From 01a8bf4584f8f6b6da340797fd0b05b8f562356a Mon Sep 17 00:00:00 2001
From: "C. Alexander Leigh"
Date: Wed, 15 Feb 2023 01:11:56 -0800
Subject: [PATCH] lc-gdn-api: Added AD check for domain admin group.

---
 .../main/java/lc/gdn/api/GdnApiService.java | 129 ++++++++++++------
 1 file changed, 85 insertions(+), 44 deletions(-)

diff --git a/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java b/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
index 49fef296e..e3b90e027 100644
--- a/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
+++ b/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
@@ -1,6 +1,9 @@
 package lc.gdn.api;
 
 import jakarta.servlet.http.HttpServletResponse;
+import lc.cloudbox.cisco.CiscoController;
+import lc.mecha.aaa.ActiveDirectory;
+import lc.mecha.cred.Credential;
 import lc.mecha.fabric.HandlerStatus;
 import lc.mecha.fabric.LiteralMessageSubscription;
 import lc.mecha.http.server.PrefixedHandler;
@@ -10,8 +13,11 @@ import lc.mecha.http.server.WebTransaction;
 import lc.mecha.log.MechaLogger;
 import lc.mecha.log.MechaLoggerFactory;
 
+import java.net.Inet4Address;
+import java.net.InetAddress;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
+import java.util.Map;
 import java.util.Set;
 
 public class GdnApiService extends PrefixedHandler {
@@ -19,6 +25,8 @@ public class GdnApiService extends PrefixedHandler {
 
     private final WebServer ws;
 
+    private final static String SID_DADMINS = "S-1-5-21-627184053-1050413898-3607107746-512";
+
     public static void main(String[] args) throws Exception {
         GdnApiService svc = new GdnApiService();
         svc.runDangerously();
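Review bot: `SID_DADMINS` is a bare environment-specific identifier with no comment saying what it denotes or why it gates this service; a reader has to know that the trailing `-512` is the well-known Domain Admins RID appended to the domain SID. Suggested comment above the field: `// Domain Admins group of the gdn.leigh-co.com domain (domain SID + well-known RID 512); membership is required to call this API.` Because the value is bound to one domain, it would be better read from configuration than compiled in, so re-pointing the service at another domain does not need a rebuild. Conventional modifier order is `private static final`.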
@@ -35,52 +43,85 @@ public class GdnApiService extends PrefixedHandler {
     public HandlerStatus handlePrefixedWebRequest(WebTransaction request) throws Exception {
         final String authorization = request.httpServletRequest.getHeader("Authorization");
 
-        if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
-            // Authorization: Basic base64credentials
-            String base64Credentials = authorization.substring("Basic".length()).trim();
-            byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
-            String credentials = new String(credDecoded, StandardCharsets.UTF_8);
-            // credentials = username:password
-            final String[] values = credentials.split(":", 2);
-
-            logger.info("un: {} pw: {}", values[0], values[1]);
-            request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
-            request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-            return HandlerStatus.BREAK;
-        } else {
-            request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
-            request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-            return HandlerStatus.BREAK;
-        }
-        /*
-        synchronized (this) {
-            try {
-                Integer tunNumber = Integer.parseInt(request.httpServletRequest.getParameter("tun"));
-                InetAddress ipAddr = Inet4Address.getByName(request.httpServletRequest.getParameter("ip"));
-
-                // TODO: Verify that ipAddr is actually an IP address
-                logger.info("Updating tunnel configuration. [tun: {}] [ip: {}]", tunNumber, ipAddr.getHostAddress());
-
-                CiscoController gw0 = new CiscoController("gw0.gdn.leigh-co.com",
-                        new Credential("cisco", "abc"), "def");
-                CiscoController gw3 = new CiscoController("gw3.gdn.leigh-co.com",
-                        new Credential("aleigh", "abc"), "def");
-
-                gw0.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
-                gw3.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
-
-                logger.info("Router updated.");
-
-                request.httpServletResponse.getOutputStream()
-                        .write("{\"router\":[\"gw0.gdn.leigh-co.com\",\"gw3.gdn.leigh-co.com\"]}".getBytes());
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw e;
+        try {
+            if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
+                // Authorization: Basic base64credentials
+                String base64Credentials = authorization.substring("Basic".length()).trim();
+                byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
+                String credentials = new String(credDecoded, StandardCharsets.UTF_8);
+                // credentials = username:password
+                final String[] values = credentials.split(":", 2);
+
+                // FIXME: Should be gdn.leigh-co.com, but the SSL certs don't have a altname for this.
+                ActiveDirectory ad = new ActiveDirectory("gdn.leigh-co.com", "ldaps://dc0.gdn.leigh-co.com",
+                        "cn=users,dc=gdn,dc=leigh-co,dc=com", null, null);
+
+                Map user = ad.authenticate(values[0], values[1]);
+
+                logger.info("AD returns: {}", user);
+                if (user == null) {
+                    request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+                    request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                    return HandlerStatus.BREAK;
+                }
+
+                // If we got this far, it was a good login, so we can continue to use these credentials since we
+                // have them anyways.
+                ad.setInfoUser(values[0]);
+                ad.setInfoPassword(values[1]);
+
+                String userSid = (String) user.get("objectSid");
+
+                logger.info("User SID: {}", userSid);
+
+                Set groups = ad.findGroups(userSid);
+
+                logger.info("Groups: {}", groups);
+
+                if (!groups.contains(SID_DADMINS)) {
+                    // FORBIDDEN since the u/p was good, but unauthorized.
+                    request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+                    request.httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                    return HandlerStatus.BREAK;
+                }
+
+            } else {
+                request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+                request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                return HandlerStatus.BREAK;
             }
+
+
+            synchronized (this) {
+                try {
+                    Integer tunNumber = Integer.parseInt(request.httpServletRequest.getParameter("tunnelId"));
+                    InetAddress ipAddr = Inet4Address.getByName(request.httpServletRequest.getParameter("ip"));
+
+                    // TODO: Verify that ipAddr is actually an IP address
+                    logger.info("Updating tunnel configuration. [tun: {}] [ip: {}]", tunNumber, ipAddr.getHostAddress());
+
+                    CiscoController gw0 = new CiscoController("gw0.gdn.leigh-co.com",
+                            new Credential("cisco", "abc"), "def");
+                    CiscoController gw3 = new CiscoController("gw3.gdn.leigh-co.com",
+                            new Credential("aleigh", "abc"), "def");
+
+                    gw0.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
+                    gw3.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
+
+                    logger.info("Router updated.");
+
+                    request.httpServletResponse.getOutputStream()
+                            .write("{\"router\":[\"gw0.gdn.leigh-co.com\",\"gw3.gdn.leigh-co.com\"]}".getBytes());
+                } catch (Exception e) {
+                    e.printStackTrace();
+                    throw e;
+                }
+            }
+            return HandlerStatus.BREAK;
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw e;
         }
-        return HandlerStatus.BREAK;
-
-        */
     }
 
     public void runDangerously() throws Exception {
-- 
GitLab
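Review bot: A malformed `Authorization` header is still answered with a server error instead of the 401 challenge: `Base64.getDecoder().decode(base64Credentials)` throws `IllegalArgumentException` on non-base64 input and `values[1]` throws when the decoded text contains no `:`, and both escape through the new outer `catch (Exception e)`, which only prints the stack trace and rethrows. The excerpt below guards both before anything reaches `ad.authenticate`, so every unauthenticated request gets the same `WWW-Authenticate` response. Two things the commit leaves in place deserve a follow-up: the `ip` parameter only passes through `Inet4Address.getByName(...)`, which resolves hostnames and accepts IPv6 literals, before it is written into both routers via `setTunnelDestination` (the old `// TODO: Verify that ipAddr is actually an IP address` still applies), and the `new Credential("cisco", "abc"), "def"` router credentials that were commented out before this change now execute on every authorized request and belong in configuration rather than source. `logger.info("AD returns: {}", user)` also writes the whole directory record to the log, where `values[0]` and `userSid` are enough to trace the decision, and the duplicated `e.printStackTrace(); throw e;` at both nesting levels can collapse into the single outer `catch`.

```java
                String base64Credentials = authorization.substring("Basic".length()).trim();
                byte[] credDecoded;
                try {
                    credDecoded = Base64.getDecoder().decode(base64Credentials);
                } catch (IllegalArgumentException malformed) {
                    // Not base64 at all: answer with the challenge, not a stack trace.
                    request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
                    request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    return HandlerStatus.BREAK;
                }
                String credentials = new String(credDecoded, StandardCharsets.UTF_8);
                // credentials = username:password
                final String[] values = credentials.split(":", 2);
                if (values.length != 2 || values[0].isEmpty()) {
                    // A token without ':' would otherwise throw on values[1] below.
                    request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
                    request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    return HandlerStatus.BREAK;
                }
                // … unchanged: ActiveDirectory lookup, group check, tunnel update …
```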