Apq
/
syncthing
mirror of https://github.com/syncthing/syncthing.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
							// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.

package api

import (
	"bufio"
	"fmt"
	"net/http"
	"os"
	"strings"

	"github.com/syncthing/syncthing/lib/osutil"
	"github.com/syncthing/syncthing/lib/rand"
	"github.com/syncthing/syncthing/lib/sync"
)

const maxCsrfTokens = 25

type csrfManager struct {
	// tokens is a list of valid tokens. It is sorted so that the most
	// recently used token is first in the list. New tokens are added to the front
	// of the list (as it is the most recently used at that time). The list is
	// pruned to a maximum of maxCsrfTokens, throwing away the least recently used
	// tokens.
	tokens    []string
	tokensMut sync.Mutex

	unique          string
	prefix          string
	apiKeyValidator apiKeyValidator
	next            http.Handler
	saveLocation    string
}

type apiKeyValidator interface {
	IsValidAPIKey(key string) bool
}

// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
// the request with 403. For / and /index.html, set a new CSRF cookie if none
// is currently set.
func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, saveLocation string) *csrfManager {
	m := &csrfManager{
		tokensMut:       sync.NewMutex(),
		tokens:          make([]string, 0, maxCsrfTokens),
		unique:          unique,
		prefix:          prefix,
		apiKeyValidator: apiKeyValidator,
		next:            next,
		saveLocation:    saveLocation,
	}
	m.load()
	return m
}

func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Allow requests carrying a valid API key
	if hasValidAPIKeyHeader(r, m.apiKeyValidator) {
		// Set the access-control-allow-origin header for CORS requests
		// since a valid API key has been provided
		w.Header().Add("Access-Control-Allow-Origin", "*")
		m.next.ServeHTTP(w, r)
		return
	}

	if strings.HasPrefix(r.URL.Path, "/rest/debug") {
		// Debugging functions are only available when explicitly
		// enabled, and can be accessed without a CSRF token
		m.next.ServeHTTP(w, r)
		return
	}

	if strings.HasPrefix(r.URL.Path, "/rest/noauth") {
		// REST calls that don't require authentication also do not
		// need a CSRF token.
		m.next.ServeHTTP(w, r)
		return
	}

	// Allow requests for anything not under the protected path prefix,
	// and set a CSRF cookie if there isn't already a valid one.
	if !strings.HasPrefix(r.URL.Path, m.prefix) {
		cookie, err := r.Cookie("CSRF-Token-" + m.unique)
		if err != nil || !m.validToken(cookie.Value) {
			l.Debugln("new CSRF cookie in response to request for", r.URL)
			cookie = &http.Cookie{
				Name:  "CSRF-Token-" + m.unique,
				Value: m.newToken(),
			}
			http.SetCookie(w, cookie)
		}
		m.next.ServeHTTP(w, r)
		return
	}

	// Verify the CSRF token
	token := r.Header.Get("X-CSRF-Token-" + m.unique)
	if !m.validToken(token) {
		http.Error(w, "CSRF Error", http.StatusForbidden)
		return
	}

	m.next.ServeHTTP(w, r)
}

func (m *csrfManager) validToken(token string) bool {
	m.tokensMut.Lock()
	defer m.tokensMut.Unlock()
	for i, t := range m.tokens {
		if t == token {
			if i > 0 {
				// Move this token to the head of the list. Copy the tokens at
				// the front one step to the right and then replace the token
				// at the head.
				copy(m.tokens[1:], m.tokens[:i])
				m.tokens[0] = token
			}
			return true
		}
	}
	return false
}

func (m *csrfManager) newToken() string {
	token := rand.String(32)

	m.tokensMut.Lock()
	defer m.tokensMut.Unlock()

	if len(m.tokens) < maxCsrfTokens {
		m.tokens = append(m.tokens, "")
	}
	copy(m.tokens[1:], m.tokens)
	m.tokens[0] = token

	m.save()

	return token
}

func (m *csrfManager) save() {
	// We're ignoring errors in here. It's not super critical and there's
	// nothing relevant we can do about them anyway...

	if m.saveLocation == "" {
		return
	}

	f, err := osutil.CreateAtomic(m.saveLocation)
	if err != nil {
		return
	}

	for _, t := range m.tokens {
		fmt.Fprintln(f, t)
	}

	f.Close()
}

func (m *csrfManager) load() {
	if m.saveLocation == "" {
		return
	}

	f, err := os.Open(m.saveLocation)
	if err != nil {
		return
	}
	defer f.Close()

	s := bufio.NewScanner(f)
	for s.Scan() {
		m.tokens = append(m.tokens, s.Text())
	}
}

func hasValidAPIKeyHeader(r *http.Request, validator apiKeyValidator) bool {
	if key := r.Header.Get("X-API-Key"); validator.IsValidAPIKey(key) {
		return true
	}
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(auth), "bearer ") {
		bearerToken := auth[len("bearer "):]
		return validator.IsValidAPIKey(bearerToken)
	}
	return false
}