tuer3/webinterface/www/cgi-bin/kraut.space

#!/bin/sh -e
#    tuer3 web interface
#    Copyright (C) 2017-2019 Hackspace Jena e. V.
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.

header() {
    printf 'Content-type: text/html\nStrict-Transport-Security: max-age=86400000\n\n'
}

# extract parameters
# tr -cd removes all characters, this prevents things like xss
getp() {
  echo "$REQUEST_URI" | sed 's/.*?//' | sed 's/%20/ /g' \
    | tr '?&' '\n'  | tr --complement --delete '0-9a-z_= \n' \
    | grep --extended-regexp "^$1=" | sed "s/^$1=//"
}

secret="$(getp secret)"
secret_length="$(echo "$secret" | wc --chars)"
hashed_secret="$(echo "$secret" | sha512sum | cut -f1 -d\ )"
cmd=$(getp cmd)

# check secret
# the secrets file has to contain the hashes on a single line, comments are allowed on seperate lines
# secrets can only contain the characters that are allowed in getp() with tr -cd
if [ -z "$secret" ] \
    || [ "$secret_length" -lt 30 ] \
    || ! grep -q ";$hashed_secret$" /etc/tuer3.0/door_access_list
then
    header

    CABBAGE=""
    [ -z "$secret" ] || CABBAGE="Ich bin mir nicht sicher. Mir scheint, du bist doch ein Kohlkopf oder Anderes!"

    # shellcheck disable=SC2002
    cat /var/www/tpl/secret.html | sed 's/<!--XCABBAGEX-->/'"$CABBAGE"'/'

    exit
fi

# control relais card
if [ -n "$cmd" ]; then
    case "$cmd" in
        #indoor_unlock)   pin=17; delay1=0;  delay2=1;;   unused pin
        indoor_lock)   pin=4;  delay1=0;  delay2=1;;
        indoor_open)   pin=27; delay1=0;  delay2=1;;
        outdoor_buzz)  pin=22; delay1=15; delay2=5;;
        *) header; echo 'Do not hack the hackerspace!'"$cmd"; exit;;
    esac

    # execute long-running ppio job in background shell
    (   sleep $delay1
        /usr/local/bin/gpio -g write $pin on
        sleep $delay2
        /usr/local/bin/gpio -g write $pin off
    ) </dev/null >/dev/null 2>/dev/null &

    DATE="$(date +"%F %T")"
    echo "$DATE $cmd $hashed_secret" >>/var/log/tuer/log &

    header
    sed 's/XTIMEOUTX/'"$((delay1 + delay2))"'/' /var/www/tpl/wait.html | sed 's/XSECRETX/'"$secret"/

    exit
fi

# show feature page
header
sed 's/XSECRET_HEREX/'"$secret"'/' /var/www/tpl/features.html
exit
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`#!/bin/sh -e`
add licenses and credits 2019-10-05 14:38:33 +02:00			`# tuer3 web interface`
			`# Copyright (C) 2017-2019 Hackspace Jena e. V.`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <https://www.gnu.org/licenses/>.`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00
			`header() {`
fix html head not delivered 2019-09-25 20:40:43 +02:00			`printf 'Content-type: text/html\nStrict-Transport-Security: max-age=86400000\n\n'`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`}`

			`# extract parameters`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`# tr -cd removes all characters, this prevents things like xss`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`getp() {`
adopt new wireless hardware 2017-09-07 22:12:10 +02:00			`echo "$REQUEST_URI" \| sed 's/.*?//' \| sed 's/%20/ /g' \`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`\| tr '?&' '\n' \| tr --complement --delete '0-9a-z_= \n' \`
			`\| grep --extended-regexp "^$1=" \| sed "s/^$1=//"`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`}`
map cgi-bin/kraut.space to / 2017-09-11 20:50:46 +02:00
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`secret="$(getp secret)"`
			`secret_length="$(echo "$secret" \| wc --chars)"`
			`hashed_secret="$(echo "$secret" \| sha512sum \| cut -f1 -d\ )"`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`cmd=$(getp cmd)`

			`# check secret`
			`# the secrets file has to contain the hashes on a single line, comments are allowed on seperate lines`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`# secrets can only contain the characters that are allowed in getp() with tr -cd`
fix invalid HTML delivery on wrong key 2019-09-25 21:07:52 +02:00			`if [ -z "$secret" ] \`
			`\|\| [ "$secret_length" -lt 30 ] \`
			`\|\| ! grep -q ";$hashed_secret$" /etc/tuer3.0/door_access_list`
			`then`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`header`
fix invalid HTML delivery on wrong key 2019-09-25 21:07:52 +02:00
			`CABBAGE=""`
			`[ -z "$secret" ] \|\| CABBAGE="Ich bin mir nicht sicher. Mir scheint, du bist doch ein Kohlkopf oder Anderes!"`

			`# shellcheck disable=SC2002`
			`cat /var/www/tpl/secret.html \| sed 's/<!--XCABBAGEX-->/'"$CABBAGE"'/'`

add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`exit`
			`fi`

			`# control relais card`
			`if [ -n "$cmd" ]; then`
			`case "$cmd" in`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`#indoor_unlock) pin=17; delay1=0; delay2=1;; unused pin`
			`indoor_lock) pin=4; delay1=0; delay2=1;;`
			`indoor_open) pin=27; delay1=0; delay2=1;;`
			`outdoor_buzz) pin=22; delay1=15; delay2=5;;`
			`*) header; echo 'Do not hack the hackerspace!'"$cmd"; exit;;`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`esac`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`# execute long-running ppio job in background shell`
			`( sleep $delay1`
fix invalid HTML delivery on wrong key 2019-09-25 21:07:52 +02:00			`/usr/local/bin/gpio -g write $pin on`
			`sleep $delay2`
			`/usr/local/bin/gpio -g write $pin off`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`) </dev/null >/dev/null 2>/dev/null &`

fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`DATE="$(date +"%F %T")"`
			`echo "$DATE $cmd $hashed_secret" >>/var/log/tuer/log &`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00
			`header`
fix codestyle, indentation and shellcheck issue 2019-09-25 20:32:12 +02:00			`sed 's/XTIMEOUTX/'"$((delay1 + delay2))"'/' /var/www/tpl/wait.html \| sed 's/XSECRETX/'"$secret"/`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00
fix invalid HTML delivery on wrong key 2019-09-25 21:07:52 +02:00			`exit`
add kraut.space bash cgi script 2017-07-05 23:24:57 +02:00			`fi`

			`# show feature page`
			`header`
			`sed 's/XSECRET_HEREX/'"$secret"'/' /var/www/tpl/features.html`
			`exit`