update auth options
This commit is contained in:
parent
52c636d8d6
commit
360f800a30
|
@ -15,61 +15,68 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
var secret, clientSecret, relaySecret string
|
||||||
|
|
||||||
appID := flag.String("app-id", "", "a unique identifier for a deploy target environment")
|
appID := flag.String("app-id", "", "a unique identifier for a deploy target environment")
|
||||||
authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay")
|
authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay")
|
||||||
clientSecret := flag.String("client-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
|
|
||||||
machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token")
|
machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token")
|
||||||
relaySecret := flag.String("relay-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
|
flag.StringVar(&secret, "secret", "", "either the remote server or the tunnel relay secret (used for JWT authentication)")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
if 0 == len(*appID) {
|
|
||||||
*appID = os.Getenv("APP_ID")
|
|
||||||
}
|
|
||||||
if 0 == len(*appID) {
|
|
||||||
*appID = "telebit.io"
|
|
||||||
}
|
|
||||||
if 0 == len(*clientSecret) {
|
|
||||||
*clientSecret = os.Getenv("CLIENT_SECRET")
|
|
||||||
}
|
|
||||||
if 0 == len(*relaySecret) {
|
|
||||||
*relaySecret = os.Getenv("RELAY_SECRET")
|
|
||||||
if 0 == len(*relaySecret) {
|
|
||||||
*relaySecret = os.Getenv("SECRET")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if 0 == len(*authURL) {
|
if 0 == len(*authURL) {
|
||||||
*authURL = os.Getenv("AUTH_URL")
|
*authURL = os.Getenv("AUTH_URL")
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(flag.Args()) >= 2 {
|
if 0 == len(*appID) {
|
||||||
*relaySecret = flag.Args()[1]
|
*appID = os.Getenv("APP_ID")
|
||||||
}
|
}
|
||||||
if "" == *relaySecret && "" == *clientSecret {
|
if 0 == len(*appID) {
|
||||||
fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>\n")
|
*appID = os.Getenv("CLIENT_ID")
|
||||||
|
}
|
||||||
|
if 0 == len(*appID) {
|
||||||
|
*appID = "telebit.io"
|
||||||
|
}
|
||||||
|
|
||||||
|
if 0 == len(secret) {
|
||||||
|
clientSecret = os.Getenv("CLIENT_SECRET")
|
||||||
|
relaySecret = os.Getenv("RELAY_SECRET")
|
||||||
|
if 0 == len(relaySecret) {
|
||||||
|
relaySecret = os.Getenv("SECRET")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if 0 == len(secret) {
|
||||||
|
secret = clientSecret
|
||||||
|
}
|
||||||
|
if 0 == len(secret) {
|
||||||
|
secret = relaySecret
|
||||||
|
}
|
||||||
|
|
||||||
|
if 0 == len(secret) && 0 == len(clientSecret) && 0 == len(relaySecret) {
|
||||||
|
fmt.Fprintf(os.Stderr, "See usage: signjwt --help\n")
|
||||||
|
os.Exit(1)
|
||||||
|
return
|
||||||
|
} else if 0 != len(clientSecret) && 0 != len(relaySecret) {
|
||||||
|
fmt.Fprintf(os.Stderr, "Use only one of $SECRET or --relay-secret or --client-secret\n")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
secret := *clientSecret
|
var ppid string
|
||||||
if 0 == len(secret) {
|
muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, secret))
|
||||||
secret = *relaySecret
|
//muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))
|
||||||
}
|
|
||||||
if len(flag.Args()) >= 2 {
|
|
||||||
secret = flag.Args()[1]
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(flag.Args()) >= 3 || *machinePPID || "" != *clientSecret {
|
|
||||||
muid, err := machineid.ProtectedID(*appID + "|" + secret)
|
|
||||||
if nil != err {
|
if nil != err {
|
||||||
panic(err)
|
fmt.Fprintf(os.Stderr, "unauthorized device: %s\n", err)
|
||||||
|
os.Exit(1)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
muidBytes, _ := hex.DecodeString(muid)
|
muidBytes, _ := hex.DecodeString(muid)
|
||||||
ppid := base64.RawURLEncoding.EncodeToString(muidBytes)
|
ppid = base64.RawURLEncoding.EncodeToString(muidBytes)
|
||||||
|
|
||||||
fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
|
fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
|
||||||
fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
|
fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
|
||||||
pub := authstore.ToPublicKeyString(ppid)
|
pub := authstore.ToPublicKeyString(ppid)
|
||||||
if len(flag.Args()) >= 3 || *machinePPID {
|
|
||||||
|
if *machinePPID {
|
||||||
fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
|
fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
|
||||||
fmt.Fprintf(
|
fmt.Fprintf(
|
||||||
os.Stdout,
|
os.Stdout,
|
||||||
|
@ -79,12 +86,11 @@ func main() {
|
||||||
)
|
)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
|
fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
|
||||||
fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
|
fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
|
||||||
secret = ppid
|
|
||||||
}
|
|
||||||
|
|
||||||
tok, err := authstore.HMACToken(secret)
|
tok, err := authstore.HMACToken(ppid)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
fmt.Fprintf(os.Stderr, "signing error: %s\n", err)
|
fmt.Fprintf(os.Stderr, "signing error: %s\n", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
@ -92,11 +98,15 @@ func main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
fmt.Fprintf(os.Stderr, "[debug] <token>\n")
|
fmt.Fprintf(os.Stderr, "[debug] <token>\n")
|
||||||
fmt.Fprintf(os.Stdout, tok)
|
fmt.Fprintf(os.Stdout, "%s\n", tok)
|
||||||
|
|
||||||
_, err = telebit.Inspect(*authURL, tok)
|
if "" != *authURL {
|
||||||
|
grants, err := telebit.Inspect(*authURL, tok)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
fmt.Fprintf(os.Stderr, "inpsect relay token failed:\n%s\n", err)
|
fmt.Fprintf(os.Stderr, "inspect relay token failed:\n%s\n", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
fmt.Fprintf(os.Stderr, "[debug] <grants>\n")
|
||||||
|
fmt.Fprintf(os.Stderr, "%+v\n", grants)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -209,6 +209,13 @@ func main() {
|
||||||
}
|
}
|
||||||
if 0 == len(*token) {
|
if 0 == len(*token) {
|
||||||
*token, err = authstore.HMACToken(ppid)
|
*token, err = authstore.HMACToken(ppid)
|
||||||
|
if dbg.Debug {
|
||||||
|
fmt.Printf("[debug] app_id: %q\n", ClientID)
|
||||||
|
//fmt.Printf("[debug] client_secret: %q\n", ClientSecret)
|
||||||
|
//fmt.Printf("[debug] ppid: %q\n", ppid)
|
||||||
|
//fmt.Printf("[debug] ppid: [redacted]\n")
|
||||||
|
fmt.Printf("[debug] token: %q\n", *token)
|
||||||
|
}
|
||||||
if nil != err {
|
if nil != err {
|
||||||
fmt.Fprintf(os.Stderr, "neither secret nor token provided\n")
|
fmt.Fprintf(os.Stderr, "neither secret nor token provided\n")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
@ -402,14 +409,14 @@ func muxAll(
|
||||||
}
|
}
|
||||||
|
|
||||||
if nil != grants {
|
if nil != grants {
|
||||||
for _, domainname := range grants.Domains {
|
for i, domainname := range grants.Domains {
|
||||||
fmt.Printf("Will respond to remote requests to %q\n", domainname)
|
fmt.Printf("[%d] Will decrypt remote requests to %q\n", i, domainname)
|
||||||
mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname)
|
mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, fwd := range forwards {
|
for i, fwd := range forwards {
|
||||||
fmt.Printf("Will respond to local requests to %q\n", fwd.pattern)
|
fmt.Printf("[%d] Will decrypt local requests to %q\n", i, fwd.pattern)
|
||||||
mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern)
|
mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
|
||||||
|
source .env
|
||||||
|
AUTH_URL="${AUTH_URL:-"http://localhost:3000/api"}"
|
||||||
|
|
||||||
|
# 1. (srv) create a new shared key for a given slug
|
||||||
|
# 2. (dev) try to update via ping
|
||||||
|
# 3. (dev) use key to exchange machine id
|
||||||
|
# 4. (dev) use key to connect to remote
|
||||||
|
# 5. (dev) ping occasionally
|
||||||
|
|
||||||
|
echo "CLIENT_SECRET: $CLIENT_SECRET"
|
||||||
|
TOKEN=$(go run cmd/signjwt/*.go --app-id "$APP_ID" --secret "$CLIENT_SECRET")
|
||||||
|
echo "TOKEN 1: $TOKEN"
|
||||||
|
|
||||||
|
my_parts=$(go run cmd/signjwt/*.go --secret $CLIENT_SECRET --machine-ppid)
|
||||||
|
my_ppid=$(echo $my_parts | cut -d' ' -f1)
|
||||||
|
my_keyid=$(echo $my_parts | cut -d' ' -f2)
|
||||||
|
echo "PPID: $my_ppid KeyID: $my_keyid"
|
||||||
|
|
||||||
|
curl -X POST "$AUTH_URL/ping" -H "Authorization: Bearer ${TOKEN}"
|
||||||
|
curl "$AUTH_URL/inspect" -H "Authorization: Bearer ${TOKEN}"
|
|
@ -1,23 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
set -u
|
|
||||||
|
|
||||||
# 1. (srv) create a new shared key for a given slug
|
|
||||||
# 2. (dev) try to update via ping
|
|
||||||
# 3. (dev) use key to exchange machine id
|
|
||||||
# 4. (dev) use key to connect to remote
|
|
||||||
# 5. (dev) ping occasionally
|
|
||||||
|
|
||||||
TOKEN=$(go run cmd/signjwt/*.go)
|
|
||||||
echo "TOKEN: $TOKEN"
|
|
||||||
|
|
||||||
my_shared="ZR2rxYmcKJcmtKgmH9D5Qw"
|
|
||||||
my_parts=$(go run cmd/signjwt/*.go $my_shared machineid)
|
|
||||||
my_ppid=$(echo $my_parts | cut -d' ' -f1)
|
|
||||||
my_keyid=$(echo $my_parts | cut -d' ' -f2)
|
|
||||||
echo "PPID: $my_ppid KeyID: $my_keyid"
|
|
||||||
|
|
||||||
TOKEN=$(go run cmd/signjwt/*.go $my_ppid)
|
|
||||||
curl -X POST http://localhost:3000/api/ping -H "Authorization: Bearer ${TOKEN}"
|
|
||||||
curl http://localhost:3000/api/inspect -H "Authorization: Bearer ${TOKEN}"
|
|
Loading…
Reference in New Issue