140 lines
3.4 KiB
Go
140 lines
3.4 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
func isAuthenticated(cfg *Config, r *http.Request) *User {
|
|
username, password, ok := r.BasicAuth()
|
|
if !ok {
|
|
// no basic auth header detected
|
|
return nil
|
|
}
|
|
|
|
user, ok := cfg.users[username]
|
|
if !ok {
|
|
// non-existent username
|
|
return nil
|
|
}
|
|
|
|
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
|
|
if err != nil {
|
|
log.Printf("Config contains invalid password hash for user %q", username)
|
|
return nil
|
|
}
|
|
return user
|
|
}
|
|
|
|
func getIpAddress(r *http.Request) net.IP {
|
|
addr := r.URL.Query().Get("myip")
|
|
if len(addr) > 0 {
|
|
// If myip was supplied, parse it and return the result regardless of
|
|
// success, failure will be handled later.
|
|
return net.ParseIP(addr)
|
|
}
|
|
|
|
// check http headers and request for other possible ip address sources
|
|
addr = r.Header.Get(http.CanonicalHeaderKey("X-Forwarded-For"))
|
|
if len(addr) > 0 {
|
|
tokens := strings.Split(addr, ", ")
|
|
// tokens is always at least 1 element long
|
|
// -> return first element as it contains the client's ip address
|
|
return net.ParseIP(tokens[0])
|
|
}
|
|
// TODO: support newer standarized "Forwarded"-Header
|
|
|
|
addr = r.Header.Get(http.CanonicalHeaderKey("X-Real-IP"))
|
|
if len(addr) > 0 {
|
|
return net.ParseIP(addr)
|
|
}
|
|
|
|
addr, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err != nil {
|
|
log.Printf("Retrieving IP-Address failed: %s", err)
|
|
return nil
|
|
}
|
|
return net.ParseIP(addr)
|
|
}
|
|
|
|
// returns api-response on failure and RRConfig on success
|
|
func verifyHostname(cfg *Config, user *User, hostname string) (string, *RRConfig) {
|
|
if len(hostname) <= 0 {
|
|
return "nohost", nil
|
|
}
|
|
|
|
// check whether the authenticated user is allowed to update the dns record
|
|
_, ok := user.records[hostname]
|
|
if !ok {
|
|
return "badauth", nil
|
|
}
|
|
|
|
// this should not fail as it is verified in LoadConfig, but better be safe
|
|
entry, ok := cfg.rrconfigs[hostname]
|
|
if !ok {
|
|
return "nohost", nil
|
|
}
|
|
|
|
// TODO: return notfqdn -> differentiate between 'hostname doesnt exist' and
|
|
// 'hostname is not fqdn'
|
|
|
|
// again, this should not fail since 'hostname' was the key used for
|
|
// cfg.rrconfigs to acquire the entry
|
|
if hostname != entry.Recordname {
|
|
return "nohost", nil
|
|
}
|
|
return "", entry
|
|
}
|
|
|
|
func RequestHandler(cfg *Config) func(w http.ResponseWriter, r *http.Request) {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user := isAuthenticated(cfg, r)
|
|
if user == nil {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="dyndns"`)
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
w.Write([]byte("badauth"))
|
|
fmt.Fprintln(w, "badauth")
|
|
return
|
|
}
|
|
|
|
// all remaining responses should come with status code 200
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
// check for 'valid' useragent, should not be strictly necessary but
|
|
// the protocol demands it
|
|
if len(r.UserAgent()) <= 0 {
|
|
fmt.Fprintln(w, "badagent")
|
|
return
|
|
}
|
|
|
|
hostname := r.URL.Query().Get("hostname")
|
|
response, entry := verifyHostname(cfg, user, hostname)
|
|
if response != "" {
|
|
fmt.Fprintln(w, response)
|
|
return
|
|
}
|
|
|
|
ipaddr := getIpAddress(r)
|
|
if ipaddr == nil {
|
|
fmt.Fprintln(w, "911")
|
|
return
|
|
}
|
|
|
|
if !requiresRRUpdate(entry, ipaddr) {
|
|
fmt.Fprintf(w, "nochg %s\n", ipaddr.String())
|
|
return
|
|
}
|
|
|
|
err := updateRR(entry, ipaddr)
|
|
if err != nil {
|
|
log.Printf("updating RR failed: %s", err)
|
|
fmt.Fprintln(w, "911")
|
|
return
|
|
}
|
|
fmt.Fprintf(w, "good %s\n", ipaddr.String())
|
|
}
|
|
}
|