github/bettercap
1
0
Fork 0
mirror of https://github.com/bettercap/bettercap synced 2025-08-14 18:57:17 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

refact: refactored api.rest to avoid using global variables

Browse source
This commit is contained in:
evilsocket 2018-03-01 18:06:42 +01:00
commit 894cbe76a1
2 changed files with 40 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

24
modules/api_rest.go
View file

@ -14,15 +14,19 @@ import (
type RestAPI struct {
session.SessionModule
server *http.Server
certFile string
keyFile string
server *http.Server
username string
password string
certFile string
keyFile string
useWebsocket bool
}
func NewRestAPI(s *session.Session) *RestAPI {
api := &RestAPI{
SessionModule: session.NewSessionModule("api.rest", s),
server: &http.Server{},
useWebsocket: false,
}
api.AddParam(session.NewStringParameter("api.rest.address",
@ -54,6 +58,10 @@ func NewRestAPI(s *session.Session) *RestAPI {
"",
"API TLS key"))
api.AddParam(session.NewBoolParameter("api.rest.websocket",
"false",
"If true the /api/events route will be available as a websocket endpoint instead of HTTPS."))
api.AddHandler(session.NewModuleHandler("api.rest on", "",
"Start REST API server.",
func(args []string) error {
@ -106,9 +114,11 @@ func (api *RestAPI) Configure() error {
return err
} else if api.keyFile, err = core.ExpandPath(api.keyFile); err != nil {
return err
} else if err, ApiUsername = api.StringParam("api.rest.username"); err != nil {
} else if err, api.username = api.StringParam("api.rest.username"); err != nil {
return err
} else if err, ApiPassword = api.StringParam("api.rest.password"); err != nil {
} else if err, api.password = api.StringParam("api.rest.password"); err != nil {
return err
} else if err, api.useWebsocket = api.BoolParam("api.rest.websocket"); err != nil {
return err
} else if core.Exists(api.certFile) == false || core.Exists(api.keyFile) == false {
log.Info("Generating TLS key to %s", api.keyFile)
@ -125,8 +135,8 @@ func (api *RestAPI) Configure() error {
router := http.NewServeMux()
router.HandleFunc("/api/session", SessionRoute)
router.HandleFunc("/api/events", EventsRoute)
router.HandleFunc("/api/session", api.sessionRoute)
router.HandleFunc("/api/events", api.eventsRoute)
api.server.Handler = router

51
modules/api_rest_controller.go
View file

@ -9,11 +9,6 @@ import (
"github.com/bettercap/bettercap/session"
)
var (
ApiUsername = ""
ApiPassword = ""
)
type CommandRequest struct {
Command string `json:"cmd"`
}
@ -23,17 +18,6 @@ type APIResponse struct {
Message string `json:"msg"`
}
func checkAuth(r *http.Request) bool {
user, pass, _ := r.BasicAuth()
// timing attack my ass
if subtle.ConstantTimeCompare([]byte(user), []byte(ApiUsername)) != 1 {
return false
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(ApiPassword)) != 1 {
return false
}
return true
}
func setAuthFailed(w http.ResponseWriter) {
w.Header().Set("WWW-Authenticate", `Basic realm="auth"`)
w.WriteHeader(401)
@ -52,11 +36,22 @@ func toJSON(w http.ResponseWriter, o interface{}) {
json.NewEncoder(w).Encode(o)
}
func showSession(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) checkAuth(r *http.Request) bool {
user, pass, _ := r.BasicAuth()
// timing attack my ass
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
return false
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
return false
}
return true
}
func (api *RestAPI) showSession(w http.ResponseWriter, r *http.Request) {
toJSON(w, session.I)
}
func runSessionCommand(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) runSessionCommand(w http.ResponseWriter, r *http.Request) {
var err error
var cmd CommandRequest
@ -71,7 +66,7 @@ func runSessionCommand(w http.ResponseWriter, r *http.Request) {
}
}
func showEvents(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) showEvents(w http.ResponseWriter, r *http.Request) {
var err error
events := session.I.Events.Sorted()
@ -94,33 +89,33 @@ func showEvents(w http.ResponseWriter, r *http.Request) {
toJSON(w, events[0:n])
}
func clearEvents(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) clearEvents(w http.ResponseWriter, r *http.Request) {
session.I.Events.Clear()
}
func SessionRoute(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
setSecurityHeaders(w)
if checkAuth(r) == false {
if api.checkAuth(r) == false {
setAuthFailed(w)
} else if r.Method == "GET" {
showSession(w, r)
api.showSession(w, r)
} else if r.Method == "POST" {
runSessionCommand(w, r)
api.runSessionCommand(w, r)
} else {
http.Error(w, "Bad Request", 400)
}
}
func EventsRoute(w http.ResponseWriter, r *http.Request) {
func (api *RestAPI) eventsRoute(w http.ResponseWriter, r *http.Request) {
setSecurityHeaders(w)
if checkAuth(r) == false {
if api.checkAuth(r) == false {
setAuthFailed(w)
} else if r.Method == "GET" {
showEvents(w, r)
api.showEvents(w, r)
} else if r.Method == "DELETE" {
clearEvents(w, r)
api.clearEvents(w, r)
} else {
http.Error(w, "Bad Request", 400)
}