Home Explore Help
Sign In
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Files Issues 0 Wiki
Tree: 1cbbd52e7d
Branches Tags
netmaker
/
controllers
/
server.go

server.go 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"crypto/ed25519"
    5. 

  5. 	"crypto/x509"
    6. 

  6. 	"crypto/x509/pkix"
    7. 

  7. 	"encoding/json"
    8. 

  8. 	"fmt"
    9. 

  9. 	"net/http"
    10. 

  10. 	"strings"
    11. 

  11. 

  12. 	"github.com/gorilla/mux"
    13. 

  13. 	"github.com/gravitl/netmaker/logger"
    14. 

  14. 	"github.com/gravitl/netmaker/logic"
    15. 

  15. 	"github.com/gravitl/netmaker/models"
    16. 

  16. 	"github.com/gravitl/netmaker/netclient/config"
    17. 

  17. 	"github.com/gravitl/netmaker/netclient/ncutils"
    18. 

  18. 	"github.com/gravitl/netmaker/servercfg"
    19. 

  19. 	"github.com/gravitl/netmaker/tls"
    20. 

  20. )
    21. 

  21. 

  22. func serverHandlers(r *mux.Router) {
    23. 

  23. 	// r.HandleFunc("/api/server/addnetwork/{network}", securityCheckServer(true, http.HandlerFunc(addNetwork))).Methods("POST")
    24. 

  24. 	r.HandleFunc("/api/server/getconfig", securityCheckServer(false, http.HandlerFunc(getConfig))).Methods("GET")
    25. 

  25. 	r.HandleFunc("/api/server/removenetwork/{network}", securityCheckServer(true, http.HandlerFunc(removeNetwork))).Methods("DELETE")
    26. 

  26. 	r.HandleFunc("/api/server/register", http.HandlerFunc(register)).Methods("POST")
    27. 

  27. }
    28. 

  28. 

  29. //Security check is middleware for every function and just checks to make sure that its the master calling
    30. 

  30. //Only admin should have access to all these network-level actions
    31. 

  31. //or maybe some Users once implemented
    32. 

  32. func securityCheckServer(adminonly bool, next http.Handler) http.HandlerFunc {
    33. 

  33. 	return func(w http.ResponseWriter, r *http.Request) {
    34. 

  34. 		var errorResponse = models.ErrorResponse{
    35. 

  35. 			Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    36. 

  36. 		}
    37. 

  37. 

  38. 		bearerToken := r.Header.Get("Authorization")
    39. 

  39. 

  40. 		var tokenSplit = strings.Split(bearerToken, " ")
    41. 

  41. 		var authToken = ""
    42. 

  42. 		if len(tokenSplit) < 2 {
    43. 

  43. 			errorResponse = models.ErrorResponse{
    44. 

  44. 				Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
    45. 

  45. 			}
    46. 

  46. 			returnErrorResponse(w, r, errorResponse)
    47. 

  47. 			return
    48. 

  48. 		} else {
    49. 

  49. 			authToken = tokenSplit[1]
    50. 

  50. 		}
    51. 

  51. 		//all endpoints here require master so not as complicated
    52. 

  52. 		//still might not be a good  way of doing this
    53. 

  53. 		user, _, isadmin, err := logic.VerifyUserToken(authToken)
    54. 

  54. 		errorResponse = models.ErrorResponse{
    55. 

  55. 			Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
    56. 

  56. 		}
    57. 

  57. 		if !adminonly && (err != nil || user == "") {
    58. 

  58. 			returnErrorResponse(w, r, errorResponse)
    59. 

  59. 			return
    60. 

  60. 		}
    61. 

  61. 		if adminonly && !isadmin && !authenticateMaster(authToken) {
    62. 

  62. 			returnErrorResponse(w, r, errorResponse)
    63. 

  63. 			return
    64. 

  64. 		}
    65. 

  65. 		next.ServeHTTP(w, r)
    66. 

  66. 	}
    67. 

  67. }
    68. 

  68. 

  69. func removeNetwork(w http.ResponseWriter, r *http.Request) {
    70. 

  70. 	// Set header
    71. 

  71. 	w.Header().Set("Content-Type", "application/json")
    72. 

  72. 

  73. 	// get params
    74. 

  74. 	var params = mux.Vars(r)
    75. 

  75. 

  76. 	err := logic.DeleteNetwork(params["network"])
    77. 

  77. 	if err != nil {
    78. 

  78. 		json.NewEncoder(w).Encode("Could not remove server from network " + params["network"])
    79. 

  79. 		return
    80. 

  80. 	}
    81. 

  81. 

  82. 	json.NewEncoder(w).Encode("Server removed from network " + params["network"])
    83. 

  83. }
    84. 

  84. 

  85. func getConfig(w http.ResponseWriter, r *http.Request) {
    86. 

  86. 	// Set header
    87. 

  87. 	w.Header().Set("Content-Type", "application/json")
    88. 

  88. 

  89. 	// get params
    90. 

  90. 

  91. 	scfg := servercfg.GetServerConfig()
    92. 

  92. 	json.NewEncoder(w).Encode(scfg)
    93. 

  93. 	//w.WriteHeader(http.StatusOK)
    94. 

  94. }
    95. 

  95. 

  96. // func addNetwork(w http.ResponseWriter, r *http.Request) {
    97. 

  97. // 	// Set header
    98. 

  98. // 	w.Header().Set("Content-Type", "application/json")
    99. 

  99. 

  100. // 	// get params
    101. 

  101. // 	var params = mux.Vars(r)
    102. 

  102. // 	var networkName = params["network"]
    103. 

  103. // 	var networkSettings, err := logic.GetNetwork(netwnetworkName)
    104. 

  104. 

  105. // 	success, err := serverctl.AddNetwork(params["network"])
    106. 

  106. 

  107. // 	if err != nil || !success {
    108. 

  108. // 		json.NewEncoder(w).Encode("Could not add server to network " + params["network"])
    109. 

  109. // 		return
    110. 

  110. // 	}
    111. 

  111. 

  112. // 	json.NewEncoder(w).Encode("Server added to network " + params["network"])
    113. 

  113. // }
    114. 

  114. 

  115. // register - registers a client with the server and return the CA and cert
    116. 

  116. func register(w http.ResponseWriter, r *http.Request) {
    117. 

  117. 	logger.Log(2, "processing registration request")
    118. 

  118. 	w.Header().Set("Content-Type", "application/json")
    119. 

  119. 	bearerToken := r.Header.Get("Authorization")
    120. 

  120. 	var tokenSplit = strings.Split(bearerToken, " ")
    121. 

  121. 	var token = ""
    122. 

  122. 	if len(tokenSplit) < 2 {
    123. 

  123. 		errorResponse := models.ErrorResponse{
    124. 

  124. 			Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
    125. 

  125. 		}
    126. 

  126. 		returnErrorResponse(w, r, errorResponse)
    127. 

  127. 		return
    128. 

  128. 	} else {
    129. 

  129. 		token = tokenSplit[1]
    130. 

  130. 	}
    131. 

  131. 	//decode body
    132. 

  132. 	var request config.RegisterRequest
    133. 

  133. 	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
    134. 

  134. 		logger.Log(0, "error decoding request", err.Error())
    135. 

  135. 		errorResponse := models.ErrorResponse{
    136. 

  136. 			Code: http.StatusBadRequest, Message: err.Error(),
    137. 

  137. 		}
    138. 

  138. 		returnErrorResponse(w, r, errorResponse)
    139. 

  139. 		return
    140. 

  140. 	}
    141. 

  141. 	found := false
    142. 

  142. 	networks, err := logic.GetNetworks()
    143. 

  143. 	if err != nil {
    144. 

  144. 		logger.Log(0, "no networks", err.Error())
    145. 

  145. 		errorResponse := models.ErrorResponse{
    146. 

  146. 			Code: http.StatusNotFound, Message: "no networks",
    147. 

  147. 		}
    148. 

  148. 		returnErrorResponse(w, r, errorResponse)
    149. 

  149. 		return
    150. 

  150. 	}
    151. 

  151. 	for _, network := range networks {
    152. 

  152. 		for _, key := range network.AccessKeys {
    153. 

  153. 			if key.Value == token {
    154. 

  154. 				found = true
    155. 

  155. 				break
    156. 

  156. 			}
    157. 

  157. 		}
    158. 

  158. 	}
    159. 

  159. 	if !found {
    160. 

  160. 		logger.Log(0, "valid access key not found")
    161. 

  161. 		errorResponse := models.ErrorResponse{
    162. 

  162. 			Code: http.StatusUnauthorized, Message: "You are unauthorized to access this endpoint.",
    163. 

  163. 		}
    164. 

  164. 		returnErrorResponse(w, r, errorResponse)
    165. 

  165. 		return
    166. 

  166. 	}
    167. 

  167. 	cert, ca, err := genCerts(&request.Key, &request.CommonName)
    168. 

  168. 	if err != nil {
    169. 

  169. 		logger.Log(0, "failed to generater certs ", err.Error())
    170. 

  170. 		errorResponse := models.ErrorResponse{
    171. 

  171. 			Code: http.StatusNotFound, Message: err.Error(),
    172. 

  172. 		}
    173. 

  173. 		returnErrorResponse(w, r, errorResponse)
    174. 

  174. 		return
    175. 

  175. 	}
    176. 

  176. 

  177. 	tls.SaveCert("/tmp/sent/", "root.pem", ca)
    178. 

  178. 	tls.SaveCert("/tmp/sent/", "client.pem", cert)
    179. 

  179. 	//x509.Certificate.PublicKey is an interface therefore json encoding/decoding result in a string value rather than a []byte
    180. 

  180. 	//include the actual public key so the certificate can be properly reassembled on the other end.
    181. 

  181. 	response := config.RegisterResponse{
    182. 

  182. 		CA:         *ca,
    183. 

  183. 		CAPubKey:   (ca.PublicKey).(ed25519.PublicKey),
    184. 

  184. 		Cert:       *cert,
    185. 

  185. 		CertPubKey: (cert.PublicKey).(ed25519.PublicKey),
    186. 

  186. 	}
    187. 

  187. 	w.WriteHeader(http.StatusOK)
    188. 

  188. 	json.NewEncoder(w).Encode(response)
    189. 

  189. }
    190. 

  190. 

  191. // genCerts generates a client certificate and returns the certificate and root CA
    192. 

  192. func genCerts(clientKey *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
    193. 

  193. 	ca, err := tls.ReadCert("/etc/netmaker/root.pem")
    194. 

  194. 	if err != nil {
    195. 

  195. 		logger.Log(2, "root ca not found ", err.Error())
    196. 

  196. 		return nil, nil, fmt.Errorf("root ca not found %w", err)
    197. 

  197. 	}
    198. 

  198. 	key, err := tls.ReadKey("/etc/netmaker/root.key")
    199. 

  199. 	if err != nil {
    200. 

  200. 		logger.Log(2, "root key not found ", err.Error())
    201. 

  201. 		return nil, nil, fmt.Errorf("root key not found %w", err)
    202. 

  202. 	}
    203. 

  203. 	csr, err := tls.NewCSR(*clientKey, *name)
    204. 

  204. 	if err != nil {
    205. 

  205. 		logger.Log(2, "failed to generate client certificate requests", err.Error())
    206. 

  206. 		return nil, nil, fmt.Errorf("client certification request generation failed %w", err)
    207. 

  207. 	}
    208. 

  208. 	cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY)
    209. 

  209. 	if err != nil {
    210. 

  210. 		logger.Log(2, "unable to generate client certificate", err.Error())
    211. 

  211. 		return nil, nil, fmt.Errorf("client certification generation failed %w", err)
    212. 

  212. 	}
    213. 

  213. 	return cert, ca, nil
    214. 

  214. }
    215. 

  215. 

  216. // genOpenSSLCerts generates a client certificate using calls to openssl and returns the certificate and root CA
    217. 

  217. func genOpenSSLCerts(key *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
    218. 

  218. 	if err := tls.SaveKey("/tmp/", "client.key", *key); err != nil {
    219. 

  219. 		return nil, nil, fmt.Errorf("failed to store client key %w", err)
    220. 

  220. 	}
    221. 

  221. 	cmd2 := fmt.Sprintf("openssl req -new -out /tmp/client.csr -key /tmp/client.key -subj /CN=%s", name.CommonName)
    222. 

  222. 	cmd3 := "openssl x509 -req -in /tmp/client.csr -days 365 -CA /etc/netmaker/root.pem -CAkey /etc/netmaker/root.key -CAcreateserial -out /tmp/client.pem"
    223. 

  223. 

  224. 	if _, err := ncutils.RunCmd(cmd2, true); err != nil {
    225. 

  225. 		return nil, nil, fmt.Errorf("client csr error %w", err)
    226. 

  226. 	}
    227. 

  227. 	if _, err := ncutils.RunCmd(cmd3, true); err != nil {
    228. 

  228. 		return nil, nil, fmt.Errorf("client cert error %w", err)
    229. 

  229. 	}
    230. 

  230. 	cert, err := tls.ReadCert("/tmp/client.pem")
    231. 

  231. 	if err != nil {
    232. 

  232. 		return nil, nil, fmt.Errorf("read client cert error %w", err)
    233. 

  233. 	}
    234. 

  234. 	ca, err := tls.ReadCert("/etc/netmaker/root.pem")
    235. 

  235. 	if err != nil {
    236. 

  236. 		return nil, nil, fmt.Errorf("read ca cert error %w", err)
    237. 

  237. 	}
    238. 

  238. 	return cert, ca, nil
    239. 

  239. }
    240.