From 763813790731fb45db011b26801af749a7b10978 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Boulanouar?=
Date: Sun, 19 Dec 2021 15:45:05 +0100
Subject: [PATCH] Implement security ban theme (#4)
Co-authored-by: DblK
---
 README.md | 1 +
 config.example.yaml | 5 +++++
 config/config.go | 15 +++++++++++++--
 config/config_test.go | 20 ++++++++++++++++++++
 mock_repository/mock_config.go | 14 ++++++++++++++
 repository/interfaces.go | 1 +
 security.go | 8 ++++++++
 7 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8a505c4..5761660 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,7 @@ Here is the list of all main features so far:
 - [X] Display a webpage for forbidden devices
 - [X] Auto-refresh configuration on file change
 - [X] Add the possibility to whitelist or blacklist a switch
+- [X] Add the possibility to ban theme
 # Dev or build from source
diff --git a/config.example.yaml b/config.example.yaml
index 02bb338..53f913b 100644
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -37,6 +37,11 @@ sources:
 # All security information will be stored here
 security:
+ # List of theme to be banned with security
+ # Be aware that this should be string (do not forget quotes)
+ # You can find the theme of a switch in the log upon access
+ bannedTheme:
+ - "0000000000000000000000000000000000000000000000000000000000000000"
 # List of switch uid to whitelist
 # If enabled then only switch in this area will be listed
 # You can find the uid of a switch in the log upon access
diff --git a/config/config.go b/config/config.go
index e3d7efd..34c5f2b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -19,8 +19,9 @@ type debug struct {
 }
 type security struct {
- Whitelist []string `mapstructure:"whitelist"`
- Backlist []string `mapstructure:"backlist"`
+ Whitelist []string `mapstructure:"whitelist"`
+ Backlist []string `mapstructure:"backlist"`
+ BannedTheme []string `mapstructure:"bannedTheme"`
 }
 // File holds all config information
@@ -231,3 +232,13 @@ func (cfg *File) isInWhiteList(uid string) bool {
 })
 return idxWhiteList != -1
 }
+
+// IsBannedTheme tells if the theme is banned or not
+func (cfg *File) IsBannedTheme(theme string) bool {
+ fmt.Println(theme)
+ fmt.Println(cfg.Security.BannedTheme)
+ idxBannedTheme := utils.Search(len(cfg.Security.BannedTheme), func(index int) bool {
+ return cfg.Security.BannedTheme[index] == theme
+ })
+ return idxBannedTheme != -1
+}
diff --git a/config/config_test.go b/config/config_test.go
index 029ce5a..685833b 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -200,4 +200,24 @@ var _ = Describe("Config", func() {
 })
 })
 })
+ Context("Security for theme", func() {
+ var myConfig = config.File{}
+ Describe("IsBannedTheme", func() {
+ It("should not be banned if empty config", func() {
+ Expect(myConfig.IsBannedTheme("myTheme")).To(BeFalse())
+ })
+ It("should not be banned if no corresponding config", func() {
+ var bannedThemes = make([]string, 0)
+ bannedThemes = append(bannedThemes, "banned")
+ myConfig.Security.BannedTheme = bannedThemes
+ Expect(myConfig.IsBannedTheme("myTheme")).To(BeFalse())
+ })
+ It("should not be banned if no corresponding config", func() {
+ var bannedThemes = make([]string, 0)
+ bannedThemes = append(bannedThemes, "myTheme")
+ myConfig.Security.BannedTheme = bannedThemes
+ Expect(myConfig.IsBannedTheme("myTheme")).To(BeTrue())
+ })
+ })
+ })
 })
diff --git a/mock_repository/mock_config.go b/mock_repository/mock_config.go
index ea16778..789ce7b 100644
--- a/mock_repository/mock_config.go
+++ b/mock_repository/mock_config.go
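Review bot: The two `fmt.Println` calls at the top of `IsBannedTheme` look like leftover debugging and should be removed: they write the caller-supplied theme string, unescaped, and the whole configured ban list to stdout on every call. The caller added in security.go by this same patch passes a value built from a request header, so that output is client-influenced and bypasses the `log` calls used elsewhere. Separately, `cfg.Security.BannedTheme[index] == theme` is case-sensitive; if the theme is a hex digest, as the example config suggests, `strings.EqualFold(cfg.Security.BannedTheme[index], theme)` would keep a ban from depending on letter case, though how the client formats the value should be confirmed first.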
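Review bot: The third spec reuses the description "should not be banned if no corresponding config" although it asserts `BeTrue()`; something like `It("should be banned if theme is in config", func() {` would make a failure report readable. The three specs also share the single `myConfig` declared in the `Context` body and overwrite `Security.BannedTheme` on it, so the "empty config" spec only sees an empty list if it runs before the others; building the config in a `BeforeEach` would make each spec independent of order. A case with several banned entries where the match is not the first element would exercise the search itself rather than a one-element list.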
@@ -90,6 +90,20 @@ func (mr *MockConfigMockRecorder) Host() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Host", reflect.TypeOf((*MockConfig)(nil).Host)) } +// IsBannedTheme mocks base method. +func (m *MockConfig) IsBannedTheme(arg0 string) bool { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "IsBannedTheme", arg0) + ret0, _ := ret[0].(bool) + return ret0 +} + +// IsBannedTheme indicates an expected call of IsBannedTheme. +func (mr *MockConfigMockRecorder) IsBannedTheme(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsBannedTheme", reflect.TypeOf((*MockConfig)(nil).IsBannedTheme), arg0) +} + // IsBlacklisted mocks base method. func (m *MockConfig) IsBlacklisted(arg0 string) bool { m.ctrl.T.Helper()
diff --git a/repository/interfaces.go b/repository/interfaces.go
index 822c31d..155281f 100644
--- a/repository/interfaces.go
+++ b/repository/interfaces.go
@@ -32,6 +32,7 @@ type Config interface {
 IsBlacklisted(string) bool
 IsWhitelisted(string) bool
+ IsBannedTheme(string) bool
 }
 // ShopTemplate contains all variables used for shop template
diff --git a/security.go b/security.go
index 070918e..3b08042 100644
--- a/security.go
+++ b/security.go
@@ -31,6 +31,14 @@ func tinfoilMiddleware(next http.Handler) http.Handler {
 return
 }
+ // Check for banned theme
+ var theme = strings.Join(headers["Theme"], "")
+ if config.GetConfig().IsBannedTheme(theme) {
+ log.Println("[Security] Banned theme detected...", uid, theme)
+ _ = shopTemplate.Execute(w, config.GetConfig().ShopTemplateData())
+ return
+ }
+
 // No User-Agent for tinfoil app
 if headers["User-Agent"] != nil {
 log.Println("[Security] User-Agent detected...")
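Review bot: `strings.Join(headers["Theme"], "")` in the security.go hunk concatenates every Theme value before the lookup, so a request carrying the header more than once yields a string that cannot equal any configured entry and the ban check lets it through; testing each value on its own, `for _, theme := range headers["Theme"] { if config.GetConfig().IsBannedTheme(theme) { ... } }`, avoids that. The log call prints `uid` and `theme` verbatim; assuming both are strings taken from the request, `log.Printf("[Security] Banned theme detected... %q %q", uid, theme)` keeps control characters out of the log. The header is client-supplied, so this check only filters clients that report their theme honestly and should sit alongside the uid lists rather than replace them. `tinfoilMiddleware` starts and ends outside the hunk, so whether `headers` is the canonicalised `r.Header` and whether the earlier branches also discard the `Execute` error cannot be confirmed from here.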