mirror of
https://github.com/bettercap/bettercap
synced 2025-08-19 21:13:18 -07:00
refact: refactored api.rest to avoid using global variables
This commit is contained in:
evilsocket
parent
9586127419
commit
894cbe76a1
2 changed files with 40 additions and 35 deletions
|
|
@ -14,15 +14,19 @@ import (
|
||||||
|
|
||||||
type RestAPI struct {
|
type RestAPI struct {
|
||||||
session.SessionModule
|
session.SessionModule
|
||||||
server *http.Server
|
server *http.Server
|
||||||
certFile string
|
username string
|
||||||
keyFile string
|
password string
|
||||||
|
certFile string
|
||||||
|
keyFile string
|
||||||
|
useWebsocket bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewRestAPI(s *session.Session) *RestAPI {
|
func NewRestAPI(s *session.Session) *RestAPI {
|
||||||
api := &RestAPI{
|
api := &RestAPI{
|
||||||
SessionModule: session.NewSessionModule("api.rest", s),
|
SessionModule: session.NewSessionModule("api.rest", s),
|
||||||
server: &http.Server{},
|
server: &http.Server{},
|
||||||
|
useWebsocket: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
api.AddParam(session.NewStringParameter("api.rest.address",
|
api.AddParam(session.NewStringParameter("api.rest.address",
|
||||||
|
|
@ -54,6 +58,10 @@ func NewRestAPI(s *session.Session) *RestAPI {
|
||||||
"",
|
"",
|
||||||
"API TLS key"))
|
"API TLS key"))
|
||||||
|
|
||||||
|
api.AddParam(session.NewBoolParameter("api.rest.websocket",
|
||||||
|
"false",
|
||||||
|
"If true the /api/events route will be available as a websocket endpoint instead of HTTPS."))
|
||||||
|
|
||||||
api.AddHandler(session.NewModuleHandler("api.rest on", "",
|
api.AddHandler(session.NewModuleHandler("api.rest on", "",
|
||||||
"Start REST API server.",
|
"Start REST API server.",
|
||||||
func(args []string) error {
|
func(args []string) error {
|
||||||
|
|
@ -106,9 +114,11 @@ func (api *RestAPI) Configure() error {
|
||||||
return err
|
return err
|
||||||
} else if api.keyFile, err = core.ExpandPath(api.keyFile); err != nil {
|
} else if api.keyFile, err = core.ExpandPath(api.keyFile); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if err, ApiUsername = api.StringParam("api.rest.username"); err != nil {
|
} else if err, api.username = api.StringParam("api.rest.username"); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if err, ApiPassword = api.StringParam("api.rest.password"); err != nil {
|
} else if err, api.password = api.StringParam("api.rest.password"); err != nil {
|
||||||
|
return err
|
||||||
|
} else if err, api.useWebsocket = api.BoolParam("api.rest.websocket"); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if core.Exists(api.certFile) == false || core.Exists(api.keyFile) == false {
|
} else if core.Exists(api.certFile) == false || core.Exists(api.keyFile) == false {
|
||||||
log.Info("Generating TLS key to %s", api.keyFile)
|
log.Info("Generating TLS key to %s", api.keyFile)
|
||||||
|
|
@ -125,8 +135,8 @@ func (api *RestAPI) Configure() error {
|
||||||
|
|
||||||
router := http.NewServeMux()
|
router := http.NewServeMux()
|
||||||
|
|
||||||
router.HandleFunc("/api/session", SessionRoute)
|
router.HandleFunc("/api/session", api.sessionRoute)
|
||||||
router.HandleFunc("/api/events", EventsRoute)
|
router.HandleFunc("/api/events", api.eventsRoute)
|
||||||
|
|
||||||
api.server.Handler = router
|
api.server.Handler = router
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,11 +9,6 @@ import (
|
||||||
"github.com/bettercap/bettercap/session"
|
"github.com/bettercap/bettercap/session"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
|
||||||
ApiUsername = ""
|
|
||||||
ApiPassword = ""
|
|
||||||
)
|
|
||||||
|
|
||||||
type CommandRequest struct {
|
type CommandRequest struct {
|
||||||
Command string `json:"cmd"`
|
Command string `json:"cmd"`
|
||||||
}
|
}
|
||||||
|
|
@ -23,17 +18,6 @@ type APIResponse struct {
|
||||||
Message string `json:"msg"`
|
Message string `json:"msg"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkAuth(r *http.Request) bool {
|
|
||||||
user, pass, _ := r.BasicAuth()
|
|
||||||
// timing attack my ass
|
|
||||||
if subtle.ConstantTimeCompare([]byte(user), []byte(ApiUsername)) != 1 {
|
|
||||||
return false
|
|
||||||
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(ApiPassword)) != 1 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func setAuthFailed(w http.ResponseWriter) {
|
func setAuthFailed(w http.ResponseWriter) {
|
||||||
w.Header().Set("WWW-Authenticate", `Basic realm="auth"`)
|
w.Header().Set("WWW-Authenticate", `Basic realm="auth"`)
|
||||||
w.WriteHeader(401)
|
w.WriteHeader(401)
|
||||||
|
|
@ -52,11 +36,22 @@ func toJSON(w http.ResponseWriter, o interface{}) {
|
||||||
json.NewEncoder(w).Encode(o)
|
json.NewEncoder(w).Encode(o)
|
||||||
}
|
}
|
||||||
|
|
||||||
func showSession(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) checkAuth(r *http.Request) bool {
|
||||||
|
user, pass, _ := r.BasicAuth()
|
||||||
|
// timing attack my ass
|
||||||
|
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
|
||||||
|
return false
|
||||||
|
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func (api *RestAPI) showSession(w http.ResponseWriter, r *http.Request) {
|
||||||
toJSON(w, session.I)
|
toJSON(w, session.I)
|
||||||
}
|
}
|
||||||
|
|
||||||
func runSessionCommand(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) runSessionCommand(w http.ResponseWriter, r *http.Request) {
|
||||||
var err error
|
var err error
|
||||||
var cmd CommandRequest
|
var cmd CommandRequest
|
||||||
|
|
||||||
|
|
@ -71,7 +66,7 @@ func runSessionCommand(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func showEvents(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) showEvents(w http.ResponseWriter, r *http.Request) {
|
||||||
var err error
|
var err error
|
||||||
|
|
||||||
events := session.I.Events.Sorted()
|
events := session.I.Events.Sorted()
|
||||||
|
|
@ -94,33 +89,33 @@ func showEvents(w http.ResponseWriter, r *http.Request) {
|
||||||
toJSON(w, events[0:n])
|
toJSON(w, events[0:n])
|
||||||
}
|
}
|
||||||
|
|
||||||
func clearEvents(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) clearEvents(w http.ResponseWriter, r *http.Request) {
|
||||||
session.I.Events.Clear()
|
session.I.Events.Clear()
|
||||||
}
|
}
|
||||||
|
|
||||||
func SessionRoute(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
|
||||||
setSecurityHeaders(w)
|
setSecurityHeaders(w)
|
||||||
|
|
||||||
if checkAuth(r) == false {
|
if api.checkAuth(r) == false {
|
||||||
setAuthFailed(w)
|
setAuthFailed(w)
|
||||||
} else if r.Method == "GET" {
|
} else if r.Method == "GET" {
|
||||||
showSession(w, r)
|
api.showSession(w, r)
|
||||||
} else if r.Method == "POST" {
|
} else if r.Method == "POST" {
|
||||||
runSessionCommand(w, r)
|
api.runSessionCommand(w, r)
|
||||||
} else {
|
} else {
|
||||||
http.Error(w, "Bad Request", 400)
|
http.Error(w, "Bad Request", 400)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func EventsRoute(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) eventsRoute(w http.ResponseWriter, r *http.Request) {
|
||||||
setSecurityHeaders(w)
|
setSecurityHeaders(w)
|
||||||
|
|
||||||
if checkAuth(r) == false {
|
if api.checkAuth(r) == false {
|
||||||
setAuthFailed(w)
|
setAuthFailed(w)
|
||||||
} else if r.Method == "GET" {
|
} else if r.Method == "GET" {
|
||||||
showEvents(w, r)
|
api.showEvents(w, r)
|
||||||
} else if r.Method == "DELETE" {
|
} else if r.Method == "DELETE" {
|
||||||
clearEvents(w, r)
|
api.clearEvents(w, r)
|
||||||
} else {
|
} else {
|
||||||
http.Error(w, "Bad Request", 400)
|
http.Error(w, "Bad Request", 400)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue