update auth options
This commit is contained in:
parent
52c636d8d6
commit
360f800a30
|
@ -15,61 +15,68 @@ import (
|
|||
)
|
||||
|
||||
func main() {
|
||||
var secret, clientSecret, relaySecret string
|
||||
|
||||
appID := flag.String("app-id", "", "a unique identifier for a deploy target environment")
|
||||
authURL := flag.String("auth-url", "", "the base url for authentication, if not the same as the tunnel relay")
|
||||
clientSecret := flag.String("client-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
|
||||
machinePPID := flag.Bool("machine-ppid", false, "just print the machine ppid, not the token")
|
||||
relaySecret := flag.String("relay-secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
|
||||
flag.StringVar(&secret, "secret", "", "either the remote server or the tunnel relay secret (used for JWT authentication)")
|
||||
flag.Parse()
|
||||
|
||||
if 0 == len(*appID) {
|
||||
*appID = os.Getenv("APP_ID")
|
||||
}
|
||||
if 0 == len(*appID) {
|
||||
*appID = "telebit.io"
|
||||
}
|
||||
if 0 == len(*clientSecret) {
|
||||
*clientSecret = os.Getenv("CLIENT_SECRET")
|
||||
}
|
||||
if 0 == len(*relaySecret) {
|
||||
*relaySecret = os.Getenv("RELAY_SECRET")
|
||||
if 0 == len(*relaySecret) {
|
||||
*relaySecret = os.Getenv("SECRET")
|
||||
}
|
||||
}
|
||||
|
||||
if 0 == len(*authURL) {
|
||||
*authURL = os.Getenv("AUTH_URL")
|
||||
}
|
||||
|
||||
if len(flag.Args()) >= 2 {
|
||||
*relaySecret = flag.Args()[1]
|
||||
if 0 == len(*appID) {
|
||||
*appID = os.Getenv("APP_ID")
|
||||
}
|
||||
if "" == *relaySecret && "" == *clientSecret {
|
||||
fmt.Fprintf(os.Stderr, "Usage: signjwt <secret>\n")
|
||||
if 0 == len(*appID) {
|
||||
*appID = os.Getenv("CLIENT_ID")
|
||||
}
|
||||
if 0 == len(*appID) {
|
||||
*appID = "telebit.io"
|
||||
}
|
||||
|
||||
if 0 == len(secret) {
|
||||
clientSecret = os.Getenv("CLIENT_SECRET")
|
||||
relaySecret = os.Getenv("RELAY_SECRET")
|
||||
if 0 == len(relaySecret) {
|
||||
relaySecret = os.Getenv("SECRET")
|
||||
}
|
||||
}
|
||||
if 0 == len(secret) {
|
||||
secret = clientSecret
|
||||
}
|
||||
if 0 == len(secret) {
|
||||
secret = relaySecret
|
||||
}
|
||||
|
||||
if 0 == len(secret) && 0 == len(clientSecret) && 0 == len(relaySecret) {
|
||||
fmt.Fprintf(os.Stderr, "See usage: signjwt --help\n")
|
||||
os.Exit(1)
|
||||
return
|
||||
} else if 0 != len(clientSecret) && 0 != len(relaySecret) {
|
||||
fmt.Fprintf(os.Stderr, "Use only one of $SECRET or --relay-secret or --client-secret\n")
|
||||
os.Exit(1)
|
||||
return
|
||||
}
|
||||
|
||||
secret := *clientSecret
|
||||
if 0 == len(secret) {
|
||||
secret = *relaySecret
|
||||
}
|
||||
if len(flag.Args()) >= 2 {
|
||||
secret = flag.Args()[1]
|
||||
}
|
||||
|
||||
if len(flag.Args()) >= 3 || *machinePPID || "" != *clientSecret {
|
||||
muid, err := machineid.ProtectedID(*appID + "|" + secret)
|
||||
var ppid string
|
||||
muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, secret))
|
||||
//muid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))
|
||||
if nil != err {
|
||||
panic(err)
|
||||
fmt.Fprintf(os.Stderr, "unauthorized device: %s\n", err)
|
||||
os.Exit(1)
|
||||
return
|
||||
}
|
||||
muidBytes, _ := hex.DecodeString(muid)
|
||||
ppid := base64.RawURLEncoding.EncodeToString(muidBytes)
|
||||
ppid = base64.RawURLEncoding.EncodeToString(muidBytes)
|
||||
|
||||
fmt.Fprintf(os.Stderr, "[debug] appID = %s\n", *appID)
|
||||
fmt.Fprintf(os.Stderr, "[debug] secret = %s\n", secret)
|
||||
pub := authstore.ToPublicKeyString(ppid)
|
||||
if len(flag.Args()) >= 3 || *machinePPID {
|
||||
|
||||
if *machinePPID {
|
||||
fmt.Fprintf(os.Stderr, "[debug]: <ppid> <pub>\n")
|
||||
fmt.Fprintf(
|
||||
os.Stdout,
|
||||
|
@ -79,12 +86,11 @@ func main() {
|
|||
)
|
||||
return
|
||||
}
|
||||
|
||||
fmt.Fprintf(os.Stderr, "[debug] ppid = %s\n", ppid)
|
||||
fmt.Fprintf(os.Stderr, "[debug] pub = %s\n", pub)
|
||||
secret = ppid
|
||||
}
|
||||
|
||||
tok, err := authstore.HMACToken(secret)
|
||||
tok, err := authstore.HMACToken(ppid)
|
||||
if nil != err {
|
||||
fmt.Fprintf(os.Stderr, "signing error: %s\n", err)
|
||||
os.Exit(1)
|
||||
|
@ -92,11 +98,15 @@ func main() {
|
|||
}
|
||||
|
||||
fmt.Fprintf(os.Stderr, "[debug] <token>\n")
|
||||
fmt.Fprintf(os.Stdout, tok)
|
||||
fmt.Fprintf(os.Stdout, "%s\n", tok)
|
||||
|
||||
_, err = telebit.Inspect(*authURL, tok)
|
||||
if "" != *authURL {
|
||||
grants, err := telebit.Inspect(*authURL, tok)
|
||||
if nil != err {
|
||||
fmt.Fprintf(os.Stderr, "inpsect relay token failed:\n%s\n", err)
|
||||
fmt.Fprintf(os.Stderr, "inspect relay token failed:\n%s\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "[debug] <grants>\n")
|
||||
fmt.Fprintf(os.Stderr, "%+v\n", grants)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -209,6 +209,13 @@ func main() {
|
|||
}
|
||||
if 0 == len(*token) {
|
||||
*token, err = authstore.HMACToken(ppid)
|
||||
if dbg.Debug {
|
||||
fmt.Printf("[debug] app_id: %q\n", ClientID)
|
||||
//fmt.Printf("[debug] client_secret: %q\n", ClientSecret)
|
||||
//fmt.Printf("[debug] ppid: %q\n", ppid)
|
||||
//fmt.Printf("[debug] ppid: [redacted]\n")
|
||||
fmt.Printf("[debug] token: %q\n", *token)
|
||||
}
|
||||
if nil != err {
|
||||
fmt.Fprintf(os.Stderr, "neither secret nor token provided\n")
|
||||
os.Exit(1)
|
||||
|
@ -402,14 +409,14 @@ func muxAll(
|
|||
}
|
||||
|
||||
if nil != grants {
|
||||
for _, domainname := range grants.Domains {
|
||||
fmt.Printf("Will respond to remote requests to %q\n", domainname)
|
||||
for i, domainname := range grants.Domains {
|
||||
fmt.Printf("[%d] Will decrypt remote requests to %q\n", i, domainname)
|
||||
mux.HandleTLS(domainname, acme, mux, "[Terminate TLS & Recurse] for (tunnel) "+domainname)
|
||||
}
|
||||
}
|
||||
|
||||
for _, fwd := range forwards {
|
||||
fmt.Printf("Will respond to local requests to %q\n", fwd.pattern)
|
||||
for i, fwd := range forwards {
|
||||
fmt.Printf("[%d] Will decrypt local requests to %q\n", i, fwd.pattern)
|
||||
mux.HandleTLS(fwd.pattern, acme, mux, "[Terminate TLS & Recurse] for (local) "+fwd.pattern)
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -u
|
||||
|
||||
source .env
|
||||
AUTH_URL="${AUTH_URL:-"http://localhost:3000/api"}"
|
||||
|
||||
# 1. (srv) create a new shared key for a given slug
|
||||
# 2. (dev) try to update via ping
|
||||
# 3. (dev) use key to exchange machine id
|
||||
# 4. (dev) use key to connect to remote
|
||||
# 5. (dev) ping occasionally
|
||||
|
||||
echo "CLIENT_SECRET: $CLIENT_SECRET"
|
||||
TOKEN=$(go run cmd/signjwt/*.go --app-id "$APP_ID" --secret "$CLIENT_SECRET")
|
||||
echo "TOKEN 1: $TOKEN"
|
||||
|
||||
my_parts=$(go run cmd/signjwt/*.go --secret $CLIENT_SECRET --machine-ppid)
|
||||
my_ppid=$(echo $my_parts | cut -d' ' -f1)
|
||||
my_keyid=$(echo $my_parts | cut -d' ' -f2)
|
||||
echo "PPID: $my_ppid KeyID: $my_keyid"
|
||||
|
||||
curl -X POST "$AUTH_URL/ping" -H "Authorization: Bearer ${TOKEN}"
|
||||
curl "$AUTH_URL/inspect" -H "Authorization: Bearer ${TOKEN}"
|
|
@ -1,23 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -u
|
||||
|
||||
# 1. (srv) create a new shared key for a given slug
|
||||
# 2. (dev) try to update via ping
|
||||
# 3. (dev) use key to exchange machine id
|
||||
# 4. (dev) use key to connect to remote
|
||||
# 5. (dev) ping occasionally
|
||||
|
||||
TOKEN=$(go run cmd/signjwt/*.go)
|
||||
echo "TOKEN: $TOKEN"
|
||||
|
||||
my_shared="ZR2rxYmcKJcmtKgmH9D5Qw"
|
||||
my_parts=$(go run cmd/signjwt/*.go $my_shared machineid)
|
||||
my_ppid=$(echo $my_parts | cut -d' ' -f1)
|
||||
my_keyid=$(echo $my_parts | cut -d' ' -f2)
|
||||
echo "PPID: $my_ppid KeyID: $my_keyid"
|
||||
|
||||
TOKEN=$(go run cmd/signjwt/*.go $my_ppid)
|
||||
curl -X POST http://localhost:3000/api/ping -H "Authorization: Bearer ${TOKEN}"
|
||||
curl http://localhost:3000/api/inspect -H "Authorization: Bearer ${TOKEN}"
|
Loading…
Reference in New Issue