mirror of
https://github.com/YunoHost/dynette.git
synced 2024-09-03 20:06:17 +02:00
Prototype of optionnal recovery password + delete interface using password
This commit is contained in:
parent
7234548b89
commit
7bdf77492c
3 changed files with 283 additions and 2 deletions
1
Gemfile
1
Gemfile
|
@ -6,3 +6,4 @@ gem 'json'
|
|||
gem 'data_mapper'
|
||||
gem 'dm-postgres-adapter'
|
||||
gem 'pg'
|
||||
gem 'bcrypt'
|
||||
|
|
249
delete.html
Normal file
249
delete.html
Normal file
|
@ -0,0 +1,249 @@
|
|||
|
||||
|
||||
<!doctype html>
|
||||
<html lang="fr">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<script>
|
||||
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
/* SHA-256 (FIPS 180-4) implementation in JavaScript (c) Chris Veness 2002-2016 */
|
||||
/* MIT Licence */
|
||||
/* www.movable-type.co.uk/scripts/sha256.html */
|
||||
/* */
|
||||
/* - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html */
|
||||
/* http://csrc.nist.gov/groups/ST/toolkit/examples.html */
|
||||
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
|
||||
'use strict';
|
||||
|
||||
|
||||
/**
|
||||
* SHA-256 hash function reference implementation.
|
||||
*
|
||||
* This is a direct implementation of FIPS 180-4, without any optimisations. It is intended to aid
|
||||
* understanding of the algorithm rather than for production use, though it could be used where
|
||||
* performance is not critical.
|
||||
*
|
||||
* @namespace
|
||||
*/
|
||||
var Sha256 = {};
|
||||
|
||||
|
||||
/**
|
||||
* Generates SHA-256 hash of string.
|
||||
*
|
||||
* @param {string} msg - (Unicode) string to be hashed.
|
||||
* @param {Object} [options]
|
||||
* @param {string} [options.msgFormat=string] - Message format: 'string' for JavaScript string
|
||||
* (gets converted to UTF-8 for hashing); 'hex-bytes' for string of hex bytes ('616263' ≡ 'abc') .
|
||||
* @param {string} [options.outFormat=hex] - Output format: 'hex' for string of contiguous
|
||||
* hex bytes; 'hex-w' for grouping hex bytes into groups of (4 byte / 8 character) words.
|
||||
* @returns {string} Hash of msg as hex character string.
|
||||
*/
|
||||
Sha256.hash = function(msg, options) {
|
||||
var defaults = { msgFormat: 'string', outFormat: 'hex' };
|
||||
var opt = Object.assign(defaults, options);
|
||||
|
||||
// note use throughout this routine of 'n >>> 0' to coerce Number 'n' to unsigned 32-bit integer
|
||||
|
||||
switch (opt.msgFormat) {
|
||||
default: // default is to convert string to UTF-8, as SHA only deals with byte-streams
|
||||
case 'string': msg = Sha256.utf8Encode(msg); break;
|
||||
case 'hex-bytes':msg = Sha256.hexBytesToString(msg); break; // mostly for running tests
|
||||
}
|
||||
|
||||
// constants [§4.2.2]
|
||||
var K = [
|
||||
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
|
||||
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
|
||||
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
|
||||
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
|
||||
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
|
||||
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
|
||||
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
|
||||
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ];
|
||||
|
||||
// initial hash value [§5.3.3]
|
||||
var H = [
|
||||
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 ];
|
||||
|
||||
// PREPROCESSING [§6.2.1]
|
||||
|
||||
msg += String.fromCharCode(0x80); // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
|
||||
|
||||
// convert string msg into 512-bit blocks (array of 16 32-bit integers) [§5.2.1]
|
||||
var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + ‘1’ + appended length
|
||||
var N = Math.ceil(l/16); // number of 16-integer (512-bit) blocks required to hold 'l' ints
|
||||
var M = new Array(N); // message M is N×16 array of 32-bit integers
|
||||
|
||||
for (var i=0; i<N; i++) {
|
||||
M[i] = new Array(16);
|
||||
for (var j=0; j<16; j++) { // encode 4 chars per integer (64 per block), big-endian encoding
|
||||
M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
|
||||
(msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
|
||||
} // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
|
||||
}
|
||||
// add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
|
||||
// note: most significant word would be (len-1)*8 >>> 32, but since JS converts
|
||||
// bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
|
||||
var lenHi = ((msg.length-1)*8) / Math.pow(2, 32);
|
||||
var lenLo = ((msg.length-1)*8) >>> 0;
|
||||
M[N-1][14] = Math.floor(lenHi);
|
||||
M[N-1][15] = lenLo;
|
||||
|
||||
|
||||
// HASH COMPUTATION [§6.2.2]
|
||||
|
||||
for (var i=0; i<N; i++) {
|
||||
var W = new Array(64);
|
||||
|
||||
// 1 - prepare message schedule 'W'
|
||||
for (var t=0; t<16; t++) W[t] = M[i][t];
|
||||
for (var t=16; t<64; t++) {
|
||||
W[t] = (Sha256.σ1(W[t-2]) + W[t-7] + Sha256.σ0(W[t-15]) + W[t-16]) >>> 0;
|
||||
}
|
||||
|
||||
// 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
|
||||
var a = H[0], b = H[1], c = H[2], d = H[3], e = H[4], f = H[5], g = H[6], h = H[7];
|
||||
|
||||
// 3 - main loop (note 'addition modulo 2^32')
|
||||
for (var t=0; t<64; t++) {
|
||||
var T1 = h + Sha256.Σ1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
|
||||
var T2 = Sha256.Σ0(a) + Sha256.Maj(a, b, c);
|
||||
h = g;
|
||||
g = f;
|
||||
f = e;
|
||||
e = (d + T1) >>> 0;
|
||||
d = c;
|
||||
c = b;
|
||||
b = a;
|
||||
a = (T1 + T2) >>> 0;
|
||||
}
|
||||
|
||||
// 4 - compute the new intermediate hash value (note '>>> 0' for 'addition modulo 2^32')
|
||||
H[0] = (H[0]+a) >>> 0;
|
||||
H[1] = (H[1]+b) >>> 0;
|
||||
H[2] = (H[2]+c) >>> 0;
|
||||
H[3] = (H[3]+d) >>> 0;
|
||||
H[4] = (H[4]+e) >>> 0;
|
||||
H[5] = (H[5]+f) >>> 0;
|
||||
H[6] = (H[6]+g) >>> 0;
|
||||
H[7] = (H[7]+h) >>> 0;
|
||||
}
|
||||
|
||||
// convert H0..H7 to hex strings (with leading zeros)
|
||||
for (var h=0; h<H.length; h++) H[h] = ('00000000'+H[h].toString(16)).slice(-8);
|
||||
|
||||
// concatenate H0..H7, with separator if required
|
||||
var separator = opt.outFormat=='hex-w' ? ' ' : '';
|
||||
|
||||
return H.join(separator);
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* Rotates right (circular right shift) value x by n positions [§3.2.4].
|
||||
* @private
|
||||
*/
|
||||
Sha256.ROTR = function(n, x) {
|
||||
return (x >>> n) | (x << (32-n));
|
||||
};
|
||||
|
||||
/**
|
||||
* Logical functions [§4.1.2].
|
||||
* @private
|
||||
*/
|
||||
Sha256.Σ0 = function(x) { return Sha256.ROTR(2, x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); };
|
||||
Sha256.Σ1 = function(x) { return Sha256.ROTR(6, x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); };
|
||||
Sha256.σ0 = function(x) { return Sha256.ROTR(7, x) ^ Sha256.ROTR(18, x) ^ (x>>>3); };
|
||||
Sha256.σ1 = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); };
|
||||
Sha256.Ch = function(x, y, z) { return (x & y) ^ (~x & z); }; // 'choice'
|
||||
Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); }; // 'majority'
|
||||
|
||||
|
||||
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
|
||||
|
||||
/**
|
||||
* Encodes multi-byte string to utf8 - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html
|
||||
*/
|
||||
Sha256.utf8Encode = function(str) {
|
||||
return unescape(encodeURIComponent(str));
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* Converts a string of a sequence of hex numbers to a string of characters (eg '616263' => 'abc').
|
||||
*/
|
||||
Sha256.hexBytesToString = function(hexStr) {
|
||||
hexStr = hexStr.replace(' ', ''); // allow space-separated groups
|
||||
var str = '';
|
||||
for (var i=0; i<hexStr.length; i+=2) {
|
||||
str += String.fromCharCode(parseInt(hexStr.slice(i, i+2), 16));
|
||||
}
|
||||
return str;
|
||||
};
|
||||
|
||||
|
||||
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
if (typeof module != 'undefined' && module.exports) module.exports = Sha256; // CommonJs export
|
||||
|
||||
/* END SHA256 CODE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
|
||||
|
||||
function sendDeleteRequest()
|
||||
{
|
||||
// Compute 'true' password
|
||||
var domain = document.getElementById("domain").value;
|
||||
var user_password = document.getElementById("password").value;
|
||||
var true_password = Sha256.hash(domain+":"+user_password).substring(0,32);
|
||||
|
||||
// Prepare request
|
||||
var url = "./domains/"+domain
|
||||
var params = "recovery_password="+true_password;
|
||||
var xhttp = new XMLHttpRequest();
|
||||
|
||||
// Prepare handler
|
||||
xhttp.onreadystatechange = function()
|
||||
{
|
||||
if (xhttp.readyState == 4)
|
||||
{
|
||||
if (xhttp.status == 200)
|
||||
{
|
||||
document.getElementById("debug").innerHTML = xhttp.responseText;
|
||||
}
|
||||
else
|
||||
{
|
||||
document.getElementById("debug").innerHTML = "Error ? " + xhttp.responseText;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
document.getElementById("debug").innerHTML = "Sending request...";
|
||||
}
|
||||
};
|
||||
|
||||
// Actually send the request
|
||||
xhttp.open("DELETE", url, true);
|
||||
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
||||
xhttp.send(params);
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<form>
|
||||
|
||||
Domain to delete:<br>
|
||||
<input type="text" id="domain"><br>
|
||||
Password:<br>
|
||||
<input type="password" id="password"><br>
|
||||
<input type="button" value="Submit" onclick="sendDeleteRequest();">
|
||||
</form>
|
||||
<span id="debug"></span>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
|
||||
|
35
dynette.rb
35
dynette.rb
|
@ -5,6 +5,7 @@ require 'sinatra'
|
|||
require 'data_mapper'
|
||||
require 'json'
|
||||
require 'base64'
|
||||
require 'bcrypt'
|
||||
|
||||
######################
|
||||
### Configuration ###
|
||||
|
@ -22,12 +23,14 @@ ALLOWED_IP = ["127.0.0.1"]
|
|||
# Dynette Entry class
|
||||
class Entry
|
||||
include DataMapper::Resource
|
||||
include BCrypt
|
||||
|
||||
property :id, Serial
|
||||
property :public_key, String
|
||||
property :subdomain, String
|
||||
property :current_ip, String
|
||||
property :created_at, DateTime
|
||||
property :recovery_password, Text
|
||||
|
||||
has n, :ips
|
||||
end
|
||||
|
@ -130,6 +133,14 @@ get '/' do
|
|||
"Wanna play the dynette ?"
|
||||
end
|
||||
|
||||
# Delete interface for user with recovery password
|
||||
get '/delete' do
|
||||
f = File.open("delete.html", "r")
|
||||
|
||||
content_type 'text/html'
|
||||
f.read
|
||||
end
|
||||
|
||||
# Get availables DynDNS domains
|
||||
get '/domains' do
|
||||
DOMAINS.to_json
|
||||
|
@ -158,9 +169,17 @@ post '/key/:public_key' do
|
|||
halt 409, { :error => "Key already exists for domain #{entry.subdomain}" }.to_json
|
||||
end
|
||||
|
||||
# If user provided a recovery password, hash and salt it before storing it
|
||||
if params.has_key?("recovery_password")
|
||||
recovery_password = BCrypt::Password.create(params[:recovery_password])
|
||||
else
|
||||
recovery_password = ""
|
||||
end
|
||||
|
||||
# Process
|
||||
entry = Entry.new(:public_key => params[:public_key], :subdomain => params[:subdomain], :current_ip => request.ip, :created_at => Time.now)
|
||||
entry = Entry.new(:public_key => params[:public_key], :subdomain => params[:subdomain], :current_ip => request.ip, :created_at => Time.now, :recovery_password => recovery_password)
|
||||
entry.ips << Ip.create(:ip_addr => request.ip)
|
||||
|
||||
if entry.save
|
||||
halt 201, { :public_key => entry.public_key, :subdomain => entry.subdomain, :current_ip => entry.current_ip }.to_json
|
||||
else
|
||||
|
@ -201,10 +220,21 @@ end
|
|||
|
||||
# Delete a sub-domain
|
||||
delete '/domains/:subdomain' do
|
||||
unless ALLOWED_IP.include? request.ip
|
||||
unless (ALLOWED_IP.include? request.ip) || (params.has_key?("recovery_password"))
|
||||
halt 403, { :error => "Access denied"}.to_json
|
||||
end
|
||||
if entry = Entry.first(:subdomain => params[:subdomain])
|
||||
|
||||
# For non-admin
|
||||
unless (ALLOWED_IP.include? request.ip)
|
||||
# If no recovery password was provided when registering domain,
|
||||
# or if wrong password is provided, deny access
|
||||
if (entry.recovery_password == "") || (BCrypt::Password.new(entry.recovery_password) != params[:recovery_password])
|
||||
halt 403, { :error => "Access denied" }.to_json
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
Ip.first(:entry_id => entry.id).destroy
|
||||
if entry.destroy
|
||||
halt 200, "OK".to_json
|
||||
|
@ -212,6 +242,7 @@ delete '/domains/:subdomain' do
|
|||
halt 412, { :error => "A problem occured during DNS deletion" }.to_json
|
||||
end
|
||||
end
|
||||
halt 404
|
||||
end
|
||||
|
||||
# Get all registered sub-domains
|
||||
|
|
Loading…
Add table
Reference in a new issue