Skip to content

Commit

Permalink
Close #289: Add checking for valid RUUVISESSION cookie when auth_type…
Browse files Browse the repository at this point in the history
… is set to 'allow' (#290)

* Close #289: Add checking for valid RUUVISESSION cookie when auth_type is set to 'allow'

* [#289] Add unit-test

* [#289] Add unit-tests

* [#289] Add unit-tests
  • Loading branch information
TheSomeMan authored Apr 17, 2024
1 parent 9fd73e9 commit 0ff72ad
Show file tree
Hide file tree
Showing 9 changed files with 406 additions and 57 deletions.
14 changes: 14 additions & 0 deletions src/http_server_auth.c
Original file line number Diff line number Diff line change
Expand Up @@ -105,3 +105,17 @@ http_server_get_auth(void)
{
return &g_auth_info;
}

void
http_server_auth_ruuvi_add_authorized_session(
http_server_auth_ruuvi_t* const p_auth_ruuvi,
const http_server_auth_ruuvi_session_id_t* const p_session_id,
const sta_ip_string_t* const p_remote_ip)
{
for (int32_t i = HTTP_SERVER_AUTH_RUUVI_MAX_NUM_SESSIONS - 1; i > 0; --i)
{
p_auth_ruuvi->authorized_sessions[i] = p_auth_ruuvi->authorized_sessions[i - 1];
}
p_auth_ruuvi->authorized_sessions[0].session_id = *p_session_id;
p_auth_ruuvi->authorized_sessions[0].remote_ip = *p_remote_ip;
}
6 changes: 6 additions & 0 deletions src/http_server_auth.h
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,12 @@ http_server_strnstr(const char* const p_haystack, const char* const p_needle, co
http_server_auth_info_t*
http_server_get_auth(void);

void
http_server_auth_ruuvi_add_authorized_session(
http_server_auth_ruuvi_t* const p_auth_ruuvi,
const http_server_auth_ruuvi_session_id_t* const p_session_id,
const sta_ip_string_t* const p_remote_ip);

#ifdef __cplusplus
}
#endif
Expand Down
6 changes: 4 additions & 2 deletions src/http_server_handle_req_delete_auth.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ http_server_handle_req_delete_auth(
{
return http_server_resp_401_auth_ruuvi(
p_hostinfo,
(HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false);
(HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? HTTP_SERVER_AUTH_TYPE_DEFAULT
: HTTP_SERVER_AUTH_TYPE_RUUVI);
}
http_server_auth_ruuvi_authorized_session_t* const p_authorized_session
= http_server_auth_ruuvi_find_authorized_session(&session_id, p_remote_ip);
Expand All @@ -34,7 +35,8 @@ http_server_handle_req_delete_auth(
{
return http_server_resp_401_auth_ruuvi(
p_hostinfo,
(HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false);
(HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? HTTP_SERVER_AUTH_TYPE_DEFAULT
: HTTP_SERVER_AUTH_TYPE_RUUVI);
}

p_authorized_session->session_id.buf[0] = '\0';
Expand Down
54 changes: 44 additions & 10 deletions src/http_server_handle_req_get_auth.c
Original file line number Diff line number Diff line change
Expand Up @@ -183,21 +183,35 @@ static http_server_resp_t
http_server_handle_req_get_auth_ruuvi(
const http_server_handle_req_auth_param_t* const p_param,
const bool flag_check,
const bool flag_auth_default,
const http_server_auth_type_e auth_type,
http_header_extra_fields_t* const p_extra_header_fields)
{
http_server_auth_ruuvi_session_id_t session_id = { 0 };
if (!http_server_auth_ruuvi_get_session_id_from_cookies(p_param->http_header, &session_id))
{
if (HTTP_SERVER_AUTH_TYPE_ALLOW == auth_type)
{
if (flag_check)
{
return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
}
else
{
return http_server_resp_200_auth_allow_with_new_session_id(
p_param->p_remote_ip,
p_param->p_hostinfo,
p_extra_header_fields);
}
}
if (flag_check)
{
return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, flag_auth_default);
return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, auth_type);
}
return http_server_resp_401_auth_ruuvi_with_new_session_id(
p_param->p_remote_ip,
p_param->p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
}
const http_server_auth_ruuvi_authorized_session_t* const p_authorized_session
Expand All @@ -207,19 +221,26 @@ http_server_handle_req_get_auth_ruuvi(
{
if (flag_check)
{
return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, flag_auth_default);
return http_server_resp_401_auth_ruuvi(p_param->p_hostinfo, auth_type);
}
if (HTTP_SERVER_AUTH_TYPE_ALLOW == auth_type)
{
return http_server_resp_200_auth_allow_with_new_session_id(
p_param->p_remote_ip,
p_param->p_hostinfo,
p_extra_header_fields);
}
return http_server_resp_401_auth_ruuvi_with_new_session_id(
p_param->p_remote_ip,
p_param->p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
}

const http_server_resp_auth_json_t* p_auth_json = http_server_fill_auth_json(
p_param->p_hostinfo,
flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
auth_type,
p_param->flag_access_from_lan,
NULL);
return http_server_resp_200_json(p_auth_json->buf);
Expand Down Expand Up @@ -269,17 +290,29 @@ http_server_handle_req_get_or_check_auth(
switch (p_param->p_auth_info->auth_type)
{
case HTTP_SERVER_AUTH_TYPE_ALLOW:
return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
return http_server_handle_req_get_auth_ruuvi(
p_param,
flag_check,
p_param->p_auth_info->auth_type,
p_extra_header_fields);
case HTTP_SERVER_AUTH_TYPE_BASIC:
return http_server_handle_req_get_auth_basic(p_param, p_extra_header_fields);
case HTTP_SERVER_AUTH_TYPE_DIGEST:
return http_server_handle_req_get_auth_digest(p_param, p_extra_header_fields);
case HTTP_SERVER_AUTH_TYPE_RUUVI:
return http_server_handle_req_get_auth_ruuvi(p_param, flag_check, false, p_extra_header_fields);
return http_server_handle_req_get_auth_ruuvi(
p_param,
flag_check,
p_param->p_auth_info->auth_type,
p_extra_header_fields);
case HTTP_SERVER_AUTH_TYPE_DENY:
return http_server_handle_req_get_auth_deny(p_param->p_hostinfo);
case HTTP_SERVER_AUTH_TYPE_DEFAULT:
return http_server_handle_req_get_auth_ruuvi(p_param, flag_check, true, p_extra_header_fields);
return http_server_handle_req_get_auth_ruuvi(
p_param,
flag_check,
p_param->p_auth_info->auth_type,
p_extra_header_fields);
case HTTP_SERVER_AUTH_TYPE_BEARER:
return http_server_resp_500();
}
Expand Down Expand Up @@ -312,5 +345,6 @@ http_server_handle_req_get_auth(
{
return http_server_handle_req_get_auth_allow(p_param->p_hostinfo, p_param->flag_access_from_lan);
}
return http_server_handle_req_get_or_check_auth(p_param, false, p_extra_header_fields, NULL);
const bool flag_check = false;
return http_server_handle_req_get_or_check_auth(p_param, flag_check, p_extra_header_fields, NULL);
}
44 changes: 14 additions & 30 deletions src/http_server_handle_req_post_auth.c
Original file line number Diff line number Diff line change
Expand Up @@ -117,27 +117,13 @@ http_server_auth_ruuvi_gen_hashed_password(
return true;
}

static void
http_server_auth_ruuvi_add_authorized_session(
http_server_auth_ruuvi_t* const p_auth_ruuvi,
const http_server_auth_ruuvi_session_id_t* const p_session_id,
const sta_ip_string_t* const p_remote_ip)
{
for (int32_t i = HTTP_SERVER_AUTH_RUUVI_MAX_NUM_SESSIONS - 1; i > 0; --i)
{
p_auth_ruuvi->authorized_sessions[i] = p_auth_ruuvi->authorized_sessions[i - 1];
}
p_auth_ruuvi->authorized_sessions[0].session_id = *p_session_id;
p_auth_ruuvi->authorized_sessions[0].remote_ip = *p_remote_ip;
}

static bool
http_server_handle_req_post_auth_check_login_session(
const http_server_auth_ruuvi_login_session_t* const p_login_session,
const http_server_auth_ruuvi_session_id_t* p_session_id,
const sta_ip_string_t* const p_remote_ip,
const wifiman_hostinfo_t* const p_hostinfo,
const bool flag_auth_default,
const http_server_auth_type_e auth_type,
http_header_extra_fields_t* const p_extra_header_fields,
http_server_resp_t* const p_resp)
{
Expand All @@ -148,7 +134,7 @@ http_server_handle_req_post_auth_check_login_session(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
return false;
}
Expand All @@ -162,7 +148,7 @@ http_server_handle_req_post_auth_check_login_session(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
return false;
}
Expand All @@ -173,7 +159,7 @@ http_server_handle_req_post_auth_check_login_session(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
return false;
}
Expand All @@ -183,7 +169,7 @@ http_server_handle_req_post_auth_check_login_session(
http_server_resp_t
http_server_handle_req_post_auth_check_auth(
http_server_auth_ruuvi_req_t* const p_auth_req,
const bool flag_auth_default,
const http_server_auth_type_e auth_type,
const sta_ip_string_t* const p_remote_ip,
const http_req_body_t http_body,
const http_server_auth_info_t* const p_auth_info,
Expand All @@ -197,7 +183,7 @@ http_server_handle_req_post_auth_check_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
}
if ('\0' == p_auth_req->username.buf[0])
Expand All @@ -207,7 +193,7 @@ http_server_handle_req_post_auth_check_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
"The username is empty");
}
if (0 != strcmp(p_auth_info->auth_user.buf, p_auth_req->username.buf))
Expand All @@ -217,7 +203,7 @@ http_server_handle_req_post_auth_check_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
"Incorrect username");
}
wifiman_sha256_digest_hex_str_t* p_password_hash = os_calloc(1, sizeof(*p_password_hash));
Expand All @@ -238,7 +224,7 @@ http_server_handle_req_post_auth_check_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
NULL);
}
if (0 != strcmp(p_password_hash->buf, p_auth_req->password.buf))
Expand All @@ -252,7 +238,7 @@ http_server_handle_req_post_auth_check_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
auth_type,
"Incorrect password");
}
os_free(p_password_hash);
Expand Down Expand Up @@ -285,8 +271,6 @@ http_server_handle_req_post_auth(
return http_server_resp_503();
}

const bool flag_auth_default = (HTTP_SERVER_AUTH_TYPE_DEFAULT == p_auth_info->auth_type) ? true : false;

http_server_auth_ruuvi_session_id_t session_id = { 0 };
if (!http_server_auth_ruuvi_get_session_id_from_cookies(http_header, &session_id))
{
Expand All @@ -295,7 +279,7 @@ http_server_handle_req_post_auth(
p_remote_ip,
p_hostinfo,
p_extra_header_fields,
flag_auth_default,
p_auth_info->auth_type,
NULL);
}
const http_server_auth_ruuvi_prev_url_t prev_url = http_server_auth_ruuvi_get_prev_url_from_cookies(http_header);
Expand All @@ -308,7 +292,7 @@ http_server_handle_req_post_auth(
&session_id,
p_remote_ip,
p_hostinfo,
flag_auth_default,
p_auth_info->auth_type,
p_extra_header_fields,
&resp))
{
Expand All @@ -323,7 +307,7 @@ http_server_handle_req_post_auth(
}
resp = http_server_handle_req_post_auth_check_auth(
p_auth_req,
flag_auth_default,
p_auth_info->auth_type,
p_remote_ip,
http_body,
p_auth_info,
Expand All @@ -349,7 +333,7 @@ http_server_handle_req_post_auth(
}
const http_server_resp_auth_json_t* p_auth_json = http_server_fill_auth_json(
p_hostinfo,
flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
p_auth_info->auth_type,
flag_access_from_lan,
NULL);
return http_server_resp_200_json(p_auth_json->buf);
Expand Down
41 changes: 37 additions & 4 deletions src/http_server_resp.c
Original file line number Diff line number Diff line change
Expand Up @@ -476,7 +476,7 @@ http_server_resp_401_auth_ruuvi_with_new_session_id(
const sta_ip_string_t* const p_remote_ip,
const wifiman_hostinfo_t* const p_hostinfo,
http_header_extra_fields_t* const p_extra_header_fields,
const bool flag_auth_default,
const http_server_auth_type_e lan_auth_type,
const char* const p_err_message)
{
http_server_auth_ruuvi_t* const p_auth_info = http_server_auth_ruuvi_get_info();
Expand All @@ -495,25 +495,58 @@ http_server_resp_401_auth_ruuvi_with_new_session_id(

const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
p_hostinfo,
flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
lan_auth_type,
flag_access_from_lan,
p_err_message);
return http_server_resp_401_json(p_auth_json);
}

http_server_resp_t
http_server_resp_401_auth_ruuvi(const wifiman_hostinfo_t* const p_hostinfo, const bool flag_auth_default)
http_server_resp_401_auth_ruuvi(const wifiman_hostinfo_t* const p_hostinfo, const http_server_auth_type_e lan_auth_type)
{
const bool flag_access_from_lan = true;

const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
p_hostinfo,
flag_auth_default ? HTTP_SERVER_AUTH_TYPE_DEFAULT : HTTP_SERVER_AUTH_TYPE_RUUVI,
lan_auth_type,
flag_access_from_lan,
NULL);
return http_server_resp_401_json(p_auth_json);
}

http_server_resp_t
http_server_resp_200_auth_allow_with_new_session_id(
const sta_ip_string_t* const p_remote_ip,
const wifiman_hostinfo_t* const p_hostinfo,
http_header_extra_fields_t* const p_extra_header_fields)
{
http_server_auth_ruuvi_t* const p_auth_info = http_server_auth_ruuvi_get_info();
http_server_auth_ruuvi_login_session_t* const p_login_session = &p_auth_info->login_session;

http_server_login_session_init(p_login_session, p_remote_ip);

if (wifiman_sha256_is_empty_digest_hex_str(&p_login_session->challenge))
{
return http_server_resp_503();
}

http_server_resp_auth_ruuvi_prep_www_authenticate_header(p_hostinfo, p_login_session, p_extra_header_fields);

http_server_auth_ruuvi_add_authorized_session(
http_server_auth_ruuvi_get_info(),
&p_login_session->session_id,
p_remote_ip);

const bool flag_access_from_lan = true;

const http_server_resp_auth_json_t* const p_auth_json = http_server_fill_auth_json(
p_hostinfo,
HTTP_SERVER_AUTH_TYPE_ALLOW,
flag_access_from_lan,
NULL);
return http_server_resp_200_json(p_auth_json->buf);
}

http_server_resp_t
http_server_resp_403_auth_deny(const wifiman_hostinfo_t* const p_hostinfo)
{
Expand Down
Loading

0 comments on commit 0ff72ad

Please sign in to comment.