fix nil pointer, add more debugging
This commit is contained in:
parent
01177518e0
commit
678d7b5e11
|
@ -139,7 +139,7 @@ func routeAll() chi.Router {
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
claims, ok := ctx.Value(MWKey("claims")).(*MgmtClaims)
|
claims, ok := ctx.Value(MWKey("claims")).(*MgmtClaims)
|
||||||
if !ok {
|
if !ok {
|
||||||
msg := `{"error":"failure to ping: 1"}`
|
msg := `{"error":"failure to ping: 3"}`
|
||||||
fmt.Println("touch no claims", claims)
|
fmt.Println("touch no claims", claims)
|
||||||
http.Error(w, msg+"\n", http.StatusBadRequest)
|
http.Error(w, msg+"\n", http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
|
|
|
@ -21,7 +21,20 @@ var httpsrv *http.Server
|
||||||
func init() {
|
func init() {
|
||||||
r := chi.NewRouter()
|
r := chi.NewRouter()
|
||||||
|
|
||||||
r.HandleFunc("/ws", upgradeWebsocket)
|
r.Use(func(next http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
fmt.Println("[debug] should be handled by API or websocket upgrade")
|
||||||
|
next.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
r.Mount("/ws", http.HandlerFunc(upgradeWebsocket))
|
||||||
|
|
||||||
|
r.HandleFunc("/api/ping", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
fmt.Printf("[debug] hit /api/ping and replying\n")
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
w.Write(apiPingContent)
|
||||||
|
}))
|
||||||
|
|
||||||
r.Route("/api", func(r chi.Router) {
|
r.Route("/api", func(r chi.Router) {
|
||||||
// TODO token needs a globally unique subject
|
// TODO token needs a globally unique subject
|
||||||
|
@ -40,6 +53,7 @@ func init() {
|
||||||
if "*" != grants.Subject {
|
if "*" != grants.Subject {
|
||||||
log.Println("only admins allowed", err)
|
log.Println("only admins allowed", err)
|
||||||
w.Write(apiNotAuthorizedContent)
|
w.Write(apiNotAuthorizedContent)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
next.ServeHTTP(w, r)
|
next.ServeHTTP(w, r)
|
||||||
|
@ -59,6 +73,7 @@ func init() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var apiPingContent = []byte("{ \"success\": true, \"error\": \"\" }\n")
|
||||||
var apiNotFoundContent = []byte("{ \"error\": \"not found\" }\n")
|
var apiNotFoundContent = []byte("{ \"error\": \"not found\" }\n")
|
||||||
var apiNotAuthorizedContent = []byte("{ \"error\": \"not authorized\" }\n")
|
var apiNotAuthorizedContent = []byte("{ \"error\": \"not authorized\" }\n")
|
||||||
|
|
||||||
|
@ -146,6 +161,7 @@ func upgradeWebsocket(w http.ResponseWriter, r *http.Request) {
|
||||||
ReadBufferSize: 1024,
|
ReadBufferSize: 1024,
|
||||||
WriteBufferSize: 1024,
|
WriteBufferSize: 1024,
|
||||||
}
|
}
|
||||||
|
fmt.Println("[debug] grants", grants)
|
||||||
conn, err := upgrader.Upgrade(w, r, nil)
|
conn, err := upgrader.Upgrade(w, r, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("WebSocket upgrade failed", err)
|
log.Println("WebSocket upgrade failed", err)
|
||||||
|
|
|
@ -12,6 +12,7 @@ func NewAuthorizer(authURL string) telebit.Authorizer {
|
||||||
return func(r *http.Request) (*telebit.Grants, error) {
|
return func(r *http.Request) (*telebit.Grants, error) {
|
||||||
// do we have a valid wss_client?
|
// do we have a valid wss_client?
|
||||||
|
|
||||||
|
fmt.Printf("[authz] Authorization = %s\n", r.Header.Get("Authorization"))
|
||||||
var tokenString string
|
var tokenString string
|
||||||
if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) > 1 {
|
if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) > 1 {
|
||||||
// TODO handle Basic auth tokens as well
|
// TODO handle Basic auth tokens as well
|
||||||
|
@ -25,10 +26,12 @@ func NewAuthorizer(authURL string) telebit.Authorizer {
|
||||||
r.URL.Query().Set("access_token", "[redacted]")
|
r.URL.Query().Set("access_token", "[redacted]")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fmt.Printf("[authz] authURL = %s\n", authURL)
|
||||||
|
fmt.Printf("[authz] token = %s\n", tokenString)
|
||||||
grants, err := telebit.Inspect(authURL, tokenString)
|
grants, err := telebit.Inspect(authURL, tokenString)
|
||||||
|
|
||||||
if nil != err {
|
if nil != err {
|
||||||
fmt.Println("return an error, do not go on")
|
fmt.Printf("[authorizer] error inspecting %q: %s\ntoken: %s\n", authURL, err, tokenString)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if "" != r.URL.Query().Get("access_token") {
|
if "" != r.URL.Query().Get("access_token") {
|
||||||
|
|
|
@ -21,9 +21,10 @@ import (
|
||||||
"git.coolaj86.com/coolaj86/go-telebitd/mgmt"
|
"git.coolaj86.com/coolaj86/go-telebitd/mgmt"
|
||||||
"git.coolaj86.com/coolaj86/go-telebitd/mgmt/authstore"
|
"git.coolaj86.com/coolaj86/go-telebitd/mgmt/authstore"
|
||||||
telebit "git.coolaj86.com/coolaj86/go-telebitd/mplexer"
|
telebit "git.coolaj86.com/coolaj86/go-telebitd/mplexer"
|
||||||
"git.coolaj86.com/coolaj86/go-telebitd/mplexer/dns01"
|
tbDns01 "git.coolaj86.com/coolaj86/go-telebitd/mplexer/dns01"
|
||||||
httpshim "git.coolaj86.com/coolaj86/go-telebitd/relay/tunnel"
|
httpshim "git.coolaj86.com/coolaj86/go-telebitd/relay/tunnel"
|
||||||
"git.coolaj86.com/coolaj86/go-telebitd/table"
|
"git.coolaj86.com/coolaj86/go-telebitd/table"
|
||||||
|
legoDns01 "github.com/go-acme/lego/v3/challenge/dns01"
|
||||||
|
|
||||||
"github.com/caddyserver/certmagic"
|
"github.com/caddyserver/certmagic"
|
||||||
"github.com/denisbrodbeck/machineid"
|
"github.com/denisbrodbeck/machineid"
|
||||||
|
@ -78,8 +79,6 @@ func main() {
|
||||||
portToPorts := flag.String("port-forward", "", "a list of <from-port>:<to-port> for raw port-forwarding")
|
portToPorts := flag.String("port-forward", "", "a list of <from-port>:<to-port> for raw port-forwarding")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
authorizer = NewAuthorizer(*authURL)
|
|
||||||
|
|
||||||
if len(os.Args) >= 2 {
|
if len(os.Args) >= 2 {
|
||||||
if "version" == os.Args[1] {
|
if "version" == os.Args[1] {
|
||||||
fmt.Printf("telebit %s %s %s", GitVersion, GitRev[:7], GitTimestamp)
|
fmt.Printf("telebit %s %s %s", GitVersion, GitRev[:7], GitTimestamp)
|
||||||
|
@ -164,14 +163,21 @@ func main() {
|
||||||
*relay = os.Getenv("RELAY") // "wss://example.com:443"
|
*relay = os.Getenv("RELAY") // "wss://example.com:443"
|
||||||
}
|
}
|
||||||
if 0 == len(*relay) {
|
if 0 == len(*relay) {
|
||||||
fmt.Fprintf(os.Stderr, "Missing relay url\n")
|
if len(bindAddrs) > 0 {
|
||||||
|
fmt.Fprintf(os.Stderr, "Acting as Relay\n")
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(os.Stderr, "error: must provider or act as Relay\n")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if 0 == len(*acmeRelay) {
|
if 0 == len(*acmeRelay) {
|
||||||
*acmeRelay = strings.Replace(*relay, "ws", "http", 1) // "https://example.com:443"
|
*acmeRelay = strings.Replace(*relay, "ws", "http", 1) // "https://example.com:443"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if 0 == len(*authURL) {
|
||||||
|
*authURL = os.Getenv("AUTH_URL")
|
||||||
|
}
|
||||||
if len(*relay) > 0 || len(*acmeRelay) > 0 {
|
if len(*relay) > 0 || len(*acmeRelay) > 0 {
|
||||||
if "" == *authURL {
|
if "" == *authURL {
|
||||||
*authURL = strings.Replace(*relay, "ws", "http", 1) // "https://example.com:443"
|
*authURL = strings.Replace(*relay, "ws", "http", 1) // "https://example.com:443"
|
||||||
|
@ -192,6 +198,7 @@ func main() {
|
||||||
}
|
}
|
||||||
fmt.Println("grants", grants)
|
fmt.Println("grants", grants)
|
||||||
}
|
}
|
||||||
|
authorizer = NewAuthorizer(*authURL)
|
||||||
|
|
||||||
provider, err := getACMEProvider(acmeRelay, token)
|
provider, err := getACMEProvider(acmeRelay, token)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
|
@ -199,12 +206,22 @@ func main() {
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
fmt.Printf("Email: %q\n", *email)
|
||||||
acme := &telebit.ACME{
|
acme := &telebit.ACME{
|
||||||
Email: *email,
|
Email: *email,
|
||||||
StoragePath: *certpath,
|
StoragePath: *certpath,
|
||||||
Agree: *acmeAgree,
|
Agree: *acmeAgree,
|
||||||
Directory: *acmeDirectory,
|
Directory: *acmeDirectory,
|
||||||
DNSProvider: provider,
|
DNSProvider: provider,
|
||||||
|
//DNSChallengeOption: legoDns01.DNSProviderOption,
|
||||||
|
DNSChallengeOption: legoDns01.WrapPreCheck(func(domain, fqdn, value string, orig legoDns01.PreCheckFunc) (bool, error) {
|
||||||
|
ok, err := orig(fqdn, value)
|
||||||
|
if ok {
|
||||||
|
fmt.Println("[Telebit-ACME-DNS] sleeping an additional 5 seconds")
|
||||||
|
time.Sleep(5 * time.Second)
|
||||||
|
}
|
||||||
|
return ok, err
|
||||||
|
}),
|
||||||
EnableHTTPChallenge: *enableHTTP01,
|
EnableHTTPChallenge: *enableHTTP01,
|
||||||
EnableTLSALPNChallenge: *enableTLSALPN01,
|
EnableTLSALPNChallenge: *enableTLSALPN01,
|
||||||
}
|
}
|
||||||
|
@ -229,8 +246,11 @@ func main() {
|
||||||
go func() {
|
go func() {
|
||||||
httpsrv.Serve(listener)
|
httpsrv.Serve(listener)
|
||||||
}()
|
}()
|
||||||
|
fmt.Printf("Will respond to Websocket and API requests to %q\n", *apiHostname)
|
||||||
mux.HandleTCP(*apiHostname, telebit.HandlerFunc(func(client net.Conn) error {
|
mux.HandleTCP(*apiHostname, telebit.HandlerFunc(func(client net.Conn) error {
|
||||||
|
fmt.Printf("[debug] Accepting API or WebSocket client %q\n", *apiHostname)
|
||||||
listener.Feed(client)
|
listener.Feed(client)
|
||||||
|
fmt.Printf("[debug] done with %q client\n", *apiHostname)
|
||||||
// TODO use a more correct non-error error?
|
// TODO use a more correct non-error error?
|
||||||
// or perhaps (ok, error) or (handled, error)?
|
// or perhaps (ok, error) or (handled, error)?
|
||||||
return io.EOF
|
return io.EOF
|
||||||
|
@ -332,6 +352,7 @@ func routeSubscribersAndClients(client net.Conn) error {
|
||||||
servername := strings.ToLower(wconn.Servername())
|
servername := strings.ToLower(wconn.Servername())
|
||||||
if "" != servername && !isHostname(servername) {
|
if "" != servername && !isHostname(servername) {
|
||||||
_ = client.Close()
|
_ = client.Close()
|
||||||
|
fmt.Println("[debug] invalid servername")
|
||||||
return fmt.Errorf("invalid servername")
|
return fmt.Errorf("invalid servername")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -365,6 +386,7 @@ func routeSubscribersAndClients(client net.Conn) error {
|
||||||
func tryToServeName(servername string, wconn *telebit.ConnWrap) bool {
|
func tryToServeName(servername string, wconn *telebit.ConnWrap) bool {
|
||||||
srv, ok := table.GetServer(servername)
|
srv, ok := table.GetServer(servername)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
fmt.Println("[debug] no server to server", servername)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -493,15 +515,15 @@ func newGoDaddyDNSProvider(id, secret string) (*godaddy.DNSProvider, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// newAPIDNSProvider is for the sake of demoing the tunnel
|
// newAPIDNSProvider is for the sake of demoing the tunnel
|
||||||
func newAPIDNSProvider(baseURL string, token string) (*dns01.DNSProvider, error) {
|
func newAPIDNSProvider(baseURL string, token string) (*tbDns01.DNSProvider, error) {
|
||||||
config := dns01.NewDefaultConfig()
|
config := tbDns01.NewDefaultConfig()
|
||||||
config.Token = token
|
config.Token = token
|
||||||
endpoint, err := url.Parse(baseURL)
|
endpoint, err := url.Parse(baseURL)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
config.Endpoint = endpoint
|
config.Endpoint = endpoint
|
||||||
return dns01.NewDNSProviderConfig(config)
|
return tbDns01.NewDNSProviderConfig(config)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -138,8 +138,9 @@ func (c *ConnWrap) isTerminated() bool {
|
||||||
c.SetDeadline(time.Now().Add(5 * time.Second))
|
c.SetDeadline(time.Now().Add(5 * time.Second))
|
||||||
n := 6
|
n := 6
|
||||||
b, _ := c.Peek(n)
|
b, _ := c.Peek(n)
|
||||||
fmt.Println("Peek(n)", b)
|
fmt.Println("Peek(n)", b, string(b))
|
||||||
defer c.SetDeadline(time.Time{})
|
defer c.SetDeadline(time.Time{})
|
||||||
|
var encrypted bool
|
||||||
if len(b) >= n {
|
if len(b) >= n {
|
||||||
// SSL v3.x / TLS v1.x
|
// SSL v3.x / TLS v1.x
|
||||||
// 0: TLS Byte
|
// 0: TLS Byte
|
||||||
|
@ -153,15 +154,16 @@ func (c *ConnWrap) isTerminated() bool {
|
||||||
length := (int(b[3]) << 8) + int(b[4])
|
length := (int(b[3]) << 8) + int(b[4])
|
||||||
b, err := c.Peek(n - 1 + length)
|
b, err := c.Peek(n - 1 + length)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
*c.encrypted = false
|
c.encrypted = &encrypted
|
||||||
return !*c.encrypted
|
return !*c.encrypted
|
||||||
}
|
}
|
||||||
c.servername, _ = sni.GetHostname(b)
|
c.servername, _ = sni.GetHostname(b)
|
||||||
*c.encrypted = true
|
encrypted = true
|
||||||
|
c.encrypted = &encrypted
|
||||||
return !*c.encrypted
|
return !*c.encrypted
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
*c.encrypted = false
|
c.encrypted = &encrypted
|
||||||
return !*c.encrypted
|
return !*c.encrypted
|
||||||
/*
|
/*
|
||||||
if nil != err {
|
if nil != err {
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
|
|
||||||
"github.com/caddyserver/certmagic"
|
"github.com/caddyserver/certmagic"
|
||||||
"github.com/go-acme/lego/v3/challenge"
|
"github.com/go-acme/lego/v3/challenge"
|
||||||
|
"github.com/go-acme/lego/v3/challenge/dns01"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Note: 64k is the TCP max, but 1460b is the 100mbit Ethernet max (1500 MTU - overhead),
|
// Note: 64k is the TCP max, but 1460b is the 100mbit Ethernet max (1500 MTU - overhead),
|
||||||
|
@ -176,6 +177,7 @@ type ACME struct {
|
||||||
Email string
|
Email string
|
||||||
Directory string
|
Directory string
|
||||||
DNSProvider challenge.Provider
|
DNSProvider challenge.Provider
|
||||||
|
DNSChallengeOption dns01.ChallengeOption
|
||||||
Storage certmagic.Storage
|
Storage certmagic.Storage
|
||||||
StoragePath string
|
StoragePath string
|
||||||
EnableHTTPChallenge bool
|
EnableHTTPChallenge bool
|
||||||
|
@ -205,7 +207,7 @@ func TerminateTLS(client net.Conn, acme *ACME) net.Conn {
|
||||||
}
|
}
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
magic, err = newCertMagic(acme)
|
magic, err = NewCertMagic(acme)
|
||||||
if nil != err {
|
if nil != err {
|
||||||
fmt.Fprintf(
|
fmt.Fprintf(
|
||||||
os.Stderr,
|
os.Stderr,
|
||||||
|
@ -276,7 +278,7 @@ func TerminateTLS(client net.Conn, acme *ACME) net.Conn {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func newCertMagic(acme *ACME) (*certmagic.Config, error) {
|
func NewCertMagic(acme *ACME) (*certmagic.Config, error) {
|
||||||
if !acme.Agree {
|
if !acme.Agree {
|
||||||
fmt.Fprintf(
|
fmt.Fprintf(
|
||||||
os.Stderr,
|
os.Stderr,
|
||||||
|
@ -304,8 +306,10 @@ func newCertMagic(acme *ACME) (*certmagic.Config, error) {
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
// yes, a circular reference, passing `magic` to its own Issuer
|
// yes, a circular reference, passing `magic` to its own Issuer
|
||||||
|
fmt.Printf("[debug] ACME Email: %q\n", acme.Email)
|
||||||
magic.Issuer = certmagic.NewACMEManager(magic, certmagic.ACMEManager{
|
magic.Issuer = certmagic.NewACMEManager(magic, certmagic.ACMEManager{
|
||||||
DNSProvider: acme.DNSProvider,
|
DNSProvider: acme.DNSProvider,
|
||||||
|
DNSChallengeOption: acme.DNSChallengeOption,
|
||||||
CA: acme.Directory,
|
CA: acme.Directory,
|
||||||
Email: acme.Email,
|
Email: acme.Email,
|
||||||
Agreed: acme.Agree,
|
Agreed: acme.Agree,
|
||||||
|
|
Loading…
Reference in New Issue