Move to using golang http library verbs, add non-functional challenge

internal/data/devices.go

@@ -26,6 +26,7 @@ type Device struct {
 	Active       bool
 	Authorised   time.Time
 
+	Challenge      string
 	AssociatedNode types.ID
 }
 

internal/data/events.go

@@ -58,6 +58,21 @@ var (
 	exit        = make(chan bool)
 )
 
+func DeregisterEventListener(key string) error {
+	clusterHealthLck.Lock()
+	defer clusterHealthLck.Unlock()
+	cancelFunc, ok := contextMaps[key]
+	if !ok {
+		return fmt.Errorf("even listener was not found: %s", key)
+	}
+
+	cancelFunc()
+
+	delete(contextMaps, key)
+
+	return nil
+}
+
 func RegisterEventListener[T any](path string, isPrefix bool, f func(key string, current, previous T, et EventType) error) (string, error) {
 
 	options := []clientv3.OpOption{

internal/router/init.go

@@ -58,7 +58,7 @@ func Setup(errorChan chan<- error, iptables bool) (err error) {
 			select {
 			case <-cancel:
 				return
-			case <-time.After(100 * time.Millisecond):
+			case <-time.After(500 * time.Millisecond):
 				dev, err := ctrl.Device(config.Values.Wireguard.DevName)
 				if err != nil {
 					errorChan <- fmt.Errorf("endpoint watcher: %s", err)
@@ -92,16 +92,9 @@ func Setup(errorChan chan<- error, iptables bool) (err error) {
 					if ourPeerAddresses[device.Address] != p.Endpoint.String() && p.Endpoint != nil {
 						ourPeerAddresses[device.Address] = p.Endpoint.String()
 
-						// If we register an endpoint change on our real world device, and the Endpoint is not the same as what the cluster knows
-						// i.e the peer has either roamed and its egress has changed, or it's an attacker using a stolen wireguard profile
-						// Deauthenticate it
 						if device.Endpoint.String() != p.Endpoint.String() {
+							// This condition will trigger a challenge on the cluster
 							log.Printf("%s:%s endpoint changed %s -> %s", device.Address, device.Username, device.Endpoint.String(), p.Endpoint.String())
-
-							err = data.DeauthenticateDevice(device.Address)
-							if err != nil {
-								log.Printf("failed to deauth device (%s:%s) endpoint: %s", device.Address, device.Username, err)
-							}
 						}
 
 						// Otherwise, just update the node association

internal/users/user.go

@@ -106,12 +106,12 @@ func (u *user) Authenticate(device, mfaType string, authenticator types.Authenti
 	// Make sure that the attempts is always incremented first to stop race condition attacks
 	err := data.IncrementAuthenticationAttempt(u.Username, device)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to pre-emptively increment authentication attempt counter: %s", err)
 	}
 
 	mfa, userMfaType, attempts, locked, err := data.GetAuthenticationDetails(u.Username, device)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get authenticator details: %s", err)
 	}
 
 	lockout, err := data.GetLockout()
@@ -158,7 +158,7 @@ func (u *user) Deauthenticate(device string) error {
 func (u *user) MFA() (string, error) {
 	url, err := data.GetMFASecret(u.Username)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to get MFA details: %s", err)
 	}
 
 	return url, nil

internal/webserver/authenticators/oidc.go

@@ -107,14 +107,14 @@ func (o *Oidc) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
 	if user.IsEnforcingMFA() {
 		log.Println(user.Username, clientTunnelIp, "tried to re-register mfa despite already being registered")
 
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -127,7 +127,7 @@ func (o *Oidc) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	err = data.SetUserMfa(user.Username, string(value), o.Type())
 	if err != nil {
 		log.Println(user.Username, clientTunnelIp, "unable to set authentication method as oidc key to db:", err)
-		http.Error(w, "Unknown error", 500)
+		http.Error(w, "Server error", http.StatusInternalServerError)
 		return
 	}
 
@@ -147,7 +147,7 @@ func (o *Oidc) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -182,7 +182,7 @@ func (o *Oidc) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 		for i := range groupsIntf {
 			conv, ok := groupsIntf[i].(string)
 			if !ok {
-				log.Println("Error, could not convert group claim to string, probably error in oidc idP configuration")
+				log.Println("Error, could not convert group claim to string, probably mistake in your OIDC idP configuration")
 				http.Error(w, "Server Error", http.StatusInternalServerError)
 				return
 			}

internal/webserver/authenticators/pam.go

@@ -44,14 +44,14 @@ func (t *Pam) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
 	if user.IsEnforcingMFA() {
 		log.Println(user.Username, clientTunnelIp, "tried to re-register mfa despite already being registered")
 
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -104,7 +104,7 @@ func (t *Pam) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -131,15 +131,15 @@ func (t *Pam) AuthoriseFunc(w http.ResponseWriter, r *http.Request) types.Authen
 	return func(mfaSecret, username string) error {
 		err := r.ParseForm()
 		if err != nil {
-			http.Error(w, "Bad request", 400)
-			return err
+			http.Error(w, "Bad request", http.StatusBadRequest)
+			return fmt.Errorf("failed to parse form: %s", err)
 		}
 
 		passwd := r.FormValue("password")
 
 		pamDetails, err := data.GetPAM()
 		if err != nil {
-			http.Error(w, "Unable to get pam details: "+err.Error(), 500)
+			http.Error(w, "Unable to get pam details: "+err.Error(), http.StatusInternalServerError)
 			return err
 		}
 
@@ -177,10 +177,9 @@ func (t *Pam) AuthoriseFunc(w http.ResponseWriter, r *http.Request) types.Authen
 		pamUsername, err := t.GetItem(pam.User)
 		if err != nil {
 			return fmt.Errorf("PAM get user '%s' (%s) failed", pamUsername, username)
-		} else {
-			return nil
 		}
 
+		return nil
 	}
 }
 

internal/webserver/authenticators/totp.go

@@ -59,14 +59,14 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
 	if user.IsEnforcingMFA() {
 		log.Println(user.Username, clientTunnelIp, "tried to re-register mfa despite already being registered")
 
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -77,7 +77,7 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "unable to get issuer from datastore")
 
-			http.Error(w, "Bad request", 400)
+			http.Error(w, "Bad request", http.StatusBadRequest)
 			return
 		}
 		key, err := totp.Generate(totp.GenerateOpts{
@@ -86,29 +86,29 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 		})
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "generate key failed:", err)
-			http.Error(w, "Unknown error", 500)
+			http.Error(w, "Unknown error", http.StatusInternalServerError)
 			return
 		}
 
 		err = data.SetUserMfa(user.Username, key.URL(), t.Type())
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "unable to save totp key to db:", err)
-			http.Error(w, "Unknown error", 500)
+			http.Error(w, "Server Error", http.StatusInternalServerError)
 			return
 		}
 
 		image, err := key.Image(200, 200)
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "generating image failed:", err)
-			http.Error(w, "Unknown error", 500)
+			http.Error(w, "Server Error", http.StatusInternalServerError)
 			return
 		}
 
 		var buff bytes.Buffer
 		err = png.Encode(&buff, image)
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "encoding mfa secret as png failed:", err)
-			http.Error(w, "Unknown error", 500)
+			http.Error(w, "Server Error", http.StatusInternalServerError)
 			return
 		}
 
@@ -122,7 +122,7 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 			AccountName: key.AccountName(),
 		}
 
-		jsonResponse(w, &mfa, 200)
+		jsonResponse(w, &mfa, http.StatusOK)
 
 	case "POST":
 		err = user.Authenticate(clientTunnelIp.String(), t.Type(), t.AuthoriseFunc(w, r))
@@ -137,6 +137,7 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 		log.Println(user.Username, clientTunnelIp, "authorised")
 		if err := user.EnforceMFA(); err != nil {
 			log.Println(user.Username, clientTunnelIp, "enforce mfa failed:", err)
+			return
 		}
 
 	default:
@@ -162,7 +163,7 @@ func (t *Totp) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -178,6 +179,7 @@ func (t *Totp) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 
 	if err != nil {
 		log.Println(user.Username, clientTunnelIp, "failed to authorise: ", err.Error())
+		// Intentionally missing http.Error as its returned via json
 		return
 	}
 
@@ -189,7 +191,7 @@ func (t *Totp) AuthoriseFunc(w http.ResponseWriter, r *http.Request) types.Authe
 	return func(mfaSecret, username string) error {
 		err := r.ParseForm()
 		if err != nil {
-			http.Error(w, "Bad request", 400)
+			http.Error(w, "Bad request", http.StatusBadRequest)
 			return err
 		}
 
@@ -200,13 +202,13 @@ func (t *Totp) AuthoriseFunc(w http.ResponseWriter, r *http.Request) types.Authe
 			return err
 		}
 
+		lockULock.Lock()
+		defer lockULock.Unlock()
+
 		if !totp.Validate(code, key.Secret()) {
 			return errors.New("code does not match expected")
 		}
 
-		lockULock.Lock()
-		defer lockULock.Unlock()
-
 		e := usedCodes[username]
 		if e.code == code && e.usetime.Add(30*time.Second).After(time.Now()) {
 			return errors.New("code already used")

internal/webserver/authenticators/webauthn.go

@@ -69,14 +69,14 @@ func (wa *Webauthn) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
 	if user.IsEnforcingMFA() {
 		log.Println(user.Username, clientTunnelIp, "tried to re-register mfa despite already being registered")
 
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}
 
@@ -188,7 +188,7 @@ func (wa *Webauthn) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	user, err := users.GetUserFromAddress(clientTunnelIp)
 	if err != nil {
 		log.Println("unknown", clientTunnelIp, "could not get associated device:", err)
-		http.Error(w, "Bad request", 400)
+		http.Error(w, "Bad request", http.StatusBadRequest)
 		return
 	}