update auth options

cmd/signjwt/signjwt.go

@@ -15,76 +15,82 @@ import (
 )
 
 func main() {
+	var secret, clientSecret, relaySecret string
+
 	appID := flag.String("app-id", "", "a unique identifier for a deploy target environment")
 	authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay")
-	clientSecret := flag.String("client-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
 	machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token")
-	relaySecret := flag.String("relay-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
+	flag.StringVar(&secret, "secret", "", "either the remote server or the tunnel relay secret (used for JWT authentication)")
 	flag.Parse()
 
-	if 0 == len(*appID) {
-		*appID = os.Getenv("APP_ID")
-	}
-	if 0 == len(*appID) {
-		*appID = "telebit.io"
-	}
-	if 0 == len(*clientSecret) {
-		*clientSecret = os.Getenv("CLIENT_SECRET")
-	}
-	if 0 == len(*relaySecret) {
-		*relaySecret = os.Getenv("RELAY_SECRET")
-		if 0 == len(*relaySecret) {
-			*relaySecret = os.Getenv("SECRET")
-		}
-	}
-
 	if 0 == len(*authURL) {
 		*authURL = os.Getenv("AUTH_URL")
 	}
 
-	if len(flag.Args()) >= 2 {
+	if 0 == len(*appID) {
-		*relaySecret = flag.Args()[1]
+		*appID = os.Getenv("APP_ID")
 	}
-	if "" == *relaySecret && "" == *clientSecret {
+	if 0 == len(*appID) {
-		fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>\n")
+		*appID = os.Getenv("CLIENT_ID")
+	}
+	if 0 == len(*appID) {
+		*appID = "telebit.io"
+	}
+
+	if 0 == len(secret) {
+		clientSecret = os.Getenv("CLIENT_SECRET")
+		relaySecret = os.Getenv("RELAY_SECRET")
+		if 0 == len(relaySecret) {
+			relaySecret = os.Getenv("SECRET")
+		}
+	}
+	if 0 == len(secret) {
+		secret = clientSecret
+	}
+	if 0 == len(secret) {
+		secret = relaySecret
+	}
+
+	if 0 == len(secret) && 0 == len(clientSecret) && 0 == len(relaySecret) {
+		fmt.Fprintf(os.Stderr, "See usage: signjwt --help\n")
+		os.Exit(1)
+		return
+	} else if 0 != len(clientSecret) && 0 != len(relaySecret) {
+		fmt.Fprintf(os.Stderr, "Use only one of $SECRET or --relay-secret or --client-secret\n")
 		os.Exit(1)
 		return
 	}
 
-	secret := *clientSecret
+	var ppid string
-	if 0 == len(secret) {
+	muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, secret))
-		secret = *relaySecret
+	//muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))
+	if nil != err {
+		fmt.Fprintf(os.Stderr, "unauthorized device: %s\n", err)
+		os.Exit(1)
+		return
 	}
-	if len(flag.Args()) >= 2 {
+	muidBytes, _ := hex.DecodeString(muid)
-		secret = flag.Args()[1]
+	ppid = base64.RawURLEncoding.EncodeToString(muidBytes)
+
+	fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
+	fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
+	pub := authstore.ToPublicKeyString(ppid)
+
+	if *machinePPID {
+		fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
+		fmt.Fprintf(
+			os.Stdout,
+			"%s %s\n",
+			ppid,
+			pub,
+		)
+		return
 	}
 
-	if len(flag.Args()) >= 3 || *machinePPID || "" != *clientSecret {
+	fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
-		muid, err := machineid.ProtectedID(*appID + "|" + secret)
+	fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
-		if nil != err {
-			panic(err)
-		}
-		muidBytes, _ := hex.DecodeString(muid)
-		ppid := base64.RawURLEncoding.EncodeToString(muidBytes)
-		fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
-		fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
-		pub := authstore.ToPublicKeyString(ppid)
-		if len(flag.Args()) >= 3 || *machinePPID {
-			fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
-			fmt.Fprintf(
-				os.Stdout,
-				"%s %s\n",
-				ppid,
-				pub,
-			)
-			return
-		}
-		fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
-		fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
-		secret = ppid
-	}
 
-	tok, err := authstore.HMACToken(secret)
+	tok, err := authstore.HMACToken(ppid)
 	if nil != err {
 		fmt.Fprintf(os.Stderr, "signing error: %s\n", err)
 		os.Exit(1)
@@ -92,11 +98,15 @@ func main() {
 	}
 
 	fmt.Fprintf(os.Stderr, "[debug] <token>\n")
-	fmt.Fprintf(os.Stdout, tok)
+	fmt.Fprintf(os.Stdout, "%s\n", tok)
 
-	_, err = telebit.Inspect(*authURL, tok)
+	if "" != *authURL {
-	if nil != err {
+		grants, err := telebit.Inspect(*authURL, tok)
-		fmt.Fprintf(os.Stderr, "inpsect relay token failed:\n%s\n", err)
+		if nil != err {
-		os.Exit(1)
+			fmt.Fprintf(os.Stderr, "inspect relay token failed:\n%s\n", err)
+			os.Exit(1)
+		}
+		fmt.Fprintf(os.Stderr, "[debug] <grants>\n")
+		fmt.Fprintf(os.Stderr, "%+v\n", grants)
 	}
 }

cmd/telebit/telebit.go

@@ -209,6 +209,13 @@ func main() {
 	}
 	if 0 == len(*token) {
 		*token, err = authstore.HMACToken(ppid)
+		if dbg.Debug {
+			fmt.Printf("[debug] app_id: %q\n", ClientID)
+			//fmt.Printf("[debug] client_secret: %q\n", ClientSecret)
+			//fmt.Printf("[debug] ppid: %q\n", ppid)
+			//fmt.Printf("[debug] ppid: [redacted]\n")
+			fmt.Printf("[debug] token: %q\n", *token)
+		}
 		if nil != err {
 			fmt.Fprintf(os.Stderr, "neither secret nor token provided\n")
 			os.Exit(1)
@@ -402,14 +409,14 @@ func muxAll(
 	}
 
 	if nil != grants {
-		for _, domainname := range grants.Domains {
+		for i, domainname := range grants.Domains {
-			fmt.Printf("Will respond to remote requests to %q\n", domainname)
+			fmt.Printf("[%d] Will decrypt remote requests to %q\n", i, domainname)
 			mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname)
 		}
 	}
 
-	for _, fwd := range forwards {
+	for i, fwd := range forwards {
-		fmt.Printf("Will respond to local requests to %q\n", fwd.pattern)
+		fmt.Printf("[%d] Will decrypt local requests to %q\n", i, fwd.pattern)
 		mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern)
 	}
 

examples/mgmt-ping.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+set -u
+
+source .env
+AUTH_URL="${AUTH_URL:-"http://localhost:3000/api"}"
+
+# 1. (srv) create a new shared key for a given slug
+# 2. (dev) try to update via ping
+# 3. (dev) use key to exchange machine id
+# 4. (dev) use key to connect to remote
+# 5. (dev) ping occasionally
+
+echo "CLIENT_SECRET: $CLIENT_SECRET"
+TOKEN=$(go run cmd/signjwt/*.go --app-id "$APP_ID" --secret "$CLIENT_SECRET")
+echo "TOKEN 1: $TOKEN"
+
+my_parts=$(go run cmd/signjwt/*.go --secret $CLIENT_SECRET --machine-ppid)
+my_ppid=$(echo $my_parts | cut -d' ' -f1)
+my_keyid=$(echo $my_parts | cut -d' ' -f2)
+echo "PPID: $my_ppid KeyID: $my_keyid"
+
+curl -X POST "$AUTH_URL/ping"  -H "Authorization: Bearer ${TOKEN}"
+curl "$AUTH_URL/inspect" -H "Authorization: Bearer ${TOKEN}"

mplexer/mgmt-ping.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-set -e
-set -u
-
-# 1. (srv) create a new shared key for a given slug
-# 2. (dev) try to update via ping
-# 3. (dev) use key to exchange machine id
-# 4. (dev) use key to connect to remote
-# 5. (dev) ping occasionally
-
-TOKEN=$(go run cmd/signjwt/*.go)
-echo "TOKEN: $TOKEN"
-
-my_shared="ZR2rxYmcKJcmtKgmH9D5Qw"
-my_parts=$(go run cmd/signjwt/*.go $my_shared machineid)
-my_ppid=$(echo $my_parts | cut -d' ' -f1)
-my_keyid=$(echo $my_parts | cut -d' ' -f2)
-echo "PPID: $my_ppid KeyID: $my_keyid"
-
-TOKEN=$(go run cmd/signjwt/*.go $my_ppid)
-curl -X POST http://localhost:3000/api/ping  -H "Authorization: Bearer ${TOKEN}"
-curl http://localhost:3000/api/inspect  -H "Authorization: Bearer ${TOKEN}"