update auth options

This commit is contained in:
AJ ONeal 2020-07-19 02:16:11 -06:00
parent 52c636d8d6
commit 360f800a30
4 changed files with 103 additions and 84 deletions

View File

@ -15,61 +15,68 @@ import (
)
func main() {
var secret, clientSecret, relaySecret string
appID := flag.String("app-id", "", "a unique identifier for a deploy target environment")
authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay")
clientSecret := flag.String("client-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token")
relaySecret := flag.String("relay-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
flag.StringVar(&secret, "secret", "", "either the remote server or the tunnel relay secret (used for JWT authentication)")
flag.Parse()
if 0 == len(*appID) {
*appID = os.Getenv("APP_ID")
}
if 0 == len(*appID) {
*appID = "telebit.io"
}
if 0 == len(*clientSecret) {
*clientSecret = os.Getenv("CLIENT_SECRET")
}
if 0 == len(*relaySecret) {
*relaySecret = os.Getenv("RELAY_SECRET")
if 0 == len(*relaySecret) {
*relaySecret = os.Getenv("SECRET")
}
}
if 0 == len(*authURL) {
*authURL = os.Getenv("AUTH_URL")
}
if len(flag.Args()) >= 2 {
*relaySecret = flag.Args()[1]
if 0 == len(*appID) {
*appID = os.Getenv("APP_ID")
}
if "" == *relaySecret && "" == *clientSecret {
fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>\n")
if 0 == len(*appID) {
*appID = os.Getenv("CLIENT_ID")
}
if 0 == len(*appID) {
*appID = "telebit.io"
}
if 0 == len(secret) {
clientSecret = os.Getenv("CLIENT_SECRET")
relaySecret = os.Getenv("RELAY_SECRET")
if 0 == len(relaySecret) {
relaySecret = os.Getenv("SECRET")
}
}
if 0 == len(secret) {
secret = clientSecret
}
if 0 == len(secret) {
secret = relaySecret
}
if 0 == len(secret) && 0 == len(clientSecret) && 0 == len(relaySecret) {
fmt.Fprintf(os.Stderr, "See usage: signjwt --help\n")
os.Exit(1)
return
} else if 0 != len(clientSecret) && 0 != len(relaySecret) {
fmt.Fprintf(os.Stderr, "Use only one of $SECRET or --relay-secret or --client-secret\n")
os.Exit(1)
return
}
secret := *clientSecret
if 0 == len(secret) {
secret = *relaySecret
}
if len(flag.Args()) >= 2 {
secret = flag.Args()[1]
}
if len(flag.Args()) >= 3 || *machinePPID || "" != *clientSecret {
muid, err := machineid.ProtectedID(*appID + "|" + secret)
var ppid string
muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, secret))
//muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))
if nil != err {
panic(err)
fmt.Fprintf(os.Stderr, "unauthorized device: %s\n", err)
os.Exit(1)
return
}
muidBytes, _ := hex.DecodeString(muid)
ppid := base64.RawURLEncoding.EncodeToString(muidBytes)
ppid = base64.RawURLEncoding.EncodeToString(muidBytes)
fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
pub := authstore.ToPublicKeyString(ppid)
if len(flag.Args()) >= 3 || *machinePPID {
if *machinePPID {
fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
fmt.Fprintf(
os.Stdout,
@ -79,12 +86,11 @@ func main() {
)
return
}
fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
secret = ppid
}
tok, err := authstore.HMACToken(secret)
tok, err := authstore.HMACToken(ppid)
if nil != err {
fmt.Fprintf(os.Stderr, "signing error: %s\n", err)
os.Exit(1)
@ -92,11 +98,15 @@ func main() {
}
fmt.Fprintf(os.Stderr, "[debug] <token>\n")
fmt.Fprintf(os.Stdout, tok)
fmt.Fprintf(os.Stdout, "%s\n", tok)
_, err = telebit.Inspect(*authURL, tok)
if "" != *authURL {
grants, err := telebit.Inspect(*authURL, tok)
if nil != err {
fmt.Fprintf(os.Stderr, "inpsect relay token failed:\n%s\n", err)
fmt.Fprintf(os.Stderr, "inspect relay token failed:\n%s\n", err)
os.Exit(1)
}
fmt.Fprintf(os.Stderr, "[debug] <grants>\n")
fmt.Fprintf(os.Stderr, "%+v\n", grants)
}
}

View File

@ -209,6 +209,13 @@ func main() {
}
if 0 == len(*token) {
*token, err = authstore.HMACToken(ppid)
if dbg.Debug {
fmt.Printf("[debug] app_id: %q\n", ClientID)
//fmt.Printf("[debug] client_secret: %q\n", ClientSecret)
//fmt.Printf("[debug] ppid: %q\n", ppid)
//fmt.Printf("[debug] ppid: [redacted]\n")
fmt.Printf("[debug] token: %q\n", *token)
}
if nil != err {
fmt.Fprintf(os.Stderr, "neither secret nor token provided\n")
os.Exit(1)
@ -402,14 +409,14 @@ func muxAll(
}
if nil != grants {
for _, domainname := range grants.Domains {
fmt.Printf("Will respond to remote requests to %q\n", domainname)
for i, domainname := range grants.Domains {
fmt.Printf("[%d] Will decrypt remote requests to %q\n", i, domainname)
mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname)
}
}
for _, fwd := range forwards {
fmt.Printf("Will respond to local requests to %q\n", fwd.pattern)
for i, fwd := range forwards {
fmt.Printf("[%d] Will decrypt local requests to %q\n", i, fwd.pattern)
mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern)
}

25
examples/mgmt-ping.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
set -e
set -u
source .env
AUTH_URL="${AUTH_URL:-"http://localhost:3000/api"}"
# 1. (srv) create a new shared key for a given slug
# 2. (dev) try to update via ping
# 3. (dev) use key to exchange machine id
# 4. (dev) use key to connect to remote
# 5. (dev) ping occasionally
echo "CLIENT_SECRET: $CLIENT_SECRET"
TOKEN=$(go run cmd/signjwt/*.go --app-id "$APP_ID" --secret "$CLIENT_SECRET")
echo "TOKEN 1: $TOKEN"
my_parts=$(go run cmd/signjwt/*.go --secret $CLIENT_SECRET --machine-ppid)
my_ppid=$(echo $my_parts | cut -d' ' -f1)
my_keyid=$(echo $my_parts | cut -d' ' -f2)
echo "PPID: $my_ppid KeyID: $my_keyid"
curl -X POST "$AUTH_URL/ping" -H "Authorization: Bearer ${TOKEN}"
curl "$AUTH_URL/inspect" -H "Authorization: Bearer ${TOKEN}"

View File

@ -1,23 +0,0 @@
#!/bin/bash
set -e
set -u
# 1. (srv) create a new shared key for a given slug
# 2. (dev) try to update via ping
# 3. (dev) use key to exchange machine id
# 4. (dev) use key to connect to remote
# 5. (dev) ping occasionally
TOKEN=$(go run cmd/signjwt/*.go)
echo "TOKEN: $TOKEN"
my_shared="ZR2rxYmcKJcmtKgmH9D5Qw"
my_parts=$(go run cmd/signjwt/*.go $my_shared machineid)
my_ppid=$(echo $my_parts | cut -d' ' -f1)
my_keyid=$(echo $my_parts | cut -d' ' -f2)
echo "PPID: $my_ppid KeyID: $my_keyid"
TOKEN=$(go run cmd/signjwt/*.go $my_ppid)
curl -X POST http://localhost:3000/api/ping -H "Authorization: Bearer ${TOKEN}"
curl http://localhost:3000/api/inspect -H "Authorization: Bearer ${TOKEN}"