上一篇分析了 接入設備 在接入路由器,併發起首次 HTTP/80 請求到路由器上時,wifidog 是如何將此 HTTP 請求重定向至 auth-server 的流程。
之後接入設備的瀏覽器接收到 wifidog 返回的 302 重定向請求後,會將頁面重定向至 auth-server 的 /login 頁面,並且在此 URL 中會攜帶一些路由器/網關 參數,以及接入設備的 MAC 地址和客戶端訪問的源URL(如示例中的 baidu.com)。
POST /login/?gw_address=192.168.1.1&gw_port=2060&gw_id=default&mac=44:94:fc:ef:28:40&url=http%3A//www.baidu.com/ HTTP/1.1
auth-server 收到請求後處理,並返回重定向到 wifidog 的響應(注:同時攜帶了爲此接入設備的用戶分配了 token),接入設備的瀏覽器重定向至路由器上 wifidog 的 http 服務(端口 2060) /wifidog/auth 上(且攜帶了認證服務器爲此接入設備分配的 token),下面介紹下 wifidog 接收到 /wifidog/auth 的訪問後的校驗流程。
在 wifidog 啓動 http 服務前,註冊了一個針對訪問路徑 /wifidog/auth 的回調,如下:
httpdAddCContent(webserver, "/wifidog", "about", 0, NULL, http_callback_about);
httpdAddCContent(webserver, "/wifidog", "status", 0, NULL, http_callback_status);
// 註冊了針對 /wifidog/auth 的訪問回調 http_callback_auth
httpdAddCContent(webserver, "/wifidog", "auth", 0, NULL, http_callback_auth); 這樣對於 接入設備(or 客戶端) 重定向過來的 /wifidog/auth 就進入了 http_callback_auth 函數中,如下:
http_callback_auth(httpd *webserver, request *r)
{
t_client *client;
httpVar * token;
char *mac;
// 1, 獲取條件參數中的 logout 值
httpVar *logout = httpdGetVariableByName(r, "logout");
// 2, 獲取條件參數中的 token 值
if ((token = httpdGetVariableByName(r, "token"))) {
/* They supplied variable "token" */
// 3, 可以看到, 這裏要求必須能夠通過 ARP 協議獲取到 接入設備 的 MAC 地址
if (!(mac = arp_get(r->clientAddr))) {
/* We could not get their MAC address */
debug(LOG_ERR, "Failed to retrieve MAC address for ip %s", r->clientAddr);
send_http_page(r, "WiFiDog Error", "Failed to retrieve your MAC address");
} else {
/* We have their MAC address */
LOCK_CLIENT_LIST();
// 4, 檢查該客戶端(接入設備)是否已經在 wifidog 維護的接入客戶端列表中
if ((client = client_list_find(r->clientAddr, mac)) == NULL) {
debug(LOG_DEBUG, "New client for %s", r->clientAddr);
client_list_append(r->clientAddr, mac, token->value);
} else if (logout) {
// 5, 退出處理
t_authresponse authresponse;
s_config *config = config_get_config();
unsigned long long incoming = client->counters.incoming;
unsigned long long outgoing = client->counters.outgoing;
char *ip = safe_strdup(client->ip);
char *urlFragment = NULL;
t_auth_serv *auth_server = get_auth_server();
fw_deny(client->ip, client->mac, client->fw_connection_state);
client_list_delete(client);
debug(LOG_DEBUG, "Got logout from %s", client->ip);
/* Advertise the logout if we have an auth server */
if (config->auth_servers != NULL) {
UNLOCK_CLIENT_LIST();
auth_server_request(&authresponse, REQUEST_TYPE_LOGOUT, ip, mac, token->value,
incoming, outgoing);
LOCK_CLIENT_LIST();
/* Re-direct them to auth server */
debug(LOG_INFO, "Got manual logout from client ip %s, mac %s, token %s"
"- redirecting them to logout message", client->ip, client->mac, client->token);
safe_asprintf(&urlFragment, "%smessage=%s",
auth_server->authserv_msg_script_path_fragment,
GATEWAY_MESSAGE_ACCOUNT_LOGGED_OUT
);
http_send_redirect_to_auth(r, urlFragment, "Redirect to logout message");
free(urlFragment);
}
free(ip);
}
else {
// 6, 已經登錄校驗通過
debug(LOG_DEBUG, "Client for %s is already in the client list", client->ip);
}
UNLOCK_CLIENT_LIST();
if (!logout) {
// 7, 到 auth server 上進一步校驗 token
authenticate_client(r);
}
free(mac);
}
} else {
/* They did not supply variable "token" */
// 8, 未攜帶 token, 直接拒絕
send_http_page(r, "WiFiDog error", "Invalid token");
}
} 在該函數中主要處理了 客戶端退出,非法校驗,以及 客戶端校驗等流程,下面分別描述註釋中的各個步驟:
1,對於客戶端退出,則會攜帶 logout 參數信息,並走到第 5 步(當然,如果連 token 參數都沒有的話,會直接走到第 8 步,也就是拒絕);
2,按照正常的認證流程,會攜帶由認證服務器分配的 token 參數;
3,正如註釋說明的,這裏要求必須能夠通過 ARP 協議獲取到 接入設備 的 MAC 地址;(其實通過查看 arg_get 的實現,可以看到是直接解析 /proc/net/arp 文件 -- ARP cache -- 來獲取對應客戶端 IP 地址的
MAC 信息的),類似如下:
[asd@ubuntu ~]#more /proc/net/arp
IP address HW type Flags HW address Mask Device
192.168.1.203 0x1 0x2 18:03:73:d5:1b:a2 * eth0
192.168.1.1 0x1 0x2 00:21:27:63:c0:ce * eth0
4,在能夠獲取到該客戶端的 MAC 地址後,根據客戶端的 IP 和 MAC 地址檢查該客戶端是否已經在 wifidog 維護的接入設備(or客戶端)列表中,如果不在,則追加到此列表中(關於此列表的數據結構在後面再詳細描述);
5,如果該客戶端已經存在,且本次訪問是要求 logout 退出的,則進入此退出處理的流程,該流程主要包括幾個步驟:關閉該客戶端 ip/mac 的出口(outgoing)規則 --> 從客戶端列表中刪除該客戶端記錄 --> 通知認證服務器該客戶端退出(且攜帶該客戶端的token,
上下行流量等信息) --> 返回重定向至 認證服務器 的 #define DEFAULT_AUTHSERVMSGPATHFRAGMENT "gw_message.php?" 訪問路徑(攜帶一個已退出的 message);
6,如果該客戶端已經登錄校驗過,且本次訪問非 logout 退出,則直接跳轉到第 7 步;
7,這一步就是 token 校驗的過程,具體實現在 authenticate_client 函數中:
/** Authenticates a single client against the central server and returns when done
* Alters the firewall rules depending on what the auth server says
@param r httpd request struct
*/
void
authenticate_client(request *r)
{
t_client *client;
t_authresponse auth_response;
char *mac,
*token;
char *urlFragment = NULL;
s_config *config = NULL;
t_auth_serv *auth_server = NULL;
LOCK_CLIENT_LIST();
client = client_list_find_by_ip(r->clientAddr);
if (client == NULL) {
debug(LOG_ERR, "Could not find client for %s", r->clientAddr);
UNLOCK_CLIENT_LIST();
return;
}
mac = safe_strdup(client->mac);
token = safe_strdup(client->token);
UNLOCK_CLIENT_LIST();
/*
* At this point we've released the lock while we do an HTTP request since it could
* take multiple seconds to do and the gateway would effectively be frozen if we
* kept the lock.
*/
auth_server_request(&auth_response, REQUEST_TYPE_LOGIN, r->clientAddr, mac, token, 0, 0);
LOCK_CLIENT_LIST();
/* can't trust the client to still exist after n seconds have passed */
client = client_list_find(r->clientAddr, mac);
if (client == NULL) {
debug(LOG_ERR, "Could not find client node for %s (%s)", r->clientAddr, mac);
UNLOCK_CLIENT_LIST();
free(token);
free(mac);
return;
}
free(token);
free(mac);
/* Prepare some variables we'll need below */
config = config_get_config();
auth_server = get_auth_server();
switch(auth_response.authcode) {
case AUTH_ERROR:
/* Error talking to central server */
debug(LOG_ERR, "Got %d from central server authenticating token %s from %s at %s", auth_response, client->token, client->ip, client->mac);
send_http_page(r, "Error!", "Error: We did not get a valid answer from the central server");
break;
case AUTH_DENIED:
/* Central server said invalid token */
debug(LOG_INFO, "Got DENIED from central server authenticating token %s from %s at %s - redirecting them to denied message", client->token, client->ip, client->mac);
safe_asprintf(&urlFragment, "%smessage=%s",
auth_server->authserv_msg_script_path_fragment,
GATEWAY_MESSAGE_DENIED
);
http_send_redirect_to_auth(r, urlFragment, "Redirect to denied message");
free(urlFragment);
break;
case AUTH_VALIDATION:
/* They just got validated for X minutes to check their email */
debug(LOG_INFO, "Got VALIDATION from central server authenticating token %s from %s at %s"
"- adding to firewall and redirecting them to activate message", client->token,
client->ip, client->mac);
client->fw_connection_state = FW_MARK_PROBATION;
fw_allow(client->ip, client->mac, FW_MARK_PROBATION);
safe_asprintf(&urlFragment, "%smessage=%s",
auth_server->authserv_msg_script_path_fragment,
GATEWAY_MESSAGE_ACTIVATE_ACCOUNT
);
http_send_redirect_to_auth(r, urlFragment, "Redirect to activate message");
free(urlFragment);
break;
case AUTH_ALLOWED:
/* Logged in successfully as a regular account */
debug(LOG_INFO, "Got ALLOWED from central server authenticating token %s from %s at %s - "
"adding to firewall and redirecting them to portal", client->token, client->ip, client->mac);
client->fw_connection_state = FW_MARK_KNOWN;
fw_allow(client->ip, client->mac, FW_MARK_KNOWN);
served_this_session++;
safe_asprintf(&urlFragment, "%sgw_id=%s",
auth_server->authserv_portal_script_path_fragment,
config->gw_id
);
http_send_redirect_to_auth(r, urlFragment, "Redirect to portal");
free(urlFragment);
break;
case AUTH_VALIDATION_FAILED:
/* Client had X minutes to validate account by email and didn't = too late */
debug(LOG_INFO, "Got VALIDATION_FAILED from central server authenticating token %s from %s at %s "
"- redirecting them to failed_validation message", client->token, client->ip, client->mac);
safe_asprintf(&urlFragment, "%smessage=%s",
auth_server->authserv_msg_script_path_fragment,
GATEWAY_MESSAGE_ACCOUNT_VALIDATION_FAILED
);
http_send_redirect_to_auth(r, urlFragment, "Redirect to failed validation message");
free(urlFragment);
break;
default:
debug(LOG_WARNING, "I don't know what the validation code %d means for token %s from %s at %s - sending error message", auth_response.authcode, client->token, client->ip, client->mac);
send_http_page(r, "Internal Error", "We can not validate your request at this time");
break;
}
UNLOCK_CLIENT_LIST();
return;
}
這裏主要是兩大步驟:
1,通過調用 auth_server_request(&auth_response, REQUEST_TYPE_LOGIN, r->clientAddr, mac, token, 0, 0); 讓 認證服務器 對該客戶端的 token 進行校驗;
2,根據認證服務器返回的 token 校驗結果進行不同的處理(主要是對該客戶端的防火牆過濾規則進行不同的設置),這裏主要以 AUTH_ALLOWED 校驗結果進行分析,這裏主要是兩個動作:
2.1,通過 fw_allow 函數調用對此客戶端"放行";
2.2,返回重定向至認證服務器的 portal 路徑訪問的響應;
這裏就簡要分析一下 fw_allow 函數的實現,查看fw_allow的實現可以看到真正設置allow客戶端通過防火牆的動作是在iptables_fw_access中實現的,如下:
/* Set if a specific client has access through the firewall */
int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
{
int rc;
fw_quiet = 0;
switch(type) {
case FW_ACCESS_ALLOW:
iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);
break;
case FW_ACCESS_DENY:
iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);
break;
default:
rc = -1;
break;
}
return rc;
}同樣的,我們這裏主要分析一下ALLOW時的iptables的防火牆設置規則,對執行的兩個iptables命令展開來就是下面兩個步驟:
1) 在mangle表中追加WiFiDog_$ID$_Outgoing外出過濾鏈,該鏈的規則如下幾條:
a) IP 地址爲該客戶端的IP地址;
b) MAC地址爲該客戶端的MAC地址;
c) 設置MARK爲FW_MARK_KNOWN;
iptables –t mangle –AWiFiDog_$ID$_Outgoing -s 客戶端IP地址 -m mac --mac-source 客戶端MAC地址 -j MARK --set-markFW_MARK_KNOWN
2)在mangle表中追加一條[接受所有目的地址爲此客戶端IP地址的] WifiDog_$ID$_Incoming輸入過濾鏈;
iptables -t mangle -AWiFiDog_$ID$_Incoming -d 客戶端IP地址 -j ACCEPT
最後,Auth server重定向客戶端瀏覽器到www.baidu.com