headscale/preauth_keys.go

package headscale

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strconv"
	"time"

	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
	"google.golang.org/protobuf/types/known/timestamppb"
	"gorm.io/gorm"
)

const (
	errPreAuthKeyNotFound          = Error("AuthKey not found")
	errPreAuthKeyExpired           = Error("AuthKey expired")
	errSingleUseAuthKeyHasBeenUsed = Error("AuthKey has already been used")
	errNamespaceMismatch           = Error("namespace mismatch")
)

// PreAuthKey describes a pre-authorization key usable in a particular namespace.
type PreAuthKey struct {
	ID          uint64 `gorm:"primary_key"`
	Key         string
	NamespaceID uint
	Namespace   Namespace
	Reusable    bool
	Ephemeral   bool `gorm:"default:false"`
	Used        bool `gorm:"default:false"`

	CreatedAt  *time.Time
	Expiration *time.Time
}

// CreatePreAuthKey creates a new PreAuthKey in a namespace, and returns it.
func (h *Headscale) CreatePreAuthKey(
	namespaceName string,
	reusable bool,
	ephemeral bool,
	expiration *time.Time,
) (*PreAuthKey, error) {
	namespace, err := h.GetNamespace(namespaceName)
	if err != nil {
		return nil, err
	}

	now := time.Now().UTC()
	kstr, err := h.generateKey()
	if err != nil {
		return nil, err
	}

	key := PreAuthKey{
		Key:         kstr,
		NamespaceID: namespace.ID,
		Namespace:   *namespace,
		Reusable:    reusable,
		Ephemeral:   ephemeral,
		CreatedAt:   &now,
		Expiration:  expiration,
	}
	h.db.Save(&key)

	return &key, nil
}

// ListPreAuthKeys returns the list of PreAuthKeys for a namespace.
func (h *Headscale) ListPreAuthKeys(namespaceName string) ([]PreAuthKey, error) {
	namespace, err := h.GetNamespace(namespaceName)
	if err != nil {
		return nil, err
	}

	keys := []PreAuthKey{}
	if err := h.db.Preload("Namespace").Where(&PreAuthKey{NamespaceID: namespace.ID}).Find(&keys).Error; err != nil {
		return nil, err
	}

	return keys, nil
}

// GetPreAuthKey returns a PreAuthKey for a given key.
func (h *Headscale) GetPreAuthKey(namespace string, key string) (*PreAuthKey, error) {
	pak, err := h.checkKeyValidity(key)
	if err != nil {
		return nil, err
	}

	if pak.Namespace.Name != namespace {
		return nil, errNamespaceMismatch
	}

	return pak, nil
}

// DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey
// does not exist.
func (h *Headscale) DestroyPreAuthKey(pak PreAuthKey) error {
	if result := h.db.Unscoped().Delete(pak); result.Error != nil {
		return result.Error
	}

	return nil
}

// MarkExpirePreAuthKey marks a PreAuthKey as expired.
func (h *Headscale) ExpirePreAuthKey(k *PreAuthKey) error {
	if err := h.db.Model(&k).Update("Expiration", time.Now()).Error; err != nil {
		return err
	}

	return nil
}

// checkKeyValidity does the heavy lifting for validation of the PreAuthKey coming from a node
// If returns no error and a PreAuthKey, it can be used.
func (h *Headscale) checkKeyValidity(k string) (*PreAuthKey, error) {
	pak := PreAuthKey{}
	if result := h.db.Preload("Namespace").First(&pak, "key = ?", k); errors.Is(
		result.Error,
		gorm.ErrRecordNotFound,
	) {
		return nil, errPreAuthKeyNotFound
	}

	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
		return nil, errPreAuthKeyExpired
	}

	if pak.Reusable || pak.Ephemeral { // we don't need to check if has been used before
		return &pak, nil
	}

	machines := []Machine{}
	if err := h.db.Preload("AuthKey").Where(&Machine{AuthKeyID: uint(pak.ID)}).Find(&machines).Error; err != nil {
		return nil, err
	}

	if len(machines) != 0 || pak.Used {
		return nil, errSingleUseAuthKeyHasBeenUsed
	}

	return &pak, nil
}

func (h *Headscale) generateKey() (string, error) {
	size := 24
	bytes := make([]byte, size)
	if _, err := rand.Read(bytes); err != nil {
		return "", err
	}

	return hex.EncodeToString(bytes), nil
}

func (key *PreAuthKey) toProto() *v1.PreAuthKey {
	protoKey := v1.PreAuthKey{
		Namespace: key.Namespace.Name,
		Id:        strconv.FormatUint(key.ID, Base10),
		Key:       key.Key,
		Ephemeral: key.Ephemeral,
		Reusable:  key.Reusable,
		Used:      key.Used,
	}

	if key.Expiration != nil {
		protoKey.Expiration = timestamppb.New(*key.Expiration)
	}

	if key.CreatedAt != nil {
		protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)
	}

	return &protoKey
}
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`package headscale`

			`import (`
			`"crypto/rand"`
			`"encoding/hex"`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00			`"errors"`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`"strconv"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`"time"`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00
golangci-lint --fix 2021-11-13 16:39:04 +08:00			`v1 "github.com/juanfont/headscale/gen/go/headscale/v1"`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`"google.golang.org/protobuf/types/known/timestamppb"`
Update Headscale to depend on gorm v2 2021-06-24 21:44:19 +08:00			`"gorm.io/gorm"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`)`

Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`const (`
Add and fix errname 2021-11-16 00:33:16 +08:00			`errPreAuthKeyNotFound = Error("AuthKey not found")`
			`errPreAuthKeyExpired = Error("AuthKey expired")`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`errSingleUseAuthKeyHasBeenUsed = Error("AuthKey has already been used")`
Get rid of dynamic errors 2021-11-16 03:18:14 +08:00			`errNamespaceMismatch = Error("namespace mismatch")`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`)`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00
golangci-lint --fix 2021-11-13 16:39:04 +08:00			`// PreAuthKey describes a pre-authorization key usable in a particular namespace.`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`type PreAuthKey struct {`
			ID uint64 `gorm:"primary_key"`
			`Key string`
			`NamespaceID uint`
			`Namespace Namespace`
			`Reusable bool`
Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			Ephemeral bool `gorm:"default:false"`
Fixed merge 2021-10-14 05:28:47 +08:00			Used bool `gorm:"default:false"`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00
			`CreatedAt *time.Time`
			`Expiration *time.Time`
			`}`

golangci-lint --fix 2021-11-13 16:39:04 +08:00			`// CreatePreAuthKey creates a new PreAuthKey in a namespace, and returns it.`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`func (h *Headscale) CreatePreAuthKey(`
			`namespaceName string,`
			`reusable bool,`
			`ephemeral bool,`
			`expiration *time.Time,`
			`) (*PreAuthKey, error) {`
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`namespace, err := h.GetNamespace(namespaceName)`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`if err != nil {`
			`return nil, err`
			`}`

			`now := time.Now().UTC()`
			`kstr, err := h.generateKey()`
			`if err != nil {`
			`return nil, err`
			`}`

Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`key := PreAuthKey{`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`Key: kstr,`
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`NamespaceID: namespace.ID,`
			`Namespace: *namespace,`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`Reusable: reusable,`
Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			`Ephemeral: ephemeral,`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`CreatedAt: &now,`
			`Expiration: expiration,`
			`}`
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`h.db.Save(&key)`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`return &key, nil`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`}`

golangci-lint --fix 2021-11-13 16:39:04 +08:00			`// ListPreAuthKeys returns the list of PreAuthKeys for a namespace.`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`func (h *Headscale) ListPreAuthKeys(namespaceName string) ([]PreAuthKey, error) {`
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`namespace, err := h.GetNamespace(namespaceName)`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`if err != nil {`
			`return nil, err`
			`}`

			`keys := []PreAuthKey{}`
Fix rest of var name in main code 2021-11-16 00:15:50 +08:00			`if err := h.db.Preload("Namespace").Where(&PreAuthKey{NamespaceID: namespace.ID}).Find(&keys).Error; err != nil {`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`return nil, err`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 23:46:09 +08:00
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`return keys, nil`
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`}`

golangci-lint --fix 2021-11-13 16:39:04 +08:00			`// GetPreAuthKey returns a PreAuthKey for a given key.`
Added cmd to expire preauth keys (requested in #78) 2021-08-08 06:10:30 +08:00			`func (h Headscale) GetPreAuthKey(namespace string, key string) (PreAuthKey, error) {`
			`pak, err := h.checkKeyValidity(key)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if pak.Namespace.Name != namespace {`
Get rid of dynamic errors 2021-11-16 03:18:14 +08:00			`return nil, errNamespaceMismatch`
Added cmd to expire preauth keys (requested in #78) 2021-08-08 06:10:30 +08:00			`}`

			`return pak, nil`
			`}`

Improvements for namespace deletion: add a confirmation prompt, and make sure to also delete any associated preauthkeys. 2021-11-14 03:01:05 +08:00			`// DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey`
			`// does not exist.`
Add and fix gosec 2021-11-16 02:31:52 +08:00			`func (h *Headscale) DestroyPreAuthKey(pak PreAuthKey) error {`
			`if result := h.db.Unscoped().Delete(pak); result.Error != nil {`
Improvements for namespace deletion: add a confirmation prompt, and make sure to also delete any associated preauthkeys. 2021-11-14 03:01:05 +08:00			`return result.Error`
			`}`

			`return nil`
			`}`

Fix golanglint 2021-11-14 16:32:58 +08:00			`// MarkExpirePreAuthKey marks a PreAuthKey as expired.`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`func (h Headscale) ExpirePreAuthKey(k PreAuthKey) error {`
Added func to expire PAKs 2021-08-08 05:57:52 +08:00			`if err := h.db.Model(&k).Update("Expiration", time.Now()).Error; err != nil {`
			`return err`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 23:46:09 +08:00
Added func to expire PAKs 2021-08-08 05:57:52 +08:00			`return nil`
			`}`

WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`// checkKeyValidity does the heavy lifting for validation of the PreAuthKey coming from a node`
golangci-lint --fix 2021-11-13 16:39:04 +08:00			`// If returns no error and a PreAuthKey, it can be used.`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`func (h Headscale) checkKeyValidity(k string) (PreAuthKey, error) {`
			`pak := PreAuthKey{}`
Go format with shorter lines 2021-11-13 16:36:45 +08:00			`if result := h.db.Preload("Namespace").First(&pak, "key = ?", k); errors.Is(`
			`result.Error,`
			`gorm.ErrRecordNotFound,`
			`) {`
Add and fix errname 2021-11-16 00:33:16 +08:00			`return nil, errPreAuthKeyNotFound`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`}`

			`if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {`
Add and fix errname 2021-11-16 00:33:16 +08:00			`return nil, errPreAuthKeyExpired`
WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`}`

Add support for ephemeral nodes via a special type of pre-auth key. Add tests for that feature. Other fixes: clean up a few typos in comments. Fix a bug that caused the tests to run four times each. Be more consistent in the use of log rather than fmt to print errors and notices. 2021-05-23 08:15:29 +08:00			`if pak.Reusable \|\| pak.Ephemeral { // we don't need to check if has been used before`
Added fields in Machine to store authkey + validation tests 2021-05-06 06:08:36 +08:00			`return &pak, nil`
			`}`

			`machines := []Machine{}`
Use gorm connection pool 2021-07-05 03:40:46 +08:00			`if err := h.db.Preload("AuthKey").Where(&Machine{AuthKeyID: uint(pak.ID)}).Find(&machines).Error; err != nil {`
Added fields in Machine to store authkey + validation tests 2021-05-06 06:08:36 +08:00			`return nil, err`
			`}`

Apply suggestions from code review Renamed AlreadyUsed to Used Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no> 2021-10-14 04:51:55 +08:00			`if len(machines) != 0 \|\| pak.Used {`
Reword errSingleUseAuthKeyHasBeenUsed 2021-10-14 05:23:07 +08:00			`return nil, errSingleUseAuthKeyHasBeenUsed`
Added fields in Machine to store authkey + validation tests 2021-05-06 06:08:36 +08:00			`}`

WIP Working on authkeys + tests 2021-05-06 05:00:04 +08:00			`return &pak, nil`
			`}`

WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`func (h *Headscale) generateKey() (string, error) {`
			`size := 24`
			`bytes := make([]byte, size)`
			`if _, err := rand.Read(bytes); err != nil {`
			`return "", err`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 23:46:09 +08:00
WIP on PreAuthKeys 2021-04-23 06:25:01 +08:00			`return hex.EncodeToString(bytes), nil`
			`}`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00
			`func (key PreAuthKey) toProto() v1.PreAuthKey {`
Try to address issue raised by cure 2021-11-09 04:48:20 +08:00			`protoKey := v1.PreAuthKey{`
			`Namespace: key.Namespace.Name,`
Add and fix stylecheck (golint replacement) 2021-11-16 01:24:24 +08:00			`Id: strconv.FormatUint(key.ID, Base10),`
Try to address issue raised by cure 2021-11-09 04:48:20 +08:00			`Key: key.Key,`
			`Ephemeral: key.Ephemeral,`
			`Reusable: key.Reusable,`
			`Used: key.Used,`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`}`
Try to address issue raised by cure 2021-11-09 04:48:20 +08:00
			`if key.Expiration != nil {`
			`protoKey.Expiration = timestamppb.New(*key.Expiration)`
			`}`

			`if key.CreatedAt != nil {`
			`protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)`
			`}`

			`return &protoKey`
Simplify and streamline preauth commands for new cli/rpc/api 2021-11-05 06:14:39 +08:00			`}`