From 360f800a30aef7ce3c3431b82ce16aacbbc9cb1e Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Sun, 19 Jul 2020 02:16:11 -0600 Subject: [PATCH] update auth options --- cmd/signjwt/signjwt.go | 124 ++++++++++++++++++++++------------------- cmd/telebit/telebit.go | 15 +++-- examples/mgmt-ping.sh | 25 +++++++++ mplexer/mgmt-ping.sh | 23 -------- 4 files changed, 103 insertions(+), 84 deletions(-) create mode 100644 examples/mgmt-ping.sh delete mode 100644 mplexer/mgmt-ping.sh diff --git a/cmd/signjwt/signjwt.go b/cmd/signjwt/signjwt.go index 8a73ef4..b9c8e15 100644 --- a/cmd/signjwt/signjwt.go +++ b/cmd/signjwt/signjwt.go @@ -15,76 +15,82 @@ import ( ) func main() { + var secret, clientSecret, relaySecret string + appID := flag.String("app-id", "", "a unique identifier for a deploy target environment") authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay") - clientSecret := flag.String("client-secret", "", "the same secret used by telebit-relay (used for JWT authentication)") machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token") - relaySecret := flag.String("relay-secret", "", "the same secret used by telebit-relay (used for JWT authentication)") + flag.StringVar(&secret, "secret", "", "either the remote server or the tunnel relay secret (used for JWT authentication)") flag.Parse() - if 0 == len(*appID) { - *appID = os.Getenv("APP_ID") - } - if 0 == len(*appID) { - *appID = "telebit.io" - } - if 0 == len(*clientSecret) { - *clientSecret = os.Getenv("CLIENT_SECRET") - } - if 0 == len(*relaySecret) { - *relaySecret = os.Getenv("RELAY_SECRET") - if 0 == len(*relaySecret) { - *relaySecret = os.Getenv("SECRET") - } - } - if 0 == len(*authURL) { *authURL = os.Getenv("AUTH_URL") } - if len(flag.Args()) >= 2 { - *relaySecret = flag.Args()[1] + if 0 == len(*appID) { + *appID = os.Getenv("APP_ID") } - if "" == *relaySecret && "" == *clientSecret { - fmt.Fprintf(os.Stderr, "Usage: signjwt \n") + if 0 == len(*appID) { + *appID = os.Getenv("CLIENT_ID") + } + if 0 == len(*appID) { + *appID = "telebit.io" + } + + if 0 == len(secret) { + clientSecret = os.Getenv("CLIENT_SECRET") + relaySecret = os.Getenv("RELAY_SECRET") + if 0 == len(relaySecret) { + relaySecret = os.Getenv("SECRET") + } + } + if 0 == len(secret) { + secret = clientSecret + } + if 0 == len(secret) { + secret = relaySecret + } + + if 0 == len(secret) && 0 == len(clientSecret) && 0 == len(relaySecret) { + fmt.Fprintf(os.Stderr, "See usage: signjwt --help\n") + os.Exit(1) + return + } else if 0 != len(clientSecret) && 0 != len(relaySecret) { + fmt.Fprintf(os.Stderr, "Use only one of $SECRET or --relay-secret or --client-secret\n") os.Exit(1) return } - secret := *clientSecret - if 0 == len(secret) { - secret = *relaySecret + var ppid string + muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, secret)) + //muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret)) + if nil != err { + fmt.Fprintf(os.Stderr, "unauthorized device: %s\n", err) + os.Exit(1) + return } - if len(flag.Args()) >= 2 { - secret = flag.Args()[1] + muidBytes, _ := hex.DecodeString(muid) + ppid = base64.RawURLEncoding.EncodeToString(muidBytes) + + fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID) + fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret) + pub := authstore.ToPublicKeyString(ppid) + + if *machinePPID { + fmt.Fprintf(os.Stderr, "[debug]: \n") + fmt.Fprintf( + os.Stdout, + "%s %s\n", + ppid, + pub, + ) + return } - if len(flag.Args()) >= 3 || *machinePPID || "" != *clientSecret { - muid, err := machineid.ProtectedID(*appID + "|" + secret) - if nil != err { - panic(err) - } - muidBytes, _ := hex.DecodeString(muid) - ppid := base64.RawURLEncoding.EncodeToString(muidBytes) - fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID) - fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret) - pub := authstore.ToPublicKeyString(ppid) - if len(flag.Args()) >= 3 || *machinePPID { - fmt.Fprintf(os.Stderr, "[debug]: \n") - fmt.Fprintf( - os.Stdout, - "%s %s\n", - ppid, - pub, - ) - return - } - fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid) - fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub) - secret = ppid - } + fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid) + fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub) - tok, err := authstore.HMACToken(secret) + tok, err := authstore.HMACToken(ppid) if nil != err { fmt.Fprintf(os.Stderr, "signing error: %s\n", err) os.Exit(1) @@ -92,11 +98,15 @@ func main() { } fmt.Fprintf(os.Stderr, "[debug] \n") - fmt.Fprintf(os.Stdout, tok) + fmt.Fprintf(os.Stdout, "%s\n", tok) - _, err = telebit.Inspect(*authURL, tok) - if nil != err { - fmt.Fprintf(os.Stderr, "inpsect relay token failed:\n%s\n", err) - os.Exit(1) + if "" != *authURL { + grants, err := telebit.Inspect(*authURL, tok) + if nil != err { + fmt.Fprintf(os.Stderr, "inspect relay token failed:\n%s\n", err) + os.Exit(1) + } + fmt.Fprintf(os.Stderr, "[debug] \n") + fmt.Fprintf(os.Stderr, "%+v\n", grants) } } diff --git a/cmd/telebit/telebit.go b/cmd/telebit/telebit.go index 180ad27..83334f6 100644 --- a/cmd/telebit/telebit.go +++ b/cmd/telebit/telebit.go @@ -209,6 +209,13 @@ func main() { } if 0 == len(*token) { *token, err = authstore.HMACToken(ppid) + if dbg.Debug { + fmt.Printf("[debug] app_id: %q\n", ClientID) + //fmt.Printf("[debug] client_secret: %q\n", ClientSecret) + //fmt.Printf("[debug] ppid: %q\n", ppid) + //fmt.Printf("[debug] ppid: [redacted]\n") + fmt.Printf("[debug] token: %q\n", *token) + } if nil != err { fmt.Fprintf(os.Stderr, "neither secret nor token provided\n") os.Exit(1) @@ -402,14 +409,14 @@ func muxAll( } if nil != grants { - for _, domainname := range grants.Domains { - fmt.Printf("Will respond to remote requests to %q\n", domainname) + for i, domainname := range grants.Domains { + fmt.Printf("[%d] Will decrypt remote requests to %q\n", i, domainname) mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname) } } - for _, fwd := range forwards { - fmt.Printf("Will respond to local requests to %q\n", fwd.pattern) + for i, fwd := range forwards { + fmt.Printf("[%d] Will decrypt local requests to %q\n", i, fwd.pattern) mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern) } diff --git a/examples/mgmt-ping.sh b/examples/mgmt-ping.sh new file mode 100644 index 0000000..6a1a916 --- /dev/null +++ b/examples/mgmt-ping.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e +set -u + +source .env +AUTH_URL="${AUTH_URL:-"http://localhost:3000/api"}" + +# 1. (srv) create a new shared key for a given slug +# 2. (dev) try to update via ping +# 3. (dev) use key to exchange machine id +# 4. (dev) use key to connect to remote +# 5. (dev) ping occasionally + +echo "CLIENT_SECRET: $CLIENT_SECRET" +TOKEN=$(go run cmd/signjwt/*.go --app-id "$APP_ID" --secret "$CLIENT_SECRET") +echo "TOKEN 1: $TOKEN" + +my_parts=$(go run cmd/signjwt/*.go --secret $CLIENT_SECRET --machine-ppid) +my_ppid=$(echo $my_parts | cut -d' ' -f1) +my_keyid=$(echo $my_parts | cut -d' ' -f2) +echo "PPID: $my_ppid KeyID: $my_keyid" + +curl -X POST "$AUTH_URL/ping" -H "Authorization: Bearer ${TOKEN}" +curl "$AUTH_URL/inspect" -H "Authorization: Bearer ${TOKEN}" diff --git a/mplexer/mgmt-ping.sh b/mplexer/mgmt-ping.sh deleted file mode 100644 index 99d2ddb..0000000 --- a/mplexer/mgmt-ping.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -set -e -set -u - -# 1. (srv) create a new shared key for a given slug -# 2. (dev) try to update via ping -# 3. (dev) use key to exchange machine id -# 4. (dev) use key to connect to remote -# 5. (dev) ping occasionally - -TOKEN=$(go run cmd/signjwt/*.go) -echo "TOKEN: $TOKEN" - -my_shared="ZR2rxYmcKJcmtKgmH9D5Qw" -my_parts=$(go run cmd/signjwt/*.go $my_shared machineid) -my_ppid=$(echo $my_parts | cut -d' ' -f1) -my_keyid=$(echo $my_parts | cut -d' ' -f2) -echo "PPID: $my_ppid KeyID: $my_keyid" - -TOKEN=$(go run cmd/signjwt/*.go $my_ppid) -curl -X POST http://localhost:3000/api/ping -H "Authorization: Bearer ${TOKEN}" -curl http://localhost:3000/api/inspect -H "Authorization: Bearer ${TOKEN}"