root
/
telebit
mirror of https://github.com/therootcompany/telebit.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
telebit/cmd/mgmt/route.go

244 lines
6.5 KiB
Go
Raw Blame History

package main
import (
"context"
"encoding/json"
"fmt"
"log"
"net/http"
"strings"
"time"
"git.rootprojects.org/root/telebit/mgmt/authstore"
"github.com/dgrijalva/jwt-go"
"github.com/go-chi/chi"
"github.com/go-chi/chi/middleware"
)
type MgmtClaims struct {
Slug string `json:"slug"`
jwt.StandardClaims
}
var presenters = make(chan *Challenge)
var cleanups = make(chan *Challenge)
func routeAll() chi.Router {
go func() {
for {
// TODO make parallel?
// TODO make cancellable?
ch := <-presenters
err := provider.Present(ch.Domain, ch.Token, ch.KeyAuth)
ch.error <- err
}
}()
go func() {
for {
// TODO make parallel?
// TODO make cancellable?
ch := <-cleanups
ch.error <- provider.CleanUp(ch.Domain, ch.Token, ch.KeyAuth)
}
}()
r := chi.NewRouter()
r.Use(middleware.Logger)
r.Use(middleware.Timeout(15 * time.Second))
r.Use(middleware.Recoverer)
r.Route("/api", func(r chi.Router) {
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
var tokenString string
if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) > 1 {
// TODO handle Basic auth tokens as well
tokenString = auth[1]
}
//var err2 error = nil
tok, err := jwt.ParseWithClaims(
tokenString,
&MgmtClaims{},
func(token *jwt.Token) (interface{}, error) {
fmt.Println("parsed jwt", token)
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, fmt.Errorf("missing jwt header 'kid' (key id)")
}
auth, err := store.Get(kid)
if nil != err {
return nil, fmt.Errorf("invalid jwt header 'kid' (key id)")
}
claims := token.Claims.(*MgmtClaims)
jti := claims.Id
if "" == jti {
return nil, fmt.Errorf("missing jwt payload 'jti' (jwt id / nonce)")
}
iat := claims.IssuedAt
if 0 == iat {
return nil, fmt.Errorf("missing jwt payload 'iat' (issued at)")
}
exp := claims.ExpiresAt
if 0 == exp {
return nil, fmt.Errorf("missing jwt payload 'exp' (expires at)")
}
if "" != claims.Slug {
return nil, fmt.Errorf("extra jwt payload 'slug' (unknown)")
}
claims.Slug = auth.Slug
if "" != claims.Subject && auth.Slug != claims.Subject {
return nil, fmt.Errorf("invalid jwt payload 'sub' (mismatch)")
}
claims.Issuer = primaryDomain
/*
// a little misdirection there
mac := hmac.New(sha256.New, auth.MachinePPID)
_ = mac.Write([]byte(auth.SharedKey))
_ = mac.Write([]byte(fmt.Sprintf("%d", exp)))
return []byte(auth.SharedKey), nil
*/
//fmt.Println("ppid:", auth.MachinePPID)
return []byte(auth.MachinePPID), nil
},
)
ctx := r.Context()
if nil != err {
fmt.Println("auth err", err)
ctx = context.WithValue(ctx, MWKey("error"), err)
}
if nil != tok {
fmt.Println("any auth?", tok)
if tok.Valid {
ctx = context.WithValue(ctx, MWKey("token"), tok)
ctx = context.WithValue(ctx, MWKey("claims"), tok.Claims)
ctx = context.WithValue(ctx, MWKey("valid"), true)
}
}
fmt.Println("Good Auth?")
fmt.Println(ctx.Value(MWKey("claims")))
next.ServeHTTP(w, r.WithContext(ctx))
})
})
handleDNSRoutes(r)
handleDeviceRoutes(r)
r.Get("/inspect", func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
claims, ok := ctx.Value(MWKey("claims")).(*MgmtClaims)
if !ok {
msg := `{"error":"failure to ping: 3"}`
fmt.Println("touch no claims", claims)
http.Error(w, msg+"\n", http.StatusBadRequest)
return
}
w.Write([]byte(fmt.Sprintf(
`{ "sub": "%s", "domains": [ "%s.%s" ], "ports": [] }`+"\n",
claims.Subject,
claims.Slug,
primaryDomain,
)))
})
r.Route("/register-device", func(r chi.Router) {
// r.Use() // must NOT have slug '*'
r.Post("/{otp}", func(w http.ResponseWriter, r *http.Request) {
sharedKey := chi.URLParam(r, "otp")
original, err := store.Get(sharedKey)
if "" != original.MachinePPID {
msg := `{"error":"the presented key has already been used"}`
log.Printf("/api/register-device/\n")
log.Println(err)
http.Error(w, msg, http.StatusInternalServerError)
return
}
auth := &authstore.Authorization{}
decoder := json.NewDecoder(r.Body)
err = decoder.Decode(&auth)
// MachinePPID and PublicKey are required. ID must NOT be set. Slug is ignored.
epoch := time.Time{}
auth.SharedKey = sharedKey
if nil != err || "" != auth.ID || "" == auth.MachinePPID ||
"" == auth.PublicKey || "" == auth.SharedKey ||
epoch != auth.CreatedAt || epoch != auth.UpdatedAt || epoch != auth.DeletedAt {
msg, _ := json.Marshal(&struct {
Error string `json:"error"`
}{
Error: "expected JSON in the format {\"machine_ppid\":\"\",\"public_key\":\"\"}",
})
http.Error(w, string(msg), http.StatusUnprocessableEntity)
return
}
// TODO hash the PPID and check against the Public Key?
pub := authstore.ToPublicKeyString(auth.MachinePPID)
if pub != auth.PublicKey {
msg, _ := json.Marshal(&struct {
Error string `json:"error"`
}{
Error: "expected `public_key` to be the first 24 bytes of the hash of the `machine_ppid`",
})
http.Error(w, string(msg), http.StatusUnprocessableEntity)
return
}
original.PublicKey = auth.PublicKey
original.MachinePPID = auth.MachinePPID
err = store.Set(original)
if nil != err {
msg := `{"error":"not really sure what happened, but it didn't go well (check the logs)"}`
log.Printf("/api/register-device/\n")
log.Println(err)
http.Error(w, msg, http.StatusInternalServerError)
return
}
result, _ := json.Marshal(auth)
w.Write(result)
})
})
r.Post("/ping", func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
claims, ok := ctx.Value(MWKey("claims")).(*MgmtClaims)
if !ok {
msg := `{"error":"failure to ping: 1"}`
fmt.Println("touch no claims", claims)
http.Error(w, msg+"\n", http.StatusBadRequest)
return
}
fmt.Println("ping pong??", claims)
err := store.Touch(claims.Slug)
if nil != err {
msg := `{"error":"failure to ping: 2"}`
fmt.Println("touch err", err)
http.Error(w, msg+"\n", http.StatusBadRequest)
return
}
w.Write([]byte(`{ "success": true }` + "\n"))
})
r.Get("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Hello\n"))
})
})
return r
}
Reference in New Issue View Git Blame Copy Permalink