2021-04-07 07:13:34 +08:00
|
|
|
package controller
|
|
|
|
|
|
|
|
|
|
import (
|
2022-04-14 23:40:13 +08:00
|
|
|
"crypto/ed25519"
|
2022-04-15 02:14:37 +08:00
|
|
|
"crypto/x509"
|
2022-04-16 20:27:22 +08:00
|
|
|
"crypto/x509/pkix"
|
2021-08-17 04:30:55 +08:00
|
|
|
"encoding/json"
|
2022-04-15 02:14:37 +08:00
|
|
|
"fmt"
|
2021-08-17 04:30:55 +08:00
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/gorilla/mux"
|
2022-04-14 05:33:40 +08:00
|
|
|
"github.com/gravitl/netmaker/logger"
|
2021-10-27 00:27:29 +08:00
|
|
|
"github.com/gravitl/netmaker/logic"
|
2021-08-17 04:30:55 +08:00
|
|
|
"github.com/gravitl/netmaker/models"
|
2022-04-14 06:22:03 +08:00
|
|
|
"github.com/gravitl/netmaker/netclient/config"
|
2021-08-17 04:30:55 +08:00
|
|
|
"github.com/gravitl/netmaker/servercfg"
|
2022-04-14 04:22:46 +08:00
|
|
|
"github.com/gravitl/netmaker/tls"
|
2021-04-07 07:13:34 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func serverHandlers(r *mux.Router) {
|
2022-01-13 08:45:42 +08:00
|
|
|
// r.HandleFunc("/api/server/addnetwork/{network}", securityCheckServer(true, http.HandlerFunc(addNetwork))).Methods("POST")
|
2021-08-17 04:30:55 +08:00
|
|
|
r.HandleFunc("/api/server/getconfig", securityCheckServer(false, http.HandlerFunc(getConfig))).Methods("GET")
|
|
|
|
|
r.HandleFunc("/api/server/removenetwork/{network}", securityCheckServer(true, http.HandlerFunc(removeNetwork))).Methods("DELETE")
|
2022-04-25 22:38:29 +08:00
|
|
|
r.HandleFunc("/api/server/register", authorize(true, false, "node", http.HandlerFunc(register))).Methods("POST")
|
2022-05-31 20:42:12 +08:00
|
|
|
r.HandleFunc("/api/server/getserverinfo", authorize(true, false, "node", http.HandlerFunc(getServerInfo))).Methods("GET")
|
2021-04-07 07:13:34 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Security check is middleware for every function and just checks to make sure that its the master calling
|
2021-04-13 12:42:35 +08:00
|
|
|
//Only admin should have access to all these network-level actions
|
2021-04-07 07:13:34 +08:00
|
|
|
//or maybe some Users once implemented
|
2021-08-10 05:04:16 +08:00
|
|
|
func securityCheckServer(adminonly bool, next http.Handler) http.HandlerFunc {
|
2021-04-07 07:13:34 +08:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
var errorResponse = models.ErrorResponse{
|
|
|
|
|
Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bearerToken := r.Header.Get("Authorization")
|
|
|
|
|
|
|
|
|
|
var tokenSplit = strings.Split(bearerToken, " ")
|
2021-08-17 04:30:55 +08:00
|
|
|
var authToken = ""
|
2021-04-07 07:13:34 +08:00
|
|
|
if len(tokenSplit) < 2 {
|
2021-08-17 04:30:55 +08:00
|
|
|
errorResponse = models.ErrorResponse{
|
|
|
|
|
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
|
|
|
|
}
|
|
|
|
|
returnErrorResponse(w, r, errorResponse)
|
|
|
|
|
return
|
|
|
|
|
} else {
|
2021-04-07 07:13:34 +08:00
|
|
|
authToken = tokenSplit[1]
|
|
|
|
|
}
|
|
|
|
|
//all endpoints here require master so not as complicated
|
|
|
|
|
//still might not be a good way of doing this
|
2021-10-27 00:27:29 +08:00
|
|
|
user, _, isadmin, err := logic.VerifyUserToken(authToken)
|
2021-08-17 04:30:55 +08:00
|
|
|
errorResponse = models.ErrorResponse{
|
|
|
|
|
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
|
|
|
|
}
|
|
|
|
|
if !adminonly && (err != nil || user == "") {
|
|
|
|
|
returnErrorResponse(w, r, errorResponse)
|
2021-08-20 07:00:23 +08:00
|
|
|
return
|
2021-10-09 03:07:12 +08:00
|
|
|
}
|
2022-02-14 22:58:50 +08:00
|
|
|
if adminonly && !isadmin && !authenticateMaster(authToken) {
|
2021-08-20 07:03:14 +08:00
|
|
|
returnErrorResponse(w, r, errorResponse)
|
2021-08-20 07:00:23 +08:00
|
|
|
return
|
2021-08-17 04:30:55 +08:00
|
|
|
}
|
2021-06-01 23:14:34 +08:00
|
|
|
next.ServeHTTP(w, r)
|
2021-04-07 07:13:34 +08:00
|
|
|
}
|
|
|
|
|
}
|
2021-08-17 04:30:55 +08:00
|
|
|
|
2021-04-07 07:13:34 +08:00
|
|
|
func removeNetwork(w http.ResponseWriter, r *http.Request) {
|
2021-08-17 04:30:55 +08:00
|
|
|
// Set header
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2021-04-07 07:13:34 +08:00
|
|
|
|
2021-08-17 04:30:55 +08:00
|
|
|
// get params
|
|
|
|
|
var params = mux.Vars(r)
|
2021-04-07 07:13:34 +08:00
|
|
|
|
2022-01-18 06:44:12 +08:00
|
|
|
err := logic.DeleteNetwork(params["network"])
|
|
|
|
|
if err != nil {
|
2021-08-17 04:30:55 +08:00
|
|
|
json.NewEncoder(w).Encode("Could not remove server from network " + params["network"])
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-04-07 07:13:34 +08:00
|
|
|
|
2021-08-17 04:30:55 +08:00
|
|
|
json.NewEncoder(w).Encode("Server removed from network " + params["network"])
|
2021-04-07 07:13:34 +08:00
|
|
|
}
|
|
|
|
|
|
2022-05-31 20:42:12 +08:00
|
|
|
func getServerInfo(w http.ResponseWriter, r *http.Request) {
|
2021-06-01 23:14:34 +08:00
|
|
|
// Set header
|
2021-08-17 04:30:55 +08:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2021-05-06 06:03:37 +08:00
|
|
|
|
2021-08-17 04:30:55 +08:00
|
|
|
// get params
|
2021-05-06 06:03:37 +08:00
|
|
|
|
2022-06-01 00:07:56 +08:00
|
|
|
json.NewEncoder(w).Encode(servercfg.GetServerInfo())
|
2021-08-20 07:00:23 +08:00
|
|
|
//w.WriteHeader(http.StatusOK)
|
2021-05-06 06:03:37 +08:00
|
|
|
}
|
|
|
|
|
|
2022-05-31 20:42:12 +08:00
|
|
|
func getConfig(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
// Set header
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2021-04-07 07:13:34 +08:00
|
|
|
|
2022-05-31 20:42:12 +08:00
|
|
|
// get params
|
2021-04-07 07:13:34 +08:00
|
|
|
|
2022-05-31 20:42:12 +08:00
|
|
|
scfg := servercfg.GetServerConfig()
|
|
|
|
|
json.NewEncoder(w).Encode(scfg)
|
|
|
|
|
//w.WriteHeader(http.StatusOK)
|
|
|
|
|
}
|
2022-04-14 04:22:46 +08:00
|
|
|
|
2022-04-17 04:43:10 +08:00
|
|
|
// register - registers a client with the server and return the CA and cert
|
2022-04-14 04:22:46 +08:00
|
|
|
func register(w http.ResponseWriter, r *http.Request) {
|
2022-04-15 21:54:35 +08:00
|
|
|
logger.Log(2, "processing registration request")
|
2022-04-14 04:22:46 +08:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2022-04-14 19:15:50 +08:00
|
|
|
//decode body
|
|
|
|
|
var request config.RegisterRequest
|
|
|
|
|
if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
|
2022-04-15 02:42:46 +08:00
|
|
|
logger.Log(0, "error decoding request", err.Error())
|
2022-04-14 19:15:50 +08:00
|
|
|
errorResponse := models.ErrorResponse{
|
2022-04-15 02:14:37 +08:00
|
|
|
Code: http.StatusBadRequest, Message: err.Error(),
|
2022-04-14 19:15:50 +08:00
|
|
|
}
|
|
|
|
|
returnErrorResponse(w, r, errorResponse)
|
2022-04-15 02:14:37 +08:00
|
|
|
return
|
2022-04-14 19:15:50 +08:00
|
|
|
}
|
2022-04-16 20:37:55 +08:00
|
|
|
cert, ca, err := genCerts(&request.Key, &request.CommonName)
|
2022-04-14 04:22:46 +08:00
|
|
|
if err != nil {
|
2022-04-15 02:14:37 +08:00
|
|
|
logger.Log(0, "failed to generater certs ", err.Error())
|
2022-04-14 04:22:46 +08:00
|
|
|
errorResponse := models.ErrorResponse{
|
2022-04-15 02:14:37 +08:00
|
|
|
Code: http.StatusNotFound, Message: err.Error(),
|
2022-04-14 04:22:46 +08:00
|
|
|
}
|
|
|
|
|
returnErrorResponse(w, r, errorResponse)
|
|
|
|
|
return
|
2022-04-14 19:15:50 +08:00
|
|
|
}
|
2022-04-17 04:43:10 +08:00
|
|
|
//x509.Certificate.PublicKey is an interface therefore json encoding/decoding result in a string value rather than a []byte
|
|
|
|
|
//include the actual public key so the certificate can be properly reassembled on the other end.
|
2022-04-15 02:14:37 +08:00
|
|
|
response := config.RegisterResponse{
|
2022-04-16 03:20:46 +08:00
|
|
|
CA: *ca,
|
|
|
|
|
CAPubKey: (ca.PublicKey).(ed25519.PublicKey),
|
|
|
|
|
Cert: *cert,
|
|
|
|
|
CertPubKey: (cert.PublicKey).(ed25519.PublicKey),
|
2022-05-31 00:39:33 +08:00
|
|
|
Broker: servercfg.GetServer(),
|
|
|
|
|
Port: servercfg.GetMQPort(),
|
2022-04-15 02:14:37 +08:00
|
|
|
}
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
json.NewEncoder(w).Encode(response)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-17 04:43:10 +08:00
|
|
|
// genCerts generates a client certificate and returns the certificate and root CA
|
2022-04-16 20:37:55 +08:00
|
|
|
func genCerts(clientKey *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
|
2022-07-01 09:56:11 +08:00
|
|
|
ca, err := tls.ReadCertFromFile("/etc/netmaker/root.pem")
|
2022-04-15 02:14:37 +08:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Log(2, "root ca not found ", err.Error())
|
2022-04-15 02:42:46 +08:00
|
|
|
return nil, nil, fmt.Errorf("root ca not found %w", err)
|
2022-04-15 02:14:37 +08:00
|
|
|
}
|
2022-07-01 09:56:11 +08:00
|
|
|
key, err := tls.ReadKeyFromFile("/etc/netmaker/root.key")
|
2022-04-14 19:15:50 +08:00
|
|
|
if err != nil {
|
2022-04-14 21:22:07 +08:00
|
|
|
logger.Log(2, "root key not found ", err.Error())
|
2022-04-15 02:42:46 +08:00
|
|
|
return nil, nil, fmt.Errorf("root key not found %w", err)
|
2022-04-14 19:15:50 +08:00
|
|
|
}
|
2022-04-16 20:37:55 +08:00
|
|
|
csr, err := tls.NewCSR(*clientKey, *name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Log(2, "failed to generate client certificate requests", err.Error())
|
|
|
|
|
return nil, nil, fmt.Errorf("client certification request generation failed %w", err)
|
|
|
|
|
}
|
2022-04-14 23:40:13 +08:00
|
|
|
cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY)
|
2022-04-14 19:15:50 +08:00
|
|
|
if err != nil {
|
2022-04-14 21:22:07 +08:00
|
|
|
logger.Log(2, "unable to generate client certificate", err.Error())
|
2022-04-15 02:42:46 +08:00
|
|
|
return nil, nil, fmt.Errorf("client certification generation failed %w", err)
|
2022-04-14 04:22:46 +08:00
|
|
|
}
|
2022-04-18 21:22:11 +08:00
|
|
|
return cert, ca, nil
|
2022-04-14 04:22:46 +08:00
|
|
|
}
|
