headscale/preauth_keys.go

package headscale

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"log"
	"time"

	"gorm.io/gorm"
)

const errorAuthKeyNotFound = Error("AuthKey not found")
const errorAuthKeyExpired = Error("AuthKey expired")
const errorAuthKeyNotReusableAlreadyUsed = Error("AuthKey not reusable already used")

// PreAuthKey describes a pre-authorization key usable in a particular namespace
type PreAuthKey struct {
	ID          uint64 `gorm:"primary_key"`
	Key         string
	NamespaceID uint
	Namespace   Namespace
	Reusable    bool
	Ephemeral   bool `gorm:"default:false"`

	CreatedAt  *time.Time
	Expiration *time.Time
}

// CreatePreAuthKey creates a new PreAuthKey in a namespace, and returns it
func (h *Headscale) CreatePreAuthKey(namespaceName string, reusable bool, ephemeral bool, expiration *time.Time) (*PreAuthKey, error) {
	n, err := h.GetNamespace(namespaceName)
	if err != nil {
		return nil, err
	}

	db, err := h.db()
	if err != nil {
		log.Printf("Cannot open DB: %s", err)
		return nil, err
	}

	now := time.Now().UTC()
	kstr, err := h.generateKey()
	if err != nil {
		return nil, err
	}

	k := PreAuthKey{
		Key:         kstr,
		NamespaceID: n.ID,
		Namespace:   *n,
		Reusable:    reusable,
		Ephemeral:   ephemeral,
		CreatedAt:   &now,
		Expiration:  expiration,
	}
	db.Save(&k)

	return &k, nil
}

// GetPreAuthKeys returns the list of PreAuthKeys for a namespace
func (h *Headscale) GetPreAuthKeys(namespaceName string) (*[]PreAuthKey, error) {
	n, err := h.GetNamespace(namespaceName)
	if err != nil {
		return nil, err
	}
	db, err := h.db()
	if err != nil {
		log.Printf("Cannot open DB: %s", err)
		return nil, err
	}

	keys := []PreAuthKey{}
	if err := db.Preload("Namespace").Where(&PreAuthKey{NamespaceID: n.ID}).Find(&keys).Error; err != nil {
		return nil, err
	}
	return &keys, nil
}

// checkKeyValidity does the heavy lifting for validation of the PreAuthKey coming from a node
// If returns no error and a PreAuthKey, it can be used
func (h *Headscale) checkKeyValidity(k string) (*PreAuthKey, error) {
	db, err := h.db()
	if err != nil {
		return nil, err
	}

	pak := PreAuthKey{}
	if result := db.Preload("Namespace").First(&pak, "key = ?", k); errors.Is(result.Error, gorm.ErrRecordNotFound) {
		return nil, errorAuthKeyNotFound
	}

	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
		return nil, errorAuthKeyExpired
	}

	if pak.Reusable || pak.Ephemeral { // we don't need to check if has been used before
		return &pak, nil
	}

	machines := []Machine{}
	if err := db.Preload("AuthKey").Where(&Machine{AuthKeyID: uint(pak.ID)}).Find(&machines).Error; err != nil {
		return nil, err
	}

	if len(machines) != 0 {
		return nil, errorAuthKeyNotReusableAlreadyUsed
	}

	// missing here validation on current usage
	return &pak, nil
}

func (h *Headscale) generateKey() (string, error) {
	size := 24
	bytes := make([]byte, size)
	if _, err := rand.Read(bytes); err != nil {
		return "", err
	}
	return hex.EncodeToString(bytes), nil
}
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`package headscale`

			`import (`
			`"crypto/rand"`
			`"encoding/hex"`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00			`"errors"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`"log"`
			`"time"`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00
			`"gorm.io/gorm"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`)`

WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`const errorAuthKeyNotFound = Error("AuthKey not found")`
			`const errorAuthKeyExpired = Error("AuthKey expired")`
Added fields in Machine to store authkey + validation tests 2021-05-06 06:08:36 +08:00			`const errorAuthKeyNotReusableAlreadyUsed = Error("AuthKey not reusable already used")`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00
Address a bunch of golint warnings. 2021-04-24 23:26:50 +08:00			`// PreAuthKey describes a pre-authorization key usable in a particular namespace`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`type PreAuthKey struct {`
			ID uint64 `gorm:"primary_key"`
			`Key string`
			`NamespaceID uint`
			`Namespace Namespace`
			`Reusable bool`
Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			Ephemeral bool `gorm:"default:false"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00
			`CreatedAt *time.Time`
			`Expiration *time.Time`
			`}`

Address a bunch of golint warnings. 2021-04-24 23:26:50 +08:00			`// CreatePreAuthKey creates a new PreAuthKey in a namespace, and returns it`
Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			`func (h Headscale) CreatePreAuthKey(namespaceName string, reusable bool, ephemeral bool, expiration time.Time) (*PreAuthKey, error) {`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`n, err := h.GetNamespace(namespaceName)`
			`if err != nil {`
			`return nil, err`
			`}`

			`db, err := h.db()`
			`if err != nil {`
			`log.Printf("Cannot open DB: %s", err)`
			`return nil, err`
			`}`

			`now := time.Now().UTC()`
			`kstr, err := h.generateKey()`
			`if err != nil {`
			`return nil, err`
			`}`

			`k := PreAuthKey{`
			`Key: kstr,`
			`NamespaceID: n.ID,`
Fix bug in preauthkeys: namespace object was not populated in the return value from CreatePreAuthKey and GetPreAuthKeys. Add tests for that bug, and the rest of the preauthkeys functionality. Fix path in `compress` Makefile target. 2021-05-03 02:47:36 +08:00			`Namespace: *n,`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`Reusable: reusable,`
Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			`Ephemeral: ephemeral,`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`CreatedAt: &now,`
			`Expiration: expiration,`
			`}`
			`db.Save(&k)`

			`return &k, nil`
			`}`

Address a bunch of golint warnings. 2021-04-24 23:26:50 +08:00			`// GetPreAuthKeys returns the list of PreAuthKeys for a namespace`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`func (h Headscale) GetPreAuthKeys(namespaceName string) ([]PreAuthKey, error) {`
			`n, err := h.GetNamespace(namespaceName)`
			`if err != nil {`
			`return nil, err`
			`}`
			`db, err := h.db()`
			`if err != nil {`
			`log.Printf("Cannot open DB: %s", err)`
			`return nil, err`
			`}`

			`keys := []PreAuthKey{}`
Fix bug in preauthkeys: namespace object was not populated in the return value from CreatePreAuthKey and GetPreAuthKeys. Add tests for that bug, and the rest of the preauthkeys functionality. Fix path in `compress` Makefile target. 2021-05-03 02:47:36 +08:00			`if err := db.Preload("Namespace").Where(&PreAuthKey{NamespaceID: n.ID}).Find(&keys).Error; err != nil {`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`return nil, err`
			`}`
			`return &keys, nil`
			`}`

WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`// checkKeyValidity does the heavy lifting for validation of the PreAuthKey coming from a node`
			`// If returns no error and a PreAuthKey, it can be used`
			`func (h Headscale) checkKeyValidity(k string) (PreAuthKey, error) {`
			`db, err := h.db()`
			`if err != nil {`
			`return nil, err`
			`}`

			`pak := PreAuthKey{}`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00			`if result := db.Preload("Namespace").First(&pak, "key = ?", k); errors.Is(result.Error, gorm.ErrRecordNotFound) {`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`return nil, errorAuthKeyNotFound`
			`}`

			`if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {`
			`return nil, errorAuthKeyExpired`
			`}`

Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			`if pak.Reusable \|\| pak.Ephemeral { // we don't need to check if has been used before`
Added fields in Machine to store authkey + validation tests 2021-05-06 06:08:36 +08:00			`return &pak, nil`
			`}`

			`machines := []Machine{}`
			`if err := db.Preload("AuthKey").Where(&Machine{AuthKeyID: uint(pak.ID)}).Find(&machines).Error; err != nil {`
			`return nil, err`
			`}`

			`if len(machines) != 0 {`
			`return nil, errorAuthKeyNotReusableAlreadyUsed`
			`}`

WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`// missing here validation on current usage`
			`return &pak, nil`
			`}`

WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`func (h *Headscale) generateKey() (string, error) {`
			`size := 24`
			`bytes := make([]byte, size)`
			`if _, err := rand.Read(bytes); err != nil {`
			`return "", err`
			`}`
			`return hex.EncodeToString(bytes), nil`
			`}`