Exemple #1
0
        /// <summary>Creates a deep copy of the HttpInput class</summary>
        /// <param name="input">The object to copy</param>
        /// <remarks>The function makes a deep copy of quite a lot which can be slow</remarks>
        protected HttpInput(HttpInput input)
        {
            foreach (HttpInputItem item in input)
            {
                _items.Add(item.Name, new HttpInputItem(item));
            }

            Name           = input._name;
            _ignoreChanges = input._ignoreChanges;
        }
Exemple #2
0
        private static void TestToString()
        {
            string    queryString = "title=hello&firstname=jonas&status=super";
            HttpInput input       = HttpHelper.ParseQueryString(queryString);

            Assert.Equal(queryString, input.ToString(true));

            queryString = "title[jonas]=hello&title[arne]=ohno&firstname=jonas&status=super";
            input       = HttpHelper.ParseQueryString(queryString);
            Assert.Equal(queryString, input.ToString(true));
        }
Exemple #3
0
 /// <summary>
 /// Clear everything in the request
 /// </summary>
 public void Clear()
 {
     _body.Dispose();
     _body          = new MemoryStream();
     _contentLength = 0;
     _method        = string.Empty;
     _uri           = HttpHelper.EmptyUri;
     _queryString   = HttpInput.Empty;
     _bodyBytesLeft = 0;
     _headers.Clear();
     _connection = ConnectionType.Close;
     IsAjax      = false;
     _form.Clear();
 }
Exemple #4
0
        private void ReadLogData(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session, BodyWriter bw)
        {
            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            if (string.IsNullOrEmpty(input["id"].Value))
            {
                RESTHandler.HandleControlCGI(request, response, session, bw, typeof(RESTMethods.LogData));
            }
            else
            {
                var key = string.Format("{0}/{1}", input["id"].Value, Duplicati.Library.Utility.Utility.ParseBool(input["remotelog"].Value, false) ? "remotelog" : "log");
                RESTHandler.DoProcess(request, response, session, request.Method, typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
        }
        /// <summary>
        /// Add a sub item.
        /// </summary>
        /// <param name="name">Can contain array formatting, the item is then parsed and added in multiple levels</param>
        /// <param name="value">Value to add.</param>
        /// <exception cref="ArgumentNullException">Argument is null.</exception>
        /// <exception cref="InvalidOperationException">Cannot add stuff to <see cref="HttpInput.Empty"/>.</exception>
        public void Add(string name, string value)
        {
            if (name == null && value != null)
            {
                throw new ArgumentNullException("name");
            }
            if (name == null)
            {
                return;
            }
            if (_ignoreChanges)
            {
                throw new InvalidOperationException("Cannot add stuff to HttpInput.Empty.");
            }

            int pos = name.IndexOf('[');

            if (pos != -1)
            {
                string name1 = name.Substring(0, pos);
                string name2 = HttpInput.ExtractOne(name);
                if (!_items.ContainsKey(name1))
                {
                    _items.Add(name1, new HttpInputItem(name1, null));
                }
                _items[name1].Add(name2, value);

                /*
                 * HttpInputItem item = HttpInput.ParseItem(name, value);
                 *
                 * // Add the value to an existing sub item
                 * if (_items.ContainsKey(item.Name))
                 * _items[item.Name].Add(item.Value);
                 * else
                 * _items.Add(item.Name, item);
                 */
            }
            else
            {
                if (_items.ContainsKey(name))
                {
                    _items[name].Add(value);
                }
                else
                {
                    _items.Add(name, new HttpInputItem(name, value));
                }
            }
        }
Exemple #6
0
 /// <summary>
 /// Clear everything in the request
 /// </summary>
 public void Clear()
 {
     //return;
     _body.Dispose();
     _body          = new MemoryStream();
     _contentLength = 0;
     _method        = string.Empty;
     _uri           = null;
     _queryString   = HttpInput.Empty;
     _bodyBytesLeft = 0;
     _headers.Clear();
     _connection = ConnectionType.Close;
     _param.SetForm(HttpInput.Empty);
     _param.SetQueryString(HttpInput.Empty);
     IsAjax = false;
     _form.Clear();
 }
Exemple #7
0
 /// <summary>
 /// Clear everything in the request
 /// </summary>
 public void Clear()
 {
     if (_body != null && _body.CanRead)
     {
         _body.Dispose();
     }
     _body          = null;
     _contentLength = 0;
     _method        = string.Empty;
     _uri           = HttpHelper.EmptyUri;
     _queryString   = HttpInput.Empty;
     _bodyBytesLeft = 0;
     _headers.Clear();
     _connection = ConnectionType.KeepAlive;
     IsAjax      = false;
     _form.Clear();
 }
Exemple #8
0
        /// <summary>
        /// Parses a query string.
        /// </summary>
        /// <param name="queryString">Query string (URI encoded)</param>
        /// <returns>A <see cref="HttpInput"/> object if successful; otherwise <see cref="HttpInput.Empty"/></returns>
        /// <exception cref="ArgumentNullException"><c>queryString</c> is null.</exception>
        /// <exception cref="FormatException">If string cannot be parsed.</exception>
        public static HttpInput ParseQueryString(string queryString)
        {
            if (queryString == null)
            {
                throw new ArgumentNullException("queryString");
            }
            if (queryString == string.Empty)
            {
                return(HttpInput.Empty);
            }

            HttpInput input = new HttpInput("QueryString");

            queryString = queryString.TrimStart('?', '&');

            // a simple value.
            if (queryString.IndexOf("&") == -1 && !queryString.Contains("%3d") && !queryString.Contains("%3D") && !queryString.Contains("="))
            {
                input.Add(string.Empty, queryString);
                return(input);
            }

            int    state    = 0;
            int    startpos = 0;
            string name     = null;

            for (int i = 0; i < queryString.Length; ++i)
            {
                int newIndexPos;
                if (state == 0 && IsEqual(queryString, ref i, out newIndexPos))
                {
                    name     = queryString.Substring(startpos, i - startpos);
                    i        = newIndexPos;
                    startpos = i + 1;
                    ++state;
                }
                else if (state == 1 && IsAmp(queryString, ref i, out newIndexPos))
                {
                    Add(input, name, queryString.Substring(startpos, i - startpos));
                    i        = newIndexPos;
                    startpos = i + 1;
                    state    = 0;
                    name     = null;
                }
            }

            if (state == 0 && !input.GetEnumerator().MoveNext())
            {
                throw new FormatException("Not a valid query string: " + queryString);
            }

            if (startpos <= queryString.Length)
            {
                if (name != null)
                {
                    Add(input, name, queryString.Substring(startpos, queryString.Length - startpos));
                }
                else
                {
                    Add(input, string.Empty, queryString.Substring(startpos, queryString.Length - startpos));
                }
            }


            return(input);
        }
        public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
        {
            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            var auth_token = FindAuthCookie(request);
            var xsrf_token = FindXSRFToken(request);

            if (!HasXSRFCookie(request))
            {
                var cookieAdded = AddXSRFTokenToRespone(response);

                if (!cookieAdded)
                {
                    response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
                    response.Reason = "Too Many Concurrent Request, try again later";
                    return(true);
                }
            }
            Tuple <DateTime, string> tmpTuple;
            DateTime tmpDateTime;

            if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
            {
                if (!string.IsNullOrWhiteSpace(auth_token))
                {
                    // Remove the active auth token
                    m_activeTokens.TryRemove(auth_token, out tmpDateTime);
                }

                response.Status = System.Net.HttpStatusCode.NoContent;
                response.Reason = "OK";

                return(true);
            }
            else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
            {
                // Remove expired nonces
                foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key))
                {
                    m_activeNonces.TryRemove(k, out tmpTuple);
                }

                if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
                {
                    if (m_activeNonces.Count > 50)
                    {
                        response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
                        response.Reason = "Too many active login attempts";
                        return(true);
                    }

                    var password = Program.DataConnection.ApplicationSettings.WebserverPassword;

                    if (request.Headers[TRAYICONPASSWORDSOURCE_HEADER] == "database")
                    {
                        password = Program.DataConnection.ApplicationSettings.WebserverPasswordTrayIconHash;
                    }

                    var buf     = new byte[32];
                    var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES);
                    m_prng.GetBytes(buf);
                    var nonce = Convert.ToBase64String(buf);

                    var sha256 = System.Security.Cryptography.SHA256.Create();
                    sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
                    buf = Convert.FromBase64String(password);
                    sha256.TransformFinalBlock(buf, 0, buf.Length);
                    var pwd = Convert.ToBase64String(sha256.Hash);

                    m_activeNonces.AddOrUpdate(nonce, key => new Tuple <DateTime, string>(expires, pwd), (key, existingValue) =>
                    {
                        // Simulate the original behavior => if the nonce, against all odds, is already used
                        // we throw an ArgumentException
                        throw new ArgumentException("An element with the same key already exists in the dictionary.");
                    });

                    response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
                    using (var bw = new BodyWriter(response, request))
                    {
                        bw.OutputOK(new {
                            Status = "OK",
                            Nonce  = nonce,
                            Salt   = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
                        });
                    }
                    return(true);
                }
                else
                {
                    if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
                    {
                        var nonce_el   = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
                        var nonce      = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
                        var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
                        if (m_activeNonces.ContainsKey(urldecoded))
                        {
                            nonce = urldecoded;
                        }

                        if (!m_activeNonces.ContainsKey(nonce))
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var pwd = m_activeNonces[nonce].Item2;

                        // Remove the nonce
                        m_activeNonces.TryRemove(nonce, out tmpTuple);

                        if (pwd != input["password"].Value)
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var buf     = new byte[32];
                        var expires = DateTime.UtcNow.AddHours(1);
                        m_prng.GetBytes(buf);
                        var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
                        while (token.Length > 0 && token.EndsWith("=", StringComparison.Ordinal))
                        {
                            token = token.Substring(0, token.Length - 1);
                        }

                        m_activeTokens.AddOrUpdate(token, key => expires, (key, existingValue) =>
                        {
                            // Simulate the original behavior => if the token, against all odds, is already used
                            // we throw an ArgumentException
                            throw new ArgumentException("An element with the same key already exists in the dictionary.");
                        });

                        response.Cookies.Add(new  HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));

                        using (var bw = new BodyWriter(response, request))
                            bw.OutputOK();

                        return(true);
                    }
                }
            }

            var limitedAccess =
                request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.OrdinalIgnoreCase)
            ;

            // Override to allow the CAPTCHA call to go through
            if (request.Uri.AbsolutePath.StartsWith(CAPTCHA_IMAGE_URI, StringComparison.OrdinalIgnoreCase) && request.Method == "GET")
            {
                limitedAccess = false;
            }

            if (limitedAccess)
            {
                if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token))
                {
                    var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES);
                    m_activexsrf[xsrf_token] = expires;
                    response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires));
                }
                else
                {
                    response.Status = System.Net.HttpStatusCode.BadRequest;
                    response.Reason = "Missing XSRF Token. Please reload the page";

                    return(true);
                }
            }

            if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
            {
                return(false);
            }

            foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key))
            {
                m_activeTokens.TryRemove(k, out tmpDateTime);
            }


            // If we have a valid token, proceed
            if (!string.IsNullOrWhiteSpace(auth_token))
            {
                DateTime expires;
                var      found = m_activeTokens.TryGetValue(auth_token, out expires);
                if (!found)
                {
                    auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
                    found      = m_activeTokens.TryGetValue(auth_token, out expires);
                }

                if (found && DateTime.UtcNow < expires)
                {
                    expires = DateTime.UtcNow.AddHours(1);

                    m_activeTokens[auth_token] = expires;
                    response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
                    return(false);
                }
            }

            if ("/".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
            {
                response.Redirect("/login.html");
                return(true);
            }

            if (limitedAccess)
            {
                response.Status = System.Net.HttpStatusCode.Unauthorized;
                response.Reason = "Not logged in";
                response.AddHeader("Location", "login.html");

                return(true);
            }

            return(false);
        }
Exemple #10
0
 internal void SetForm(HttpInput form)
 {
     _form = form;
 }
Exemple #11
0
 internal void SetQueryString(HttpInput query)
 {
     _query = query;
 }
Exemple #12
0
        public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
        {
            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            var authcookie = request.Cookies[AUTH_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(AUTH_COOKIE_NAME)];
            var authinput  = input["auth-token"] ?? input[Library.Utility.Uri.UrlEncode("auth-token")];

            var auth_token = authcookie == null || string.IsNullOrWhiteSpace(authcookie.Value) ? null : authcookie.Value;

            if (authinput != null && !string.IsNullOrWhiteSpace(authinput.Value))
            {
                auth_token = input["auth-token"].Value;
            }

            if (request.Uri.AbsolutePath == "/logout.cgi")
            {
                if (!string.IsNullOrWhiteSpace(auth_token))
                {
                    if (m_activeTokens.ContainsKey(auth_token))
                    {
                        m_activeTokens.Remove(auth_token);
                    }
                }

                response.Status = System.Net.HttpStatusCode.NoContent;
                response.Reason = "OK";

                return(true);
            }
            else if (request.Uri.AbsolutePath == "/login.cgi")
            {
                foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList())
                {
                    m_activeNonces.Remove(k);
                }

                if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
                {
                    if (m_activeNonces.Count > 50)
                    {
                        response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
                        response.Reason = "Too many active login attempts";
                        return(true);
                    }

                    var buf     = new byte[32];
                    var expires = DateTime.UtcNow.AddMinutes(10);
                    m_prng.GetBytes(buf);
                    var nonce = Convert.ToBase64String(buf);

                    var sha256 = System.Security.Cryptography.SHA256.Create();
                    sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
                    buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword);
                    sha256.TransformFinalBlock(buf, 0, buf.Length);
                    var pwd = Convert.ToBase64String(sha256.Hash);

                    m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd));

                    response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
                    using (var bw = new BodyWriter(response))
                    {
                        bw.OutputOK(new {
                            Status = "OK",
                            Nonce  = nonce,
                            Salt   = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
                        });
                    }
                    return(true);
                }
                else
                {
                    if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
                    {
                        var nonce_el   = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
                        var nonce      = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
                        var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
                        if (m_activeNonces.ContainsKey(urldecoded))
                        {
                            nonce = urldecoded;
                        }

                        if (!m_activeNonces.ContainsKey(nonce))
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var pwd = m_activeNonces[nonce].Item2;
                        m_activeNonces.Remove(nonce);

                        if (pwd != input["password"].Value)
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var buf     = new byte[32];
                        var expires = DateTime.UtcNow.AddHours(1);
                        m_prng.GetBytes(buf);
                        var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
                        while (token.Length > 0 && token.EndsWith("="))
                        {
                            token = token.Substring(0, token.Length - 1);
                        }

                        m_activeTokens.Add(token, expires);
                        response.Cookies.Add(new  HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));

                        using (var bw = new BodyWriter(response))
                            bw.OutputOK();

                        return(true);
                    }
                }
            }

            if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
            {
                return(false);
            }

            foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList())
            {
                m_activeTokens.Remove(k);
            }


            // If we have a valid token, proceeed
            if (!string.IsNullOrWhiteSpace(auth_token))
            {
                DateTime expires;
                var      found = m_activeTokens.TryGetValue(auth_token, out expires);
                if (!found)
                {
                    auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
                    found      = m_activeTokens.TryGetValue(auth_token, out expires);
                }

                if (found && DateTime.UtcNow < expires)
                {
                    expires = DateTime.UtcNow.AddHours(1);
                    m_activeTokens[auth_token] = expires;
                    response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
                    return(false);
                }
            }

            if (request.Uri.AbsolutePath == "/" || request.Uri.AbsolutePath == "/index.html")
            {
                response.Redirect("/login.html");
                return(true);
            }

            if (request.Uri.AbsolutePath == "/control.cgi")
            {
                response.Status = System.Net.HttpStatusCode.Unauthorized;
                response.Reason = "Not logged in";
                response.AddHeader("Location", "login.html");

                return(true);
            }

            return(false);
        }
Exemple #13
0
 /// <summary>
 /// Makes a deep copy of the input
 /// </summary>
 /// <param name="input">The input to copy</param>
 public HttpForm(HttpInput input) : base(input)
 {
 }
Exemple #14
0
        public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
        {
            //We use the fake entry point /control.cgi to listen for requests
            //This ensures that the rest of the webserver can just serve plain files
            if (!request.Uri.AbsolutePath.Equals(CONTROL_HANDLER_URI, StringComparison.InvariantCultureIgnoreCase))
            {
                return(false);
            }

            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            string action = input["action"].Value ?? "";

            //Lookup the actual handler method
            ProcessSub method;

            SUPPORTED_METHODS.TryGetValue(action, out method);

            if (method == null)
            {
                response.Status = System.Net.HttpStatusCode.NotImplemented;
                response.Reason = "Unsupported action: " + (action == null ? "<null>" : "");
                response.Send();
            }
            else
            {
                //Default setup
                response.Status = System.Net.HttpStatusCode.OK;
                response.Reason = "OK";
                #if DEBUG
                response.ContentType = "text/plain";
                #else
                response.ContentType = "text/json";
                #endif
                using (BodyWriter bw = new BodyWriter(response, request))
                {
                    try
                    {
                        method(request, response, session, bw);
                    }
                    catch (Exception ex)
                    {
                        Program.DataConnection.LogError("", string.Format("Request for {0} gave error", action), ex);
                        Console.WriteLine(ex.ToString());

                        try
                        {
                            if (!response.HeadersSent)
                            {
                                response.Status      = System.Net.HttpStatusCode.InternalServerError;
                                response.Reason      = "Error";
                                response.ContentType = "text/plain";

                                bw.WriteJsonObject(new
                                {
                                    Message = ex.Message,
                                    Type    = ex.GetType().Name,
                                    #if DEBUG
                                    Stacktrace = ex.ToString()
                                    #endif
                                });
                                bw.Flush();
                            }
                        }
                        catch (Exception flex)
                        {
                            Program.DataConnection.LogError("", "Reporting error gave error", flex);
                        }
                    }
                }
            }

            return(true);
        }
Exemple #15
0
        private void SendCommand(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session, BodyWriter bw)
        {
            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            string command = input["command"].Value ?? "";

            switch (command.ToLowerInvariant())
            {
            case "check-update":
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "check");
                return;

            case "install-update":
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "install");
                return;

            case "activate-update":
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "activate");
                return;

            case "pause":
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.ServerState).Name.ToLowerInvariant(), "pause");
                return;

            case "resume":
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.ServerState).Name.ToLowerInvariant(), "resume");
                return;

            case "stop":
            case "abort":
            {
                var key = string.Format("{0}/{1}", input["taskid"].Value, command);
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Task).Name.ToLowerInvariant(), key);
            }
                return;

            case "is-backup-active":
            {
                var key = string.Format("{0}/isactive", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "GET", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            case "run":
            case "run-backup":
            {
                var key = string.Format("{0}/start", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            case "run-verify":
            {
                var key = string.Format("{0}/verify", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            case "run-repair-update":
            {
                var key = string.Format("{0}/repairupdate", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            case "run-repair":
            {
                var key = string.Format("{0}/repair", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            case "create-report":
            {
                var key = string.Format("{0}/createreport", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
            }
                return;

            default:
            {
                var key = string.Format("{0}", Library.Utility.Uri.UrlPathEncode(input["command"].Value));
                RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.WebModule).Name.ToLowerInvariant(), key);
                return;
            }
            }
        }
Exemple #16
0
        public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
        {
            HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;

            var auth_token = FindAuthCookie(request);
            var xsrf_token = FindXSRFToken(request);

            if (!HasXSRFCookie(request))
            {
                var cookieAdded = AddXSRFTokenToRespone(response);

                if (!cookieAdded)
                {
                    response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
                    response.Reason = "Too Many Concurrent Request, try again later";
                    return(true);
                }
            }

            if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
            {
                if (!string.IsNullOrWhiteSpace(auth_token))
                {
                    if (m_activeTokens.ContainsKey(auth_token))
                    {
                        m_activeTokens.Remove(auth_token);
                    }
                }

                response.Status = System.Net.HttpStatusCode.NoContent;
                response.Reason = "OK";

                return(true);
            }
            else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
            {
                foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList())
                {
                    m_activeNonces.Remove(k);
                }

                if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
                {
                    if (m_activeNonces.Count > 50)
                    {
                        response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
                        response.Reason = "Too many active login attempts";
                        return(true);
                    }

                    var buf     = new byte[32];
                    var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES);
                    m_prng.GetBytes(buf);
                    var nonce = Convert.ToBase64String(buf);

                    var sha256 = System.Security.Cryptography.SHA256.Create();
                    sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
                    buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword);
                    sha256.TransformFinalBlock(buf, 0, buf.Length);
                    var pwd = Convert.ToBase64String(sha256.Hash);

                    m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd));

                    response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
                    using (var bw = new BodyWriter(response, request))
                    {
                        bw.OutputOK(new {
                            Status = "OK",
                            Nonce  = nonce,
                            Salt   = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
                        });
                    }
                    return(true);
                }
                else
                {
                    if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
                    {
                        var nonce_el   = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
                        var nonce      = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
                        var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
                        if (m_activeNonces.ContainsKey(urldecoded))
                        {
                            nonce = urldecoded;
                        }

                        if (!m_activeNonces.ContainsKey(nonce))
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var pwd = m_activeNonces[nonce].Item2;
                        m_activeNonces.Remove(nonce);

                        if (pwd != input["password"].Value)
                        {
                            response.Status      = System.Net.HttpStatusCode.Unauthorized;
                            response.Reason      = "Unauthorized";
                            response.ContentType = "application/json";
                            return(true);
                        }

                        var buf     = new byte[32];
                        var expires = DateTime.UtcNow.AddHours(1);
                        m_prng.GetBytes(buf);
                        var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
                        while (token.Length > 0 && token.EndsWith("="))
                        {
                            token = token.Substring(0, token.Length - 1);
                        }

                        m_activeTokens.Add(token, expires);
                        response.Cookies.Add(new  HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));

                        using (var bw = new BodyWriter(response, request))
                            bw.OutputOK();

                        return(true);
                    }
                }
            }

            var limitedAccess =
                ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)
                ||
                request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.InvariantCultureIgnoreCase)
            ;

            if (limitedAccess)
            {
                if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token))
                {
                    var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES);
                    m_activexsrf[xsrf_token] = expires;
                    response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires));
                }
                else
                {
                    response.Status = System.Net.HttpStatusCode.BadRequest;
                    response.Reason = "Missing XSRF Token";

                    return(true);
                }
            }

            if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
            {
                return(false);
            }

            foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList())
            {
                m_activeTokens.Remove(k);
            }


            // If we have a valid token, proceeed
            if (!string.IsNullOrWhiteSpace(auth_token))
            {
                DateTime expires;
                var      found = m_activeTokens.TryGetValue(auth_token, out expires);
                if (!found)
                {
                    auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
                    found      = m_activeTokens.TryGetValue(auth_token, out expires);
                }

                if (found && DateTime.UtcNow < expires)
                {
                    expires = DateTime.UtcNow.AddHours(1);
                    m_activeTokens[auth_token] = expires;
                    response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
                    return(false);
                }
            }

            if ("/".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
            {
                response.Redirect("/login.html");
                return(true);
            }

            if (ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
            {
                response.Status = System.Net.HttpStatusCode.Unauthorized;
                response.Reason = "Not logged in";
                response.AddHeader("Location", "login.html");

                return(true);
            }

            return(false);
        }