Added example script

SloCompTech · SloCompTech · commit 6f070e9e63c5 · 2020-03-22T23:20:30.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Added Site-to-site example
 - Removed `compression` from examples
 - Switched to bash wizards
+- Added auth-pass-verify example script
 
 ### 2.0.6 - Fixed bugs, added additonal parameters
 
diff --git a/README.md b/README.md
@@ -164,6 +164,8 @@ For more infromation see:
 - **configuration example directory** (for more info about example)  
 - [Contributing](CONTRIBUTING.md) (for explanation how container works, how to write an example config ...)  
 
+**Note:** OpenVPN documentation is located at `/usr/share/doc/openvpn`.
+
 ### Client
 
 1. Run container to get config structure `docker run -it --rm -v PATH:/config slocomptech/openvpn`.
diff --git a/root/usr/local/share/docker-openvpn/scripts/auth/README.md b/root/usr/local/share/docker-openvpn/scripts/auth/README.md
@@ -0,0 +1,21 @@
+# Authentication script
+
+This is sample *authentication script* for **auth-user-pass-verify** hook.
+
+## Configuration
+
+``` bash
+cp auth.py /config/openvpn/hooks/auth
+
+# Edit database name in copied auth.py script
+
+# Add option to openvpn config
+echo 'auth-user-pass-verify "/app/hook.sh auth"' >> /config/openvpn/include-server.conf
+```
+
+## Add user
+
+``` bash
+# Note: db file must end with .csv or .json
+./adduser.py /config/openvpn/hooks/auth db.csv <username> <password>
+```
diff --git a/root/usr/local/share/docker-openvpn/scripts/auth/adduser.py b/root/usr/local/share/docker-openvpn/scripts/auth/adduser.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+
+#
+#	Script for adding username & password to database
+#	@author Martin Dagarin
+#	@version 1
+#	@since 22/03/2020
+#
+# Usage:
+# adduser.py <databasepath> <username> <password>
+#
+
+import binascii
+import hashlib
+import json
+import os
+import sys
+
+def getExtensionFromPath(path):
+	return os.path.splitext(path)[1][1:]
+
+def hash_password(password):
+  """Hash a password for storing."""
+  salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')
+  pwdhash = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), 
+                              salt, 100000)
+  pwdhash = binascii.hexlify(pwdhash)
+  return (salt + pwdhash).decode('ascii')
+
+def main():
+  if len(sys.argv) < 4:
+    print('Usage: %s <database> <username> <password>' % sys.argv[0])
+    sys.exit(1)
+  
+  username = sys.argv[2].strip()
+  password = hash_password(sys.argv[3].strip())
+
+  database = sys.argv[1].strip()
+  dbextention = getExtensionFromPath(database)
+
+  if dbextention == 'csv':
+    with open(database, 'a') as file:
+      file.write('%s,%s\n' % (username, password))
+  elif dbextention == 'json':
+    if os.path.exists(database):
+      with open(database, 'r') as file: # Open file
+        data = json.loads(file.read())
+    else:
+      data = []
+    data.append({
+      'username': username,
+      'password': password
+    })
+    with open(database, 'w') as file:
+      file.write(json.dumps(data, indent=2))
+
+if __name__ == '__main__':
+	main()
diff --git a/root/usr/local/share/docker-openvpn/scripts/auth/auth.py b/root/usr/local/share/docker-openvpn/scripts/auth/auth.py
@@ -0,0 +1,158 @@
+#!/usr/bin/python
+
+#
+#	Script for checking OpenVPN name & password
+#	@author Martin Dagarin
+#	@version 2
+#	@since 22/03/2020
+#
+#	Usage:
+#	username=<username> password=<password> auth.py # via-env
+#	auth.py <filepath> # via-file
+#	# For OpenVPN auth-pass-verify hook just set path to stript
+#
+#	NOTE: Please set DATABASE to use
+#
+
+import argparse
+import binascii
+import hashlib
+import json
+import os
+import sys
+
+
+# Settings
+DATABASE = os.path.dirname(sys.argv[0]) + '/db.csv'
+
+# Return code of program
+STATUS_SUCCESS = 0
+STATUS_ERROR = 1
+
+def getExtensionFromPath(path):
+	return os.path.splitext(path)[1][1:]
+
+#
+#	Verify stored hash password
+#
+def verify_password(stored_password, provided_password):
+    """Verify a stored password against one provided by user"""
+    salt = stored_password[:64]
+    stored_password = stored_password[64:]
+    pwdhash = hashlib.pbkdf2_hmac('sha512', 
+                                  provided_password.encode('utf-8'), 
+                                  salt.encode('ascii'), 
+                                  100000)
+    pwdhash = binascii.hexlify(pwdhash).decode('ascii')
+    return pwdhash == stored_password
+#
+# Gets OpenVPN env vars
+#	@returns username and password as dictionary
+#
+def ovpn_viaEnv():
+	try:
+		return { 
+			'username': os.environ['username'], 
+			'password': os.environ['password']
+		}
+	except KeyError:
+		return { 'username': None, 'password': None }
+
+
+#
+#	Reads OpenVPN auth file
+#	@returns username and password as dictionary
+#
+def ovpn_viaFile(path):
+	if not os.path.exists(path) or not os.path.isfile(path):
+		return { 'username': None, 'password': None }
+	
+	with open(path,"r") as file:
+		return { 'username': file.readline(), 'password': file.readline() }
+
+#
+#	Authenticates user with database
+#	@return True if OK, else False
+#
+def authenticate(database, credentials):
+	# Check if username specified
+	if credentials['username'] is None:
+		return False
+	
+	# Remove leading & tailing spaces
+	credentials['username'] = credentials['username'].strip()
+	if credentials['password'] is not None:
+		credentials['password'] = credentials['password'].strip()
+
+	dbextension = getExtensionFromPath(database).lower()
+
+	try:
+		if dbextension == 'json':
+			#
+			#	.json user database
+			#	stored in format:
+			#	{
+			#		"username": "username",
+			# 	"password": "password"	
+			# }
+			#
+			with open(database, 'r') as file: # Open file
+				data = json.loads(file.read()) # Parse JSON content
+				for user in data: # Iterate through list of users
+					if user['username'].strip() == credentials['username']:
+						if verify_password(user['password'], credentials['password']): # Success
+							print('Login: User %s' % credentials['username'])
+							return True
+						else: # Wrong password
+							print('Login: Wrong password for %s' % credentials['username'])
+							return False
+			# Username not found
+			print('Login: Username %s not found' % credentials['username'])
+			return False
+		elif dbextension == 'csv':
+			#
+			#	.csv user database
+			#	format:
+			#	username,password
+			#
+			with open(database, 'r') as file: # Open file
+				for line in file:
+					line = line.strip()
+					if len(line) == 0: # Skip empty lines
+						continue
+					cells = line.split(',')
+					if len(cells) < 2: # Skip faulty lines
+						continue
+					if cells[0].strip() == credentials['username']:
+						if verify_password(cells[1].strip(), credentials['password']): # Success
+							print('Login: User %s' % credentials['username'])
+							return True
+						else: # Wrong password
+							print('Login: Wrong password for %s' % credentials['username'])
+							return False
+				# Username not found
+				print('Login: Username %s not found' % credentials['username'])
+				return False
+	except IOError:
+		pass
+
+	# Authentication method not found
+	print('Authentication method not found')
+	return False
+
+
+def main():
+	if len(sys.argv) < 2: # File not specified
+		credentials = ovpn_viaEnv()
+	else: # File specified
+		credentials = ovpn_viaFile(sys.argv[1])
+	
+	if authenticate(DATABASE, credentials):
+		print('Success')
+		sys.exit(STATUS_SUCCESS)
+	else:
+		print('Fail')
+		sys.exit(STATUS_ERROR)
+
+if __name__ == '__main__':
+	main()
