mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-12-17 21:31:43 +03:00
aac36a2d2f
Updates #951. Squashed commit of the following: commit 6b840fd516f5a87fde0420e3aceb9c239b22c974 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Tue Aug 29 19:53:03 2023 +0300 client: imp docs more commit 7fc8f0363fbe4c4266cb0f67428fe4d18c351d2d Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Tue Aug 29 19:40:00 2023 +0300 client: imp docs commit 00bc14d5760614f2797714cdc2c4c19b1a94b86e Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 18:43:49 2023 +0300 try to fix lock file commit d749df74b576091e0b58928d86ea8b3b49f919da Merge: c69f9230be1f6229e5
Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Mon Aug 28 18:14:02 2023 +0300 Merge branch 'master' into 951-blocked-services-schedule-api commit c69f9230b12f7c983db06b74324b3df77d74b32b Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 17:16:20 2023 +0300 revert eslintrc commit b37916c2dff0ddea5293d87570bb58e3443d2d21 Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 12:02:39 2023 +0300 fix translations commit f5bb67d81506c687d0abd580049a3eee0af808e0 Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 11:43:57 2023 +0300 fix helpers commit 13ec6a8b3a0acfb62762ae7e46c6e98eb7c82212 Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 11:24:57 2023 +0300 remove todo commit 23724ec2fd683ed17b9f1cee841ad9aaf4c9d04f Author: Ildar Kamalov <ik@adguard.com> Date: Mon Aug 28 09:56:56 2023 +0300 add clients schedule form commit 84d29e558a329068e64e7a95ee183946aa4515b5 Author: Ildar Kamalov <ik@adguard.com> Date: Fri Aug 25 17:44:40 2023 +0300 fix schedule form commit 83e4017688082e9eb670091d5a24d98157050502 Author: Ildar Kamalov <ik@adguard.com> Date: Fri Aug 18 12:58:16 2023 +0300 remove unused commit ef2b68e138da382e3cf42586ae604e12d9493504 Author: Ildar Kamalov <ik@adguard.com> Date: Fri Aug 18 12:57:37 2023 +0300 client: fix translation string commit 32ea80c968f52f18adbc811b2f06874644cdfe20 Author: Ildar Kamalov <ik@adguard.com> Date: Fri Aug 18 12:26:26 2023 +0300 wip schedule commit 9b770873859186c9424c8d108812e32ddff33bad Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Jul 21 14:29:50 2023 +0300 all: imp naming commit ea4e9514ea3b264bcce7f2a301db817de4e87059 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Jul 19 18:09:27 2023 +0300 all: imp code commit 98a705bdaa5c1e79394c73e5d75af2416fe9f297 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Tue Jul 18 18:23:26 2023 +0300 all: imp naming commit 4f84b55c7bfc9f7b680feac0ec45f5ea9189299a Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Jul 14 15:01:17 2023 +0300 all: add global schedule api commit 87cf1646869ee9138964b47a27b7493674c8854a Merge: cabb80ac12adc8624c
Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Jul 14 12:09:29 2023 +0300 Merge branch 'master' into 951-blocked-services-schedule-api commit cabb80ac16de437a8118bb0166479574379c97a3 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Jul 13 13:37:23 2023 +0300 openapi: fix typo commit 2279b03acbcfc3d76216f8aaf30ae1c7894127bc Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Jul 13 12:26:19 2023 +0300 all: imp docs ... and 3 more commits
430 lines
12 KiB
Go
430 lines
12 KiB
Go
package home
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/netip"
|
|
"net/url"
|
|
"runtime"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/version"
|
|
"github.com/AdguardTeam/golibs/httphdr"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/AdguardTeam/golibs/mathutil"
|
|
"github.com/AdguardTeam/golibs/netutil"
|
|
"github.com/NYTimes/gziphandler"
|
|
)
|
|
|
|
// appendDNSAddrs is a convenient helper for appending a formatted form of DNS
|
|
// addresses to a slice of strings.
|
|
func appendDNSAddrs(dst []string, addrs ...netip.Addr) (res []string) {
|
|
for _, addr := range addrs {
|
|
var hostport string
|
|
if config.DNS.Port != defaultPortDNS {
|
|
hostport = netip.AddrPortFrom(addr, uint16(config.DNS.Port)).String()
|
|
} else {
|
|
hostport = addr.String()
|
|
}
|
|
|
|
dst = append(dst, hostport)
|
|
}
|
|
|
|
return dst
|
|
}
|
|
|
|
// appendDNSAddrsWithIfaces formats and appends all DNS addresses from src to
|
|
// dst. It also adds the IP addresses of all network interfaces if src contains
|
|
// an unspecified IP address.
|
|
func appendDNSAddrsWithIfaces(dst []string, src []netip.Addr) (res []string, err error) {
|
|
ifacesAdded := false
|
|
for _, h := range src {
|
|
if !h.IsUnspecified() {
|
|
dst = appendDNSAddrs(dst, h)
|
|
|
|
continue
|
|
} else if ifacesAdded {
|
|
continue
|
|
}
|
|
|
|
// Add addresses of all network interfaces for addresses like
|
|
// "0.0.0.0" and "::".
|
|
var ifaces []*aghnet.NetInterface
|
|
ifaces, err = aghnet.GetValidNetInterfacesForWeb()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("cannot get network interfaces: %w", err)
|
|
}
|
|
|
|
for _, iface := range ifaces {
|
|
dst = appendDNSAddrs(dst, iface.Addresses...)
|
|
}
|
|
|
|
ifacesAdded = true
|
|
}
|
|
|
|
return dst, nil
|
|
}
|
|
|
|
// collectDNSAddresses returns the list of DNS addresses the server is listening
|
|
// on, including the addresses on all interfaces in cases of unspecified IPs.
|
|
func collectDNSAddresses() (addrs []string, err error) {
|
|
if hosts := config.DNS.BindHosts; len(hosts) == 0 {
|
|
addrs = appendDNSAddrs(addrs, netutil.IPv4Localhost())
|
|
} else {
|
|
addrs, err = appendDNSAddrsWithIfaces(addrs, hosts)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("collecting dns addresses: %w", err)
|
|
}
|
|
}
|
|
|
|
de := getDNSEncryption()
|
|
if de.https != "" {
|
|
addrs = append(addrs, de.https)
|
|
}
|
|
|
|
if de.tls != "" {
|
|
addrs = append(addrs, de.tls)
|
|
}
|
|
|
|
if de.quic != "" {
|
|
addrs = append(addrs, de.quic)
|
|
}
|
|
|
|
return addrs, nil
|
|
}
|
|
|
|
// statusResponse is a response for /control/status endpoint.
|
|
type statusResponse struct {
|
|
Version string `json:"version"`
|
|
Language string `json:"language"`
|
|
DNSAddrs []string `json:"dns_addresses"`
|
|
DNSPort int `json:"dns_port"`
|
|
HTTPPort uint16 `json:"http_port"`
|
|
|
|
// ProtectionDisabledDuration is the duration of the protection pause in
|
|
// milliseconds.
|
|
ProtectionDisabledDuration int64 `json:"protection_disabled_duration"`
|
|
|
|
ProtectionEnabled bool `json:"protection_enabled"`
|
|
// TODO(e.burkov): Inspect if front-end doesn't requires this field as
|
|
// openapi.yaml declares.
|
|
IsDHCPAvailable bool `json:"dhcp_available"`
|
|
IsRunning bool `json:"running"`
|
|
}
|
|
|
|
func handleStatus(w http.ResponseWriter, r *http.Request) {
|
|
dnsAddrs, err := collectDNSAddresses()
|
|
if err != nil {
|
|
// Don't add a lot of formatting, since the error is already
|
|
// wrapped by collectDNSAddresses.
|
|
aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
|
|
|
|
return
|
|
}
|
|
|
|
var (
|
|
fltConf *dnsforward.FilteringConfig
|
|
protectionDisabledUntil *time.Time
|
|
protectionEnabled bool
|
|
)
|
|
if Context.dnsServer != nil {
|
|
fltConf = &dnsforward.FilteringConfig{}
|
|
Context.dnsServer.WriteDiskConfig(fltConf)
|
|
protectionEnabled, protectionDisabledUntil = Context.dnsServer.UpdatedProtectionStatus()
|
|
}
|
|
|
|
var resp statusResponse
|
|
func() {
|
|
config.RLock()
|
|
defer config.RUnlock()
|
|
|
|
var protectionDisabledDuration int64
|
|
if protectionDisabledUntil != nil {
|
|
// Make sure that we don't send negative numbers to the frontend,
|
|
// since enough time might have passed to make the difference less
|
|
// than zero.
|
|
protectionDisabledDuration = mathutil.Max(
|
|
0,
|
|
time.Until(*protectionDisabledUntil).Milliseconds(),
|
|
)
|
|
}
|
|
|
|
resp = statusResponse{
|
|
Version: version.Version(),
|
|
Language: config.Language,
|
|
DNSAddrs: dnsAddrs,
|
|
DNSPort: config.DNS.Port,
|
|
HTTPPort: config.HTTPConfig.Address.Port(),
|
|
ProtectionDisabledDuration: protectionDisabledDuration,
|
|
ProtectionEnabled: protectionEnabled,
|
|
IsRunning: isRunning(),
|
|
}
|
|
}()
|
|
|
|
// IsDHCPAvailable field is now false by default for Windows.
|
|
if runtime.GOOS != "windows" {
|
|
resp.IsDHCPAvailable = Context.dhcpServer != nil
|
|
}
|
|
|
|
aghhttp.WriteJSONResponseOK(w, r, resp)
|
|
}
|
|
|
|
// ------------------------
|
|
// registration of handlers
|
|
// ------------------------
|
|
func registerControlHandlers(web *webAPI) {
|
|
Context.mux.HandleFunc(
|
|
"/control/version.json",
|
|
postInstall(optionalAuth(web.handleVersionJSON)),
|
|
)
|
|
httpRegister(http.MethodPost, "/control/update", web.handleUpdate)
|
|
|
|
httpRegister(http.MethodGet, "/control/status", handleStatus)
|
|
httpRegister(http.MethodPost, "/control/i18n/change_language", handleI18nChangeLanguage)
|
|
httpRegister(http.MethodGet, "/control/i18n/current_language", handleI18nCurrentLanguage)
|
|
httpRegister(http.MethodGet, "/control/profile", handleGetProfile)
|
|
httpRegister(http.MethodPut, "/control/profile/update", handlePutProfile)
|
|
|
|
// No auth is necessary for DoH/DoT configurations
|
|
Context.mux.HandleFunc("/apple/doh.mobileconfig", postInstall(handleMobileConfigDoH))
|
|
Context.mux.HandleFunc("/apple/dot.mobileconfig", postInstall(handleMobileConfigDoT))
|
|
RegisterAuthHandlers()
|
|
}
|
|
|
|
func httpRegister(method, url string, handler http.HandlerFunc) {
|
|
if method == "" {
|
|
// "/dns-query" handler doesn't need auth, gzip and isn't restricted by 1 HTTP method
|
|
Context.mux.HandleFunc(url, postInstall(handler))
|
|
return
|
|
}
|
|
|
|
Context.mux.Handle(url, postInstallHandler(optionalAuthHandler(gziphandler.GzipHandler(ensureHandler(method, handler)))))
|
|
}
|
|
|
|
// ensure returns a wrapped handler that makes sure that the request has the
|
|
// correct method as well as additional method and header checks.
|
|
func ensure(
|
|
method string,
|
|
handler func(http.ResponseWriter, *http.Request),
|
|
) (wrapped func(http.ResponseWriter, *http.Request)) {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
start := time.Now()
|
|
m, u := r.Method, r.URL
|
|
log.Debug("started %s %s %s", m, r.Host, u)
|
|
defer func() { log.Debug("finished %s %s %s in %s", m, r.Host, u, time.Since(start)) }()
|
|
|
|
if m != method {
|
|
aghhttp.Error(r, w, http.StatusMethodNotAllowed, "only method %s is allowed", method)
|
|
|
|
return
|
|
}
|
|
|
|
if modifiesData(m) {
|
|
if !ensureContentType(w, r) {
|
|
return
|
|
}
|
|
|
|
Context.controlLock.Lock()
|
|
defer Context.controlLock.Unlock()
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
// modifiesData returns true if m is an HTTP method that can modify data.
|
|
func modifiesData(m string) (ok bool) {
|
|
return m == http.MethodPost || m == http.MethodPut || m == http.MethodDelete
|
|
}
|
|
|
|
// ensureContentType makes sure that the content type of a data-modifying
|
|
// request is set correctly. If it is not, ensureContentType writes a response
|
|
// to w, and ok is false.
|
|
func ensureContentType(w http.ResponseWriter, r *http.Request) (ok bool) {
|
|
const statusUnsup = http.StatusUnsupportedMediaType
|
|
|
|
cType := r.Header.Get(httphdr.ContentType)
|
|
if r.ContentLength == 0 {
|
|
if cType == "" {
|
|
return true
|
|
}
|
|
|
|
// Assume that browsers always send a content type when submitting HTML
|
|
// forms and require no content type for requests with no body to make
|
|
// sure that the request comes from JavaScript.
|
|
aghhttp.Error(r, w, statusUnsup, "empty body with content-type %q not allowed", cType)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
const wantCType = aghhttp.HdrValApplicationJSON
|
|
if cType == wantCType {
|
|
return true
|
|
}
|
|
|
|
aghhttp.Error(r, w, statusUnsup, "only content-type %s is allowed", wantCType)
|
|
|
|
return false
|
|
}
|
|
|
|
func ensurePOST(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
|
return ensure(http.MethodPost, handler)
|
|
}
|
|
|
|
func ensureGET(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
|
return ensure(http.MethodGet, handler)
|
|
}
|
|
|
|
// Bridge between http.Handler object and Go function
|
|
type httpHandler struct {
|
|
handler func(http.ResponseWriter, *http.Request)
|
|
}
|
|
|
|
func (h *httpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
h.handler(w, r)
|
|
}
|
|
|
|
func ensureHandler(method string, handler func(http.ResponseWriter, *http.Request)) http.Handler {
|
|
h := httpHandler{}
|
|
h.handler = ensure(method, handler)
|
|
return &h
|
|
}
|
|
|
|
// preInstall lets the handler run only if firstRun is true, no redirects
|
|
func preInstall(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
if !Context.firstRun {
|
|
// if it's not first run, don't let users access it (for example /install.html when configuration is done)
|
|
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
return
|
|
}
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
// preInstallStruct wraps preInstall into a struct that can be returned as an interface where necessary
|
|
type preInstallHandlerStruct struct {
|
|
handler http.Handler
|
|
}
|
|
|
|
func (p *preInstallHandlerStruct) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
preInstall(p.handler.ServeHTTP)(w, r)
|
|
}
|
|
|
|
// preInstallHandler returns http.Handler interface for preInstall wrapper
|
|
func preInstallHandler(handler http.Handler) http.Handler {
|
|
return &preInstallHandlerStruct{handler}
|
|
}
|
|
|
|
// handleHTTPSRedirect redirects the request to HTTPS, if needed. If ok is
|
|
// true, the middleware must continue handling the request.
|
|
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
|
web := Context.web
|
|
if web.httpsServer.server == nil {
|
|
return true
|
|
}
|
|
|
|
host, err := netutil.SplitHost(r.Host)
|
|
if err != nil {
|
|
aghhttp.Error(r, w, http.StatusBadRequest, "bad host: %s", err)
|
|
|
|
return false
|
|
}
|
|
|
|
var (
|
|
forceHTTPS bool
|
|
serveHTTP3 bool
|
|
portHTTPS int
|
|
)
|
|
func() {
|
|
config.RLock()
|
|
defer config.RUnlock()
|
|
|
|
serveHTTP3, portHTTPS = config.DNS.ServeHTTP3, config.TLS.PortHTTPS
|
|
forceHTTPS = config.TLS.ForceHTTPS && config.TLS.Enabled && config.TLS.PortHTTPS != 0
|
|
}()
|
|
|
|
respHdr := w.Header()
|
|
|
|
// Let the browser know that server supports HTTP/3.
|
|
//
|
|
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc.
|
|
//
|
|
// TODO(a.garipov): Consider adding a configurable max-age. Currently, the
|
|
// default is 24 hours.
|
|
if serveHTTP3 {
|
|
altSvc := fmt.Sprintf(`h3=":%d"`, portHTTPS)
|
|
respHdr.Set(httphdr.AltSvc, altSvc)
|
|
}
|
|
|
|
if r.TLS == nil && forceHTTPS {
|
|
hostPort := host
|
|
if portHTTPS != defaultPortHTTPS {
|
|
hostPort = netutil.JoinHostPort(host, portHTTPS)
|
|
}
|
|
|
|
httpsURL := &url.URL{
|
|
Scheme: aghhttp.SchemeHTTPS,
|
|
Host: hostPort,
|
|
Path: r.URL.Path,
|
|
RawQuery: r.URL.RawQuery,
|
|
}
|
|
http.Redirect(w, r, httpsURL.String(), http.StatusTemporaryRedirect)
|
|
|
|
return false
|
|
}
|
|
|
|
// Allow the frontend from the HTTP origin to send requests to the HTTPS
|
|
// server. This can happen when the user has just set up HTTPS with
|
|
// redirects. Prevent cache-related errors by setting the Vary header.
|
|
//
|
|
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin.
|
|
originURL := &url.URL{
|
|
Scheme: aghhttp.SchemeHTTP,
|
|
Host: r.Host,
|
|
}
|
|
|
|
respHdr.Set(httphdr.AccessControlAllowOrigin, originURL.String())
|
|
respHdr.Set(httphdr.Vary, httphdr.Origin)
|
|
|
|
return true
|
|
}
|
|
|
|
// postInstall lets the handler to run only if firstRun is false. Otherwise, it
|
|
// redirects to /install.html. It also enforces HTTPS if it is enabled and
|
|
// configured and sets appropriate access control headers.
|
|
func postInstall(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
path := r.URL.Path
|
|
if Context.firstRun && !strings.HasPrefix(path, "/install.") &&
|
|
!strings.HasPrefix(path, "/assets/") {
|
|
http.Redirect(w, r, "install.html", http.StatusFound)
|
|
|
|
return
|
|
}
|
|
|
|
if !handleHTTPSRedirect(w, r) {
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
type postInstallHandlerStruct struct {
|
|
handler http.Handler
|
|
}
|
|
|
|
func (p *postInstallHandlerStruct) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
postInstall(p.handler.ServeHTTP)(w, r)
|
|
}
|
|
|
|
func postInstallHandler(handler http.Handler) http.Handler {
|
|
return &postInstallHandlerStruct{handler}
|
|
}
|