├── .gitignore ├── .goreleaser.yml ├── Dockerfile ├── LICENSE.md ├── Makefile ├── README.md ├── agent.example.yaml ├── api.example.yaml ├── api ├── agent_get_rules.go ├── alerting.go ├── cache.go ├── cloudflare.go ├── config.go ├── mock_fs.go ├── requests.go ├── setup.go ├── token.go ├── user_agents.go ├── user_login.go ├── user_register.go ├── user_update.go ├── user_verify.go └── utils.go ├── cmd ├── agent │ ├── api.go │ ├── config.go │ ├── main.go │ ├── setup.go │ ├── state.go │ └── updater.go └── api │ ├── config.go │ ├── main.go │ └── setup.go ├── database.example.env ├── database ├── agent.go ├── agent_fields.go ├── config.go ├── jsonb.go ├── setup.go └── user.go ├── docker-compose.yml ├── firewall ├── logic.go ├── path.go └── rule.go ├── frontend ├── .gitignore ├── .prettierrc.js ├── babel.config.js ├── compiled.go ├── package-lock.json ├── package.json ├── public │ ├── cf.png │ ├── favicon.png │ ├── index.html │ ├── logo.png │ ├── logo150.png │ ├── ogimage.png │ └── robots.txt ├── src │ ├── App.vue │ ├── main.js │ ├── models │ │ ├── agent.js │ │ ├── rule.js │ │ └── user.js │ ├── router.js │ ├── services │ │ ├── api.js │ │ ├── auth-header.js │ │ ├── auth.service.js │ │ └── user.service.js │ ├── store │ │ ├── auth.module.js │ │ └── index.js │ └── views │ │ ├── 2Step.vue │ │ ├── Agent.vue │ │ ├── Agents.vue │ │ ├── Home.vue │ │ ├── Login.vue │ │ ├── Profile.vue │ │ ├── Register.vue │ │ └── Verify.vue └── vue.config.js ├── go.mod ├── go.sum ├── install.sh ├── mailer ├── config.go └── mailer.go ├── mock-firewall.sh ├── release.stork ├── shieldwall-agent.service ├── shieldwall-api.service ├── update.sh └── version └── version.go /.gitignore: -------------------------------------------------------------------------------- 1 | _build 2 | .DS_Store 3 | .idea 4 | dist 5 | agent.yaml 6 | api.yaml 7 | database.env -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod download 4 | 5 | builds: 6 | - env: 7 | - CGO_ENABLED=0 8 | ldflags: 9 | - -s -w 10 | goos: 11 | - linux 12 | goarch: 13 | - 386 14 | - amd64 15 | - arm 16 | - arm64 17 | - mips 18 | - mipsle 19 | - mips64 20 | - mips64le 21 | main: ./cmd/agent/ 22 | binary: shieldwall-agent 23 | 24 | archives: 25 | - id: archive 26 | name_template: "shieldwall-agent_{{ .Version }}_{{ .Os }}_{{ .Arch }}" 27 | format: 'tar.gz' 28 | files: 29 | - LICENSE.md 30 | - shieldwall-agent.service 31 | - agent.example.yaml 32 | - update.sh 33 | - install.sh 34 | 35 | checksum: 36 | name_template: 'checksums.txt' 37 | 38 | snapshot: 39 | name_template: "{{ .Tag }}-next" 40 | 41 | changelog: 42 | sort: asc 43 | filters: 44 | exclude: 45 | - '^docs:' 46 | - 'typo' 47 | - '^test:' 48 | - 'misc: small fix or general refactoring i did not bother commenting' 49 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:alpine as builder 2 | 3 | RUN apk update && apk add --no-cache make 4 | 5 | # download, cache and install deps 6 | WORKDIR /app 7 | COPY go.mod go.sum ./ 8 | RUN go mod download 9 | 10 | # copy and compiled the app 11 | COPY . . 12 | RUN make clean 13 | RUN make api 14 | 15 | # start a new stage from scratch 16 | FROM alpine:latest 17 | RUN apk --no-cache add ca-certificates 18 | 19 | WORKDIR /root/ 20 | COPY --from=builder /app/_build/shieldwall-api . 21 | 22 | EXPOSE 8666 23 | ENTRYPOINT ["./shieldwall-api"] -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | ========================== 3 | 4 | Version 3, 29 June 2007 5 | 6 | Copyright © 2007 Free Software Foundation, Inc. <> 7 | 8 | Everyone is permitted to copy and distribute verbatim copies of this license 9 | document, but changing it is not allowed. 10 | 11 | ## Preamble 12 | 13 | The GNU General Public License is a free, copyleft license for software and other 14 | kinds of works. 15 | 16 | The licenses for most software and other practical works are designed to take away 17 | your freedom to share and change the works. By contrast, the GNU General Public 18 | License is intended to guarantee your freedom to share and change all versions of a 19 | program--to make sure it remains free software for all its users. We, the Free 20 | Software Foundation, use the GNU General Public License for most of our software; it 21 | applies also to any other work released this way by its authors. You can apply it to 22 | your programs, too. 23 | 24 | When we speak of free software, we are referring to freedom, not price. Our General 25 | Public Licenses are designed to make sure that you have the freedom to distribute 26 | copies of free software (and charge for them if you wish), that you receive source 27 | code or can get it if you want it, that you can change the software or use pieces of 28 | it in new free programs, and that you know you can do these things. 29 | 30 | To protect your rights, we need to prevent others from denying you these rights or 31 | asking you to surrender the rights. Therefore, you have certain responsibilities if 32 | you distribute copies of the software, or if you modify it: responsibilities to 33 | respect the freedom of others. 34 | 35 | For example, if you distribute copies of such a program, whether gratis or for a fee, 36 | you must pass on to the recipients the same freedoms that you received. You must make 37 | sure that they, too, receive or can get the source code. And you must show them these 38 | terms so they know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: (1) assert 41 | copyright on the software, and (2) offer you this License giving you legal permission 42 | to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains that there is 45 | no warranty for this free software. For both users' and authors' sake, the GPL 46 | requires that modified versions be marked as changed, so that their problems will not 47 | be attributed erroneously to authors of previous versions. 48 | 49 | Some devices are designed to deny users access to install or run modified versions of 50 | the software inside them, although the manufacturer can do so. This is fundamentally 51 | incompatible with the aim of protecting users' freedom to change the software. The 52 | systematic pattern of such abuse occurs in the area of products for individuals to 53 | use, which is precisely where it is most unacceptable. Therefore, we have designed 54 | this version of the GPL to prohibit the practice for those products. If such problems 55 | arise substantially in other domains, we stand ready to extend this provision to 56 | those domains in future versions of the GPL, as needed to protect the freedom of 57 | users. 58 | 59 | Finally, every program is threatened constantly by software patents. States should 60 | not allow patents to restrict development and use of software on general-purpose 61 | computers, but in those that do, we wish to avoid the special danger that patents 62 | applied to a free program could make it effectively proprietary. To prevent this, the 63 | GPL assures that patents cannot be used to render the program non-free. 64 | 65 | The precise terms and conditions for copying, distribution and modification follow. 66 | 67 | ## TERMS AND CONDITIONS 68 | 69 | ### 0. Definitions. 70 | 71 | “This License” refers to version 3 of the GNU General Public License. 72 | 73 | “Copyright” also means copyright-like laws that apply to other kinds of 74 | works, such as semiconductor masks. 75 | 76 | “The Program” refers to any copyrightable work licensed under this 77 | License. Each licensee is addressed as “you”. “Licensees” and 78 | “recipients” may be individuals or organizations. 79 | 80 | To “modify” a work means to copy from or adapt all or part of the work in 81 | a fashion requiring copyright permission, other than the making of an exact copy. The 82 | resulting work is called a “modified version” of the earlier work or a 83 | work “based on” the earlier work. 84 | 85 | A “covered work” means either the unmodified Program or a work based on 86 | the Program. 87 | 88 | To “propagate” a work means to do anything with it that, without 89 | permission, would make you directly or secondarily liable for infringement under 90 | applicable copyright law, except executing it on a computer or modifying a private 91 | copy. Propagation includes copying, distribution (with or without modification), 92 | making available to the public, and in some countries other activities as well. 93 | 94 | To “convey” a work means any kind of propagation that enables other 95 | parties to make or receive copies. Mere interaction with a user through a computer 96 | network, with no transfer of a copy, is not conveying. 97 | 98 | An interactive user interface displays “Appropriate Legal Notices” to the 99 | extent that it includes a convenient and prominently visible feature that (1) 100 | displays an appropriate copyright notice, and (2) tells the user that there is no 101 | warranty for the work (except to the extent that warranties are provided), that 102 | licensees may convey the work under this License, and how to view a copy of this 103 | License. If the interface presents a list of user commands or options, such as a 104 | menu, a prominent item in the list meets this criterion. 105 | 106 | ### 1. Source Code. 107 | 108 | The “source code” for a work means the preferred form of the work for 109 | making modifications to it. “Object code” means any non-source form of a 110 | work. 111 | 112 | A “Standard Interface” means an interface that either is an official 113 | standard defined by a recognized standards body, or, in the case of interfaces 114 | specified for a particular programming language, one that is widely used among 115 | developers working in that language. 116 | 117 | The “System Libraries” of an executable work include anything, other than 118 | the work as a whole, that (a) is included in the normal form of packaging a Major 119 | Component, but which is not part of that Major Component, and (b) serves only to 120 | enable use of the work with that Major Component, or to implement a Standard 121 | Interface for which an implementation is available to the public in source code form. 122 | A “Major Component”, in this context, means a major essential component 123 | (kernel, window system, and so on) of the specific operating system (if any) on which 124 | the executable work runs, or a compiler used to produce the work, or an object code 125 | interpreter used to run it. 126 | 127 | The “Corresponding Source” for a work in object code form means all the 128 | source code needed to generate, install, and (for an executable work) run the object 129 | code and to modify the work, including scripts to control those activities. However, 130 | it does not include the work's System Libraries, or general-purpose tools or 131 | generally available free programs which are used unmodified in performing those 132 | activities but which are not part of the work. For example, Corresponding Source 133 | includes interface definition files associated with source files for the work, and 134 | the source code for shared libraries and dynamically linked subprograms that the work 135 | is specifically designed to require, such as by intimate data communication or 136 | control flow between those subprograms and other parts of the work. 137 | 138 | The Corresponding Source need not include anything that users can regenerate 139 | automatically from other parts of the Corresponding Source. 140 | 141 | The Corresponding Source for a work in source code form is that same work. 142 | 143 | ### 2. Basic Permissions. 144 | 145 | All rights granted under this License are granted for the term of copyright on the 146 | Program, and are irrevocable provided the stated conditions are met. This License 147 | explicitly affirms your unlimited permission to run the unmodified Program. The 148 | output from running a covered work is covered by this License only if the output, 149 | given its content, constitutes a covered work. This License acknowledges your rights 150 | of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not convey, without 153 | conditions so long as your license otherwise remains in force. You may convey covered 154 | works to others for the sole purpose of having them make modifications exclusively 155 | for you, or provide you with facilities for running those works, provided that you 156 | comply with the terms of this License in conveying all material for which you do not 157 | control copyright. Those thus making or running the covered works for you must do so 158 | exclusively on your behalf, under your direction and control, on terms that prohibit 159 | them from making any copies of your copyrighted material outside their relationship 160 | with you. 161 | 162 | Conveying under any other circumstances is permitted solely under the conditions 163 | stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 164 | 165 | ### 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 166 | 167 | No covered work shall be deemed part of an effective technological measure under any 168 | applicable law fulfilling obligations under article 11 of the WIPO copyright treaty 169 | adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention 170 | of such measures. 171 | 172 | When you convey a covered work, you waive any legal power to forbid circumvention of 173 | technological measures to the extent such circumvention is effected by exercising 174 | rights under this License with respect to the covered work, and you disclaim any 175 | intention to limit operation or modification of the work as a means of enforcing, 176 | against the work's users, your or third parties' legal rights to forbid circumvention 177 | of technological measures. 178 | 179 | ### 4. Conveying Verbatim Copies. 180 | 181 | You may convey verbatim copies of the Program's source code as you receive it, in any 182 | medium, provided that you conspicuously and appropriately publish on each copy an 183 | appropriate copyright notice; keep intact all notices stating that this License and 184 | any non-permissive terms added in accord with section 7 apply to the code; keep 185 | intact all notices of the absence of any warranty; and give all recipients a copy of 186 | this License along with the Program. 187 | 188 | You may charge any price or no price for each copy that you convey, and you may offer 189 | support or warranty protection for a fee. 190 | 191 | ### 5. Conveying Modified Source Versions. 192 | 193 | You may convey a work based on the Program, or the modifications to produce it from 194 | the Program, in the form of source code under the terms of section 4, provided that 195 | you also meet all of these conditions: 196 | 197 | * **a)** The work must carry prominent notices stating that you modified it, and giving a 198 | relevant date. 199 | * **b)** The work must carry prominent notices stating that it is released under this 200 | License and any conditions added under section 7. This requirement modifies the 201 | requirement in section 4 to “keep intact all notices”. 202 | * **c)** You must license the entire work, as a whole, under this License to anyone who 203 | comes into possession of a copy. This License will therefore apply, along with any 204 | applicable section 7 additional terms, to the whole of the work, and all its parts, 205 | regardless of how they are packaged. This License gives no permission to license the 206 | work in any other way, but it does not invalidate such permission if you have 207 | separately received it. 208 | * **d)** If the work has interactive user interfaces, each must display Appropriate Legal 209 | Notices; however, if the Program has interactive interfaces that do not display 210 | Appropriate Legal Notices, your work need not make them do so. 211 | 212 | A compilation of a covered work with other separate and independent works, which are 213 | not by their nature extensions of the covered work, and which are not combined with 214 | it such as to form a larger program, in or on a volume of a storage or distribution 215 | medium, is called an “aggregate” if the compilation and its resulting 216 | copyright are not used to limit the access or legal rights of the compilation's users 217 | beyond what the individual works permit. Inclusion of a covered work in an aggregate 218 | does not cause this License to apply to the other parts of the aggregate. 219 | 220 | ### 6. Conveying Non-Source Forms. 221 | 222 | You may convey a covered work in object code form under the terms of sections 4 and 223 | 5, provided that you also convey the machine-readable Corresponding Source under the 224 | terms of this License, in one of these ways: 225 | 226 | * **a)** Convey the object code in, or embodied in, a physical product (including a 227 | physical distribution medium), accompanied by the Corresponding Source fixed on a 228 | durable physical medium customarily used for software interchange. 229 | * **b)** Convey the object code in, or embodied in, a physical product (including a 230 | physical distribution medium), accompanied by a written offer, valid for at least 231 | three years and valid for as long as you offer spare parts or customer support for 232 | that product model, to give anyone who possesses the object code either (1) a copy of 233 | the Corresponding Source for all the software in the product that is covered by this 234 | License, on a durable physical medium customarily used for software interchange, for 235 | a price no more than your reasonable cost of physically performing this conveying of 236 | source, or (2) access to copy the Corresponding Source from a network server at no 237 | charge. 238 | * **c)** Convey individual copies of the object code with a copy of the written offer to 239 | provide the Corresponding Source. This alternative is allowed only occasionally and 240 | noncommercially, and only if you received the object code with such an offer, in 241 | accord with subsection 6b. 242 | * **d)** Convey the object code by offering access from a designated place (gratis or for 243 | a charge), and offer equivalent access to the Corresponding Source in the same way 244 | through the same place at no further charge. You need not require recipients to copy 245 | the Corresponding Source along with the object code. If the place to copy the object 246 | code is a network server, the Corresponding Source may be on a different server 247 | (operated by you or a third party) that supports equivalent copying facilities, 248 | provided you maintain clear directions next to the object code saying where to find 249 | the Corresponding Source. Regardless of what server hosts the Corresponding Source, 250 | you remain obligated to ensure that it is available for as long as needed to satisfy 251 | these requirements. 252 | * **e)** Convey the object code using peer-to-peer transmission, provided you inform 253 | other peers where the object code and Corresponding Source of the work are being 254 | offered to the general public at no charge under subsection 6d. 255 | 256 | A separable portion of the object code, whose source code is excluded from the 257 | Corresponding Source as a System Library, need not be included in conveying the 258 | object code work. 259 | 260 | A “User Product” is either (1) a “consumer product”, which 261 | means any tangible personal property which is normally used for personal, family, or 262 | household purposes, or (2) anything designed or sold for incorporation into a 263 | dwelling. In determining whether a product is a consumer product, doubtful cases 264 | shall be resolved in favor of coverage. For a particular product received by a 265 | particular user, “normally used” refers to a typical or common use of 266 | that class of product, regardless of the status of the particular user or of the way 267 | in which the particular user actually uses, or expects or is expected to use, the 268 | product. A product is a consumer product regardless of whether the product has 269 | substantial commercial, industrial or non-consumer uses, unless such uses represent 270 | the only significant mode of use of the product. 271 | 272 | “Installation Information” for a User Product means any methods, 273 | procedures, authorization keys, or other information required to install and execute 274 | modified versions of a covered work in that User Product from a modified version of 275 | its Corresponding Source. The information must suffice to ensure that the continued 276 | functioning of the modified object code is in no case prevented or interfered with 277 | solely because modification has been made. 278 | 279 | If you convey an object code work under this section in, or with, or specifically for 280 | use in, a User Product, and the conveying occurs as part of a transaction in which 281 | the right of possession and use of the User Product is transferred to the recipient 282 | in perpetuity or for a fixed term (regardless of how the transaction is 283 | characterized), the Corresponding Source conveyed under this section must be 284 | accompanied by the Installation Information. But this requirement does not apply if 285 | neither you nor any third party retains the ability to install modified object code 286 | on the User Product (for example, the work has been installed in ROM). 287 | 288 | The requirement to provide Installation Information does not include a requirement to 289 | continue to provide support service, warranty, or updates for a work that has been 290 | modified or installed by the recipient, or for the User Product in which it has been 291 | modified or installed. Access to a network may be denied when the modification itself 292 | materially and adversely affects the operation of the network or violates the rules 293 | and protocols for communication across the network. 294 | 295 | Corresponding Source conveyed, and Installation Information provided, in accord with 296 | this section must be in a format that is publicly documented (and with an 297 | implementation available to the public in source code form), and must require no 298 | special password or key for unpacking, reading or copying. 299 | 300 | ### 7. Additional Terms. 301 | 302 | “Additional permissions” are terms that supplement the terms of this 303 | License by making exceptions from one or more of its conditions. Additional 304 | permissions that are applicable to the entire Program shall be treated as though they 305 | were included in this License, to the extent that they are valid under applicable 306 | law. If additional permissions apply only to part of the Program, that part may be 307 | used separately under those permissions, but the entire Program remains governed by 308 | this License without regard to the additional permissions. 309 | 310 | When you convey a copy of a covered work, you may at your option remove any 311 | additional permissions from that copy, or from any part of it. (Additional 312 | permissions may be written to require their own removal in certain cases when you 313 | modify the work.) You may place additional permissions on material, added by you to a 314 | covered work, for which you have or can give appropriate copyright permission. 315 | 316 | Notwithstanding any other provision of this License, for material you add to a 317 | covered work, you may (if authorized by the copyright holders of that material) 318 | supplement the terms of this License with terms: 319 | 320 | * **a)** Disclaiming warranty or limiting liability differently from the terms of 321 | sections 15 and 16 of this License; or 322 | * **b)** Requiring preservation of specified reasonable legal notices or author 323 | attributions in that material or in the Appropriate Legal Notices displayed by works 324 | containing it; or 325 | * **c)** Prohibiting misrepresentation of the origin of that material, or requiring that 326 | modified versions of such material be marked in reasonable ways as different from the 327 | original version; or 328 | * **d)** Limiting the use for publicity purposes of names of licensors or authors of the 329 | material; or 330 | * **e)** Declining to grant rights under trademark law for use of some trade names, 331 | trademarks, or service marks; or 332 | * **f)** Requiring indemnification of licensors and authors of that material by anyone 333 | who conveys the material (or modified versions of it) with contractual assumptions of 334 | liability to the recipient, for any liability that these contractual assumptions 335 | directly impose on those licensors and authors. 336 | 337 | All other non-permissive additional terms are considered “further 338 | restrictions” within the meaning of section 10. If the Program as you received 339 | it, or any part of it, contains a notice stating that it is governed by this License 340 | along with a term that is a further restriction, you may remove that term. If a 341 | license document contains a further restriction but permits relicensing or conveying 342 | under this License, you may add to a covered work material governed by the terms of 343 | that license document, provided that the further restriction does not survive such 344 | relicensing or conveying. 345 | 346 | If you add terms to a covered work in accord with this section, you must place, in 347 | the relevant source files, a statement of the additional terms that apply to those 348 | files, or a notice indicating where to find the applicable terms. 349 | 350 | Additional terms, permissive or non-permissive, may be stated in the form of a 351 | separately written license, or stated as exceptions; the above requirements apply 352 | either way. 353 | 354 | ### 8. Termination. 355 | 356 | You may not propagate or modify a covered work except as expressly provided under 357 | this License. Any attempt otherwise to propagate or modify it is void, and will 358 | automatically terminate your rights under this License (including any patent licenses 359 | granted under the third paragraph of section 11). 360 | 361 | However, if you cease all violation of this License, then your license from a 362 | particular copyright holder is reinstated (a) provisionally, unless and until the 363 | copyright holder explicitly and finally terminates your license, and (b) permanently, 364 | if the copyright holder fails to notify you of the violation by some reasonable means 365 | prior to 60 days after the cessation. 366 | 367 | Moreover, your license from a particular copyright holder is reinstated permanently 368 | if the copyright holder notifies you of the violation by some reasonable means, this 369 | is the first time you have received notice of violation of this License (for any 370 | work) from that copyright holder, and you cure the violation prior to 30 days after 371 | your receipt of the notice. 372 | 373 | Termination of your rights under this section does not terminate the licenses of 374 | parties who have received copies or rights from you under this License. If your 375 | rights have been terminated and not permanently reinstated, you do not qualify to 376 | receive new licenses for the same material under section 10. 377 | 378 | ### 9. Acceptance Not Required for Having Copies. 379 | 380 | You are not required to accept this License in order to receive or run a copy of the 381 | Program. Ancillary propagation of a covered work occurring solely as a consequence of 382 | using peer-to-peer transmission to receive a copy likewise does not require 383 | acceptance. However, nothing other than this License grants you permission to 384 | propagate or modify any covered work. These actions infringe copyright if you do not 385 | accept this License. Therefore, by modifying or propagating a covered work, you 386 | indicate your acceptance of this License to do so. 387 | 388 | ### 10. Automatic Licensing of Downstream Recipients. 389 | 390 | Each time you convey a covered work, the recipient automatically receives a license 391 | from the original licensors, to run, modify and propagate that work, subject to this 392 | License. You are not responsible for enforcing compliance by third parties with this 393 | License. 394 | 395 | An “entity transaction” is a transaction transferring control of an 396 | organization, or substantially all assets of one, or subdividing an organization, or 397 | merging organizations. If propagation of a covered work results from an entity 398 | transaction, each party to that transaction who receives a copy of the work also 399 | receives whatever licenses to the work the party's predecessor in interest had or 400 | could give under the previous paragraph, plus a right to possession of the 401 | Corresponding Source of the work from the predecessor in interest, if the predecessor 402 | has it or can get it with reasonable efforts. 403 | 404 | You may not impose any further restrictions on the exercise of the rights granted or 405 | affirmed under this License. For example, you may not impose a license fee, royalty, 406 | or other charge for exercise of rights granted under this License, and you may not 407 | initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging 408 | that any patent claim is infringed by making, using, selling, offering for sale, or 409 | importing the Program or any portion of it. 410 | 411 | ### 11. Patents. 412 | 413 | A “contributor” is a copyright holder who authorizes use under this 414 | License of the Program or a work on which the Program is based. The work thus 415 | licensed is called the contributor's “contributor version”. 416 | 417 | A contributor's “essential patent claims” are all patent claims owned or 418 | controlled by the contributor, whether already acquired or hereafter acquired, that 419 | would be infringed by some manner, permitted by this License, of making, using, or 420 | selling its contributor version, but do not include claims that would be infringed 421 | only as a consequence of further modification of the contributor version. For 422 | purposes of this definition, “control” includes the right to grant patent 423 | sublicenses in a manner consistent with the requirements of this License. 424 | 425 | Each contributor grants you a non-exclusive, worldwide, royalty-free patent license 426 | under the contributor's essential patent claims, to make, use, sell, offer for sale, 427 | import and otherwise run, modify and propagate the contents of its contributor 428 | version. 429 | 430 | In the following three paragraphs, a “patent license” is any express 431 | agreement or commitment, however denominated, not to enforce a patent (such as an 432 | express permission to practice a patent or covenant not to sue for patent 433 | infringement). To “grant” such a patent license to a party means to make 434 | such an agreement or commitment not to enforce a patent against the party. 435 | 436 | If you convey a covered work, knowingly relying on a patent license, and the 437 | Corresponding Source of the work is not available for anyone to copy, free of charge 438 | and under the terms of this License, through a publicly available network server or 439 | other readily accessible means, then you must either (1) cause the Corresponding 440 | Source to be so available, or (2) arrange to deprive yourself of the benefit of the 441 | patent license for this particular work, or (3) arrange, in a manner consistent with 442 | the requirements of this License, to extend the patent license to downstream 443 | recipients. “Knowingly relying” means you have actual knowledge that, but 444 | for the patent license, your conveying the covered work in a country, or your 445 | recipient's use of the covered work in a country, would infringe one or more 446 | identifiable patents in that country that you have reason to believe are valid. 447 | 448 | If, pursuant to or in connection with a single transaction or arrangement, you 449 | convey, or propagate by procuring conveyance of, a covered work, and grant a patent 450 | license to some of the parties receiving the covered work authorizing them to use, 451 | propagate, modify or convey a specific copy of the covered work, then the patent 452 | license you grant is automatically extended to all recipients of the covered work and 453 | works based on it. 454 | 455 | A patent license is “discriminatory” if it does not include within the 456 | scope of its coverage, prohibits the exercise of, or is conditioned on the 457 | non-exercise of one or more of the rights that are specifically granted under this 458 | License. You may not convey a covered work if you are a party to an arrangement with 459 | a third party that is in the business of distributing software, under which you make 460 | payment to the third party based on the extent of your activity of conveying the 461 | work, and under which the third party grants, to any of the parties who would receive 462 | the covered work from you, a discriminatory patent license (a) in connection with 463 | copies of the covered work conveyed by you (or copies made from those copies), or (b) 464 | primarily for and in connection with specific products or compilations that contain 465 | the covered work, unless you entered into that arrangement, or that patent license 466 | was granted, prior to 28 March 2007. 467 | 468 | Nothing in this License shall be construed as excluding or limiting any implied 469 | license or other defenses to infringement that may otherwise be available to you 470 | under applicable patent law. 471 | 472 | ### 12. No Surrender of Others' Freedom. 473 | 474 | If conditions are imposed on you (whether by court order, agreement or otherwise) 475 | that contradict the conditions of this License, they do not excuse you from the 476 | conditions of this License. If you cannot convey a covered work so as to satisfy 477 | simultaneously your obligations under this License and any other pertinent 478 | obligations, then as a consequence you may not convey it at all. For example, if you 479 | agree to terms that obligate you to collect a royalty for further conveying from 480 | those to whom you convey the Program, the only way you could satisfy both those terms 481 | and this License would be to refrain entirely from conveying the Program. 482 | 483 | ### 13. Use with the GNU Affero General Public License. 484 | 485 | Notwithstanding any other provision of this License, you have permission to link or 486 | combine any covered work with a work licensed under version 3 of the GNU Affero 487 | General Public License into a single combined work, and to convey the resulting work. 488 | The terms of this License will continue to apply to the part which is the covered 489 | work, but the special requirements of the GNU Affero General Public License, section 490 | 13, concerning interaction through a network will apply to the combination as such. 491 | 492 | ### 14. Revised Versions of this License. 493 | 494 | The Free Software Foundation may publish revised and/or new versions of the GNU 495 | General Public License from time to time. Such new versions will be similar in spirit 496 | to the present version, but may differ in detail to address new problems or concerns. 497 | 498 | Each version is given a distinguishing version number. If the Program specifies that 499 | a certain numbered version of the GNU General Public License “or any later 500 | version” applies to it, you have the option of following the terms and 501 | conditions either of that numbered version or of any later version published by the 502 | Free Software Foundation. If the Program does not specify a version number of the GNU 503 | General Public License, you may choose any version ever published by the Free 504 | Software Foundation. 505 | 506 | If the Program specifies that a proxy can decide which future versions of the GNU 507 | General Public License can be used, that proxy's public statement of acceptance of a 508 | version permanently authorizes you to choose that version for the Program. 509 | 510 | Later license versions may give you additional or different permissions. However, no 511 | additional obligations are imposed on any author or copyright holder as a result of 512 | your choosing to follow a later version. 513 | 514 | ### 15. Disclaimer of Warranty. 515 | 516 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 517 | EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 518 | PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER 519 | EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 520 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE 521 | QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE 522 | DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 523 | 524 | ### 16. Limitation of Liability. 525 | 526 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY 527 | COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS 528 | PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, 529 | INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE 530 | PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE 531 | OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE 532 | WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 533 | POSSIBILITY OF SUCH DAMAGES. 534 | 535 | ### 17. Interpretation of Sections 15 and 16. 536 | 537 | If the disclaimer of warranty and limitation of liability provided above cannot be 538 | given local legal effect according to their terms, reviewing courts shall apply local 539 | law that most closely approximates an absolute waiver of all civil liability in 540 | connection with the Program, unless a warranty or assumption of liability accompanies 541 | a copy of the Program in return for a fee. 542 | 543 | END OF TERMS AND CONDITIONS 544 | 545 | ## How to Apply These Terms to Your New Programs 546 | 547 | If you develop a new program, and you want it to be of the greatest possible use to 548 | the public, the best way to achieve this is to make it free software which everyone 549 | can redistribute and change under these terms. 550 | 551 | To do so, attach the following notices to the program. It is safest to attach them 552 | to the start of each source file to most effectively state the exclusion of warranty; 553 | and each file should have at least the “copyright” line and a pointer to 554 | where the full notice is found. 555 | 556 | 557 | Copyright (C) 558 | 559 | This program is free software: you can redistribute it and/or modify 560 | it under the terms of the GNU General Public License as published by 561 | the Free Software Foundation, either version 3 of the License, or 562 | (at your option) any later version. 563 | 564 | This program is distributed in the hope that it will be useful, 565 | but WITHOUT ANY WARRANTY; without even the implied warranty of 566 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 567 | GNU General Public License for more details. 568 | 569 | You should have received a copy of the GNU General Public License 570 | along with this program. If not, see . 571 | 572 | Also add information on how to contact you by electronic and paper mail. 573 | 574 | If the program does terminal interaction, make it output a short notice like this 575 | when it starts in an interactive mode: 576 | 577 | Copyright (C) 578 | This program comes with ABSOLUTELY NO WARRANTY; for details type 'show w'. 579 | This is free software, and you are welcome to redistribute it 580 | under certain conditions; type 'show c' for details. 581 | 582 | The hypothetical commands 'show w' and 'show c' should show the appropriate parts of 583 | the General Public License. Of course, your program's commands might be different; 584 | for a GUI interface, you would use an “about box”. 585 | 586 | You should also get your employer (if you work as a programmer) or school, if any, to 587 | sign a “copyright disclaimer” for the program, if necessary. For more 588 | information on this, and how to apply and follow the GNU GPL, see 589 | <>. 590 | 591 | The GNU General Public License does not permit incorporating your program into 592 | proprietary programs. If your program is a subroutine library, you may consider it 593 | more useful to permit linking proprietary applications with the library. If this is 594 | what you want to do, use the GNU Lesser General Public License instead of this 595 | License. But first, please read 596 | <>. 597 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: agent api 2 | 3 | agent: _build 4 | @go build -ldflags="-w -s" -o _build/shieldwall-agent cmd/agent/*.go 5 | 6 | bindata: 7 | @go get -u github.com/go-bindata/go-bindata/... 8 | 9 | frontend: bindata 10 | @rm -rf frontend/compiled.go 11 | @cd frontend && npm run build 12 | @go-bindata -o frontend/compiled.go -pkg frontend -prefix frontend/dist ./frontend/dist/... 13 | 14 | api_and_frontend: _build frontend 15 | @go build -ldflags="-w -s" -o _build/shieldwall-api cmd/api/*.go 16 | 17 | api: _build 18 | @go build -ldflags="-w -s" -o _build/shieldwall-api cmd/api/*.go 19 | 20 | test: 21 | @go test -short ./... 22 | 23 | _build: 24 | @mkdir -p _build 25 | 26 | clean: 27 | @rm -rf _build 28 | 29 | composer_build: 30 | @docker-compose build 31 | 32 | composer_up: composer_build 33 | @docker-compose up 34 | 35 | install_api: 36 | @service shieldwall-api stop || true 37 | @cp _build/shieldwall-api /usr/bin/ 38 | @setcap 'cap_net_bind_service=+ep' /usr/bin/shieldwall-api 39 | @mkdir -p /etc/shieldwall/ 40 | @test -s /etc/shieldwall/config.yaml || cp api.example.yaml /etc/shieldwall/config.yaml 41 | @cp shieldwall-api.service /etc/systemd/system/ 42 | @systemctl daemon-reload 43 | @systemctl enable shieldwall-api 44 | @service shieldwall-api restart 45 | 46 | install_agent: 47 | @service shieldwall-agent stop || true 48 | @cp _build/shieldwall-agent /usr/bin/ 49 | @mkdir -p /etc/shieldwall/ 50 | @test -s /etc/shieldwall/config.yaml || cp agent.example.yaml /etc/shieldwall/config.yaml 51 | @cp shieldwall-agent.service /etc/systemd/system/ 52 | @systemctl daemon-reload 53 | @systemctl enable shieldwall-agent 54 | @service shieldwall-agent restart 55 | 56 | self_update: 57 | clear && git checkout . && git pull -X theirs && make clean && make api && sudo make install_api -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | Join the project community on our server! 3 |

4 | 5 | 6 | 7 |

8 |
9 | 10 |

11 | ShieldWall 12 |

13 | Release 14 | Software License 15 |

16 |

17 | 18 | ShieldWall embraces the zero-trust principle and instruments your server firewall to block inbound connections from every IP on any port, by default. The website allows you to push policies to your agents and temporarily unlock certain ports from your IP. 19 | 20 | [More on this project.](https://www.evilsocket.net/2021/02/13/Hide-your-servers-in-plain-sight-presenting-ShieldWall/) 21 | 22 | ### Quick Start 23 | 24 | Follow [the instructions here](https://github.com/evilsocket/shieldwall/wiki/Quick-Start) and then log into your 25 | https://shieldwall.me/ account to control the agent. 26 | 27 | ## Compile from Sources 28 | 29 | https://github.com/evilsocket/shieldwall/wiki 30 | 31 | ## License 32 | 33 | Released under the GPL3 license. 34 | -------------------------------------------------------------------------------- /agent.example.yaml: -------------------------------------------------------------------------------- 1 | # where to store the lists 2 | data: '/var/lib/shieldwall/' 3 | # path to iptables 4 | iptables: '/sbin/iptables' 5 | # check for newer versions and self update the agent 6 | update: true 7 | 8 | # api configuration 9 | api: 10 | # api server to use 11 | server: 'https://shieldwall.me' 12 | # authentication token 13 | token: 'deadbeefdeadbeef' 14 | # api polling period in seconds 15 | period: 10 16 | # api timeout in seconds or 0 for no timeout 17 | timeout: 0 18 | 19 | # list of ip addresses to always allow just in case 20 | allow: 21 | - '127.0.0.1' 22 | 23 | # log dropped packets to syslog 24 | drops: 25 | log: true 26 | limit: '10/min' 27 | prefix: 'shieldwall-dropped' 28 | level: 4 29 | 30 | -------------------------------------------------------------------------------- /api.example.yaml: -------------------------------------------------------------------------------- 1 | api: 2 | # frontend url 3 | url: 'https://shieldwall.me' 4 | ssl: true 5 | # used for letsencrypt 6 | domains: 7 | - shieldwall.me 8 | - www.shieldwall.me 9 | - api.shieldwall.me 10 | certs_cache: '/tmp/' 11 | # api address 12 | address: "0.0.0.0:443" 13 | # 100mb limit to avoid DoS 14 | req_max_size: 104857600 15 | token_ttl: 86400 # 24h 16 | secret: "CHANGE ME CHANGE ME" 17 | max_agents_per_user: 10 18 | cache_ttl: 600 # 10m 19 | allow_new_users: false 20 | 21 | mail: 22 | from: "noreply@shieldwall.me" 23 | smtp: 24 | address: "smtp.gmail.com" 25 | port: 587 26 | username: youremail@gmail.com 27 | password: "eh9238he923eh9238he92h3" 28 | 29 | database: 30 | host: database 31 | port: 5432 32 | user: shieldwall 33 | password: shieldwall 34 | name: shieldwall -------------------------------------------------------------------------------- /api/agent_get_rules.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "github.com/evilsocket/islazy/log" 5 | "github.com/evilsocket/shieldwall/database" 6 | "net/http" 7 | "time" 8 | ) 9 | 10 | func (api *API) GetRules(w http.ResponseWriter, r *http.Request) { 11 | agentIP := clientIP(r) 12 | agentToken := r.Header.Get("X-ShieldWall-Agent-Token") 13 | agentUA := r.Header.Get("User-Agent") 14 | 15 | if agentToken == "" { 16 | log.Warning("[%s %s] received rules request with no token", agentIP, agentUA) 17 | JSON(w, http.StatusBadRequest, nil) 18 | return 19 | } 20 | 21 | cacheWhat := "miss" 22 | 23 | // check cache first 24 | entry, found := cacheByAgentToken.Load(agentToken) 25 | if found { 26 | // expired? 27 | cached := entry.(*cachedRules) 28 | if int(time.Since(cached.CachedAt).Seconds()) >= api.config.CacheTTL { 29 | log.Debug("agent cache expired") 30 | cacheByAgentToken.Delete(agentToken) 31 | } else { 32 | // check expired rules 33 | _, expired, err := api.expireRules(cached.Rules, false) 34 | if err != nil { 35 | log.Error("error checking rules expiration: %v", err) 36 | JSON(w, http.StatusInternalServerError, nil) 37 | return 38 | } 39 | // bypass and invalidate cache if there are expired rules 40 | // in order to cache a fresh copy of the model 41 | if expired == 0 { 42 | w.Header().Set("shieldwall-cache", "hit") 43 | JSON(w, http.StatusOK, cached.Rules) 44 | return 45 | } else { 46 | cacheByAgentToken.Delete(agentToken) 47 | cacheWhat = "purge" // let the client know what happened ^_^ 48 | } 49 | } 50 | } 51 | 52 | w.Header().Set("shieldwall-cache", cacheWhat) 53 | 54 | agent, err := database.FindAgentByToken(agentToken) 55 | if err != nil { 56 | log.Warning("[%s %s] error searching for token '%s': %v", agentIP, agentUA, agentToken, err) 57 | JSON(w, http.StatusBadRequest, nil) 58 | return 59 | } else if agent == nil { 60 | log.Warning("[%s %s] invalid token '%s'", agentIP, agentUA, agentToken) 61 | JSON(w, http.StatusUnauthorized, nil) 62 | return 63 | } 64 | 65 | // check expired rules 66 | agent.Rules, _, err = api.expireRules(agent.Rules, true) 67 | if err != nil { 68 | log.Error("error checking rules expiration: %v", err) 69 | JSON(w, http.StatusInternalServerError, nil) 70 | return 71 | } 72 | 73 | // log.Debug("[%s %s] successfully authenticated", agentIP, agentUA) 74 | 75 | agent.SeenAt = time.Now() 76 | agent.Address = agentIP 77 | agent.UserAgent = agentUA 78 | 79 | if err = agent.Save(); err != nil { 80 | log.Error("error updating agent: %v", err) 81 | } 82 | 83 | // save to cache 84 | cacheByAgentToken.Store(agentToken, &cachedRules{ 85 | CachedAt: time.Now(), 86 | Rules: agent.Rules, 87 | }) 88 | 89 | JSON(w, http.StatusOK, agent.Rules) 90 | } 91 | -------------------------------------------------------------------------------- /api/alerting.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/database" 7 | "time" 8 | ) 9 | 10 | func (api *API) alertingLoop() { 11 | 12 | for { 13 | log.Debug("checking alerts ...") 14 | 15 | if agents, err := database.FindAgentsForAlert(); err != nil { 16 | log.Error("error querying database for alerts: %v", err) 17 | } else if num := len(agents); num > 0 { 18 | log.Debug("found %d agents for alerts", num) 19 | 20 | for _, agent := range agents { 21 | doAlert := false 22 | secsSinceLastAlert := uint(time.Since(agent.AlertAt).Seconds()) 23 | 24 | // alert just once 25 | if agent.AlertPeriod == 0 && secsSinceLastAlert > database.MaxAlertPeriod { 26 | log.Debug("period 0, delta s from alert is %d, limit %d", secsSinceLastAlert, database.MaxAlertPeriod) 27 | doAlert = true 28 | } else if agent.AlertPeriod != 0 && secsSinceLastAlert >= agent.AlertPeriod { 29 | log.Debug("period %d, delta s from alert is %d", agent.AlertPeriod, secsSinceLastAlert) 30 | doAlert = true 31 | } else { 32 | log.Debug("already sent at %s for agent %d", agent.AlertAt, agent.ID) 33 | } 34 | 35 | if doAlert { 36 | log.Info("sending alert for agent %s (%d)", agent.Name, agent.ID) 37 | 38 | if user, err := database.FindUserByID(int(agent.UserID)); err != nil { 39 | log.Error("error searching for agent's user: %v", err) 40 | } else { 41 | emailSubject := fmt.Sprintf("shieldwall.me alert for %s", agent.Name) 42 | emailBody := fmt.Sprintf("Your agent '%s' has not been active since %s.", 43 | agent.Name, 44 | time.Since(agent.SeenAt)) 45 | 46 | if err = api.sendmail.Send(api.mail.From, user.Email, emailSubject, emailBody); err != nil { 47 | log.Error("error sending alert email to %s: %v", user.Email, err) 48 | } else { 49 | agent.AlertAt = time.Now() 50 | if err = database.Save(&agent); err != nil { 51 | log.Error("error updating agent alert_at: %v", err) 52 | } else { 53 | log.Debug("agent alert_at updated") 54 | } 55 | } 56 | } 57 | } 58 | 59 | } 60 | } 61 | 62 | time.Sleep(time.Second * 30) 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /api/cache.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/database" 7 | "github.com/evilsocket/shieldwall/firewall" 8 | "gorm.io/datatypes" 9 | "sync" 10 | "time" 11 | ) 12 | 13 | type cachedRules struct { 14 | CachedAt time.Time 15 | Rules datatypes.JSON 16 | } 17 | 18 | var cacheByAgentToken = sync.Map{} 19 | 20 | func (api *API) expireRules(jsonbRules datatypes.JSON, doLog bool) (datatypes.JSON, int, error) { 21 | var rules []firewall.Rule 22 | 23 | expired := 0 24 | notExpired := make([]firewall.Rule, 0) 25 | 26 | if err := json.Unmarshal(jsonbRules, &rules); err != nil { 27 | return nil, 0, err 28 | } 29 | 30 | for _, rule := range rules { 31 | if rule.Expired() { 32 | if doLog { 33 | log.Info("rule expired %#v", rule) 34 | } 35 | expired++ 36 | } else { 37 | notExpired = append(notExpired, rule) 38 | } 39 | } 40 | 41 | return database.ToJSONB(notExpired), expired, nil 42 | } 43 | -------------------------------------------------------------------------------- /api/cloudflare.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/islazy/str" 7 | "io/ioutil" 8 | "net/http" 9 | "strings" 10 | "sync" 11 | "time" 12 | ) 13 | 14 | const ( 15 | cfIPv4URL = "https://www.cloudflare.com/ips-v4" 16 | cfIPv6URL = "https://www.cloudflare.com/ips-v6" 17 | ) 18 | 19 | var ( 20 | cfURLs = []string{cfIPv4URL, cfIPv6URL} 21 | cfTTL = time.Minute * time.Duration(60) 22 | cfTime = time.Time{} 23 | cfLock = sync.Mutex{} 24 | cfSubnets = []string(nil) 25 | ) 26 | 27 | func cfGetSubnets() ([]string, error) { 28 | cfLock.Lock() 29 | defer cfLock.Unlock() 30 | 31 | if cfTime.IsZero() || time.Since(cfTime) >= cfTTL { 32 | cfSubnets = nil 33 | for _, url := range cfURLs { 34 | log.Info("updating cloudflare subnets from %s ...", url) 35 | if resp, err := http.Get(url); err != nil { 36 | return nil, err 37 | } else if resp.StatusCode != http.StatusOK { 38 | return nil, fmt.Errorf("%s [%d] %s", url, resp.StatusCode, resp.Status) 39 | } else { 40 | defer resp.Body.Close() 41 | if raw, err := ioutil.ReadAll(resp.Body); err != nil { 42 | return nil, fmt.Errorf("%s %v", url, err) 43 | } else if parts := strings.Split(string(raw), "\n"); len(parts) == 0 { 44 | return nil, fmt.Errorf("%s unexpected response: %s", url, string(raw)) 45 | } else { 46 | cfTime = time.Now() 47 | for _, part := range parts { 48 | if part = str.Trim(part); part != "" { 49 | log.Info("cf: %s", part) 50 | cfSubnets = append(cfSubnets, part) 51 | } 52 | } 53 | } 54 | } 55 | } 56 | } 57 | 58 | return cfSubnets, nil 59 | } 60 | 61 | func (api *API) GetCloudflareSubnets(w http.ResponseWriter, r *http.Request) { 62 | if user := api.authorized(w, r); user != nil { 63 | if nets, err := cfGetSubnets(); err != nil { 64 | log.Error("error getting cloudflare subnets: %v", err) 65 | ERROR(w, http.StatusInternalServerError, err) 66 | } else { 67 | JSON(w, http.StatusOK, nets) 68 | } 69 | } else { 70 | JSON(w, http.StatusForbidden, nil) 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /api/config.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import "github.com/evilsocket/shieldwall/mailer" 4 | 5 | type EmailConfig struct { 6 | From string `yaml:"from"` 7 | SMTP mailer.Config `yaml:"smtp"` 8 | } 9 | 10 | type Config struct { 11 | URL string `yaml:"url"` 12 | SSL bool `yaml:"ssl"` 13 | CertsCache string `yaml:"certs_cache"` 14 | Domains []string `yaml:"domains"` 15 | Address string `yaml:"address"` 16 | ReqMaxSize int64 `yaml:"req_max_size"` 17 | TokenTTL int `yaml:"token_ttl"` 18 | Secret string `yaml:"secret"` 19 | MaxAgents int `yaml:"max_agents_per_user"` 20 | CacheTTL int `yaml:"cache_ttl"` 21 | AllowNewUsers bool `yaml:"allow_new_users"` 22 | } 23 | -------------------------------------------------------------------------------- /api/mock_fs.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | assetfs "github.com/elazarl/go-bindata-assetfs" 5 | "github.com/evilsocket/shieldwall/frontend" 6 | "net/http" 7 | "strings" 8 | ) 9 | 10 | type mockFS struct { 11 | fs http.FileSystem 12 | } 13 | 14 | func (b *mockFS) Open(name string) (http.File, error) { 15 | return b.fs.Open(name) 16 | } 17 | 18 | func (b *mockFS) Exists(prefix string, filepath string) bool { 19 | if p := strings.TrimPrefix(filepath, prefix); len(p) < len(filepath) { 20 | if _, err := b.fs.Open(p); err != nil { 21 | return false 22 | } 23 | return true 24 | } 25 | return false 26 | } 27 | 28 | func MockFS() *mockFS { 29 | return &mockFS{ 30 | fs: &assetfs.AssetFS{ 31 | Asset: frontend.Asset, 32 | AssetDir: frontend.AssetDir, 33 | }, 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /api/requests.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "github.com/evilsocket/shieldwall/database" 5 | "github.com/evilsocket/shieldwall/firewall" 6 | ) 7 | 8 | type UserRegisterRequest struct { 9 | Email string `json:"email"` 10 | Password string `json:"password"` 11 | } 12 | 13 | type UserUpdateRequest struct { 14 | NewPassword string `json:"password"` 15 | Use2FA bool `json:"use_2fa"` 16 | } 17 | 18 | type UserLoginRequest struct { 19 | Email string `json:"email"` 20 | Password string `json:"password"` 21 | } 22 | 23 | type UserResponse struct { 24 | Token string `json:"token"` 25 | User *database.User `json:"data"` 26 | Address string `json:"address"` 27 | } 28 | 29 | type Step2Request struct { 30 | Code string `json:"code"` 31 | } 32 | 33 | type AgentCreationRequest struct { 34 | Name string `json:"name"` 35 | Rules []*firewall.Rule `json:"rules"` 36 | AlertAfter uint `json:"alert_after"` 37 | AlertPeriod uint `json:"alert_period"` 38 | } 39 | 40 | type AgentUpdateRequest struct { 41 | Name string `json:"name"` 42 | Rules []*firewall.Rule `json:"rules"` 43 | AlertAfter uint `json:"alert_after"` 44 | AlertPeriod uint `json:"alert_period"` 45 | } 46 | -------------------------------------------------------------------------------- /api/setup.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "compress/flate" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/mailer" 7 | "github.com/go-chi/chi" 8 | "github.com/go-chi/chi/middleware" 9 | "github.com/go-chi/cors" 10 | "github.com/go-chi/httprate" 11 | "golang.org/x/crypto/acme/autocert" 12 | "net/http" 13 | "strings" 14 | "time" 15 | ) 16 | 17 | type API struct { 18 | config Config 19 | mail EmailConfig 20 | sendmail *mailer.Mailer 21 | router *chi.Mux 22 | certManager *autocert.Manager 23 | } 24 | 25 | func Setup(config Config, email EmailConfig, sendmail *mailer.Mailer) *API { 26 | api := &API{ 27 | config: config, 28 | mail: email, 29 | sendmail: sendmail, 30 | router: chi.NewRouter(), 31 | } 32 | 33 | if config.SSL { 34 | log.Info("ssl enabled for %s (caching on %s)", strings.Join(config.Domains, ", "), config.CertsCache) 35 | api.certManager = &autocert.Manager{ 36 | Cache: autocert.DirCache(config.CertsCache), 37 | Prompt: autocert.AcceptTOS, 38 | HostPolicy: autocert.HostWhitelist(config.Domains...), 39 | } 40 | } else { 41 | log.Warning("ssl disabled") 42 | } 43 | 44 | // use response compression 45 | compressor := middleware.NewCompressor(flate.DefaultCompression) 46 | api.router.Use(compressor.Handler) 47 | 48 | // set CORS rules 49 | api.router.Use(cors.Handler(cors.Options{ 50 | AllowedOrigins: []string{"*"}, 51 | AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, 52 | AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, 53 | AllowCredentials: false, 54 | MaxAge: 300, 55 | })) 56 | 57 | // API routes 58 | api.router.Route("/api", func(r chi.Router) { 59 | r.Route("/v1", func(r chi.Router) { 60 | r.Get("/rules", api.GetRules) 61 | 62 | r.Route("/subnets", func(r chi.Router) { 63 | r.Use(httprate.LimitByIP(1, 1*time.Second)) 64 | r.Get("/cloudflare", api.GetCloudflareSubnets) 65 | }) 66 | 67 | r.Route("/user", func(r chi.Router) { 68 | r.Use(httprate.LimitByIP(2, 1*time.Second)) 69 | 70 | r.Post("/register", api.UserRegister) 71 | r.Get("/verify/{verification:[A-Fa-f0-9]{64}}", api.UserVerify) 72 | r.Post("/login", api.UserLogin) 73 | r.Post("/2step", api.UserSecondStep) 74 | 75 | r.Post("/", api.UserUpdate) 76 | 77 | r.Route("/agents", func(r chi.Router) { 78 | r.Put("/new", api.UserCreateAgent) 79 | 80 | r.Get("/", api.UserGetAgents) 81 | r.Get("/{id:[0-9]+}", api.UserGetAgent) 82 | 83 | r.Put("/{id:[0-9]+}", api.UserUpdateAgent) 84 | r.Delete("/{id:[0-9]+}", api.UserDeleteAgent) 85 | }) 86 | }) 87 | }) 88 | }) 89 | 90 | // frontend 91 | api.router.Handle("/*", http.FileServer(MockFS())) 92 | 93 | return api 94 | } 95 | 96 | func (api *API) Run() { 97 | log.Info("api starting on %s", api.config.Address) 98 | 99 | go api.alertingLoop() 100 | 101 | if api.config.SSL { 102 | server := &http.Server{ 103 | Addr: api.config.Address, 104 | TLSConfig: api.certManager.TLSConfig(), 105 | Handler: api.router, 106 | } 107 | log.Fatal("%v", server.ListenAndServeTLS("", "")) 108 | } else { 109 | log.Fatal("%v", http.ListenAndServe(api.config.Address, api.router)) 110 | } 111 | } 112 | -------------------------------------------------------------------------------- /api/token.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "github.com/dgrijalva/jwt-go" 7 | "github.com/evilsocket/shieldwall/database" 8 | "time" 9 | ) 10 | 11 | var ( 12 | ErrTokenClaims = errors.New("can't extract claims from jwt token") 13 | ErrTokenInvalid = errors.New("jwt token not valid") 14 | ErrTokenExpired = errors.New("jwt token expired") 15 | ErrTokenIncomplete = errors.New("jwt token is missing required fields") 16 | ErrTokenUnauthorized = errors.New("jwt token authorized field is false (?!)") 17 | ErrToken2FA = errors.New("requires 2fa step") 18 | ) 19 | 20 | func (api *API) tokenFor(user *database.User, passed2FA bool) (string, error) { 21 | claims := jwt.MapClaims{} 22 | claims["authorized"] = true 23 | claims["2fa_passed"] = passed2FA 24 | claims["user_id"] = user.ID 25 | claims["expires_at"] = time.Now().Add(time.Duration(api.config.TokenTTL) * time.Second).Format(time.RFC3339) 26 | 27 | token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) 28 | signed, err := token.SignedString([]byte(api.config.Secret)) 29 | if err != nil { 30 | return "", err 31 | } 32 | return signed, nil 33 | } 34 | 35 | func (api *API) validateToken(header string) (jwt.MapClaims, error) { 36 | token, err := jwt.Parse(header, func(token *jwt.Token) (interface{}, error) { 37 | if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { 38 | return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) 39 | } 40 | return []byte(api.config.Secret), nil 41 | }) 42 | if err != nil { 43 | return nil, err 44 | } 45 | 46 | claims, ok := token.Claims.(jwt.MapClaims) 47 | if !ok { 48 | return nil, ErrTokenClaims 49 | } else if !token.Valid { 50 | return nil, ErrTokenInvalid 51 | } 52 | 53 | required := []string{ 54 | "expires_at", 55 | "authorized", 56 | "2fa_passed", 57 | "user_id", 58 | } 59 | for _, req := range required { 60 | if _, found := claims[req]; !found { 61 | return nil, ErrTokenIncomplete 62 | } 63 | } 64 | 65 | // log.Debug("%+v", claims) 66 | 67 | if expiresAt, err := time.Parse(time.RFC3339, claims["expires_at"].(string)); err != nil { 68 | return nil, ErrTokenExpired 69 | } else if expiresAt.Before(time.Now()) { 70 | return nil, ErrTokenExpired 71 | } else if claims["authorized"].(bool) != true { 72 | return nil, ErrTokenUnauthorized 73 | } 74 | 75 | if claims["2fa_passed"].(bool) == false { 76 | return claims, ErrToken2FA 77 | } 78 | 79 | return claims, err 80 | } 81 | -------------------------------------------------------------------------------- /api/user_agents.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "github.com/evilsocket/islazy/log" 7 | "github.com/evilsocket/shieldwall/database" 8 | "github.com/go-chi/chi" 9 | "io" 10 | "net/http" 11 | "strconv" 12 | ) 13 | 14 | func (api *API) authorized(w http.ResponseWriter, r *http.Request) *database.User { 15 | client := clientIP(r) 16 | tokenHeader := reqToken(r) 17 | if tokenHeader == "" { 18 | log.Debug("unauthenticated request from %s", client) 19 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 20 | return nil 21 | } 22 | 23 | claims, err := api.validateToken(tokenHeader) 24 | if err != nil { 25 | log.Warning("token error for %s: %v", client, err) 26 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 27 | return nil 28 | } 29 | 30 | user, err := database.FindUserByID(int(claims["user_id"].(float64))) 31 | if err != nil { 32 | ERROR(w, http.StatusUnauthorized, err) 33 | return nil 34 | } else if user == nil { 35 | log.Warning("client %s tried to authenticated with unknown claims '%v'", client, claims) 36 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 37 | return nil 38 | } 39 | 40 | user.Address = client 41 | return user 42 | } 43 | 44 | func (api *API) UserCreateAgent(w http.ResponseWriter, r *http.Request) { 45 | if user := api.authorized(w, r); user != nil { 46 | if api.config.MaxAgents > 0 && len(user.Agents) >= api.config.MaxAgents { 47 | ERROR(w, http.StatusForbidden, fmt.Errorf("max %d agents per user reached", api.config.MaxAgents)) 48 | return 49 | } 50 | 51 | var req AgentCreationRequest 52 | 53 | defer r.Body.Close() 54 | 55 | client := clientIP(r) 56 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 57 | decoder := json.NewDecoder(reader) 58 | 59 | err := decoder.Decode(&req) 60 | if err != nil { 61 | log.Warning("[%s] error decoding agent creation request: %v", client, err) 62 | JSON(w, http.StatusBadRequest, nil) 63 | return 64 | } 65 | 66 | fields := database.AgentWritableFields{ 67 | User: user, 68 | Name: req.Name, 69 | Rules: req.Rules, 70 | AlertAfter: req.AlertAfter, 71 | AlertPeriod: req.AlertPeriod, 72 | } 73 | agent, err := database.RegisterAgent(&fields) 74 | if err != nil { 75 | ERROR(w, http.StatusBadRequest, err) 76 | return 77 | } 78 | 79 | log.Info("registered new agent %s for %s", agent.Name, user.Email) 80 | 81 | JSON(w, http.StatusOK, agent) 82 | } else { 83 | JSON(w, http.StatusForbidden, nil) 84 | } 85 | } 86 | 87 | func (api *API) UserGetAgents(w http.ResponseWriter, r *http.Request) { 88 | if user := api.authorized(w, r); user != nil { 89 | JSON(w, http.StatusOK, user.Agents) 90 | } else { 91 | JSON(w, http.StatusForbidden, nil) 92 | } 93 | } 94 | 95 | func (api *API) UserGetAgent(w http.ResponseWriter, r *http.Request) { 96 | if user := api.authorized(w, r); user != nil { 97 | id := chi.URLParam(r, "id") 98 | if id == "" { 99 | JSON(w, http.StatusBadRequest, nil) 100 | return 101 | } 102 | 103 | idNum, err := strconv.ParseInt(id, 10, 64) 104 | if err != nil { 105 | ERROR(w, http.StatusBadRequest, err) 106 | return 107 | } 108 | 109 | for _, agent := range user.Agents { 110 | if agent.ID == uint(idNum) { 111 | JSON(w, http.StatusOK, agent) 112 | return 113 | } 114 | } 115 | 116 | ERROR(w, http.StatusNotFound, fmt.Errorf("not found")) 117 | } else { 118 | JSON(w, http.StatusForbidden, nil) 119 | } 120 | } 121 | 122 | func (api *API) UserUpdateAgent(w http.ResponseWriter, r *http.Request) { 123 | if user := api.authorized(w, r); user != nil { 124 | id := chi.URLParam(r, "id") 125 | if id == "" { 126 | JSON(w, http.StatusBadRequest, nil) 127 | return 128 | } 129 | 130 | idNum, err := strconv.ParseInt(id, 10, 64) 131 | if err != nil { 132 | ERROR(w, http.StatusBadRequest, err) 133 | return 134 | } 135 | 136 | var req AgentUpdateRequest 137 | 138 | defer r.Body.Close() 139 | 140 | client := clientIP(r) 141 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 142 | decoder := json.NewDecoder(reader) 143 | 144 | if err = decoder.Decode(&req); err != nil { 145 | log.Warning("[%s] error decoding agent creation request: %v", client, err) 146 | JSON(w, http.StatusBadRequest, nil) 147 | return 148 | } 149 | 150 | for _, agent := range user.Agents { 151 | if agent.ID == uint(idNum) { 152 | fields := database.AgentWritableFields{ 153 | ID: agent.ID, 154 | User: user, 155 | Name: req.Name, 156 | Rules: req.Rules, 157 | AlertAfter: req.AlertAfter, 158 | AlertPeriod: req.AlertPeriod, 159 | } 160 | 161 | if err = database.UpdateAgent(&agent, &fields); err != nil { 162 | ERROR(w, http.StatusBadRequest, err) 163 | } else { 164 | cacheByAgentToken.Delete(agent.Token) 165 | JSON(w, http.StatusOK, agent) 166 | } 167 | return 168 | } 169 | } 170 | 171 | ERROR(w, http.StatusNotFound, fmt.Errorf("not found")) 172 | } else { 173 | JSON(w, http.StatusForbidden, nil) 174 | } 175 | } 176 | 177 | func (api *API) UserDeleteAgent(w http.ResponseWriter, r *http.Request) { 178 | if user := api.authorized(w, r); user != nil { 179 | id := chi.URLParam(r, "id") 180 | if id == "" { 181 | JSON(w, http.StatusBadRequest, nil) 182 | return 183 | } 184 | 185 | idNum, err := strconv.ParseInt(id, 10, 64) 186 | if err != nil { 187 | ERROR(w, http.StatusBadRequest, err) 188 | return 189 | } 190 | 191 | for _, agent := range user.Agents { 192 | if agent.ID == uint(idNum) { 193 | if err = database.Delete(&agent); err != nil { 194 | ERROR(w, http.StatusInternalServerError, err) 195 | } else { 196 | cacheByAgentToken.Delete(agent.Token) 197 | JSON(w, http.StatusOK, "agent deleted") 198 | } 199 | return 200 | } 201 | } 202 | 203 | ERROR(w, http.StatusNotFound, fmt.Errorf("not found")) 204 | } else { 205 | JSON(w, http.StatusForbidden, nil) 206 | } 207 | } 208 | -------------------------------------------------------------------------------- /api/user_login.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "github.com/evilsocket/islazy/log" 7 | "github.com/evilsocket/shieldwall/database" 8 | "io" 9 | "net/http" 10 | ) 11 | 12 | func (api *API) UserLogin(w http.ResponseWriter, r *http.Request) { 13 | var req UserLoginRequest 14 | 15 | defer r.Body.Close() 16 | 17 | client := clientIP(r) 18 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 19 | decoder := json.NewDecoder(reader) 20 | 21 | err := decoder.Decode(&req) 22 | if err != nil { 23 | log.Warning("[%s] error decoding user login request: %v", client, err) 24 | JSON(w, http.StatusBadRequest, nil) 25 | return 26 | } 27 | 28 | user, err := database.LoginUser(client, req.Email, req.Password) 29 | if err != nil { 30 | ERROR(w, http.StatusUnauthorized, err) 31 | return 32 | } else if user == nil { 33 | ERROR(w, http.StatusUnauthorized, fmt.Errorf("invalid credentials")) // TODO: Change Errorf to errors 34 | return 35 | } else if token, err := api.tokenFor(user, !user.Use2FA); err != nil { 36 | log.Error("error creating token for user %d: %v", user.ID, err) 37 | ERROR(w, http.StatusInternalServerError, err) 38 | return 39 | } else { 40 | log.Debug("[%s] user %s logged in", client, user.Email) 41 | if user.Use2FA { 42 | log.Info("[%s] sending verification email to %s", client, user.Email) 43 | 44 | emailSubject := "shieldwall.me login verification" 45 | emailBody := fmt.Sprintf("Your verification code is %s

", user.Verification) + 46 | fmt.Sprintf("The address %s tried to login to your shieldwall account, "+ 47 | "if that wasn't you, you should change your credentials immediately.", client) 48 | 49 | if err = api.sendmail.Send(api.mail.From, user.Email, emailSubject, emailBody); err != nil { 50 | log.Error("error sending verification email to %s: %v", user.Email, err) 51 | ERROR(w, http.StatusInternalServerError, fmt.Errorf("error sending verification email")) 52 | return 53 | } else { 54 | log.Debug("verification email sent to %s (%s)", user.Email, user.Verification) 55 | } 56 | } 57 | 58 | JSON(w, http.StatusOK, UserResponse{ 59 | Token: token, 60 | User: user, 61 | Address: client, 62 | }) 63 | } 64 | } 65 | 66 | func (api *API) authorizedForStep2(w http.ResponseWriter, r *http.Request) *database.User { 67 | client := clientIP(r) 68 | tokenHeader := reqToken(r) 69 | if tokenHeader == "" { 70 | log.Debug("unauthenticated request from %s", client) 71 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 72 | return nil 73 | } 74 | 75 | claims, err := api.validateToken(tokenHeader) 76 | if err != nil && err != ErrToken2FA { 77 | log.Warning("token error for %s: %v", client, err) 78 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 79 | return nil 80 | } 81 | 82 | log.Debug("user claims for step2: %#v", claims) 83 | user, err := database.FindUserByID(int(claims["user_id"].(float64))) 84 | if err != nil { 85 | ERROR(w, http.StatusUnauthorized, err) 86 | return nil 87 | } else if user == nil { 88 | log.Warning("client %s tried to authenticated with unknown claims '%v'", client, claims) 89 | ERROR(w, http.StatusUnauthorized, ErrUnauthorized) 90 | return nil 91 | } 92 | 93 | user.Address = client 94 | return user 95 | } 96 | 97 | func (api *API) UserSecondStep(w http.ResponseWriter, r *http.Request) { 98 | if user := api.authorizedForStep2(w, r); user != nil { 99 | var req Step2Request 100 | 101 | defer r.Body.Close() 102 | 103 | client := clientIP(r) 104 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 105 | decoder := json.NewDecoder(reader) 106 | 107 | err := decoder.Decode(&req) 108 | if err != nil { 109 | log.Warning("[%s] error decoding user step2 request: %v", client, err) 110 | JSON(w, http.StatusBadRequest, nil) 111 | return 112 | } 113 | 114 | if req.Code != user.Verification { 115 | log.Warning("[%s] wrong code %s", client, req.Code) 116 | JSON(w, http.StatusForbidden, nil) 117 | return 118 | } 119 | 120 | if token, err := api.tokenFor(user, true); err != nil { 121 | log.Error("error creating token for user %d: %v", user.ID, err) 122 | ERROR(w, http.StatusInternalServerError, err) 123 | return 124 | } else { 125 | JSON(w, http.StatusOK, UserResponse{ 126 | Token: token, 127 | User: user, 128 | Address: client, 129 | }) 130 | } 131 | } else { 132 | JSON(w, http.StatusForbidden, nil) 133 | } 134 | } 135 | -------------------------------------------------------------------------------- /api/user_register.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "github.com/evilsocket/islazy/log" 7 | "github.com/evilsocket/shieldwall/database" 8 | "io" 9 | "net/http" 10 | ) 11 | 12 | func (api *API) UserRegister(w http.ResponseWriter, r *http.Request) { 13 | if api.config.AllowNewUsers == false { 14 | ERROR(w, http.StatusLocked, fmt.Errorf("apologies, registrations are closed at the moment")) 15 | return 16 | } 17 | 18 | var req UserRegisterRequest 19 | 20 | defer r.Body.Close() 21 | 22 | client := clientIP(r) 23 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 24 | decoder := json.NewDecoder(reader) 25 | 26 | err := decoder.Decode(&req) 27 | if err != nil { 28 | log.Warning("[%s] error decoding user registration request: %v", client, err) 29 | JSON(w, http.StatusBadRequest, nil) 30 | return 31 | } 32 | 33 | user, err := database.RegisterUser(client, req.Email, req.Password) 34 | if err != nil { 35 | log.Debug("[%s] %v", client, err) 36 | ERROR(w, http.StatusBadRequest, err) 37 | return 38 | } 39 | 40 | log.Info("[%s] registered new user %s", user.Address, user.Email) 41 | 42 | // prepare and send verification email 43 | link := fmt.Sprintf("%s/#/verify/%s", api.config.URL, user.Verification) 44 | 45 | emailSubject := "shieldwall.me account verification" 46 | emailBody := "Follow this link to complete your registration.

" + 47 | fmt.Sprintf("%s", link, link) 48 | 49 | if err = api.sendmail.Send(api.mail.From, user.Email, emailSubject, emailBody); err != nil { 50 | log.Error("error sending verification email to %s: %v", user.Email, err) 51 | } else { 52 | log.Debug("verification email sent to %s (%s)", user.Email, user.Verification) 53 | } 54 | 55 | JSON(w, http.StatusOK, "registration successful, proceed to email verification") 56 | } -------------------------------------------------------------------------------- /api/user_update.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/database" 7 | "io" 8 | "net/http" 9 | ) 10 | 11 | 12 | func (api *API) UserUpdate(w http.ResponseWriter, r *http.Request) { 13 | if user := api.authorized(w, r); user != nil { 14 | defer r.Body.Close() 15 | 16 | var req UserUpdateRequest 17 | 18 | client := clientIP(r) 19 | reader := io.LimitReader(r.Body, api.config.ReqMaxSize) 20 | decoder := json.NewDecoder(reader) 21 | 22 | if err := decoder.Decode(&req); err != nil { 23 | log.Warning("[%s] error decoding user update request: %v", client, err) 24 | JSON(w, http.StatusBadRequest, nil) 25 | return 26 | } 27 | 28 | if _, err := database.UpdateUser(user, client, req.NewPassword, req.Use2FA); err != nil { 29 | log.Debug("[%s] %v", client, err) 30 | ERROR(w, http.StatusBadRequest, err) 31 | return 32 | } 33 | 34 | token, err := api.tokenFor(user, !user.Use2FA) 35 | if err != nil { 36 | log.Error("error updating token for user %d: %v", user.ID, err) 37 | } 38 | 39 | JSON(w, http.StatusOK, UserResponse{ 40 | Token: token, 41 | User: user, 42 | Address: client, 43 | }) 44 | } else { 45 | JSON(w, http.StatusForbidden, nil) 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /api/user_verify.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "github.com/evilsocket/shieldwall/database" 5 | "github.com/go-chi/chi" 6 | "net/http" 7 | ) 8 | 9 | func (api *API) UserVerify(w http.ResponseWriter, r *http.Request) { 10 | code := chi.URLParam(r, "verification") 11 | if code == "" { 12 | JSON(w, http.StatusBadRequest, nil) 13 | return 14 | } 15 | 16 | if err := database.VerifyUser(code); err != nil { 17 | JSON(w, http.StatusBadRequest, err) 18 | return 19 | } 20 | 21 | JSON(w, http.StatusOK, "user successfully verified") 22 | } -------------------------------------------------------------------------------- /api/utils.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "encoding/json" 5 | "errors" 6 | "net/http" 7 | "strconv" 8 | "strings" 9 | 10 | "github.com/evilsocket/islazy/log" 11 | ) 12 | 13 | var ( 14 | ErrEmpty = errors.New("") 15 | ErrUnauthorized = errors.New("unauthorized") 16 | ErrMessageNotFound = errors.New("record not found") 17 | ) 18 | 19 | func strParam(r *http.Request, name string, def string) string { 20 | param := r.URL.Query().Get(name) 21 | if param != "" { 22 | return param 23 | } 24 | return def 25 | } 26 | 27 | func floatParam(r *http.Request, name string, def float32) float32 { 28 | param := r.URL.Query().Get(name) 29 | if param != "" { 30 | if v, err := strconv.ParseFloat(param, 32); err != nil { 31 | log.Warning("can't parse %s parameter from value '%s'", name, param) 32 | } else { 33 | return float32(v) 34 | } 35 | } 36 | return def 37 | } 38 | 39 | func boolParam(r *http.Request, name string, def bool) bool { 40 | param := r.URL.Query().Get(name) 41 | if param != "" { 42 | if v, err := strconv.ParseBool(param); err != nil { 43 | log.Warning("can't parse %s parameter from value '%s'", name, param) 44 | } else { 45 | return v 46 | } 47 | } 48 | return def 49 | } 50 | 51 | func intParam(r *http.Request, name string, def int) int { 52 | param := r.URL.Query().Get(name) 53 | if param != "" { 54 | if v, err := strconv.ParseInt(param, 10, 32); err != nil { 55 | log.Warning("can't parse %s parameter from value '%s'", name, param) 56 | } else { 57 | return int(v) 58 | } 59 | } 60 | return def 61 | } 62 | 63 | func clientIP(r *http.Request) string { 64 | address := strings.Split(r.RemoteAddr, ":")[0] 65 | if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { 66 | address = forwardedFor 67 | } 68 | // https://support.cloudflare.com/hc/en-us/articles/206776727-What-is-True-Client-IP- 69 | if trueClient := r.Header.Get("True-Client-IP"); trueClient != "" { 70 | address = trueClient 71 | } 72 | // handle multiple IPs case 73 | return strings.Trim(strings.Split(address, ",")[0], " ") 74 | } 75 | 76 | func reqToken(r *http.Request) string { 77 | keys := r.URL.Query() 78 | token := keys.Get("token") 79 | if token != "" { 80 | return token 81 | } 82 | bearerToken := r.Header.Get("Authorization") 83 | if parts := strings.Split(bearerToken, " "); len(parts) == 2 { 84 | return parts[1] 85 | } 86 | return "" 87 | } 88 | 89 | func pageNum(r *http.Request) (int, error) { 90 | pageParam := r.URL.Query().Get("p") 91 | if pageParam == "" { 92 | pageParam = "1" 93 | } 94 | return strconv.Atoi(pageParam) 95 | } 96 | 97 | func JSON(w http.ResponseWriter, statusCode int, data interface{}) { 98 | js, err := json.Marshal(data) 99 | if err != nil { 100 | http.Error(w, err.Error(), http.StatusInternalServerError) 101 | return 102 | } 103 | 104 | w.Header().Set("Content-Type", "application/json") 105 | w.WriteHeader(statusCode) 106 | 107 | if _, err = w.Write(js); err != nil { 108 | log.Error("error sending response: %v", err) 109 | } else { 110 | // log.Debug("sent %d bytes of json response", sent) 111 | } 112 | } 113 | 114 | func ERROR(w http.ResponseWriter, statusCode int, err error) { 115 | if err != nil { 116 | JSON(w, statusCode, struct { 117 | Error string `json:"error"` 118 | }{ 119 | Error: err.Error(), 120 | }) 121 | return 122 | } 123 | JSON(w, http.StatusBadRequest, nil) 124 | } 125 | -------------------------------------------------------------------------------- /cmd/agent/api.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "github.com/evilsocket/islazy/log" 7 | "github.com/evilsocket/shieldwall/firewall" 8 | "github.com/evilsocket/shieldwall/version" 9 | "net/http" 10 | "runtime" 11 | "strings" 12 | "time" 13 | ) 14 | 15 | // API client 16 | type API struct { 17 | config APIConfig 18 | } 19 | 20 | func NewAPI(config APIConfig) *API { 21 | return &API{ 22 | config: config, 23 | } 24 | } 25 | 26 | func (a API) FetchRules() ([]firewall.Rule, error) { 27 | client := &http.Client{} 28 | if a.config.Timeout > 0 { 29 | client.Timeout = time.Duration(a.config.Timeout) * time.Second 30 | } 31 | 32 | if strings.Index(a.config.Server, "://") == -1 { 33 | a.config.Server = "https://" + a.config.Server 34 | } 35 | url := fmt.Sprintf("%s/api/v1/rules", a.config.Server) 36 | 37 | log.Debug("polling %s", url) 38 | 39 | req, err := http.NewRequest("GET", url, nil) 40 | if err != nil { 41 | return nil, err 42 | } 43 | 44 | // agent authentication 45 | req.Header.Set("X-ShieldWall-Agent-Token", a.config.Token) 46 | req.Header.Set("User-Agent", fmt.Sprintf( 47 | "ShieldWall Agent v%s (%s %s)", 48 | version.Version, 49 | runtime.GOOS, 50 | runtime.GOARCH)) 51 | 52 | res, err := client.Do(req) 53 | if err != nil { 54 | return nil, err 55 | } 56 | defer res.Body.Close() 57 | 58 | if res.StatusCode != http.StatusOK { 59 | return nil, fmt.Errorf("%d (%s)", res.StatusCode, res.Status) 60 | } 61 | 62 | var rules []firewall.Rule 63 | if err = json.NewDecoder(res.Body).Decode(&rules); err != nil { 64 | return nil, err 65 | } 66 | 67 | return rules, nil 68 | } 69 | -------------------------------------------------------------------------------- /cmd/agent/config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/evilsocket/shieldwall/firewall" 5 | "gopkg.in/yaml.v2" 6 | "io/ioutil" 7 | ) 8 | 9 | type APIConfig struct { 10 | // api server hostname 11 | Server string `yaml:"server"` 12 | // auth token 13 | Token string `yaml:"token"` 14 | // api polling period 15 | Period int `yaml:"period"` 16 | // api timeout 17 | Timeout int `yaml:"timeout"` 18 | } 19 | 20 | type Config struct { 21 | // TODO: refactor to support different firewalls 22 | IPTablesPath string `yaml:"iptables"` 23 | // where lists are stored 24 | DataPath string `yaml:"data"` 25 | // list of addresses to pre allow 26 | Allow []string `yaml:"allow"` 27 | // check for newer versions and self update the agent 28 | Update bool `yaml:"update"` 29 | // dropped packet logging 30 | Drops firewall.DropConfig `yaml:"drops"` 31 | // api config 32 | API APIConfig `yaml:"api"` 33 | } 34 | 35 | func LoadAgentConfig(fileName string) (*Config, error) { 36 | raw, err := ioutil.ReadFile(fileName) 37 | if err != nil { 38 | return nil, err 39 | } 40 | 41 | conf := Config{} 42 | 43 | err = yaml.Unmarshal(raw, &conf) 44 | if err != nil { 45 | return nil, err 46 | } 47 | 48 | return &conf, nil 49 | } 50 | -------------------------------------------------------------------------------- /cmd/agent/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/sha256" 5 | "encoding/json" 6 | "flag" 7 | "fmt" 8 | "github.com/evilsocket/islazy/log" 9 | "github.com/evilsocket/shieldwall/firewall" 10 | "github.com/evilsocket/shieldwall/version" 11 | "os" 12 | "os/signal" 13 | "sort" 14 | "syscall" 15 | "time" 16 | ) 17 | 18 | var ( 19 | err = (error)(nil) 20 | conf = (* Config)(nil) 21 | state = (*State)(nil) 22 | signals = make(chan os.Signal, 1) 23 | ) 24 | 25 | func signalHandler() { 26 | signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM) 27 | s := <-signals 28 | log.Raw("\n") 29 | log.Warning("RECEIVED SIGNAL: %s", s) 30 | os.Exit(1) 31 | } 32 | 33 | func addAllowRules(s *State) { 34 | for _, address := range conf.Allow { 35 | state.Rules = append(state.Rules, firewall.Rule{ 36 | Type: firewall.RuleAllow, 37 | Address: address, 38 | Protocol: firewall.ProtoAll, 39 | Ports: []string{firewall.AllPorts}, 40 | }) 41 | } 42 | } 43 | 44 | func hashObject(v interface{}) (string, error) { 45 | if raw, err := json.Marshal(v); err != nil { 46 | return "", err 47 | } else { 48 | return fmt.Sprintf("%x", sha256.Sum256(raw)), nil 49 | } 50 | } 51 | 52 | func rulesHash(rules []firewall.Rule) string { 53 | // make sure the order is always the same 54 | sort.Slice(rules, func(i, j int) bool { 55 | return rules[i].CreatedAt.Before(rules[j].CreatedAt) 56 | }) 57 | hash, err := hashObject(rules) 58 | if err != nil { 59 | log.Warning("can't hash rules: %v", err) 60 | } 61 | return hash 62 | } 63 | 64 | func main() { 65 | flag.Parse() 66 | 67 | if showVersion { 68 | fmt.Printf("shiedwall agent v%s\n", version.Version) 69 | return 70 | } 71 | 72 | setupLogging() 73 | go signalHandler() 74 | 75 | log.Info("shieldwall agent v%s", version.Version) 76 | 77 | // load configuration 78 | if conf, err = LoadAgentConfig(confFile); err != nil { 79 | log.Fatal("error reading %s: %v", confFile, err) 80 | } 81 | 82 | // initialize firewall 83 | if err = firewall.SetPath(conf.IPTablesPath); err != nil { 84 | log.Fatal("%v", err) 85 | } 86 | 87 | // load saved state and run rules 88 | if state, err = LoadState(conf.DataPath); err != nil { 89 | log.Warning("%v", err) 90 | } 91 | 92 | // new state, add the entries allowed by configuration 93 | if len(state.Rules) == 0 && len(conf.Allow) > 0 { 94 | addAllowRules(state) 95 | } 96 | 97 | // apply previous rules from the saved state 98 | if err = firewall.Apply(state.Rules, conf.Drops); err != nil { 99 | log.Fatal("%v", err) 100 | } 101 | 102 | if conf.Update { 103 | go updater() 104 | } 105 | 106 | api := NewAPI(conf.API) 107 | // main loop 108 | for { 109 | prevHash := rulesHash(state.Rules) 110 | if rules, err := api.FetchRules(); err != nil { 111 | log.Error("error polling api: %v", err) 112 | } else { 113 | state.Rules = rules 114 | if len(conf.Allow) > 0 { 115 | addAllowRules(state) 116 | } 117 | newHash := rulesHash(state.Rules) 118 | if prevHash != newHash { 119 | log.Info("applying %d rules", len(state.Rules)) 120 | if err = firewall.Apply(state.Rules, conf.Drops); err != nil { 121 | log.Fatal("%v", err) 122 | } 123 | } else { 124 | log.Debug("no changes") 125 | } 126 | } 127 | 128 | if err = state.Save(conf.DataPath); err != nil { 129 | log.Error("error saving state to %s: %v", conf.DataPath, err) 130 | } else { 131 | log.Debug("state saved to %s", conf.DataPath) 132 | } 133 | 134 | time.Sleep(time.Second * time.Duration(conf.API.Period)) 135 | } 136 | } 137 | -------------------------------------------------------------------------------- /cmd/agent/setup.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/firewall" 7 | "time" 8 | ) 9 | 10 | var ( 11 | confFile = "" 12 | debug = false 13 | showVersion = false 14 | logfile = "" 15 | updateCheckPeriod = time.Duration(10) * time.Minute 16 | ) 17 | 18 | func init() { 19 | flag.StringVar(&confFile, "config", "/etc/shieldwall/config.yaml", "YAML configuration file.") 20 | flag.BoolVar(&debug, "debug", debug, "Enable debug logs.") 21 | flag.StringVar(&logfile, "log", logfile, "Log messages to this file instead of standard error.") 22 | flag.DurationVar(&updateCheckPeriod, "update-check-period", updateCheckPeriod, "Self update polling period.") 23 | 24 | flag.BoolVar(&showVersion, "version", showVersion, "Show version and exit.") 25 | flag.BoolVar(&firewall.DryRun, "dry-run", firewall.DryRun, "Do not execute firewall commands.") 26 | } 27 | 28 | func setupLogging() { 29 | if logfile != "" { 30 | log.Output = logfile 31 | } 32 | 33 | if debug == true { 34 | log.Level = log.DEBUG 35 | } else { 36 | log.Level = log.INFO 37 | } 38 | 39 | log.DateFormat = "06-Jan-02" 40 | log.TimeFormat = "15:04:05" 41 | log.DateTimeFormat = "2006-01-02 15:04:05" 42 | log.Format = "{datetime} {level:color}{level:name}{reset} {message}" 43 | 44 | if err := log.Open(); err != nil { 45 | panic(err) 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /cmd/agent/state.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "github.com/evilsocket/islazy/fs" 7 | "github.com/evilsocket/islazy/log" 8 | "github.com/evilsocket/shieldwall/firewall" 9 | "io/ioutil" 10 | "os" 11 | "path/filepath" 12 | "time" 13 | ) 14 | 15 | const stateFileName = "state.json" 16 | 17 | type State struct { 18 | UpdatedAt time.Time `json:"updated_at"` 19 | Rules []firewall.Rule `json:"rules"` 20 | } 21 | 22 | func LoadState(path string) (*State, error) { 23 | state := State { 24 | UpdatedAt: time.Now(), 25 | } 26 | 27 | if !fs.Exists(path) { 28 | log.Info("creating %s", path) 29 | if err := os.MkdirAll(path, os.ModePerm); err != nil { 30 | return &state, err 31 | } 32 | } 33 | 34 | fileName := filepath.Join(path, stateFileName) 35 | if !fs.Exists(fileName) { 36 | log.Debug("%s doesn't exist, returning initial state", fileName) 37 | return &state, nil 38 | } 39 | 40 | log.Debug("loading state from %s ...", fileName) 41 | 42 | raw, err := ioutil.ReadFile(fileName) 43 | if err != nil { 44 | return &state, fmt.Errorf("error reading %s: %v", fileName, err) 45 | } 46 | 47 | if err = json.Unmarshal(raw, &state); err != nil { 48 | return &state, fmt.Errorf("error decoding %s: %v", fileName, err) 49 | } 50 | 51 | return &state, nil 52 | } 53 | 54 | func (s *State) Save(path string) error { 55 | s.UpdatedAt = time.Now() 56 | raw, err := json.MarshalIndent(s, "", " ") 57 | if err != nil { 58 | return err 59 | } 60 | return ioutil.WriteFile(filepath.Join(path, stateFileName), raw, os.ModePerm) 61 | } -------------------------------------------------------------------------------- /cmd/agent/updater.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "archive/tar" 5 | "compress/gzip" 6 | "fmt" 7 | "github.com/evilsocket/islazy/log" 8 | "github.com/evilsocket/shieldwall/version" 9 | "io" 10 | "net/http" 11 | "os" 12 | "os/exec" 13 | "path/filepath" 14 | "regexp" 15 | "runtime" 16 | "syscall" 17 | "time" 18 | ) 19 | 20 | // Untar takes a destination path and a reader; a tar reader loops over the tarfile 21 | // creating the file structure at 'dst' along the way, and writing any files 22 | // credits to https://medium.com/@skdomino/taring-untaring-files-in-go-6b07cf56bc07 23 | func Untar(dst string, r io.Reader) error { 24 | 25 | gzr, err := gzip.NewReader(r) 26 | if err != nil { 27 | return err 28 | } 29 | defer gzr.Close() 30 | 31 | tr := tar.NewReader(gzr) 32 | 33 | for { 34 | header, err := tr.Next() 35 | 36 | switch { 37 | 38 | // if no more files are found return 39 | case err == io.EOF: 40 | return nil 41 | 42 | // return any other error 43 | case err != nil: 44 | return err 45 | 46 | // if the header is nil, just skip it (not sure how this happens) 47 | case header == nil: 48 | continue 49 | } 50 | 51 | // the target location where the dir/file should be created 52 | target := filepath.Join(dst, header.Name) 53 | 54 | // the following switch could also be done using fi.Mode(), not sure if there 55 | // a benefit of using one vs. the other. 56 | // fi := header.FileInfo() 57 | 58 | // check the file type 59 | switch header.Typeflag { 60 | 61 | // if its a dir and it doesn't exist create it 62 | case tar.TypeDir: 63 | if _, err := os.Stat(target); err != nil { 64 | if err := os.MkdirAll(target, 0755); err != nil { 65 | return err 66 | } 67 | } 68 | 69 | // if it's a file create it 70 | case tar.TypeReg: 71 | f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) 72 | if err != nil { 73 | return err 74 | } 75 | 76 | // copy over contents 77 | if _, err := io.Copy(f, tr); err != nil { 78 | return err 79 | } 80 | 81 | // manually close here after each file operation; defering would cause each file close 82 | // to wait until all operations have completed. 83 | f.Close() 84 | } 85 | } 86 | } 87 | 88 | var ( 89 | repo = "evilsocket/shieldwall" 90 | extractTo = "/tmp/shieldwall/" 91 | installer = filepath.Join(extractTo, "update.sh") 92 | versionParser = regexp.MustCompile("^https://github\\.com/" + repo + "/releases/tag/v([\\d\\.a-z]+)$") 93 | ) 94 | 95 | func updater() { 96 | log.Info("update checker started with a %s period", updateCheckPeriod) 97 | 98 | noRedirectClient := &http.Client{ 99 | CheckRedirect: func(req *http.Request, via []*http.Request) error { 100 | return http.ErrUseLastResponse 101 | }, 102 | } 103 | 104 | url := "https://github.com/" + repo + "/releases/latest" 105 | for { 106 | log.Debug("checking for updates %s", url) 107 | 108 | req, _ := http.NewRequest("GET", url, nil) 109 | resp, err := noRedirectClient.Do(req) 110 | if err != nil { 111 | log.Error("error while checking latest version: %v", err) 112 | continue 113 | } 114 | defer resp.Body.Close() 115 | 116 | location := resp.Header.Get("Location") 117 | 118 | log.Debug("location header = '%s'", location) 119 | 120 | m := versionParser.FindStringSubmatch(location) 121 | if len(m) == 2 { 122 | latest := m[1] 123 | log.Debug("latest version is '%s'", latest) 124 | if version.Version != latest { 125 | filename := fmt.Sprintf("shieldwall-agent_%s_linux_%s.tar.gz", 126 | latest, 127 | runtime.GOARCH) 128 | 129 | update := fmt.Sprintf("https://github.com/%s/releases/download/v%s/%s", 130 | repo, 131 | latest, 132 | filename) 133 | 134 | log.Important("downloading update to %s from %s", latest, update) 135 | 136 | tmpFileName := filepath.Join("/tmp/", filename) 137 | out, err := os.Create(tmpFileName) 138 | if err != nil { 139 | log.Error("error creating %s: %v", tmpFileName, err) 140 | continue 141 | } 142 | 143 | start := time.Now() 144 | resp, err := http.Get(update) 145 | defer resp.Body.Close() 146 | if err != nil { 147 | out.Close() 148 | log.Error("error downloading %s: %v", tmpFileName, err) 149 | continue 150 | } 151 | 152 | written, err := io.Copy(out, resp.Body) 153 | out.Close() 154 | 155 | if err != nil { 156 | log.Error("error writing to %s: %v", tmpFileName, err) 157 | continue 158 | } 159 | 160 | log.Debug("downloaded %d bytes to %s in %s", written, tmpFileName, time.Since(start)) 161 | 162 | start = time.Now() 163 | 164 | if out, err = os.Open(tmpFileName); err != nil { 165 | log.Error("error opening %s: %v", tmpFileName, err) 166 | continue 167 | } else if err = os.MkdirAll(extractTo, os.ModePerm); err != nil { 168 | out.Close() 169 | log.Error("error creating folder %s: %v", extractTo, err) 170 | continue 171 | } else if err = Untar(extractTo, out); err != nil { 172 | out.Close() 173 | log.Error("error extracting %s to %s: %v", tmpFileName, extractTo, err) 174 | continue 175 | } 176 | out.Close() 177 | 178 | log.Debug("extracted in %s", time.Since(start)) 179 | 180 | log.Info("running installer at %s", installer) 181 | 182 | cmd := exec.Command(installer) 183 | cmd.Dir = extractTo 184 | cmd.Env = os.Environ() 185 | // https://stackoverflow.com/questions/33165530/prevent-ctrlc-from-interrupting-exec-command-in-golang 186 | cmd.SysProcAttr = &syscall.SysProcAttr{ 187 | Setpgid: true, 188 | Pgid: 0, 189 | } 190 | if err = cmd.Start(); err != nil { 191 | log.Error("error starting the installer: %v", err) 192 | } else { 193 | log.Info("installer running as pid %d", cmd.Process.Pid) 194 | } 195 | } else { 196 | log.Debug("no updates available") 197 | } 198 | } else { 199 | log.Debug("unexpected location header: '%s'", location) 200 | } 201 | 202 | time.Sleep(updateCheckPeriod) 203 | } 204 | } 205 | -------------------------------------------------------------------------------- /cmd/api/config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/evilsocket/shieldwall/api" 5 | "github.com/evilsocket/shieldwall/database" 6 | "github.com/ilyakaznacheev/cleanenv" 7 | ) 8 | 9 | type Config struct { 10 | Api api.Config `yaml:"api"` 11 | Email api.EmailConfig `yaml:"mail"` 12 | Database database.Config `yaml:"database"` 13 | } 14 | 15 | func LoadConfig(path string) (*Config, error) { 16 | config := Config{} 17 | 18 | if err := cleanenv.ReadConfig(path, &config); err != nil { 19 | return nil, err 20 | } 21 | 22 | return &config, nil 23 | } 24 | -------------------------------------------------------------------------------- /cmd/api/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/shieldwall/api" 7 | "github.com/evilsocket/shieldwall/database" 8 | "github.com/evilsocket/shieldwall/mailer" 9 | "github.com/evilsocket/shieldwall/version" 10 | ) 11 | 12 | var ( 13 | err = (error)(nil) 14 | conf = (* Config)(nil) 15 | mail = (*mailer.Mailer)(nil) 16 | ) 17 | 18 | func main() { 19 | flag.Parse() 20 | 21 | setupLogging() 22 | 23 | log.Info("shieldwall api v%s", version.Version) 24 | 25 | if conf, err = LoadConfig(confFile); err != nil { 26 | log.Fatal("error reading %s: %v", confFile, err) 27 | } 28 | 29 | if mail, err = mailer.New(conf.Email.SMTP); err != nil { 30 | log.Fatal("error creating mailer: %v", err) 31 | } 32 | 33 | if err = database.Setup(conf.Database); err != nil { 34 | log.Fatal("error connecting to database: %v", err) 35 | } 36 | 37 | server := api.Setup(conf.Api, conf.Email, mail) 38 | 39 | server.Run() 40 | } 41 | -------------------------------------------------------------------------------- /cmd/api/setup.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "github.com/evilsocket/islazy/log" 6 | ) 7 | 8 | var ( 9 | confFile = "" 10 | debug = false 11 | logfile = "" 12 | ) 13 | 14 | func init() { 15 | flag.StringVar(&confFile, "config", "/etc/shieldwall/config.yaml", "YAML configuration file.") 16 | flag.BoolVar(&debug, "debug", debug, "Enable debug logs.") 17 | flag.StringVar(&logfile, "log", logfile, "Log messages to this file instead of standard error.") 18 | 19 | } 20 | 21 | func setupLogging() { 22 | if logfile != "" { 23 | log.Output = logfile 24 | } 25 | 26 | if debug == true { 27 | log.Level = log.DEBUG 28 | } else { 29 | log.Level = log.INFO 30 | } 31 | 32 | log.DateFormat = "06-Jan-02" 33 | log.TimeFormat = "15:04:05" 34 | log.DateTimeFormat = "2006-01-02 15:04:05" 35 | log.Format = "{datetime} {level:color}{level:name}{reset} {message}" 36 | 37 | if err := log.Open(); err != nil { 38 | panic(err) 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /database.example.env: -------------------------------------------------------------------------------- 1 | POSTGRES_USER=shieldwall 2 | POSTGRES_PASSWORD=shieldwall 3 | POSTGRES_DB=shieldwall -------------------------------------------------------------------------------- /database/agent.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "gorm.io/datatypes" 7 | "gorm.io/gorm" 8 | "time" 9 | ) 10 | 11 | type Agent struct { 12 | ID uint `gorm:"primarykey" json:"id"` 13 | CreatedAt time.Time `gorm:"index" json:"created_at"` 14 | UpdatedAt time.Time `gorm:"index" json:"updated_at"` 15 | SeenAt time.Time `gorm:"index" json:"seen_at"` 16 | DeletedAt gorm.DeletedAt `gorm:"index" json:"-"` 17 | UserID uint `gorm:"index" json:"-"` 18 | AlertAfter uint `gorm:"index" json:"alert_after"` 19 | AlertPeriod uint `gorm:"index" json:"alert_period"` 20 | AlertAt time.Time `gorm:"index" json:"alert_at"` 21 | Name string `json:"name"` 22 | Rules datatypes.JSON `sql:"type:jsonb" json:"rules"` 23 | Token string `gorm:"index" json:"token"` 24 | Address string `json:"address"` 25 | UserAgent string `json:"user_agent"` 26 | } 27 | 28 | func (a *Agent) Save() error { 29 | return db.Save(a).Error 30 | } 31 | 32 | func FindAgentByToken(token string) (*Agent, error) { 33 | var found Agent 34 | if err := db.Where("token=?", token).First(&found).Error; errors.Is(err, gorm.ErrRecordNotFound) { 35 | return nil, nil 36 | } else if err == nil { 37 | return &found, nil 38 | } else { 39 | return nil, err 40 | } 41 | } 42 | 43 | func FindAgentsForAlert() ([]*Agent, error) { 44 | var agents []*Agent 45 | query := "SELECT * FROM agents WHERE deleted_at IS NULL AND alert_after > 0 AND (seen_at IS NULL OR EXTRACT(EPOCH FROM current_timestamp-seen_at) >= alert_after)" 46 | err := db.Raw(query).Find(&agents).Error 47 | return agents, err 48 | } 49 | 50 | func RegisterAgent(fields *AgentWritableFields) (*Agent, error) { 51 | if err := fields.Validate(); err != nil { 52 | return nil, err 53 | } 54 | 55 | for i := range fields.Rules { 56 | fields.Rules[i].CreatedAt = time.Now() 57 | } 58 | 59 | newAgent := Agent{ 60 | UserID: fields.User.ID, 61 | Name: fields.Name, 62 | Token: makeRandomToken(), 63 | Rules: ToJSONB(fields.Rules), 64 | AlertAfter: fields.AlertAfter, 65 | AlertPeriod: fields.AlertPeriod, 66 | } 67 | 68 | if err := db.Create(&newAgent).Error; err != nil { 69 | return nil, fmt.Errorf("error creating new agent: %v", err) 70 | } 71 | 72 | return &newAgent, nil 73 | } 74 | 75 | func UpdateAgent(agent *Agent, fields *AgentWritableFields) error { 76 | // just to be sure 77 | fields.ID = agent.ID 78 | if err := fields.Validate(); err != nil { 79 | return err 80 | } 81 | 82 | for i, rule := range fields.Rules { 83 | if rule.TTL > 0 && rule.CreatedAt.IsZero() { 84 | fields.Rules[i].CreatedAt = time.Now() 85 | } 86 | } 87 | 88 | agent.Name = fields.Name 89 | agent.Rules = ToJSONB(fields.Rules) 90 | agent.UpdatedAt = time.Now() 91 | agent.AlertAfter = fields.AlertAfter 92 | agent.AlertPeriod = fields.AlertPeriod 93 | 94 | return db.Save(agent).Error 95 | } 96 | -------------------------------------------------------------------------------- /database/agent_fields.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/str" 6 | "github.com/evilsocket/shieldwall/firewall" 7 | ) 8 | 9 | const MinAgentNameLength = 3 10 | const MaxAgentRules = 100 11 | 12 | const MinAlertAfter = 30 // 30 seconds 13 | const MaxAlertAfter = 21600 // 6 hours 14 | 15 | const MinAlertPeriod = 1800 // 30 minutes 16 | const MaxAlertPeriod = 10800 // 3 hours 17 | 18 | type AgentWritableFields struct { 19 | ID uint 20 | Name string 21 | Rules []*firewall.Rule 22 | User *User 23 | AlertAfter uint 24 | AlertPeriod uint 25 | } 26 | 27 | func (f *AgentWritableFields) Validate() error { 28 | if f.Name = str.Trim(f.Name); len(f.Name) < MinAgentNameLength { 29 | return fmt.Errorf("agent name must be at least %d characters long", MinAgentNameLength) 30 | } 31 | 32 | if len(f.Rules) > MaxAgentRules { 33 | return fmt.Errorf("max %d rules per agent are allowed", MaxAgentRules) 34 | } 35 | 36 | if f.AlertAfter != 0 { 37 | if f.AlertAfter < MinAlertAfter { 38 | return fmt.Errorf("alert trigger time must be at least %d seconds", MinAlertAfter) 39 | } else if f.AlertAfter > MaxAlertAfter { 40 | return fmt.Errorf("alert trigger time must be at most %d seconds", MaxAlertAfter) 41 | } 42 | 43 | if f.AlertPeriod != 0 { 44 | if f.AlertPeriod < MinAlertPeriod { 45 | return fmt.Errorf("alert notification period must be at least %d seconds", MinAlertPeriod) 46 | } else if f.AlertPeriod > MaxAlertPeriod { 47 | return fmt.Errorf("alert notification period must be at most %d seconds", MaxAlertPeriod) 48 | } 49 | } 50 | } 51 | 52 | for _, rule := range f.Rules { 53 | if err := rule.Validate(); err != nil { 54 | return err 55 | } 56 | } 57 | 58 | var found Agent 59 | 60 | if f.ID == 0 { 61 | err := db.Where("name=?", f.Name).Where("user_id=?", f.User.ID).First(&found).Error 62 | if err == nil { 63 | return fmt.Errorf("agent name already used") 64 | } 65 | } else { 66 | err := db.Where("name=?", f.Name).Where("id != ?", f.ID).First(&found).Error 67 | if err == nil { 68 | return fmt.Errorf("agent name already used") 69 | } 70 | } 71 | 72 | return nil 73 | } 74 | -------------------------------------------------------------------------------- /database/config.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | type Config struct { 4 | Hostname string `yaml:"host"` 5 | Port int `yaml:"port"` 6 | User string `yaml:"user"` 7 | Password string `yaml:"password"` 8 | Name string `yaml:"name"` 9 | } -------------------------------------------------------------------------------- /database/jsonb.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | import ( 4 | "database/sql/driver" 5 | "encoding/json" 6 | "gorm.io/datatypes" 7 | ) 8 | 9 | type JSONB map[string]interface{} 10 | 11 | func (j JSONB) Value() (driver.Value, error) { 12 | valueString, err := json.Marshal(j) 13 | return string(valueString), err 14 | } 15 | 16 | func (j *JSONB) Scan(value interface{}) error { 17 | if err := json.Unmarshal([]byte(value.(string)), &j); err != nil { 18 | return err 19 | } 20 | return nil 21 | } 22 | 23 | func ToJSONB(v interface{}) datatypes.JSON { 24 | data, _ := json.Marshal(v) 25 | return datatypes.JSON(data) 26 | } -------------------------------------------------------------------------------- /database/setup.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/log" 6 | 7 | "gorm.io/driver/postgres" 8 | "gorm.io/gorm" 9 | "gorm.io/gorm/logger" 10 | ) 11 | 12 | var ( 13 | db = (*gorm.DB)(nil) 14 | ) 15 | 16 | func Setup(config Config) (err error) { 17 | connString := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable", 18 | config.Hostname, 19 | config.Port, 20 | config.User, 21 | config.Password, 22 | config.Name) 23 | db, err = gorm.Open(postgres.Open(connString), &gorm.Config{ 24 | Logger: logger.Default.LogMode(logger.Silent), 25 | }) 26 | if err == nil { 27 | log.Info("connected to database") 28 | if err = db.Debug().AutoMigrate(&Agent{}); err != nil { 29 | return 30 | } else if err = db.Debug().AutoMigrate(&User{}); err != nil { 31 | return 32 | } 33 | } 34 | return 35 | } 36 | 37 | func Delete(v interface{}) error { 38 | return db.Delete(v).Error 39 | } 40 | 41 | func Save(v interface{}) error { 42 | return db.Save(v).Error 43 | } -------------------------------------------------------------------------------- /database/user.go: -------------------------------------------------------------------------------- 1 | package database 2 | 3 | import ( 4 | "crypto/rand" 5 | "crypto/sha256" 6 | "encoding/hex" 7 | "fmt" 8 | "github.com/badoux/checkmail" 9 | "github.com/evilsocket/islazy/log" 10 | "github.com/evilsocket/islazy/str" 11 | "golang.org/x/crypto/bcrypt" 12 | "gorm.io/gorm" 13 | "strconv" 14 | "time" 15 | ) 16 | 17 | const MinPasswordLength = 8 18 | 19 | type User struct { 20 | ID uint `gorm:"primarykey" json:"-""` 21 | CreatedAt time.Time `gorm:"index" json:"created_at"` 22 | UpdatedAt time.Time `gorm:"index" json:"updated_at"` 23 | DeletedAt gorm.DeletedAt `gorm:"index" json:"-"` 24 | Email string `gorm:"uniqueIndex" json:"email"` 25 | Verification string `gorm:"index" json:"-"` 26 | Verified bool `gorm:"index" json:"-"` 27 | Use2FA bool `gorm:"default:true" json:"use_2fa"` // i know it's not 2fa yet 28 | Hash string `json:"-"` 29 | Address string `json:"address"` 30 | Agents []Agent `json:"-"` 31 | } 32 | 33 | func makeRandomToken() string { 34 | randomShit := make([]byte, 128) 35 | rand.Read(randomShit) 36 | 37 | data := append( 38 | []byte(strconv.FormatInt(time.Now().UnixNano(), 10)), 39 | randomShit...) 40 | 41 | hash := sha256.Sum256(data) 42 | return hex.EncodeToString(hash[:]) 43 | } 44 | 45 | func RegisterUser(address, email, password string) (*User, error) { 46 | if err := checkmail.ValidateFormat(email); err != nil { 47 | return nil, err 48 | } else if password = str.Trim(password); len(password) < MinPasswordLength { 49 | return nil, fmt.Errorf("minimum password length is %d", MinPasswordLength) 50 | } 51 | 52 | var found User 53 | if err := db.Where("email=?", email).First(&found).Error; err == nil { 54 | return nil, fmt.Errorf("email address already used") 55 | } else if err != gorm.ErrRecordNotFound { 56 | log.Error("error searching email '%s': %v", email, err) 57 | return nil, err 58 | } 59 | 60 | hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) 61 | if err != nil { 62 | return nil, fmt.Errorf("error generating password hash: %v", err) 63 | } 64 | 65 | newUser := User{ 66 | Email: email, 67 | Verification: makeRandomToken(), 68 | Hash: string(hashedPassword), 69 | Address: address, 70 | } 71 | 72 | if err = db.Create(&newUser).Error; err != nil { 73 | return nil, fmt.Errorf("error creating new user: %v", err) 74 | } 75 | 76 | return &newUser, nil 77 | } 78 | 79 | func VerifyUser(verification string) error { 80 | var found User 81 | if err := db.Where("verification=?", verification).First(&found).Error; err != nil { 82 | return err 83 | } else if found.Verified == true { 84 | return fmt.Errorf("user already verified") 85 | } else { 86 | found.Verified = true 87 | return db.Save(&found).Error 88 | } 89 | } 90 | 91 | func LoginUser(address, email, password string) (*User, error) { 92 | var found User 93 | if err := db.Where("email=?", email).First(&found).Error; err == gorm.ErrRecordNotFound { 94 | return nil, nil 95 | } else if err != nil { 96 | return nil, err 97 | } else if found.Verified == false { 98 | return nil, fmt.Errorf("account not verified") 99 | } else if err = bcrypt.CompareHashAndPassword([]byte(found.Hash), []byte(password)); err != nil { 100 | return nil, nil 101 | } 102 | 103 | if found.Use2FA { 104 | found.Verification = makeRandomToken() 105 | } 106 | 107 | found.Address = address 108 | found.UpdatedAt = time.Now() 109 | if err := db.Save(&found).Error; err != nil { 110 | log.Error("error updating logged in user: %v", err) 111 | } 112 | 113 | return &found, nil 114 | } 115 | 116 | func UpdateUser(user *User, ip string, newPassword string, use2FA bool) (*User, error) { 117 | if newPassword = str.Trim(newPassword); newPassword != "" && len(newPassword) < MinPasswordLength { 118 | return nil, fmt.Errorf("minimum password length is %d", MinPasswordLength) 119 | } 120 | 121 | if newPassword != "" { 122 | hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost) 123 | if err != nil { 124 | return nil, fmt.Errorf("error generating password hash: %v", err) 125 | } 126 | user.Hash = string(hashedPassword) 127 | } 128 | 129 | user.Use2FA = use2FA 130 | user.UpdatedAt = time.Now() 131 | user.Address = ip 132 | 133 | return user, db.Save(user).Error 134 | } 135 | 136 | func FindUserByID(id int) (*User, error) { 137 | var found User 138 | 139 | err := db.Preload("Agents", func(db *gorm.DB) *gorm.DB { 140 | return db.Order("agents.updated_at DESC") 141 | }).Find(&found, id).Error 142 | 143 | if err == gorm.ErrRecordNotFound { 144 | return nil, nil 145 | } else if err != nil { 146 | return nil, err 147 | } 148 | return &found, nil 149 | } 150 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | 4 | database: 5 | image: "postgres" 6 | env_file: 7 | - database.env 8 | ports: 9 | - 5432:5432 10 | volumes: 11 | # persist data even if container shuts down 12 | - db:/var/lib/postgresql/data/ 13 | networks: 14 | - shieldwall 15 | 16 | # shieldwall_api: 17 | # container_name: shieldwall_api 18 | # image: shieldwall_api:latest 19 | # build: 20 | # context: ./ 21 | # dockerfile: Dockerfile 22 | # depends_on: 23 | # - database 24 | # ports: 25 | # - 8666:8666 26 | # volumes: 27 | # - ./api.yaml:/etc/shieldwall/config.yaml 28 | # restart: unless-stopped 29 | # networks: 30 | # - shieldwall 31 | 32 | volumes: 33 | db: 34 | data: 35 | 36 | networks: 37 | shieldwall: 38 | driver: bridge -------------------------------------------------------------------------------- /firewall/logic.go: -------------------------------------------------------------------------------- 1 | package firewall 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/log" 6 | "github.com/evilsocket/islazy/str" 7 | "github.com/evilsocket/islazy/tui" 8 | "os/exec" 9 | "strconv" 10 | "strings" 11 | "sync" 12 | ) 13 | 14 | // TODO: implement factory pattern with generic interface in order to support more firewalls 15 | 16 | const ( 17 | swInputChain = "SHIELDWALL" 18 | swLogDropChain = "LOGNDROP" 19 | ) 20 | 21 | var DryRun = false 22 | 23 | type DropConfig struct { 24 | Log bool `yaml:"log"` 25 | Limit string `yaml:"limit"` 26 | Prefix string `yaml:"prefix"` 27 | Level int `yaml:"level"` 28 | } 29 | 30 | var lock = sync.Mutex{} 31 | 32 | func cmd(bin string, args ...string) (string, error) { 33 | log.Debug("# %s %s", bin, args) 34 | if DryRun { 35 | log.Info("%s %s %s", tui.Dim(""), bin, strings.Join(args, " ")) 36 | return "", nil 37 | } else { 38 | raw, err := exec.Command(bin, args...).CombinedOutput() 39 | if err != nil { 40 | log.Warning("%s", str.Trim(string(raw))) 41 | return "", err 42 | } else { 43 | return str.Trim(string(raw)), nil 44 | } 45 | } 46 | } 47 | 48 | func reset(binary string) error { 49 | // due to a bug, RELATED rules were added but not deleted, check how many we have and delete each one 50 | out, _ := cmd(binary, "-nL") 51 | matches := 0 // at least once 52 | for _, line := range str.SplitBy(out, "\n") { 53 | if strings.Contains(line, "RELATED,ESTABLISHED") && 54 | strings.Contains(line, "ACCEPT") { 55 | matches++ 56 | } 57 | } 58 | 59 | if matches > 0 { 60 | log.Debug("cleaning %d zombie ESTABLISHED rules", matches) 61 | } 62 | 63 | commands := []string{ 64 | fmt.Sprintf("-F %s", swInputChain), 65 | fmt.Sprintf("-D INPUT -j %s", swInputChain), 66 | fmt.Sprintf("-X %s", swInputChain), 67 | fmt.Sprintf("-F %s", swLogDropChain), 68 | fmt.Sprintf("-D INPUT -j %s", swLogDropChain), 69 | fmt.Sprintf("-X %s", swLogDropChain), 70 | } 71 | 72 | for i := 0; i < matches; i++ { 73 | commands = append(commands, "-D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") 74 | } 75 | 76 | for _, c := range commands { 77 | out, err := cmd(binary, strings.Split(c, " ")...) 78 | if err != nil { 79 | // this is not fatal, some chains/rules might not exist yet 80 | log.Debug("firewall reset: %v", err) 81 | continue 82 | } else { 83 | log.Debug("reset(%s): %s", c, out) 84 | } 85 | } 86 | 87 | return nil 88 | } 89 | 90 | func allowRelated(binary string) error { 91 | // allow related connections for responses to local clients (such as DNS) 92 | out, err := cmd(binary, "-A", "INPUT", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT") 93 | if err != nil { 94 | return fmt.Errorf("error running conntrack step: %v", err) 95 | } else { 96 | log.Debug("conntrack: %s", out) 97 | } 98 | return nil 99 | } 100 | 101 | func createInputChain(binary string) error { 102 | // create custom chain 103 | if out, err := cmd(binary, "-N", swInputChain); err != nil { 104 | return fmt.Errorf("error creating chain-shieldwall: %v", err) 105 | } else { 106 | log.Debug("error creating chain %s: %s", swInputChain, out) 107 | } 108 | 109 | // Accept everything on loopback 110 | if out, err := cmd(binary, "-A", swInputChain, "-i", "lo", "-j", "ACCEPT"); err != nil { 111 | return fmt.Errorf("error applying loopback rule: %v", err) 112 | } else { 113 | log.Debug("loopback rule applied: %s", out) 114 | } 115 | 116 | return nil 117 | } 118 | 119 | func createLogAndDropChain(binary string, drops DropConfig) error { 120 | log.Debug("enabling logging of dropped packets: %#v", drops) 121 | 122 | if out, err := cmd(binary, "-N", swLogDropChain); err != nil { 123 | return fmt.Errorf("error creating %s: %v", swLogDropChain, err) 124 | } else { 125 | log.Debug("%s: %s", swLogDropChain, out) 126 | } 127 | 128 | out, err := cmd(binary, 129 | "-A", swLogDropChain, 130 | "-m", "limit", "--limit", drops.Limit, 131 | "-j", "LOG", 132 | "--log-prefix", fmt.Sprintf("%s: ", drops.Prefix), 133 | "--log-level", strconv.FormatInt(int64(drops.Level), 10)) 134 | if err != nil { 135 | return fmt.Errorf("error enabling logging: %v", err) 136 | } else { 137 | log.Debug("logging: %s", out) 138 | } 139 | 140 | if out, err = cmd(binary, "-A", swLogDropChain, "-j", "DROP"); err != nil { 141 | return fmt.Errorf("error dropping LOGNDROP: %v", err) 142 | } else { 143 | log.Debug("dropping: %s", out) 144 | } 145 | 146 | return nil 147 | } 148 | 149 | func directInputTo(binary string, target string) error { 150 | // Apply custom chain on INPUT 151 | if out, err := cmd(binary, "-A", "INPUT", "-j", swInputChain); err != nil { 152 | return fmt.Errorf("error running %s rule: %v", swInputChain, err) 153 | } else { 154 | log.Debug("%s applied: %s", swInputChain, out) 155 | } 156 | 157 | // drop the rest 158 | if out, err := cmd(binary, "-A", "INPUT", "-j", target); err != nil { 159 | return fmt.Errorf("error running drop rule: %v", err) 160 | } else { 161 | log.Debug("drop: %s", out) 162 | } 163 | 164 | return nil 165 | } 166 | 167 | func Apply(rules []Rule, drops DropConfig) (err error) { 168 | binaries := []string{ 169 | binary4, 170 | binary6, 171 | } 172 | 173 | lock.Lock() 174 | defer lock.Unlock() 175 | 176 | for _, bin := range binaries { 177 | // skip if not available 178 | if bin == "" { 179 | continue 180 | } 181 | 182 | if err = reset(bin); err != nil { 183 | return fmt.Errorf("%s: %v", bin, err) 184 | } 185 | 186 | // allow related connections for responses to local clients (such as DNS) 187 | if err = allowRelated(bin); err != nil { 188 | return fmt.Errorf("%s: %v", bin, err) 189 | } 190 | 191 | if err = createInputChain(bin); err != nil { 192 | return fmt.Errorf("%s: %v", bin, err) 193 | } 194 | } 195 | 196 | // apply each rule 197 | for _, rule := range rules { 198 | // select either the ipv4 or ipv6 binary 199 | bin := binary4 200 | if rule.IPType() == IPv6 { 201 | if binary6 != "" { 202 | bin = binary6 203 | } else { 204 | log.Warning("found IPv6 rule but non ip6tables binary, ignored: %v", rule) 205 | continue 206 | } 207 | } 208 | 209 | // for each protocol 210 | for _, proto := range rule.Protocols() { 211 | source := []string{"-s", rule.Address} 212 | if rule.AddressType == AddressRange { 213 | // use iprange module 214 | source = []string{ 215 | "-m", 216 | "iprange", 217 | "--src-range", 218 | rule.Address, 219 | } 220 | } 221 | 222 | action := "ACCEPT" 223 | if rule.Type == RuleBlock { 224 | action = "DROP" 225 | } 226 | 227 | for _, port := range rule.Ports { 228 | args := []string{"-A", swInputChain} 229 | args = append(args, source...) 230 | args = append(args, "-p", proto, "--dport", port, "-j", action) 231 | out, err := cmd(bin, args...) 232 | if err != nil { 233 | return fmt.Errorf("error applying rule %s.%s.%s.%s: %v", 234 | rule.Type, 235 | rule.Address, 236 | port, 237 | proto, 238 | err) 239 | } else { 240 | log.Debug(" %s.%s.%s.%s: %s", 241 | rule.Type, 242 | rule.Address, 243 | port, 244 | proto, 245 | out) 246 | } 247 | } 248 | } 249 | } 250 | 251 | for _, bin := range binaries { 252 | // just drop by default 253 | target := "DROP" 254 | // enable logging? 255 | if drops.Log { 256 | if err = createLogAndDropChain(bin, drops); err != nil { 257 | return fmt.Errorf("%s: %v", bin, err) 258 | } 259 | // first log then drop 260 | target = swLogDropChain 261 | } 262 | // this is what drops everything else 263 | if err = directInputTo(bin, target); err != nil { 264 | return fmt.Errorf("%s: %v", bin, err) 265 | } 266 | } 267 | 268 | return nil 269 | } 270 | -------------------------------------------------------------------------------- /firewall/path.go: -------------------------------------------------------------------------------- 1 | package firewall 2 | 3 | import ( 4 | "os" 5 | "path" 6 | "path/filepath" 7 | "github.com/evilsocket/islazy/log" 8 | ) 9 | 10 | var ( 11 | binary4 = "/sbin/iptables" 12 | binary6 = "" 13 | ) 14 | 15 | func SetPath(bin string) (err error) { 16 | if bin, err = filepath.Abs(bin); err != nil { 17 | return 18 | } else if _, err = os.Stat(bin); err != nil { 19 | return 20 | } 21 | binary4 = bin 22 | log.Info("ipv4 firewall: %s", binary4) 23 | 24 | base := path.Dir(bin) 25 | ipv6 := filepath.Join(base, "ip6tables") 26 | 27 | if _, err = os.Stat(ipv6); err == nil { 28 | binary6 = ipv6 29 | log.Info("ipv6 firewall: %s", binary6) 30 | } else { 31 | log.Important("ipv6 firewall not found in %s", base) 32 | } 33 | 34 | return 35 | } -------------------------------------------------------------------------------- /firewall/rule.go: -------------------------------------------------------------------------------- 1 | package firewall 2 | 3 | import ( 4 | "fmt" 5 | "github.com/evilsocket/islazy/log" 6 | "net" 7 | "strconv" 8 | "strings" 9 | "time" 10 | ) 11 | 12 | const ( 13 | AllPorts = "1:65535" 14 | ) 15 | 16 | type IPType int 17 | 18 | const ( 19 | IPv4 = IPType(4) 20 | IPv6 = IPType(6) 21 | ) 22 | 23 | type Protocol string 24 | 25 | const ( 26 | ProtoTCP = Protocol("tcp") 27 | ProtoUDP = Protocol("udp") 28 | ProtoAll = Protocol("all") 29 | ) 30 | 31 | type AddressType string 32 | 33 | const ( 34 | AddressNone = AddressType("") 35 | AddressSimple = AddressType("simple") 36 | AddressMask = AddressType("mask") 37 | AddressRange = AddressType("range") 38 | ) 39 | 40 | type RuleType string 41 | 42 | const ( 43 | RuleBlock = RuleType("block") 44 | RuleAllow = RuleType("allow") 45 | ) 46 | 47 | type Rule struct { 48 | CreatedAt time.Time `json:"created_at"` 49 | TTL int `json:"ttl"` // used from the api to delete expired rules 50 | Type RuleType `json:"type"` // always RuleBlock for now 51 | Address string `json:"address"` 52 | AddressType AddressType `json:"address_type"` 53 | Protocol Protocol `json:"protocol"` 54 | Ports []string `json:"ports"` // strings to also allow ranges 55 | Comment string `json:"comment"` 56 | } 57 | 58 | func (r Rule) Expires() bool { 59 | return r.TTL > 0 60 | } 61 | 62 | func (r Rule) Expired() bool { 63 | return r.Expires() && time.Since(r.CreatedAt).Seconds() >= float64(r.TTL) 64 | } 65 | 66 | func (r Rule) IPType() IPType { 67 | if strings.Contains(r.Address, ":") { 68 | return IPv6 69 | } 70 | return IPv4 71 | } 72 | 73 | func (r Rule) Protocols() []string { 74 | switch r.Protocol { 75 | case ProtoTCP: 76 | return []string{string(ProtoTCP)} 77 | case ProtoUDP: 78 | return []string{string(ProtoUDP)} 79 | } 80 | return []string{ 81 | string(ProtoTCP), 82 | string(ProtoUDP), 83 | } 84 | } 85 | 86 | func (r *Rule) Validate() error { 87 | if r.TTL < 0 { 88 | return fmt.Errorf("really? %d", r.TTL) 89 | } 90 | 91 | for _, port := range r.Ports { 92 | if strings.Index(port, ":") != -1 { 93 | // parse as range 94 | if parts := strings.Split(port, ":"); len(parts) != 2 { 95 | return fmt.Errorf("%s is not a valid port range", port) 96 | } else if from, err := strconv.ParseInt(parts[0], 10, 32); err != nil { 97 | return fmt.Errorf("%s is not a valid port", parts[0]) 98 | } else if to, err := strconv.ParseInt(parts[1], 10, 32); err != nil { 99 | return fmt.Errorf("%s is not a valid port", parts[1]) 100 | } else if to <= from { 101 | return fmt.Errorf("bad port range, %d is not >= %d", to, from) 102 | } else if from < 1 || from > 65535 { 103 | return fmt.Errorf("%d is outside the valid ports range", from) 104 | } else if to < 1 || to > 65535 { 105 | return fmt.Errorf("%d is outside the valid ports range", to) 106 | } 107 | } else { 108 | // parse as number 109 | if p, err := strconv.ParseInt(port, 10, 32); err != nil { 110 | return fmt.Errorf("%s is not a valid port", port) 111 | } else if p < 1 || p > 65535 { 112 | return fmt.Errorf("%d is outside the valid ports range", p) 113 | } 114 | } 115 | } 116 | 117 | if addr := net.ParseIP(r.Address); addr != nil { 118 | r.AddressType = AddressSimple 119 | log.Debug("net.ParseIP('%s') = %#v", r.Address, addr) 120 | } else if ip, netw, err := net.ParseCIDR(r.Address); err == nil && ip != nil && netw != nil { 121 | r.AddressType = AddressMask 122 | } else if strings.Index(r.Address, "-") != -1 { 123 | if parts := strings.Split(r.Address, "-"); len(parts) == 2 { 124 | if net.ParseIP(parts[0]) != nil && net.ParseIP(parts[1]) != nil { 125 | r.AddressType = AddressRange 126 | } 127 | } 128 | } 129 | 130 | log.Debug("r.AddressType is %s", r.AddressType) 131 | 132 | if len(r.AddressType) == 0 { 133 | return fmt.Errorf("%s is not a valid IP address, mask or range", r.Address) 134 | 135 | } 136 | 137 | return nil 138 | } 139 | -------------------------------------------------------------------------------- /frontend/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | node_modules 3 | /dist 4 | 5 | # local env files 6 | .env.local 7 | .env.*.local 8 | 9 | # Log files 10 | npm-debug.log* 11 | yarn-debug.log* 12 | yarn-error.log* 13 | 14 | # Editor directories and files 15 | .idea 16 | .vscode 17 | *.suo 18 | *.ntvs* 19 | *.njsproj 20 | *.sln 21 | *.sw? 22 | -------------------------------------------------------------------------------- /frontend/.prettierrc.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | singleQuote: true 3 | }; 4 | -------------------------------------------------------------------------------- /frontend/babel.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | presets: [ 3 | '@vue/app' 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /frontend/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "shieldwall-frontend", 3 | "version": "1.0.0", 4 | "private": true, 5 | "scripts": { 6 | "serve": "vue-cli-service serve", 7 | "build": "vue-cli-service build", 8 | "lint": "vue-cli-service lint" 9 | }, 10 | "dependencies": { 11 | "@fortawesome/fontawesome-svg-core": "^1.2.25", 12 | "@fortawesome/free-solid-svg-icons": "^5.11.2", 13 | "@fortawesome/vue-fontawesome": "^0.1.7", 14 | "axios": "^0.21.1", 15 | "bootstrap": "^4.3.1", 16 | "core-js": "^2.6.5", 17 | "jquery": "^3.4.1", 18 | "popper.js": "^1.15.0", 19 | "vee-validate": "^2.2.15", 20 | "vue": "^2.6.10", 21 | "vue-recaptcha": "^1.3.0", 22 | "vue-router": "^3.0.3", 23 | "vue-timeago": "^5.1.3", 24 | "vuex": "^3.0.1" 25 | }, 26 | "devDependencies": { 27 | "@vue/cli-plugin-babel": "^3.11.0", 28 | "@vue/cli-plugin-eslint": "^3.11.0", 29 | "@vue/cli-service": "^4.5.11", 30 | "babel-eslint": "^10.0.1", 31 | "eslint": "^5.16.0", 32 | "eslint-plugin-vue": "^5.0.0", 33 | "vue-template-compiler": "^2.6.10" 34 | }, 35 | "eslintConfig": { 36 | "root": true, 37 | "env": { 38 | "node": true 39 | }, 40 | "extends": [ 41 | "plugin:vue/essential", 42 | "eslint:recommended" 43 | ], 44 | "rules": {}, 45 | "parserOptions": { 46 | "parser": "babel-eslint" 47 | } 48 | }, 49 | "postcss": { 50 | "plugins": { 51 | "autoprefixer": {} 52 | } 53 | }, 54 | "browserslist": [ 55 | "> 1%", 56 | "last 2 versions" 57 | ] 58 | } 59 | -------------------------------------------------------------------------------- /frontend/public/cf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/evilsocket/shieldwall/6b2f43cd9c9e58b7617d3582b91d905f4400098f/frontend/public/cf.png -------------------------------------------------------------------------------- /frontend/public/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/evilsocket/shieldwall/6b2f43cd9c9e58b7617d3582b91d905f4400098f/frontend/public/favicon.png -------------------------------------------------------------------------------- /frontend/public/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | shieldwall - secure your most private servers 12 | 13 | 14 | 15 | 16 | 17 | 18 | 20 | 21 | 22 | 23 | 24 | 25 | 27 | 28 | 29 | 30 | 32 | 33 | 34 | 45 | 46 | 62 | 63 | 64 | 68 |
69 | 70 |
71 | shieldwall was made with ♥ by evilsocket and it's 72 | released under the GPL 3 license. 73 |
74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /frontend/public/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/evilsocket/shieldwall/6b2f43cd9c9e58b7617d3582b91d905f4400098f/frontend/public/logo.png -------------------------------------------------------------------------------- /frontend/public/logo150.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/evilsocket/shieldwall/6b2f43cd9c9e58b7617d3582b91d905f4400098f/frontend/public/logo150.png -------------------------------------------------------------------------------- /frontend/public/ogimage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/evilsocket/shieldwall/6b2f43cd9c9e58b7617d3582b91d905f4400098f/frontend/public/ogimage.png -------------------------------------------------------------------------------- /frontend/public/robots.txt: -------------------------------------------------------------------------------- 1 | User-agent: * 2 | Disallow: -------------------------------------------------------------------------------- /frontend/src/App.vue: -------------------------------------------------------------------------------- 1 | 65 | 66 | 89 | -------------------------------------------------------------------------------- /frontend/src/main.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue'; 2 | import App from './App.vue'; 3 | import {router} from './router'; 4 | import store from './store'; 5 | import 'bootstrap'; 6 | import 'bootstrap/dist/css/bootstrap.min.css'; 7 | import VeeValidate from 'vee-validate'; 8 | import Vuex from 'vuex'; 9 | import {library} from '@fortawesome/fontawesome-svg-core'; 10 | 11 | import {FontAwesomeIcon} from '@fortawesome/vue-fontawesome'; 12 | import {faDesktop, faHome, faSignInAlt, faSignOutAlt, faTerminal, faAnchor, faArchive, faUser, faUserPlus} from '@fortawesome/free-solid-svg-icons'; 13 | import VueTimeago from 'vue-timeago' 14 | 15 | library.add(faHome, faUser, faDesktop, faUserPlus, faTerminal, faArchive, faAnchor, faSignInAlt, faSignOutAlt); 16 | 17 | Vue.config.productionTip = false; 18 | 19 | Vue.use(VeeValidate); 20 | Vue.component('font-awesome-icon', FontAwesomeIcon); 21 | 22 | Vue.use(Vuex); 23 | 24 | Vue.use(VueTimeago, { 25 | name: 'Timeago', // Component name, `Timeago` by default 26 | locale: 'en' // Default locale 27 | }); 28 | 29 | 30 | new Vue({ 31 | router, 32 | store, 33 | render: h => h(App) 34 | }).$mount('#app'); 35 | -------------------------------------------------------------------------------- /frontend/src/models/agent.js: -------------------------------------------------------------------------------- 1 | export default class Agent { 2 | constructor(name, rules) { 3 | this.name = name; 4 | this.rules = rules; 5 | this.alert_after = 0; 6 | this.alert_period = 0; 7 | } 8 | } -------------------------------------------------------------------------------- /frontend/src/models/rule.js: -------------------------------------------------------------------------------- 1 | export default class Rule { 2 | constructor(type, address, protocol, ports, ttl, comment) { 3 | this.type = type; 4 | this.address = address; 5 | this.protocol = protocol; 6 | this.ports = ports; 7 | this.ttl = ttl; 8 | this.comment = comment; 9 | } 10 | } -------------------------------------------------------------------------------- /frontend/src/models/user.js: -------------------------------------------------------------------------------- 1 | export default class User { 2 | constructor(email, password) { 3 | this.email = email; 4 | this.password = password; 5 | this.use_2fa = false; 6 | this.user_agent = ''; 7 | } 8 | } -------------------------------------------------------------------------------- /frontend/src/router.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue'; 2 | import Router from 'vue-router'; 3 | import Home from './views/Home.vue'; 4 | import Login from './views/Login.vue'; 5 | import Register from './views/Register.vue'; 6 | import Verify from './views/Verify.vue'; 7 | 8 | Vue.use(Router); 9 | 10 | export const router = new Router({ 11 | mode: 'hash', 12 | routes: [ 13 | { 14 | path: '/', 15 | name: 'home', 16 | component: Home 17 | }, 18 | { 19 | path: '/login', 20 | component: Login 21 | }, 22 | { 23 | path: '/register', 24 | component: Register 25 | }, 26 | { 27 | path: '/verify/:code', 28 | component: Verify, 29 | params: true 30 | }, 31 | { 32 | path: '/2step', 33 | name: '2step', 34 | // lazy-loaded 35 | component: () => import('./views/2Step.vue') 36 | }, 37 | { 38 | path: '/profile', 39 | name: 'profile', 40 | // lazy-loaded 41 | component: () => import('./views/Profile.vue') 42 | }, 43 | { 44 | path: '/agents', 45 | name: 'agents', 46 | // lazy-loaded 47 | component: () => import('./views/Agents.vue') 48 | }, 49 | { 50 | path: '/agents/new', 51 | name: 'agent-new', 52 | // lazy-loaded 53 | component: () => import('./views/Agent.vue') 54 | }, 55 | { 56 | path: '/agent/:id', 57 | name: 'agent-edit', 58 | // lazy-loaded 59 | component: () => import('./views/Agent.vue') 60 | }, 61 | ] 62 | }); 63 | 64 | // router.beforeEach((to, from, next) => { 65 | // const publicPages = ['/login', '/register', '/home']; 66 | // const authRequired = !publicPages.includes(to.path); 67 | // const loggedIn = localStorage.getItem('user'); 68 | 69 | // // trying to access a restricted page + not logged in 70 | // // redirect to login page 71 | // if (authRequired && !loggedIn) { 72 | // next('/login'); 73 | // } else { 74 | // next(); 75 | // } 76 | // }); 77 | -------------------------------------------------------------------------------- /frontend/src/services/api.js: -------------------------------------------------------------------------------- 1 | var apiDev, apiProto, apiHost, apiPort; 2 | 3 | if (process.env.NODE_ENV === 'development') { 4 | apiDev = true; 5 | apiProto = 'http'; 6 | apiHost = 'localhost'; 7 | apiPort = 8080; 8 | } else { 9 | apiDev = false; 10 | apiProto = 'https'; 11 | apiHost = 'shieldwall.me'; 12 | apiPort = 443; 13 | } 14 | 15 | export const API_DEV = apiDev; 16 | 17 | export const API_PROTO = apiProto; 18 | export const API_HOST = apiHost; 19 | export const API_PORT = apiPort; 20 | 21 | export const API_BASE_URL = API_PROTO + '://' + API_HOST + ':' + API_PORT + '/api/v1'; 22 | 23 | export const API_LOGIN_URL = API_BASE_URL + '/user/login'; 24 | export const API_2STEP_URL = API_BASE_URL + '/user/2step'; 25 | export const API_REGISTER_URL = API_BASE_URL + '/user/register'; 26 | export const API_VERIFICATION_URL = API_BASE_URL + '/user/verify'; 27 | 28 | export const API_USER_UPDATE_URL = API_BASE_URL + '/user/'; 29 | 30 | export const API_AGENTS_URL = API_BASE_URL + '/user/agents'; 31 | export const API_NEW_AGENT_URL = API_AGENTS_URL + '/new'; 32 | 33 | export const API_SUBNETS_URL = API_BASE_URL + '/subnets'; 34 | -------------------------------------------------------------------------------- /frontend/src/services/auth-header.js: -------------------------------------------------------------------------------- 1 | 2 | export default function authHeader() { 3 | let user = JSON.parse(localStorage.getItem('user')); 4 | if(!user) { 5 | user = JSON.parse(localStorage.getItem('user2fa')); 6 | } 7 | 8 | if (user && user.token) { 9 | return { Authorization: 'Bearer ' + user.token }; 10 | } else { 11 | return {}; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /frontend/src/services/auth.service.js: -------------------------------------------------------------------------------- 1 | import axios from 'axios'; 2 | import {API_2STEP_URL, API_LOGIN_URL, API_REGISTER_URL, API_VERIFICATION_URL} from './api'; 3 | import authHeader from './auth-header'; 4 | 5 | class AuthService { 6 | login(user) { 7 | return axios 8 | .post(API_LOGIN_URL, { 9 | email: user.email, 10 | password: user.password 11 | }) 12 | .then(response => { 13 | if (response.data.token) { 14 | if (!response.data.data.use_2fa) { 15 | window.console.log("saving user to user", response.data); 16 | localStorage.setItem('user', JSON.stringify(response.data)); 17 | } else { 18 | window.console.log("saving user to user2fa", response.data); 19 | localStorage.setItem('user2fa', JSON.stringify(response.data)); 20 | } 21 | } 22 | return response.data; 23 | }); 24 | } 25 | 26 | step2(code) { 27 | return axios 28 | .post(API_2STEP_URL, { 29 | code: code 30 | }, { headers: authHeader() }) 31 | .then(response => { 32 | if (response.data.token) { 33 | window.console.log("finalizing user to user", response.data); 34 | localStorage.setItem('user', JSON.stringify(response.data)); 35 | localStorage.removeItem('user2fa'); 36 | } 37 | return response.data; 38 | }); 39 | } 40 | 41 | logout() { 42 | localStorage.removeItem('user'); 43 | localStorage.removeItem('user2fa'); 44 | } 45 | 46 | register(user) { 47 | return axios.post(API_REGISTER_URL, { 48 | email: user.email, 49 | password: user.password 50 | }); 51 | } 52 | 53 | verify(code) { 54 | return axios.get(API_VERIFICATION_URL + '/' + code); 55 | } 56 | } 57 | 58 | export default new AuthService(); 59 | -------------------------------------------------------------------------------- /frontend/src/services/user.service.js: -------------------------------------------------------------------------------- 1 | import axios from 'axios'; 2 | import authHeader from './auth-header'; 3 | import {API_AGENTS_URL, API_USER_UPDATE_URL, API_NEW_AGENT_URL, API_SUBNETS_URL} from "@/services/api"; 4 | 5 | class UserService { 6 | getUserAgents() { 7 | return axios.get(API_AGENTS_URL, { headers: authHeader() }); 8 | } 9 | 10 | update(new_password, use_2fa) { 11 | return axios.post(API_USER_UPDATE_URL, { 12 | password: new_password, 13 | use_2fa: use_2fa 14 | }, { headers: authHeader() }); 15 | } 16 | 17 | getAgent(id) { 18 | return axios.get(API_AGENTS_URL + '/' + id, { headers: authHeader() }); 19 | } 20 | 21 | deleteAgent(id) { 22 | return axios.delete(API_AGENTS_URL + '/' + id, { headers: authHeader() }); 23 | } 24 | 25 | createAgent(agent) { 26 | return axios.put(API_NEW_AGENT_URL, agent, { headers: authHeader() }); 27 | } 28 | 29 | updateAgent(agent) { 30 | return axios.put(API_AGENTS_URL + '/' + agent.id, agent, { headers: authHeader() }); 31 | } 32 | 33 | getCloudFlareSubnets() { 34 | return axios.get(API_SUBNETS_URL + '/cloudflare', { headers: authHeader() }); 35 | } 36 | } 37 | 38 | export default new UserService(); 39 | -------------------------------------------------------------------------------- /frontend/src/store/auth.module.js: -------------------------------------------------------------------------------- 1 | import AuthService from '../services/auth.service'; 2 | 3 | const user = JSON.parse(localStorage.getItem('user')); 4 | const initialState = user 5 | ? { status: { loggedIn: true }, user } 6 | : { status: { loggedIn: false }, user: null }; 7 | 8 | export const auth = { 9 | namespaced: true, 10 | state: initialState, 11 | actions: { 12 | login({ commit }, user) { 13 | return AuthService.login(user).then( 14 | user => { 15 | commit('loginSuccess', user); 16 | return Promise.resolve(user); 17 | }, 18 | error => { 19 | commit('loginFailure'); 20 | return Promise.reject(error); 21 | } 22 | ); 23 | }, 24 | step2({ commit }, code) { 25 | return AuthService.step2(code).then( 26 | user => { 27 | commit('step2Success', user); 28 | return Promise.resolve(user); 29 | }, 30 | error => { 31 | commit('loginFailure'); 32 | return Promise.reject(error); 33 | } 34 | ); 35 | }, 36 | logout({ commit }) { 37 | AuthService.logout(); 38 | commit('logout'); 39 | }, 40 | register({ commit }, user) { 41 | return AuthService.register(user).then( 42 | response => { 43 | commit('registerSuccess'); 44 | return Promise.resolve(response.data); 45 | }, 46 | error => { 47 | commit('registerFailure'); 48 | return Promise.reject(error); 49 | } 50 | ); 51 | }, 52 | verify({ commit }, code) { 53 | return AuthService.verify(code).then( 54 | response => { 55 | commit('verifySuccess'); 56 | return Promise.resolve(response.data); 57 | }, 58 | error => { 59 | commit('verifyFailure'); 60 | return Promise.reject(error); 61 | } 62 | ); 63 | } 64 | }, 65 | mutations: { 66 | loginSuccess(state, user) { 67 | state.status.loggedIn = !user.data.use_2fa; 68 | state.user = user; 69 | }, 70 | step2Success(state, user) { 71 | state.status.loggedIn = true; 72 | state.user = user; 73 | }, 74 | loginFailure(state) { 75 | state.status.loggedIn = false; 76 | state.user = null; 77 | }, 78 | logout(state) { 79 | state.status.loggedIn = false; 80 | state.user = null; 81 | }, 82 | registerSuccess(state) { 83 | state.status.loggedIn = false; 84 | }, 85 | registerFailure(state) { 86 | state.status.loggedIn = false; 87 | }, 88 | verifySuccess() { 89 | 90 | }, 91 | verifyFailure(state) { 92 | state.status.loggedIn = false; 93 | state.user = null; 94 | } 95 | } 96 | }; 97 | -------------------------------------------------------------------------------- /frontend/src/store/index.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue'; 2 | import Vuex from 'vuex'; 3 | 4 | import { auth } from './auth.module'; 5 | 6 | Vue.use(Vuex); 7 | 8 | export default new Vuex.Store({ 9 | modules: { 10 | auth 11 | } 12 | }); 13 | -------------------------------------------------------------------------------- /frontend/src/views/2Step.vue: -------------------------------------------------------------------------------- 1 | 44 | 45 | 108 | 109 | -------------------------------------------------------------------------------- /frontend/src/views/Agent.vue: -------------------------------------------------------------------------------- 1 | 255 | 256 | 257 | 388 | 389 | -------------------------------------------------------------------------------- /frontend/src/views/Agents.vue: -------------------------------------------------------------------------------- 1 | 76 | 77 | 145 | 146 | -------------------------------------------------------------------------------- /frontend/src/views/Home.vue: -------------------------------------------------------------------------------- 1 | 62 | 63 | 77 | 78 | -------------------------------------------------------------------------------- /frontend/src/views/Login.vue: -------------------------------------------------------------------------------- 1 | 70 | 71 | 146 | 147 | -------------------------------------------------------------------------------- /frontend/src/views/Profile.vue: -------------------------------------------------------------------------------- 1 | 73 | 74 | 139 | 140 | -------------------------------------------------------------------------------- /frontend/src/views/Register.vue: -------------------------------------------------------------------------------- 1 | 77 | 78 | 147 | 148 | -------------------------------------------------------------------------------- /frontend/src/views/Verify.vue: -------------------------------------------------------------------------------- 1 | 8 | 9 | 46 | 47 | -------------------------------------------------------------------------------- /frontend/vue.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | devServer: { 3 | port: 8081 4 | } 5 | } -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/evilsocket/shieldwall 2 | 3 | go 1.15 4 | 5 | require ( 6 | github.com/badoux/checkmail v1.2.1 7 | github.com/dgrijalva/jwt-go v3.2.0+incompatible 8 | github.com/elazarl/go-bindata-assetfs v1.0.1 9 | github.com/evilsocket/islazy v1.10.6 10 | github.com/go-bindata/go-bindata v3.1.2+incompatible // indirect 11 | github.com/go-chi/chi v1.5.1 12 | github.com/go-chi/cors v1.1.1 13 | github.com/go-chi/httprate v0.4.0 14 | github.com/ilyakaznacheev/cleanenv v1.2.5 15 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 16 | gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect 17 | gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df 18 | gopkg.in/yaml.v2 v2.4.0 19 | gorm.io/datatypes v1.0.0 20 | gorm.io/driver/postgres v1.0.5 21 | gorm.io/gorm v1.20.5 22 | ) 23 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= 2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 3 | github.com/badoux/checkmail v1.2.1 h1:TzwYx5pnsV6anJweMx2auXdekBwGr/yt1GgalIx9nBQ= 4 | github.com/badoux/checkmail v1.2.1/go.mod h1:XroCOBU5zzZJcLvgwU15I+2xXyCdTWXyR9MGfRhBYy0= 5 | github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= 6 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 7 | github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= 8 | github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= 9 | github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= 10 | github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= 11 | github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= 12 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 13 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 14 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 15 | github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc h1:VRRKCwnzqk8QCaRC4os14xoKDdbHqqlJtJA0oc1ZAjg= 16 | github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= 17 | github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= 18 | github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= 19 | github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw= 20 | github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4= 21 | github.com/evilsocket/islazy v1.10.6 h1:MFq000a1ByoumoJWlytqg0qon0KlBeUfPsDjY0hK0bo= 22 | github.com/evilsocket/islazy v1.10.6/go.mod h1:OrwQGYg3DuZvXUfmH+KIZDjwTCbrjy48T24TUpGqVVw= 23 | github.com/go-bindata/go-bindata v1.0.0 h1:DZ34txDXWn1DyWa+vQf7V9ANc2ILTtrEjtlsdJRF26M= 24 | github.com/go-bindata/go-bindata v3.1.2+incompatible h1:5vjJMVhowQdPzjE1LdxyFF7YFTXg5IgGVW4gBr5IbvE= 25 | github.com/go-bindata/go-bindata v3.1.2+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo= 26 | github.com/go-chi/chi v1.5.1 h1:kfTK3Cxd/dkMu/rKs5ZceWYp+t5CtiE7vmaTv3LjC6w= 27 | github.com/go-chi/chi v1.5.1/go.mod h1:REp24E+25iKvxgeTfHmdUoL5x15kBiDBlnIl5bCwe2k= 28 | github.com/go-chi/cors v1.1.1 h1:eHuqxsIw89iXcWnWUN8R72JMibABJTN/4IOYI5WERvw= 29 | github.com/go-chi/cors v1.1.1/go.mod h1:K2Yje0VW/SJzxiyMYu6iPQYa7hMjQX2i/F491VChg1I= 30 | github.com/go-chi/httprate v0.4.0 h1:M2qVV0w6ksgLs6L8lTrvqNeaVm0ZJNVdbYM8u2T8HaE= 31 | github.com/go-chi/httprate v0.4.0/go.mod h1:7e7qjQtHzEbdyW5TYQrl4X2uNRCnlTajictc7B4ftgc= 32 | github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= 33 | github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 34 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 35 | github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE= 36 | github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= 37 | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= 38 | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= 39 | github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 40 | github.com/ilyakaznacheev/cleanenv v1.2.5 h1:/SlcF9GaIvefWqFJzsccGG/NJdoaAwb7Mm7ImzhO3DM= 41 | github.com/ilyakaznacheev/cleanenv v1.2.5/go.mod h1:/i3yhzwZ3s7hacNERGFwvlhwXMDcaqwIzmayEhbRplk= 42 | github.com/jackc/chunkreader v1.0.0 h1:4s39bBR8ByfqH+DKm8rQA3E1LHZWB9XWcrz8fqaZbe0= 43 | github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= 44 | github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 45 | github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8= 46 | github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 47 | github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA= 48 | github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE= 49 | github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s= 50 | github.com/jackc/pgconn v1.4.0/go.mod h1:Y2O3ZDF0q4mMacyWV3AstPJpeHXWGEetiFttmq5lahk= 51 | github.com/jackc/pgconn v1.5.0/go.mod h1:QeD3lBfpTFe8WUnPZWN5KY/mB8FGMIYRdd8P8Jr0fAI= 52 | github.com/jackc/pgconn v1.5.1-0.20200601181101-fa742c524853/go.mod h1:QeD3lBfpTFe8WUnPZWN5KY/mB8FGMIYRdd8P8Jr0fAI= 53 | github.com/jackc/pgconn v1.7.0 h1:pwjzcYyfmz/HQOQlENvG1OcDqauTGaqlVahq934F0/U= 54 | github.com/jackc/pgconn v1.7.0/go.mod h1:sF/lPpNEMEOp+IYhyQGdAvrG20gWf6A1tKlr0v7JMeA= 55 | github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE= 56 | github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8= 57 | github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2 h1:JVX6jT/XfzNqIjye4717ITLaNwV9mWbJx0dLCpcRzdA= 58 | github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE= 59 | github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= 60 | github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= 61 | github.com/jackc/pgproto3 v1.1.0 h1:FYYE4yRw+AgI8wXIinMlNjBbp/UitDJwfj5LqqewP1A= 62 | github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78= 63 | github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA= 64 | github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg= 65 | github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM= 66 | github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM= 67 | github.com/jackc/pgproto3/v2 v2.0.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= 68 | github.com/jackc/pgproto3/v2 v2.0.5 h1:NUbEWPmCQZbMmYlTjVoNPhc0CfnYyz2bfUAh6A5ZVJM= 69 | github.com/jackc/pgproto3/v2 v2.0.5/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= 70 | github.com/jackc/pgservicefile v0.0.0-20200307190119-3430c5407db8/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E= 71 | github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg= 72 | github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E= 73 | github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg= 74 | github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc= 75 | github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw= 76 | github.com/jackc/pgtype v1.2.0/go.mod h1:5m2OfMh1wTK7x+Fk952IDmI4nw3nPrvtQdM0ZT4WpC0= 77 | github.com/jackc/pgtype v1.3.1-0.20200510190516-8cd94a14c75a/go.mod h1:vaogEUkALtxZMCH411K+tKzNpwzCKU+AnPzBKZ+I+Po= 78 | github.com/jackc/pgtype v1.3.1-0.20200606141011-f6355165a91c/go.mod h1:cvk9Bgu/VzJ9/lxTO5R5sf80p0DiucVtN7ZxvaC4GmQ= 79 | github.com/jackc/pgtype v1.5.0 h1:jzBqRk2HFG2CV4AIwgCI2PwTgm6UUoCAK2ofHHRirtc= 80 | github.com/jackc/pgtype v1.5.0/go.mod h1:JCULISAZBFGrHaOXIIFiyfzW5VY0GRitRr8NeJsrdig= 81 | github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y= 82 | github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM= 83 | github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc= 84 | github.com/jackc/pgx/v4 v4.5.0/go.mod h1:EpAKPLdnTorwmPUUsqrPxy5fphV18j9q3wrfRXgo+kA= 85 | github.com/jackc/pgx/v4 v4.6.1-0.20200510190926-94ba730bb1e9/go.mod h1:t3/cdRQl6fOLDxqtlyhe9UWgfIi9R8+8v8GKV5TRA/o= 86 | github.com/jackc/pgx/v4 v4.6.1-0.20200606145419-4e5062306904/go.mod h1:ZDaNWkt9sW1JMiNn0kdYBaLelIhw7Pg4qd+Vk6tw7Hg= 87 | github.com/jackc/pgx/v4 v4.9.0 h1:6STjDqppM2ROy5p1wNDcsC7zJTjSHeuCsguZmXyzx7c= 88 | github.com/jackc/pgx/v4 v4.9.0/go.mod h1:MNGWmViCgqbZck9ujOOBN63gK9XVGILXWCvKLGKmnms= 89 | github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= 90 | github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= 91 | github.com/jackc/puddle v1.1.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= 92 | github.com/jackc/puddle v1.1.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= 93 | github.com/jackc/puddle v1.1.2/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= 94 | github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= 95 | github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= 96 | github.com/jinzhu/now v1.1.1 h1:g39TucaRWyV3dwDO++eEc6qf8TVIQ/Da48WmqjZ3i7E= 97 | github.com/jinzhu/now v1.1.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= 98 | github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc= 99 | github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= 100 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 101 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 102 | github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 103 | github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 104 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 105 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 106 | github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= 107 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= 108 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 109 | github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 110 | github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 111 | github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 112 | github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU= 113 | github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 114 | github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= 115 | github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 116 | github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 117 | github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 118 | github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 119 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 120 | github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= 121 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 122 | github.com/mattn/go-sqlite3 v1.14.3 h1:j7a/xn1U6TKA/PHHxqZuzh64CdtRc7rU9M+AvkOl5bA= 123 | github.com/mattn/go-sqlite3 v1.14.3/go.mod h1:WVKg1VTActs4Qso6iwGbiFih2UIHo0ENGwNd0Lj+XmI= 124 | github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= 125 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 126 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 127 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 128 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 129 | github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= 130 | github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= 131 | github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= 132 | github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= 133 | github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= 134 | github.com/shopspring/decimal v0.0.0-20200227202807-02e2044944cc h1:jUIKcSPO9MoMJBbEoyE/RJoE8vz7Mb8AjvifMMwSyvY= 135 | github.com/shopspring/decimal v0.0.0-20200227202807-02e2044944cc/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= 136 | github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 137 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 138 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 139 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 140 | github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= 141 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 142 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 143 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 144 | github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= 145 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 146 | github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= 147 | go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 148 | go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 149 | go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= 150 | go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= 151 | go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= 152 | go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= 153 | go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= 154 | go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= 155 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 156 | golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 157 | golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= 158 | golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 159 | golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 160 | golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 161 | golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 162 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= 163 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 164 | golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 165 | golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 166 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 167 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 168 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 169 | golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= 170 | golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 171 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 172 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 173 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 174 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 175 | golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 176 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 177 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 178 | golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 179 | golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 180 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 181 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8= 182 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 183 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 184 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 185 | golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= 186 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 187 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 188 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 189 | golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 190 | golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 191 | golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 192 | golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 193 | golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 194 | golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 195 | golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 196 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 197 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= 198 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 199 | gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= 200 | gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= 201 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 202 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= 203 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 204 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 205 | gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE= 206 | gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw= 207 | gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= 208 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 209 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 210 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 211 | gorm.io/datatypes v1.0.0 h1:5rDW3AnqXaacuQn6nB/ZNAIfTCIvmL5oKGa/TtCoBFA= 212 | gorm.io/datatypes v1.0.0/go.mod h1:aKpJ+RNhLXWeF5OAdxfzBwT1UPw1wseSchF0AY3/lSw= 213 | gorm.io/driver/mysql v1.0.3 h1:+JKBYPfn1tygR1/of/Fh2T8iwuVwzt+PEJmKaXzMQXg= 214 | gorm.io/driver/mysql v1.0.3/go.mod h1:twGxftLBlFgNVNakL7F+P/x9oYqoymG3YYT8cAfI9oI= 215 | gorm.io/driver/postgres v1.0.5 h1:raX6ezL/ciUmaYTvOq48jq1GE95aMC0CmxQYbxQ4Ufw= 216 | gorm.io/driver/postgres v1.0.5/go.mod h1:qrD92UurYzNctBMVCJ8C3VQEjffEuphycXtxOudXNCA= 217 | gorm.io/driver/sqlite v1.1.3 h1:BYfdVuZB5He/u9dt4qDpZqiqDJ6KhPqs5QUqsr/Eeuc= 218 | gorm.io/driver/sqlite v1.1.3/go.mod h1:AKDgRWk8lcSQSw+9kxCJnX/yySj8G3rdwYlU57cB45c= 219 | gorm.io/driver/sqlserver v1.0.5 h1:n5knSvyaEwufxl0aROEW90pn+aLoV9h+vahYJk1x5l4= 220 | gorm.io/driver/sqlserver v1.0.5/go.mod h1:WI/bfZ+s9TigYXe3hb3XjNaUP0TqmTdXl11pECyLATs= 221 | gorm.io/gorm v1.20.1/go.mod h1:0HFTzE/SqkGTzK6TlDPPQbAYCluiVvhzoA1+aVyzenw= 222 | gorm.io/gorm v1.20.2/go.mod h1:0HFTzE/SqkGTzK6TlDPPQbAYCluiVvhzoA1+aVyzenw= 223 | gorm.io/gorm v1.20.4/go.mod h1:0HFTzE/SqkGTzK6TlDPPQbAYCluiVvhzoA1+aVyzenw= 224 | gorm.io/gorm v1.20.5 h1:g3tpSF9kggASzReK+Z3dYei1IJODLqNUbOjSuCczY8g= 225 | gorm.io/gorm v1.20.5/go.mod h1:0HFTzE/SqkGTzK6TlDPPQbAYCluiVvhzoA1+aVyzenw= 226 | honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 227 | olympos.io/encoding/edn v0.0.0-20200308123125-93e3b8dd0e24 h1:sreVOrDp0/ezb0CHKVek/l7YwpxPJqv+jT3izfSphA4= 228 | olympos.io/encoding/edn v0.0.0-20200308123125-93e3b8dd0e24/go.mod h1:oVgVk4OWVDi43qWBEyGhXgYxt7+ED4iYNpTngSLX2Iw= 229 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | service shieldwall-agent stop || true 3 | cp shieldwall-agent /usr/bin/ 4 | mkdir -p /etc/shieldwall/ 5 | test -s /etc/shieldwall/config.yaml || cp agent.example.yaml /etc/shieldwall/config.yaml 6 | cp shieldwall-agent.service /etc/systemd/system/ 7 | systemctl daemon-reload 8 | -------------------------------------------------------------------------------- /mailer/config.go: -------------------------------------------------------------------------------- 1 | package mailer 2 | 3 | type Config struct { 4 | Address string `yaml:"address"` 5 | Port int `yaml:"port"` 6 | Username string `yaml:"username"` 7 | Password string `yaml:"password"` 8 | } 9 | 10 | -------------------------------------------------------------------------------- /mailer/mailer.go: -------------------------------------------------------------------------------- 1 | package mailer 2 | 3 | import ( 4 | "github.com/evilsocket/islazy/log" 5 | "gopkg.in/gomail.v2" 6 | "sync" 7 | ) 8 | 9 | type Mailer struct { 10 | sync.Mutex 11 | conf Config 12 | dialer *gomail.Dialer 13 | } 14 | 15 | func New(conf Config) (*Mailer, error) { 16 | return &Mailer{ 17 | conf: conf, 18 | dialer: gomail.NewDialer(conf.Address, conf.Port, conf.Username, conf.Password), 19 | }, nil 20 | } 21 | 22 | func (m *Mailer) Send(from, to, subject, body string) error { 23 | m.Lock() 24 | defer m.Unlock() 25 | 26 | log.Debug("sending email to %s via %s:%d, from=%s ...", to, m.conf.Address, m.conf.Port, from) 27 | 28 | msg := gomail.NewMessage() 29 | 30 | msg.SetHeader("From", from) 31 | msg.SetHeader("To", to) 32 | msg.SetHeader("Subject", subject) 33 | 34 | msg.SetBody("text/html", body) 35 | 36 | return m.dialer.DialAndSend(msg) 37 | } -------------------------------------------------------------------------------- /mock-firewall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "iptables $@" -------------------------------------------------------------------------------- /release.stork: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env stork -f 2 | git:changelog 3 | 4 | version:file "version/version.go" 5 | version:from_user 6 | 7 | git:create_tag $VERSION 8 | 9 | -------------------------------------------------------------------------------- /shieldwall-agent.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=shieldwall agent service 3 | Documentation=https://shieldwall.me/ 4 | Wants=network.target 5 | After=network.target 6 | 7 | [Service] 8 | Type=simple 9 | PermissionsStartOnly=true 10 | ExecStart=/usr/bin/shieldwall-agent -log /var/log/shieldwall.log 11 | Restart=always 12 | RestartSec=30 13 | KillMode=process 14 | 15 | [Install] 16 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /shieldwall-api.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=shieldwall api service 3 | Documentation=https://shieldwall.me/ 4 | Wants=network.target 5 | After=network.target 6 | 7 | [Service] 8 | Type=simple 9 | PermissionsStartOnly=true 10 | ExecStart=/usr/bin/shieldwall-api -log /var/log/shieldwall.log 11 | Restart=always 12 | RestartSec=30 13 | 14 | [Install] 15 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /update.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | service shieldwall-agent stop || true 3 | cp shieldwall-agent /usr/bin/ 4 | cp -n shieldwall-agent.service /etc/systemd/system/ 5 | systemctl daemon-reload 6 | service shieldwall-agent start -------------------------------------------------------------------------------- /version/version.go: -------------------------------------------------------------------------------- 1 | package version 2 | 3 | const Version = "1.2.1" --------------------------------------------------------------------------------