Do not assign broadcast address when determining ip address, add start of client ui redesign

Author: NHAS

adminui/frontend/postcss.config.js

@@ -1,6 +1,6 @@
-export default {
+module.exports = {
   plugins: {
     tailwindcss: {},
     autoprefixer: {},
   },
-}
+}

internal/data/dhcp.go

@@ -102,7 +102,7 @@ func getNextIP(subnet string) (string, error) {
 		}
 
 		addr = incrementIP(addr, 1)
-		if cidr.Contains(addr) {
+		if cidr.Contains(addr) && !broadcastAddr(cidr).Equal(addr) {
 			continue
 		} else {
 			addr = incrementIP(cidr.IP, 1)
@@ -115,3 +115,22 @@ func getNextIP(subnet string) (string, error) {
 	}
 
 }
+
+// https://github.com/IBM/netaddr/blob/master/net_utils.go#L73
+func broadcastAddr(n *net.IPNet) net.IP {
+	// The golang net package doesn't make it easy to calculate the broadcast address. :(
+	var broadcast net.IP
+	switch len(n.IP) {
+	case 4:
+		broadcast = net.ParseIP("0.0.0.0").To4()
+	case 16:
+		broadcast = net.ParseIP("::")
+	default:
+		panic("Bad value for size")
+	}
+
+	for i := 0; i < len(n.IP); i++ {
+		broadcast[i] = n.IP[i] | ^n.Mask[i]
+	}
+	return broadcast
+}

internal/mfaportal/authenticators/authenticators.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"slices"
 	"sort"
 	"sync"
 
@@ -55,7 +56,7 @@ func EnableMethods(method ...types.MFA) {
 	}
 }
 
-func ReinitaliseMethods(firewall *router.Firewall, method ...types.MFA) ([]types.MFA, error) {
+func ReinitaliseMethods(method ...types.MFA) ([]types.MFA, error) {
 	lck.Lock()
 	defer lck.Unlock()
 
@@ -64,7 +65,7 @@ func ReinitaliseMethods(firewall *router.Firewall, method ...types.MFA) ([]types
 	var errRet error
 	for _, m := range method {
 		if a, ok := allMfa[m]; ok {
-			err := a.Init(firewall)
+			err := a.ReloadSettings()
 			if err != nil {
 				if errRet == nil {
 					errRet = fmt.Errorf("%s failed to init: %s", m, err)
@@ -112,6 +113,7 @@ func GetAllEnabledMethods() (r []Authenticator) {
 	return
 }
 
+// GetAllAvaliableMethods returns All implemented authenticators in wag
 func GetAllAvaliableMethods() (r []Authenticator) {
 	lck.RLock()
 	defer lck.RUnlock()
@@ -133,69 +135,55 @@ func AddMFARoutes(mux *http.ServeMux, firewall *router.Firewall) error {
 	lck.Lock()
 	defer lck.Unlock()
 
-	for method, handler := range allMfa {
-		mux.HandleFunc("GET /authorise/"+string(method)+"/", checkEnabled(handler, handler.AuthorisationAPI))
-		mux.HandleFunc("POST /authorise/"+string(method)+"/", checkEnabled(handler, handler.AuthorisationAPI))
-		mux.HandleFunc("GET /register_mfa/"+string(method)+"/", checkEnabled(handler, handler.RegistrationAPI))
-		mux.HandleFunc("POST /register_mfa/"+string(method)+"/", checkEnabled(handler, handler.RegistrationAPI))
-
-	}
-
 	enabledMethods, err := data.GetEnabledAuthenicationMethods()
 	if err != nil {
 		return err
 	}
 
-	for _, method := range enabledMethods {
-		err := allMfa[types.MFA(method)].Init(firewall)
+	for method, handler := range allMfa {
+		prefix := "/api/" + string(method)
+		r, err := handler.Routes(firewall, slices.Contains(enabledMethods, string(method)))
 		if err != nil {
 			log.Println("failed to initialise method: ", method, "err: ", err)
 			continue
 		}
-		allMfa[types.MFA(method)].Enable()
+
+		mux.Handle(prefix, http.StripPrefix(prefix, checkEnabled(r, allMfa[method])))
 	}
 
 	return nil
 }
 
-func checkEnabled(a Authenticator, f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
+type enabled struct {
+	next http.Handler
+	auth Authenticator
+}
 
-		if !a.IsEnabled() {
-			http.NotFound(w, r)
-			return
-		}
+func (d *enabled) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	d.next.ServeHTTP(w, r)
+}
 
-		f(w, r)
+func checkEnabled(next http.Handler, auth Authenticator) http.Handler {
+	return &enabled{
+		next: next,
+		auth: auth,
 	}
 }
 
 type Authenticator interface {
-	Init(fw *router.Firewall) error
-
 	IsEnabled() bool
+
 	Enable()
 	Disable()
 
+	ReloadSettings() error
+
 	Type() string
 
 	//FriendlyName is the name that is displayed in the MFA selection table
 	FriendlyName() string
 
-	//LogoutPath returns the redirection path that deauthenticates selected mfa method (mostly just "/" unless it's externally connected to something)
-	LogoutPath() string
-
-	//RegistrationAPI automatically added under /register_mfa/<mfa_method_name>
-	RegistrationAPI(w http.ResponseWriter, r *http.Request)
-
-	//AuthorisationAPI automatically added under /authorise/<mfa_method_name>
-	AuthorisationAPI(w http.ResponseWriter, r *http.Request)
-
-	//MFAPromptUI is executed in /authorise/ path to display UI when user browses to that path
-	MFAPromptUI(w http.ResponseWriter, r *http.Request, username, ip string)
-
-	//RegistrationUI is executed in /register_mfa/ path to show the UI for registration
-	RegistrationUI(w http.ResponseWriter, r *http.Request, username, ip string)
+	Routes(fw *router.Firewall, initiallyEnabled bool) (*http.ServeMux, error)
 }
 
 func StringsToMFA(methods []string) (ret []types.MFA) {

internal/mfaportal/authenticators/oidc.go

@@ -36,11 +36,7 @@ type Oidc struct {
 	fw       *router.Firewall
 }
 
-func (o *Oidc) LogoutPath() string {
-	return o.provider.GetEndSessionEndpoint()
-}
-
-func (o *Oidc) Init(fw *router.Firewall) error {
+func (o *Oidc) Routes(fw *router.Firewall, initiallyEnabled bool) error {
 
 	o.fw = fw
 

internal/mfaportal/dtos.go

@@ -0,0 +1,63 @@
+package mfaportal
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+type MFAMethod struct {
+	Method       string `json:"method"`
+	FriendlyName string `json:"friendly_name"`
+}
+
+type UserInfoDTO struct {
+	Locked              bool        `json:"is_locked"`
+	HelpMail            string      `json:"helpmail"`
+	AvailableMfaMethods []MFAMethod `json:"available_mfa_methods"`
+	Registered          bool        `json:"has_registered"`
+	Username            string      `json:"username"`
+	Authorised          bool        `json:"is_authorized"`
+}
+
+type StatusDTO struct {
+	IsAuthorised bool
+
+	MFA    []string
+	Public []string
+	Deny   []string
+}
+
+type GenericResponseDTO struct {
+	Message string `json:"message"`
+	Success bool   `json:"success"`
+}
+
+func (mp *MfaPortal) respond(err error, w http.ResponseWriter) {
+
+	var resp GenericResponseDTO
+	resp.Success = true
+	w.Header().Set("content-type", "application/json")
+	resp.Message = "OK"
+	if err != nil {
+		resp.Success = false
+		resp.Message = err.Error()
+	}
+
+	json.NewEncoder(w).Encode(resp)
+
+}
+
+func (mp *MfaPortal) respondSuccess(err error, success string, w http.ResponseWriter) {
+
+	var resp GenericResponseDTO
+	resp.Success = true
+	w.Header().Set("content-type", "application/json")
+	resp.Message = success
+	if err != nil {
+		resp.Success = false
+		resp.Message = err.Error()
+	}
+
+	json.NewEncoder(w).Encode(resp)
+
+}

internal/mfaportal/middleware.go

@@ -0,0 +1,54 @@
+package mfaportal
+
+import (
+	"context"
+	"log"
+	"net/http"
+
+	"github.com/NHAS/wag/internal/router"
+	"github.com/NHAS/wag/internal/users"
+	"github.com/NHAS/wag/internal/utils"
+)
+
+type userChecks struct {
+	next http.Handler
+	f    *router.Firewall
+}
+
+func (d *userChecks) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	clientTunnelIp := utils.GetIPFromRequest(r)
+
+	userObj, err := users.GetUserFromAddress(clientTunnelIp)
+	if err != nil {
+		http.Error(w, "Server Error", http.StatusInternalServerError)
+		log.Printf("device with unknown ip %q (%q, xff %q) used vpn endpoint CHECK CONFIG", clientTunnelIp, r.Host, r.Header.Get("X-forwarded-for"))
+		return
+	}
+
+	ctx := context.WithValue(r.Context(), users.UserContextKey, userObj)
+
+	if clientTunnelIp != nil {
+		ctx = context.WithValue(ctx, authContext, d.f.IsAuthed(clientTunnelIp.String()))
+	}
+	// Create new request with updated context
+	r = r.WithContext(ctx)
+
+	d.next.ServeHTTP(w, r)
+}
+
+func fetchState(f http.Handler, firewall *router.Firewall) http.Handler {
+	return &userChecks{
+		next: f,
+		f:    firewall,
+	}
+}
+
+type authContextKey string
+
+// Define context key for user
+const authContext authContextKey = "authed"
+
+func Authed(ctx context.Context) bool {
+	authed, ok := ctx.Value(authContext).(bool)
+	return ok && authed
+}

internal/mfaportal/resources/frontend/src/api/index.ts

@@ -1,9 +1,9 @@
 import axios from "axios";
 
 export const client = axios.create();
-export const verifyEndpoint = "/api/mfa/verify";
+export const verifyEndpoint = "/api/verify";
 
 export * from "./types";
 export * from "./totp";
 export * from "./webauthn";
-export * from "./pam";
+export * from "./pam";

internal/mfaportal/resources/frontend/src/api/info.ts

@@ -1,5 +1,5 @@
 import { client, type UserInfoDTO } from ".";
 
 export function apiGetInfo(): Promise<UserInfoDTO> {
-  return client.get("/api/info").then((res) => res.data);
+  return client.get("/api/userinfo").then((res) => res.data);
 }

internal/mfaportal/resources/frontend/src/api/types.ts

@@ -3,6 +3,11 @@ export interface MFAMethod {
   method: string;
 }
 
+export interface MFAMethod {
+	method: string
+	friendly_name: string
+}
+
 export interface UserInfoDTO {
   has_registered: boolean;
   available_mfa_methods: MFAMethod[];

internal/mfaportal/statemachine.go

@@ -64,7 +64,7 @@ func (mp *MfaPortal) oidcChanges(_ string, _ data.OIDC, _ data.OIDC, et data.Eve
 		}
 
 		if slices.Contains(methods, string(types.Oidc)) {
-			_, err := authenticators.ReinitaliseMethods(mp.firewall, types.Oidc)
+			_, err := authenticators.ReinitaliseMethods(types.Oidc)
 
 			return err
 		}
@@ -84,7 +84,7 @@ func (mp *MfaPortal) domainChanged(_ string, _, _ data.WebserverConfiguration, e
 		}
 
 		if slices.Contains(methods, string(types.Oidc)) {
-			_, err := authenticators.ReinitaliseMethods(mp.firewall, types.Oidc)
+			_, err := authenticators.ReinitaliseMethods(types.Oidc)
 
 			return err
 		}
@@ -101,14 +101,14 @@ func (mp *MfaPortal) enabledMethodsChanged(_ string, current, previous []string,
 	case data.CREATED:
 		var initdMethods []types.MFA
 
-		initdMethods, err = authenticators.ReinitaliseMethods(mp.firewall, authenticators.StringsToMFA(current)...)
+		initdMethods, err = authenticators.ReinitaliseMethods(authenticators.StringsToMFA(current)...)
 		authenticators.EnableMethods(initdMethods...)
 
 	case data.MODIFIED:
 		var initdMethods []types.MFA
 
 		authenticators.DisableMethods(authenticators.StringsToMFA(previous)...)
-		initdMethods, err = authenticators.ReinitaliseMethods(mp.firewall, authenticators.StringsToMFA(current)...)
+		initdMethods, err = authenticators.ReinitaliseMethods(authenticators.StringsToMFA(current)...)
 
 		authenticators.EnableMethods(initdMethods...)
 	}
@@ -122,7 +122,7 @@ func (mp *MfaPortal) issuerKeyChanged(_ string, _, _ string, et data.EventType)
 	case data.DELETED:
 		authenticators.DisableMethods(types.Totp, types.Webauthn)
 	case data.CREATED, data.MODIFIED:
-		_, err := authenticators.ReinitaliseMethods(mp.firewall, types.Totp, types.Webauthn)
+		_, err := authenticators.ReinitaliseMethods(types.Totp, types.Webauthn)
 		return err
 	}