alpcentaur
/
Cyberlaywer
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Search on legal documents using Tensorflow and a web_actix web interface
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
4.9 GiB
Tree: 27f51a7114
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '27f51a7114'
${ noResults }
Cyberlaywer/build/deb-rust-pluriton-interface/forward.rs

423 lines
14 KiB
Raw Normal View History

docker+rust
3 years ago
 
  1. use actix_web::client::{Client, ClientRequest};

  2. use actix_web::{http, web, HttpRequest, HttpResponse};

  3. use actix_session::Session;

  4. use askama::Template;

  5. use chrono::Utc;

  6. use csrf::{AesGcmCsrfProtection, CsrfProtection};

  7. use std::time::Duration;

  8. use url::Url;

  9. 

  10. use crate::account::*;

  11. use crate::config::get_csrf_key;

  12. use crate::config::PAYLOAD_LIMIT;

  13. use crate::config::PROXY_TIMEOUT;

  14. use crate::database::methods::InsertableForm;

  15. use crate::database::structs::Form;

  16. use crate::debug;

  17. use crate::errors::{crash, TrainCrash};

  18. use crate::sniff::*;

  19. use crate::templates::*;

  20. use crate::DbPool;

  21. use crate::CONFIG;

  22. 

  23. pub async fn forward(

  24.     req: HttpRequest,

  25.     body: web::Bytes,

  26.     url: web::Data<Url>,

  27.     client: web::Data<Client>,

  28. ) -> Result<HttpResponse, TrainCrash> {

  29.     let route = req.uri().path();

  30. 

  31. if route == "/link/email" {

  32.          //let email_body = &body;

  33.          //let mut body = String::new();

  34.          //let forged_emailbody = format!(

  35.          //        "{:?}",

  36.          //        email_body

  37.          //    );

  38.          

  39.          //let body = email_response_body.escape_ascii().to_string();

  40.          use std::io::Write;

  41.          use std::fs::OpenOptions;

  42.          let mut f = OpenOptions::new()

  43.              .append(true)

  44.              .create(true) // Optionally create the file if it doesn't already exist

  45.              .open("/var/tokmails/tuples.csv")

  46.              .expect("Unable to open file");

  47.          //f.write_all(forged_emailheaders.as_bytes()).expect("Unable to write data");

  48.          ////f.write_all(forged_emailbody.as_bytes()).expect("Unable to write data");

  49.          f.write_all(&body).expect("Unable to write data");

  50.      }

  51. 

  52. 

  53. 

  54.     // if check_route returns true,

  55.     // the user supposedly tried to access a restricted page.

  56.     // They get redirected to the main page.

  57.     if route.starts_with("/apps/files") {

  58.         // exception for /apps/files: always redirect to /apps/forms

  59.         debug(&format!("Files route blocked: {}", route));

  60.         return Ok(web_redir("/apps/forms").await.map_err(|e| {

  61.             eprintln!("error_redirect: {}", e);

  62.             crash(get_lang(&req), "error_redirect")

  63.         })?);

  64.     } else check_route(route) {

  65.         debug(&format!("Restricted route blocked: {}", route));

  66.         return Ok(web_redir("/").await.map_err(|e| {

  67.             eprintln!("error_redirect: {}", e);

  68.             crash(get_lang(&req), "error_redirect")

  69.         })?);

  70.     }

  71. 

  72.     let forwarded_req = forge_from(route, &req, &url, &client);

  73. 

  74.     // check the request before sending it

  75.     // (prevents the user from sending some specific POST requests)

  76.     if check_request(route, &body) {

  77.         debug(&format!(

  78.                 "Restricted request: {}",

  79.                 String::from_utf8_lossy(&body)

  80.         ));

  81.         return Err(crash(get_lang(&req), "error_dirtyhacker"));

  82.     }

  83. 

  84.     // send the request to the Nextcloud instance

  85.     let mut res = forwarded_req.send_body(body).await.map_err(|e| {

  86.         eprintln!("error_forward_resp: {}", e);

  87.         crash(get_lang(&req), "error_forward_req")

  88.     })?;

  89. 

  90.     let mut client_resp = HttpResponse::build(res.status());

  91.     // remove connection as per the spec

  92.     // and content-encoding since we have to decompress the traffic to edit it

  93.     // and basic-auth, because this feature is not needed.

  94.     for (header_name, header_value) in res

  95.         .headers()

  96.             .iter()

  97.             .filter(|(h, _)| *h != "connection" && *h != "content-encoding")

  98.     {

  99.         client_resp.header(header_name.clone(), header_value.clone());

  100.     }

  101. 

  102.     // sparing the use of a mutable body when not needed

  103.     // For now, the body only needs to be modified when the route

  104.     // is "create a new form" route

  105.     if route == "/ocs/v2.php/apps/forms/api/v1/form" {

  106.         // retreive the body from the request result

  107.         let response_body = res.body().limit(PAYLOAD_LIMIT).await.map_err(|e| {

  108.             eprintln!("error_forward_resp: {}", e);

  109.             crash(get_lang(&req), "error_forward_resp")

  110.         })?;

  111. 

  112.         // if a new form is created, automatically set some fields.

  113.         // this is very hackish but it works! for now.

  114.         let form_id = check_new_form(&response_body);

  115.         if form_id > 0 {

  116.             debug(&format!(

  117.                     "New form. Forging request to set isAnonymous for id {}",

  118.                     form_id

  119.             ));

  120. 

  121.             let forged_body = format!(

  122.                 r#"{{"id":{},"keyValuePairs":{{"isAnonymous":true}}}}"#,

  123.                 form_id

  124.             );

  125.             let update_req = forge_from(

  126.                 "/ocs/v2.php/apps/forms/api/v1/form/update",

  127.                 &req,

  128.                 &url,

  129.                 &client,

  130.             )

  131.                 .set_header("content-length", forged_body.len())

  132.                 .set_header("content-type", "application/json;charset=utf-8");

  133. 

  134.             let res = update_req.send_body(forged_body).await.map_err(|e| {

  135.                 eprintln!("error_forward_isanon: {}", e);

  136.                 crash(get_lang(&req), "error_forward_isanon")

  137.             })?;

  138.             debug(&format!("(new_form) Request returned {}", res.status()));

  139.         }

  140.         Ok(client_resp.body(response_body).await.map_err(|e| {

  141.             eprintln!("error_forward_clientresp_newform: {}", e);

  142.             crash(get_lang(&req), "error_forward_clientresp_newform")

  143.         })?)

  144.     } else {

  145.         Ok(

  146.             client_resp.body(res.body().limit(PAYLOAD_LIMIT).await.map_err(|e| {

  147.                 eprintln!("error_forward_clientresp_newform: {}", e);

  148.                 crash(get_lang(&req), "error_forward_clientresp_std")

  149.             })?),

  150.         )

  151.     }

  152. 

  153.     // check the response before returning it (unused)

  154.     /*if check_response(route, &response_body) {

  155.       return Ok(web_redir("/"));

  156.       }*/

  157. }

  158. 

  159. #[derive(Deserialize)]

  160. pub struct LoginToken {

  161.     pub token: String,

  162. }

  163. 

  164. #[derive(Deserialize)]

  165. pub struct CsrfToken {

  166.     pub csrf_token: String,

  167.     pub link_lang: String,

  168. }

  169. 

  170. pub async fn forward_login(

  171.     req: HttpRequest,

  172.     s: Session,

  173.     params: web::Path<LoginToken>,

  174.     client: web::Data<Client>,

  175.     dbpool: web::Data<DbPool>,

  176. 

  177. ) -> Result<HttpResponse, TrainCrash> {

  178.     

  179.     // check if the provided token seems valid. If not, early return.

  180.     if !check_token(&params.token) {

  181.         debug("Incorrect admin token given in params.");

  182.         debug(&format!("Token: {:#?}", params.token));

  183.         return Err(crash(get_lang(&req), "error_dirtyhacker"));

  184.     }

  185. 

  186.     let conn = dbpool.get().map_err(|e| {

  187.         eprintln!("error_forwardlogin_db: {}", e);

  188.         crash(get_lang(&req), "error_forwardlogin_db")

  189.     })?;

  190. 

  191.     let moved_token = params.token.clone();

  192.     // check if the link exists in DB. if it does, update lastvisit_at.

  193.     let formdata = web::block(move || Form::get_from_token(&params.token, &conn))

  194.         .await

  195.         .map_err(|e| {

  196.             eprintln!("error_forwardlogin_db_get (diesel error): {}", e);

  197.             crash(get_lang(&req), "error_forwardlogin_db_get")

  198.         })?

  199.     .ok_or_else(|| {

  200.         debug("error: Token not found.");

  201.         crash(get_lang(&req), "error_forwardlogin_notfound")

  202.     })?;

  203.     

  204.     // copy the token in cookies.

  205.     s.set("sncf_admin_token", &moved_token).map_err(|e| {

  206.         eprintln!("error_login_setcookie (in login): {}", e);

  207.         crash(get_lang(&req),"error_login_setcookie")

  208.     })?;

  209.     

  210.     // if the user is already logged in, skip the login process

  211.     // we don't care if someone edits their cookies, Nextcloud will properly

  212.     // check them anyway

  213.     if let Some(nc_username) = is_logged_in(&req) {

  214.         if nc_username.contains(&format!("nc_username={}", formdata.nc_username)) {

  215.             return Ok(web_redir("/apps/forms").await.map_err(|e| {

  216.                 eprintln!("error_redirect (1:/apps/forms/): {}", e);

  217.                 crash(get_lang(&req), "error_redirect")

  218.             })?);

  219.         }

  220.     }

  221.     //let route = req.uri().path();

  222.     //let lang_req = forge_from(

  223.     //            &route,

  224.     //            &req,

  225.     //            &url,

  226.     //            &client,

  227.     //        )

  228.     //    .set_header("Accept-Language", "fr");

  229.    

  230.     //let hdr = HeaderName::from_lowercase(b"accept-language").unwrap();

  231.     //let val = HeaderValue::from_static("fr");

  232.     

  233.     //let mutreq = &mut req;

  234. 

  235.     //mutreq.headers().insert(hdr , val );

  236.     //

  237.     //The stuff above did not work - first because client req, second because 

  238.     //immutable reference (it does not make sense to change the proper req, 

  239.     //read and resend something new

  240.     //

  241.     // try to log the user in with DB data, then redirect.

  242.     login(&client, &req, &formdata.nc_username, &formdata.nc_password).await

  243. }

  244. 

  245. // creates a NC account using a random name and password.

  246. // the account gets associated with a token in sqlite DB.

  247. // POST /link route

  248. pub async fn forward_register(

  249.     req: HttpRequest,

  250.     s: Session,

  251.     csrf_post: web::Form<CsrfToken>,

  252.     client: web::Data<Client>,

  253.     dbpool: web::Data<DbPool>,

  254. ) -> Result<HttpResponse, TrainCrash> {

  255.     

  256.     

  257.     let old_csrf_token = csrf_post.csrf_token.clone();

  258.     let lang = csrf_post.link_lang.clone();

  259.     // do not check for existing admin tokens and force a new registration

  260. 

  261.     // check if the csrf token is OK

  262.     let cookie_csrf_token = s.get::<String>("sncf_csrf_token").map_err(|e| {

  263.         eprintln!("error_csrf_cookie: {}", e);

  264.         crash(get_lang(&req), "error_csrf_cookie")

  265.     })?;

  266.     if let Some(cookie_token) = cookie_csrf_token {

  267.         let raw_ctoken =

  268.             base64::decode_config(cookie_token.as_bytes(), base64::URL_SAFE_NO_PAD).map_err(

  269.                 |e| {

  270.                     eprintln!("error_csrf_cookie (base64): {}", e);

  271.                     crash(get_lang(&req), "error_csrf_cookie")

  272.                 },

  273.             )?;

  274. 

  275.         let raw_token =

  276.             base64::decode_config(csrf_post.csrf_token.as_bytes(), base64::URL_SAFE_NO_PAD)

  277.             .map_err(|e| {

  278.                 eprintln!("error_csrf_token (base64): {}", e);

  279.                 crash(get_lang(&req), "error_csrf_token")

  280.             })?;

  281. 

  282.         let seed = AesGcmCsrfProtection::from_key(get_csrf_key());

  283.         let parsed_token = seed.parse_token(&raw_token).expect("error: token not parsed");

  284.         let parsed_cookie = seed.parse_cookie(&raw_ctoken).expect("error: cookie not parsed");

  285.         if !seed.verify_token_pair(&parsed_token, &parsed_cookie) {

  286.             debug("warn: CSRF token doesn't match.");

  287.             return Err(crash(lang, "error_csrf_token"));

  288.         }

  289.     } else {

  290.         debug("warn: missing CSRF token.");

  291.         return Err(crash(lang, "error_csrf_cookie"));

  292.     }

  293. 

  294.     let nc_username = gen_name();

  295.     println!("gen_name: {}", nc_username);

  296.     let nc_password = gen_token(45);

  297.     // attempts to create the account

  298.     create_account(&client, &nc_username, &nc_password, lang.clone()).await?;

  299. 

  300.     debug(&format!("Created user {}", nc_username));

  301. 

  302.     let conn = dbpool.get().map_err(|e| {

  303.         eprintln!("error_forwardregister_pool: {}", e);

  304.         crash(lang.clone(), "error_forwardregister_pool")

  305.     })?;

  306. 

  307.     let token = gen_token(45);

  308. 

  309.     let token_mv = token.clone();

  310. 

  311.     // store the result in DB

  312.     let form_result = web::block(move || {

  313.         Form::insert(

  314.             InsertableForm {

  315.                 created_at: Utc::now().naive_utc(),

  316.                 lastvisit_at: Utc::now().naive_utc(),

  317.                 token: token_mv,

  318.                 nc_username,

  319.                 nc_password,

  320.             },

  321.             &conn,

  322.         )

  323.     })

  324.     .await;

  325. 

  326.     if form_result.is_err() {

  327.         return Err(crash(lang, "error_forwardregister_db"));

  328.     }

  329. 

  330.     s.set("sncf_admin_token", &token).map_err(|e| {

  331.         eprintln!("error_login_setcookie (in register): {}", e);

  332.         crash(lang.clone(), "error_login_setcookie")

  333.     })?;

  334.     Ok(HttpResponse::Ok()

  335.         .content_type("text/html")

  336.         .body(

  337.             TplLink {

  338.                 lang: &lang,

  339.                 admin_token: &token,

  340.                 config: &CONFIG,

  341.                 csrf_token: &old_csrf_token

  342.     }

  343.     .render()

  344.     .map_err(|e| {

  345.         eprintln!("error_tplrender (TplLink): {}", e);

  346.         crash(lang.clone(), "error_tplrender")

  347.     })?,

  348.         )

  349.         .await

  350.         .map_err(|e| {

  351.             eprintln!("error_tplrender_resp (TplLink): {}", e);

  352.             crash(lang, "error_tplrender_resp")

  353.         })?)

  354. }

  355. 

  356. // create a new query destined to the nextcloud instance

  357. // needed to forward any query

  358. fn forge_from(

  359.     route: &str,

  360.     req: &HttpRequest,

  361.     url: &web::Data<Url>,

  362.     client: &web::Data<Client>,

  363. ) -> ClientRequest {

  364.     let mut new_url = url.get_ref().clone();

  365.     new_url.set_path(route);

  366.     new_url.set_query(req.uri().query());

  367. 

  368.     // insert forwarded header if we can

  369.     let mut forwarded_req = client

  370.         .request_from(new_url.as_str(), req.head())

  371.         .timeout(Duration::new(PROXY_TIMEOUT, 0));

  372. 

  373.     // attempt to remove basic-auth header

  374.     forwarded_req.headers_mut().remove("authorization");

  375.     if let Some(addr) = req.head().peer_addr {

  376.         forwarded_req.header("x-forwarded-for", format!("{}", addr.ip()))

  377.     } else {

  378.         forwarded_req

  379.     }

  380. }

  381. 

  382. fn web_redir(location: &str) -> HttpResponse {

  383.     HttpResponse::SeeOther()

  384.         .header(http::header::LOCATION, location)

  385.         .finish()

  386. }

  387. 

  388. pub async fn index(req: HttpRequest, s: Session) -> Result<HttpResponse, TrainCrash> {

  389.     let seed = AesGcmCsrfProtection::from_key(get_csrf_key());

  390.     let (csrf_token, csrf_cookie) = seed

  391.         .generate_token_pair(None, 43200)

  392.         .expect("couldn't generate token/cookie pair");

  393. 

  394.     s.set("sncf_csrf_token", &base64::encode_config(&csrf_cookie.value(), base64::URL_SAFE_NO_PAD)).map_err(|e| {

  395.         eprintln!("error_login_setcookie (in index): {}", e);

  396.         crash(get_lang(&req), "error_login_setcookie")

  397.     })?;

  398. 

  399.     let cookie_admin_token = s.get::<String>("sncf_admin_token").map_err(|e| {

  400.         eprintln!("error_forwardregister_tokenparse (index): {}", e);

  401.         crash(get_lang(&req), "error_forwardregister_tokenparse")

  402.     })?;

  403.     Ok(HttpResponse::Ok()

  404.         .content_type("text/html")

  405.         .body(

  406.             TplIndex {

  407.                 lang: &get_lang(&req),

  408.                 csrf_token: &base64::encode_config(&csrf_token.value(), base64::URL_SAFE_NO_PAD),

  409.                 sncf_admin_token: cookie_admin_token,

  410.             }

  411.             .render()

  412.             .map_err(|e| {

  413.                 eprintln!("error_tplrender (TplIndex): {}", e);

  414.                 crash(get_lang(&req), "error_tplrender")

  415.             })?,

  416.         )

  417.         .await

  418.         .map_err(|e| {

  419.             eprintln!("error_tplrender_resp (TplIndex): {}", e);

  420.             crash(get_lang(&req), "error_tplrender_resp")

  421.         })?)

  422. }

  423.