successfully logged out")
|
|
session.Save(r, w)
|
|
http.Redirect(w, r, "/login", 302)
|
|
}
|
|
|
|
func getTemplate(w http.ResponseWriter, tmpl string) *template.Template {
|
|
templates := template.New("template")
|
|
_, err := templates.ParseFiles("templates/base.html", "templates/nav.html", "templates/"+tmpl+".html", "templates/flashes.html")
|
|
if err != nil {
|
|
log.Error(err)
|
|
}
|
|
return template.Must(templates, err)
|
|
}
|
|
|
|
// Flash handles the rendering flash messages
|
|
func Flash(w http.ResponseWriter, r *http.Request, t string, m string) {
|
|
session := ctx.Get(r, "session").(*sessions.Session)
|
|
session.AddFlash(models.Flash{
|
|
Type: t,
|
|
Message: m,
|
|
})
|
|
}
|