netmaker/controllers/server.go

238 lines
7.8 KiB
Go
Raw Normal View History

package controller
import (
2022-04-14 23:40:13 +08:00
"crypto/ed25519"
2022-04-15 02:14:37 +08:00
"crypto/x509"
2022-04-16 20:27:22 +08:00
"crypto/x509/pkix"
"encoding/json"
2022-04-15 02:14:37 +08:00
"fmt"
"net/http"
"strings"
"github.com/gorilla/mux"
2022-04-14 05:33:40 +08:00
"github.com/gravitl/netmaker/logger"
2021-10-27 00:27:29 +08:00
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
2022-04-14 06:22:03 +08:00
"github.com/gravitl/netmaker/netclient/config"
2022-04-16 01:32:10 +08:00
"github.com/gravitl/netmaker/netclient/ncutils"
"github.com/gravitl/netmaker/servercfg"
2022-04-14 04:22:46 +08:00
"github.com/gravitl/netmaker/tls"
)
func serverHandlers(r *mux.Router) {
2022-01-13 08:45:42 +08:00
// r.HandleFunc("/api/server/addnetwork/{network}", securityCheckServer(true, http.HandlerFunc(addNetwork))).Methods("POST")
r.HandleFunc("/api/server/getconfig", securityCheckServer(false, http.HandlerFunc(getConfig))).Methods("GET")
r.HandleFunc("/api/server/removenetwork/{network}", securityCheckServer(true, http.HandlerFunc(removeNetwork))).Methods("DELETE")
2022-04-14 05:57:04 +08:00
r.HandleFunc("/api/server/register", http.HandlerFunc(register)).Methods("POST")
}
//Security check is middleware for every function and just checks to make sure that its the master calling
//Only admin should have access to all these network-level actions
//or maybe some Users once implemented
2021-08-10 05:04:16 +08:00
func securityCheckServer(adminonly bool, next http.Handler) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var errorResponse = models.ErrorResponse{
Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
}
bearerToken := r.Header.Get("Authorization")
var tokenSplit = strings.Split(bearerToken, " ")
var authToken = ""
if len(tokenSplit) < 2 {
errorResponse = models.ErrorResponse{
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
}
returnErrorResponse(w, r, errorResponse)
return
} else {
authToken = tokenSplit[1]
}
//all endpoints here require master so not as complicated
//still might not be a good way of doing this
2021-10-27 00:27:29 +08:00
user, _, isadmin, err := logic.VerifyUserToken(authToken)
errorResponse = models.ErrorResponse{
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
}
if !adminonly && (err != nil || user == "") {
returnErrorResponse(w, r, errorResponse)
2021-08-20 07:00:23 +08:00
return
2021-10-09 03:07:12 +08:00
}
if adminonly && !isadmin && !authenticateMaster(authToken) {
2021-08-20 07:03:14 +08:00
returnErrorResponse(w, r, errorResponse)
2021-08-20 07:00:23 +08:00
return
}
2021-06-01 23:14:34 +08:00
next.ServeHTTP(w, r)
}
}
func removeNetwork(w http.ResponseWriter, r *http.Request) {
// Set header
w.Header().Set("Content-Type", "application/json")
// get params
var params = mux.Vars(r)
2022-01-18 06:44:12 +08:00
err := logic.DeleteNetwork(params["network"])
if err != nil {
json.NewEncoder(w).Encode("Could not remove server from network " + params["network"])
return
}
json.NewEncoder(w).Encode("Server removed from network " + params["network"])
}
func getConfig(w http.ResponseWriter, r *http.Request) {
2021-06-01 23:14:34 +08:00
// Set header
w.Header().Set("Content-Type", "application/json")
// get params
scfg := servercfg.GetServerConfig()
json.NewEncoder(w).Encode(scfg)
2021-08-20 07:00:23 +08:00
//w.WriteHeader(http.StatusOK)
}
2022-01-13 08:45:42 +08:00
// func addNetwork(w http.ResponseWriter, r *http.Request) {
// // Set header
// w.Header().Set("Content-Type", "application/json")
2022-01-13 08:45:42 +08:00
// // get params
// var params = mux.Vars(r)
// var networkName = params["network"]
// var networkSettings, err := logic.GetNetwork(netwnetworkName)
2022-01-13 08:45:42 +08:00
// success, err := serverctl.AddNetwork(params["network"])
2022-01-13 08:45:42 +08:00
// if err != nil || !success {
// json.NewEncoder(w).Encode("Could not add server to network " + params["network"])
// return
// }
2022-01-13 08:45:42 +08:00
// json.NewEncoder(w).Encode("Server added to network " + params["network"])
// }
2022-04-14 04:22:46 +08:00
// register - registers a client with the server and return the CA cert
func register(w http.ResponseWriter, r *http.Request) {
2022-04-15 21:54:35 +08:00
logger.Log(2, "processing registration request")
2022-04-14 04:22:46 +08:00
w.Header().Set("Content-Type", "application/json")
2022-04-14 05:57:04 +08:00
bearerToken := r.Header.Get("Authorization")
var tokenSplit = strings.Split(bearerToken, " ")
var token = ""
if len(tokenSplit) < 2 {
errorResponse := models.ErrorResponse{
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
}
returnErrorResponse(w, r, errorResponse)
return
} else {
token = tokenSplit[1]
}
2022-04-14 19:15:50 +08:00
//decode body
var request config.RegisterRequest
if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
2022-04-15 02:42:46 +08:00
logger.Log(0, "error decoding request", err.Error())
2022-04-14 19:15:50 +08:00
errorResponse := models.ErrorResponse{
2022-04-15 02:14:37 +08:00
Code: http.StatusBadRequest, Message: err.Error(),
2022-04-14 19:15:50 +08:00
}
returnErrorResponse(w, r, errorResponse)
2022-04-15 02:14:37 +08:00
return
2022-04-14 19:15:50 +08:00
}
2022-04-14 04:22:46 +08:00
found := false
networks, err := logic.GetNetworks()
if err != nil {
2022-04-15 02:42:46 +08:00
logger.Log(0, "no networks", err.Error())
2022-04-14 04:22:46 +08:00
errorResponse := models.ErrorResponse{
Code: http.StatusNotFound, Message: "no networks",
}
returnErrorResponse(w, r, errorResponse)
2022-04-15 02:14:37 +08:00
return
2022-04-14 04:22:46 +08:00
}
for _, network := range networks {
for _, key := range network.AccessKeys {
2022-04-14 21:22:07 +08:00
if key.Value == token {
2022-04-14 04:22:46 +08:00
found = true
break
}
}
}
if !found {
2022-04-15 02:42:46 +08:00
logger.Log(0, "valid access key not found")
2022-04-14 04:22:46 +08:00
errorResponse := models.ErrorResponse{
Code: http.StatusUnauthorized, Message: "You are unauthorized to access this endpoint.",
}
returnErrorResponse(w, r, errorResponse)
return
}
2022-04-16 01:32:10 +08:00
// not working --- use openssl instead
2022-04-16 20:37:55 +08:00
cert, ca, err := genCerts(&request.Key, &request.CommonName)
//cert, ca, err := genOpenSSLCerts(&request.Key, &request.CommonName)
2022-04-14 04:22:46 +08:00
if err != nil {
2022-04-15 02:14:37 +08:00
logger.Log(0, "failed to generater certs ", err.Error())
2022-04-14 04:22:46 +08:00
errorResponse := models.ErrorResponse{
2022-04-15 02:14:37 +08:00
Code: http.StatusNotFound, Message: err.Error(),
2022-04-14 04:22:46 +08:00
}
returnErrorResponse(w, r, errorResponse)
return
2022-04-14 19:15:50 +08:00
}
2022-04-16 01:32:10 +08:00
2022-04-16 04:07:19 +08:00
tls.SaveCert("/tmp/sent/", "root.pem", ca)
tls.SaveCert("/tmp/sent/", "client.pem", cert)
2022-04-15 02:14:37 +08:00
response := config.RegisterResponse{
2022-04-16 03:20:46 +08:00
CA: *ca,
CAPubKey: (ca.PublicKey).(ed25519.PublicKey),
Cert: *cert,
CertPubKey: (cert.PublicKey).(ed25519.PublicKey),
2022-04-15 02:14:37 +08:00
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(response)
}
2022-04-16 20:37:55 +08:00
func genCerts(clientKey *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
ca, err := tls.ReadCert("/etc/netmaker/root.pem")
2022-04-15 02:14:37 +08:00
if err != nil {
logger.Log(2, "root ca not found ", err.Error())
2022-04-15 02:42:46 +08:00
return nil, nil, fmt.Errorf("root ca not found %w", err)
2022-04-15 02:14:37 +08:00
}
2022-04-16 20:37:55 +08:00
key, err := tls.ReadKey("/etc/netmaker/root.key")
2022-04-14 19:15:50 +08:00
if err != nil {
2022-04-14 21:22:07 +08:00
logger.Log(2, "root key not found ", err.Error())
2022-04-15 02:42:46 +08:00
return nil, nil, fmt.Errorf("root key not found %w", err)
2022-04-14 19:15:50 +08:00
}
2022-04-16 20:37:55 +08:00
csr, err := tls.NewCSR(*clientKey, *name)
if err != nil {
logger.Log(2, "failed to generate client certificate requests", err.Error())
return nil, nil, fmt.Errorf("client certification request generation failed %w", err)
}
2022-04-14 23:40:13 +08:00
cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY)
2022-04-14 19:15:50 +08:00
if err != nil {
2022-04-14 21:22:07 +08:00
logger.Log(2, "unable to generate client certificate", err.Error())
2022-04-15 02:42:46 +08:00
return nil, nil, fmt.Errorf("client certification generation failed %w", err)
2022-04-14 04:22:46 +08:00
}
2022-04-15 02:42:46 +08:00
return ca, cert, nil
2022-04-14 04:22:46 +08:00
}
2022-04-16 01:32:10 +08:00
2022-04-16 20:27:22 +08:00
func genOpenSSLCerts(key *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
if err := tls.SaveKey("/tmp/", "client.key", *key); err != nil {
return nil, nil, fmt.Errorf("failed to store client key %w", err)
}
cmd2 := fmt.Sprintf("openssl req -new -out /tmp/client.csr -key /tmp/client.key -subj /CN=%s", name.CommonName)
2022-04-16 01:32:10 +08:00
cmd3 := "openssl x509 -req -in /tmp/client.csr -days 365 -CA /etc/netmaker/root.pem -CAkey /etc/netmaker/root.key -CAcreateserial -out /tmp/client.pem"
if _, err := ncutils.RunCmd(cmd2, true); err != nil {
2022-04-16 20:27:22 +08:00
return nil, nil, fmt.Errorf("client csr error %w", err)
2022-04-16 01:32:10 +08:00
}
if _, err := ncutils.RunCmd(cmd3, true); err != nil {
2022-04-16 20:27:22 +08:00
return nil, nil, fmt.Errorf("client cert error %w", err)
2022-04-16 01:32:10 +08:00
}
cert, err := tls.ReadCert("/tmp/client.pem")
if err != nil {
2022-04-16 20:27:22 +08:00
return nil, nil, fmt.Errorf("read client cert error %w", err)
2022-04-16 01:32:10 +08:00
}
ca, err := tls.ReadCert("/etc/netmaker/root.pem")
if err != nil {
2022-04-16 20:27:22 +08:00
return nil, nil, fmt.Errorf("read ca cert error %w", err)
2022-04-16 01:32:10 +08:00
}
2022-04-16 20:27:22 +08:00
return cert, ca, nil
2022-04-16 01:32:10 +08:00
}