2014-11-16 13:13:20 -07:00
|
|
|
// Copyright (C) 2014 The Syncthing Authors.
|
2014-09-29 12:43:32 -07:00
|
|
|
//
|
2015-03-07 13:36:35 -07:00
|
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
2017-02-08 23:52:18 -07:00
|
|
|
// You can obtain one at https://mozilla.org/MPL/2.0/.
|
2014-09-03 23:31:38 -07:00
|
|
|
|
2019-03-26 12:53:58 -07:00
|
|
|
package api
|
2014-06-04 12:20:07 -07:00
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"os"
|
2014-07-06 06:00:44 -07:00
|
|
|
"strings"
|
2014-06-04 12:20:07 -07:00
|
|
|
|
2015-08-06 02:29:25 -07:00
|
|
|
"github.com/syncthing/syncthing/lib/osutil"
|
2016-05-26 00:02:56 -07:00
|
|
|
"github.com/syncthing/syncthing/lib/rand"
|
2015-08-06 02:29:25 -07:00
|
|
|
"github.com/syncthing/syncthing/lib/sync"
|
2014-06-04 12:20:07 -07:00
|
|
|
)
|
|
|
|
|
2016-01-03 13:56:19 -07:00
|
|
|
const maxCsrfTokens = 25
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
type csrfManager struct {
|
|
|
|
// tokens is a list of valid tokens. It is sorted so that the most
|
|
|
|
// recently used token is first in the list. New tokens are added to the front
|
|
|
|
// of the list (as it is the most recently used at that time). The list is
|
|
|
|
// pruned to a maximum of maxCsrfTokens, throwing away the least recently used
|
|
|
|
// tokens.
|
|
|
|
tokens []string
|
|
|
|
tokensMut sync.Mutex
|
|
|
|
|
|
|
|
unique string
|
|
|
|
prefix string
|
|
|
|
apiKeyValidator apiKeyValidator
|
|
|
|
next http.Handler
|
|
|
|
saveLocation string
|
|
|
|
}
|
|
|
|
|
|
|
|
type apiKeyValidator interface {
|
|
|
|
IsValidAPIKey(key string) bool
|
|
|
|
}
|
|
|
|
|
2014-06-04 12:20:07 -07:00
|
|
|
// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
|
|
|
|
// the request with 403. For / and /index.html, set a new CSRF cookie if none
|
|
|
|
// is currently set.
|
2019-09-05 04:35:51 -07:00
|
|
|
func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, saveLocation string) *csrfManager {
|
|
|
|
m := &csrfManager{
|
|
|
|
tokensMut: sync.NewMutex(),
|
|
|
|
unique: unique,
|
|
|
|
prefix: prefix,
|
|
|
|
apiKeyValidator: apiKeyValidator,
|
|
|
|
next: next,
|
|
|
|
saveLocation: saveLocation,
|
|
|
|
}
|
|
|
|
m.load()
|
|
|
|
return m
|
|
|
|
}
|
2014-07-05 12:40:29 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Allow requests carrying a valid API key
|
|
|
|
if m.apiKeyValidator.IsValidAPIKey(r.Header.Get("X-API-Key")) {
|
|
|
|
// Set the access-control-allow-origin header for CORS requests
|
|
|
|
// since a valid API key has been provided
|
|
|
|
w.Header().Add("Access-Control-Allow-Origin", "*")
|
|
|
|
m.next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
2016-08-02 04:06:45 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/rest/debug") {
|
|
|
|
// Debugging functions are only available when explicitly
|
|
|
|
// enabled, and can be accessed without a CSRF token
|
|
|
|
m.next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Allow requests for anything not under the protected path prefix,
|
|
|
|
// and set a CSRF cookie if there isn't already a valid one.
|
|
|
|
if !strings.HasPrefix(r.URL.Path, m.prefix) {
|
|
|
|
cookie, err := r.Cookie("CSRF-Token-" + m.unique)
|
|
|
|
if err != nil || !m.validToken(cookie.Value) {
|
|
|
|
l.Debugln("new CSRF cookie in response to request for", r.URL)
|
|
|
|
cookie = &http.Cookie{
|
|
|
|
Name: "CSRF-Token-" + m.unique,
|
|
|
|
Value: m.newToken(),
|
2014-07-05 12:40:29 -07:00
|
|
|
}
|
2019-09-05 04:35:51 -07:00
|
|
|
http.SetCookie(w, cookie)
|
2014-07-05 12:40:29 -07:00
|
|
|
}
|
2019-09-05 04:35:51 -07:00
|
|
|
m.next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
2014-06-05 00:16:12 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
// Verify the CSRF token
|
|
|
|
token := r.Header.Get("X-CSRF-Token-" + m.unique)
|
|
|
|
if !m.validToken(token) {
|
|
|
|
http.Error(w, "CSRF Error", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2014-07-05 12:40:29 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
m.next.ServeHTTP(w, r)
|
2014-06-04 12:20:07 -07:00
|
|
|
}
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
func (m *csrfManager) validToken(token string) bool {
|
|
|
|
m.tokensMut.Lock()
|
|
|
|
defer m.tokensMut.Unlock()
|
|
|
|
for i, t := range m.tokens {
|
2014-06-04 12:20:07 -07:00
|
|
|
if t == token {
|
2016-01-03 13:56:19 -07:00
|
|
|
if i > 0 {
|
|
|
|
// Move this token to the head of the list. Copy the tokens at
|
|
|
|
// the front one step to the right and then replace the token
|
|
|
|
// at the head.
|
2019-09-05 04:35:51 -07:00
|
|
|
copy(m.tokens[1:], m.tokens[:i+1])
|
|
|
|
m.tokens[0] = token
|
2016-01-03 13:56:19 -07:00
|
|
|
}
|
2014-06-04 12:20:07 -07:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
func (m *csrfManager) newToken() string {
|
2016-05-26 00:02:56 -07:00
|
|
|
token := rand.String(32)
|
2014-06-04 12:20:07 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
m.tokensMut.Lock()
|
|
|
|
m.tokens = append([]string{token}, m.tokens...)
|
|
|
|
if len(m.tokens) > maxCsrfTokens {
|
|
|
|
m.tokens = m.tokens[:maxCsrfTokens]
|
2014-06-04 12:20:07 -07:00
|
|
|
}
|
2019-09-05 04:35:51 -07:00
|
|
|
defer m.tokensMut.Unlock()
|
2014-06-04 12:20:07 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
m.save()
|
2014-06-04 12:20:07 -07:00
|
|
|
|
|
|
|
return token
|
|
|
|
}
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
func (m *csrfManager) save() {
|
2015-07-11 08:03:40 -07:00
|
|
|
// We're ignoring errors in here. It's not super critical and there's
|
|
|
|
// nothing relevant we can do about them anyway...
|
2015-07-13 03:44:59 -07:00
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
if m.saveLocation == "" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
f, err := osutil.CreateAtomic(m.saveLocation)
|
2014-06-04 12:20:07 -07:00
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
for _, t := range m.tokens {
|
2015-07-11 08:03:40 -07:00
|
|
|
fmt.Fprintln(f, t)
|
2014-06-04 12:20:07 -07:00
|
|
|
}
|
|
|
|
|
2015-07-11 08:03:40 -07:00
|
|
|
f.Close()
|
2014-06-04 12:20:07 -07:00
|
|
|
}
|
|
|
|
|
2019-09-05 04:35:51 -07:00
|
|
|
func (m *csrfManager) load() {
|
|
|
|
if m.saveLocation == "" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
f, err := os.Open(m.saveLocation)
|
2014-06-04 12:20:07 -07:00
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
defer f.Close()
|
|
|
|
|
|
|
|
s := bufio.NewScanner(f)
|
|
|
|
for s.Scan() {
|
2019-09-05 04:35:51 -07:00
|
|
|
m.tokens = append(m.tokens, s.Text())
|
2014-06-04 12:20:07 -07:00
|
|
|
}
|
|
|
|
}
|