netmaker/netclient/functions/join.go

package functions

import (
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"os/signal"
	"runtime"
	"strings"
	"syscall"

	"github.com/gorilla/websocket"
	"github.com/gravitl/netmaker/logger"
	"github.com/gravitl/netmaker/logic"
	"github.com/gravitl/netmaker/models"
	"github.com/gravitl/netmaker/models/promodels"
	"github.com/gravitl/netmaker/netclient/auth"
	"github.com/gravitl/netmaker/netclient/config"
	"github.com/gravitl/netmaker/netclient/daemon"
	"github.com/gravitl/netmaker/netclient/global_settings"
	"github.com/gravitl/netmaker/netclient/local"
	"github.com/gravitl/netmaker/netclient/ncutils"
	"github.com/gravitl/netmaker/netclient/wireguard"
	"golang.org/x/crypto/nacl/box"
	"golang.org/x/term"
	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)

// JoinViaSso - Handles the Single Sign-On flow on the end point VPN client side
// Contacts the server provided by the user (and thus specified in cfg.SsoServer)
// get the URL to authenticate with a provider and shows the user the URL.
// Then waits for user to authenticate with the URL.
// Upon user successful auth flow finished - server should return access token to the requested network
// Otherwise the error message is sent which can be displayed to the user
func JoinViaSSo(cfg *config.ClientConfig, privateKey string) error {

	// User must tell us which network he is joining
	if cfg.Node.Network == "" {
		return errors.New("no network provided")
	}

	// Prepare a channel for interrupt
	// Channel to listen for interrupt signal to terminate gracefully
	interrupt := make(chan os.Signal, 1)
	// Notify the interrupt channel for SIGINT
	signal.Notify(interrupt, os.Interrupt)

	// Web Socket is used, construct the URL accordingly ...
	socketUrl := fmt.Sprintf("wss://%s/api/oauth/node-handler", cfg.SsoServer)
	// Dial the netmaker server controller
	conn, _, err := websocket.DefaultDialer.Dial(socketUrl, nil)
	if err != nil {
		logger.Log(0, fmt.Sprintf("error connecting to %s : %s", cfg.Server.API, err.Error()))
		return err
	}
	// Don't forget to close when finished
	defer conn.Close()
	// Find and set node MacAddress
	if cfg.Node.MacAddress == "" {
		macs, err := ncutils.GetMacAddr()
		if err != nil {
			//if macaddress can't be found set to random string
			cfg.Node.MacAddress = ncutils.MakeRandomString(18)
		} else {
			cfg.Node.MacAddress = macs[0]
		}
	}

	var loginMsg promodels.LoginMsg
	loginMsg.Mac = cfg.Node.MacAddress
	loginMsg.Network = cfg.Node.Network
	if global_settings.User != "" {
		fmt.Printf("Continuing with user, %s.\nPlease input password:\n", global_settings.User)
		pass, err := term.ReadPassword(int(syscall.Stdin))
		if err != nil || string(pass) == "" {
			logger.FatalLog("no password provided, exiting")
		}
		loginMsg.User = global_settings.User
		loginMsg.Password = string(pass)
		fmt.Println("attempting login...")
	}

	msgTx, err := json.Marshal(loginMsg)
	if err != nil {
		logger.Log(0, fmt.Sprintf("failed to marshal message %+v", loginMsg))
		return err
	}
	err = conn.WriteMessage(websocket.TextMessage, []byte(msgTx))
	if err != nil {
		logger.FatalLog("Error during writing to websocket:", err.Error())
		return err
	}

	// if user provided, server will handle authentication
	if loginMsg.User == "" {
		// We are going to get instructions on how to authenticate
		// Wait to receive something from server
		_, msg, err := conn.ReadMessage()
		if err != nil {
			return err
		}
		// Print message from the netmaker controller to the user
		fmt.Printf("Please visit:\n %s \n to authenticate", string(msg))
	}

	// Now the user is authenticating and we need to block until received
	// An answer from the server.
	// Server waits ~5 min - If takes too long timeout will be triggered by the server
	done := make(chan struct{})
	defer close(done)
	// Following code will run in a separate go routine
	// it reads a message from the server which either contains 'AccessToken:' string or not
	// if not - then it contains an Error to display.
	// if yes - then AccessToken is to be used to proceed joining the network
	go func() {
		for {
			msgType, msg, err := conn.ReadMessage()
			if err != nil {
				if msgType < 0 {
					logger.Log(1, "received close message from server")
					done <- struct{}{}
					return
				}
				// Error reading a message from the server
				if !strings.Contains(err.Error(), "normal") {
					logger.Log(0, "read:", err.Error())
				}
				return
			}

			if msgType == websocket.CloseMessage {
				logger.Log(1, "received close message from server")
				done <- struct{}{}
				return
			}
			// Get the access token from the response
			if strings.Contains(string(msg), "AccessToken: ") {
				// Access was granted
				rxToken := strings.TrimPrefix(string(msg), "AccessToken: ")
				accesstoken, err := config.ParseAccessToken(rxToken)
				if err != nil {
					logger.Log(0, fmt.Sprintf("failed to parse received access token %s,err=%s\n", accesstoken, err.Error()))
					return
				}

				cfg.Network = accesstoken.ClientConfig.Network
				cfg.Node.Network = accesstoken.ClientConfig.Network
				cfg.AccessKey = accesstoken.ClientConfig.Key
				cfg.Node.LocalRange = accesstoken.ClientConfig.LocalRange
				//cfg.Server.Server = accesstoken.ServerConfig.Server
				cfg.Server.API = accesstoken.APIConnString
			} else {
				// Access was not granted. Display a message from the server
				logger.Log(0, "Message from server:", string(msg))
				cfg.AccessKey = ""
				return
			}
		}
	}()

	for {
		select {
		case <-done:
			logger.Log(1, "finished")
			return nil
		case <-interrupt:
			logger.Log(0, "interrupt received, closing connection")
			// Cleanly close the connection by sending a close message and then
			// waiting (with timeout) for the server to close the connection.
			err := conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
			if err != nil {
				logger.Log(0, "write close:", err.Error())
				return err
			}
			return nil
		}
	}
}

// JoinNetwork - helps a client join a network
func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
	if cfg.Node.Network == "" {
		return errors.New("no network provided")
	}

	var err error
	if local.HasNetwork(cfg.Network) {
		err := errors.New("ALREADY_INSTALLED. Netclient appears to already be installed for " + cfg.Network + ". To re-install, please remove by executing 'sudo netclient leave -n " + cfg.Network + "'. Then re-run the install command.")
		return err
	}

	err = config.Write(cfg, cfg.Network)
	if err != nil {
		return err
	}
	if cfg.Node.Password == "" {
		cfg.Node.Password = logic.GenPassWord()
	}
	//check if ListenPort was set on command line
	if cfg.Node.ListenPort != 0 {
		cfg.Node.UDPHolePunch = "no"
	}
	var trafficPubKey, trafficPrivKey, errT = box.GenerateKey(rand.Reader) // generate traffic keys
	if errT != nil {
		return errT
	}

	// == handle keys ==
	if err = auth.StoreSecret(cfg.Node.Password, cfg.Node.Network); err != nil {
		return err
	}

	if err = auth.StoreTrafficKey(trafficPrivKey, cfg.Node.Network); err != nil {
		return err
	}

	trafficPubKeyBytes, err := ncutils.ConvertKeyToBytes(trafficPubKey)
	if err != nil {
		return err
	} else if trafficPubKeyBytes == nil {
		return fmt.Errorf("traffic key is nil")
	}

	cfg.Node.TrafficKeys.Mine = trafficPubKeyBytes
	cfg.Node.TrafficKeys.Server = nil
	// == end handle keys ==

	if cfg.Node.LocalAddress == "" {
		intIP, err := getPrivateAddr()
		if err == nil {
			cfg.Node.LocalAddress = intIP
		} else {
			logger.Log(1, "network:", cfg.Network, "error retrieving private address: ", err.Error())
		}
	}

	// set endpoint if blank. set to local if local net, retrieve from function if not
	if cfg.Node.Endpoint == "" {
		if cfg.Node.IsLocal == "yes" && cfg.Node.LocalAddress != "" {
			cfg.Node.Endpoint = cfg.Node.LocalAddress
		} else {
			cfg.Node.Endpoint, err = ncutils.GetPublicIP(cfg.Server.API)
		}
		if err != nil || cfg.Node.Endpoint == "" {
			logger.Log(0, "network:", cfg.Network, "error setting cfg.Node.Endpoint.")
			return err
		}
	}
	// Generate and set public/private WireGuard Keys
	if privateKey == "" {
		wgPrivatekey, err := wgtypes.GeneratePrivateKey()
		if err != nil {
			log.Fatal(err)
		}
		privateKey = wgPrivatekey.String()
		cfg.Node.PublicKey = wgPrivatekey.PublicKey().String()
	}
	// Find and set node MacAddress
	if cfg.Node.MacAddress == "" {
		macs, err := ncutils.GetMacAddr()
		if err != nil || len(macs) == 0 {
			//if macaddress can't be found set to random string
			cfg.Node.MacAddress = ncutils.MakeRandomString(18)
		} else {
			cfg.Node.MacAddress = macs[0]
		}
	}

	if ncutils.IsFreeBSD() {
		cfg.Node.UDPHolePunch = "no"
		cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES // nftables not supported by FreeBSD
	}

	if cfg.Node.FirewallInUse == "" {
		if ncutils.IsNFTablesPresent() {
			cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
		} else if ncutils.IsIPTablesPresent() {
			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
		} else {
			cfg.Node.FirewallInUse = models.FIREWALL_NONE
		}
	}

	// make sure name is appropriate, if not, give blank name
	cfg.Node.Name = formatName(cfg.Node)
	cfg.Node.OS = runtime.GOOS
	cfg.Node.Version = ncutils.Version
	cfg.Node.AccessKey = cfg.AccessKey
	//not sure why this is needed ... setnode defaults should take care of this on server
	cfg.Node.IPForwarding = "yes"
	logger.Log(0, "joining "+cfg.Network+" at "+cfg.Server.API)
	url := "https://" + cfg.Server.API + "/api/nodes/" + cfg.Network
	response, err := API(cfg.Node, http.MethodPost, url, cfg.AccessKey)
	if err != nil {
		return fmt.Errorf("error creating node %w", err)
	}
	defer response.Body.Close()
	if response.StatusCode != http.StatusOK {
		bodybytes, _ := io.ReadAll(response.Body)
		return fmt.Errorf("error creating node %s %s", response.Status, string(bodybytes))
	}
	var nodeGET models.NodeGet
	if err := json.NewDecoder(response.Body).Decode(&nodeGET); err != nil {
		//not sure the next line will work as response.Body probably needs to be reset before it can be read again
		bodybytes, _ := io.ReadAll(response.Body)
		return fmt.Errorf("error decoding node from server %w %s", err, string(bodybytes))
	}
	node := nodeGET.Node
	if nodeGET.Peers == nil {
		nodeGET.Peers = []wgtypes.PeerConfig{}
	}

	// safety check. If returned node from server is local, but not currently configured as local, set to local addr
	if cfg.Node.IsLocal != "yes" && node.IsLocal == "yes" && node.LocalRange != "" {
		node.LocalAddress, err = ncutils.GetLocalIP(node.LocalRange)
		if err != nil {
			return err
		}
		node.Endpoint = node.LocalAddress
	}
	if ncutils.IsFreeBSD() {
		node.UDPHolePunch = "no"
		cfg.Node.IsStatic = "yes"
	}
	cfg.Server = nodeGET.ServerConfig

	err = wireguard.StorePrivKey(privateKey, cfg.Network)
	if err != nil {
		return err
	}
	if node.IsPending == "yes" {
		logger.Log(0, "network:", cfg.Network, "node is marked as PENDING.")
		logger.Log(0, "network:", cfg.Network, "awaiting approval from Admin before configuring WireGuard.")
		if cfg.Daemon != "off" {
			return daemon.InstallDaemon()
		}
	}
	logger.Log(1, "network:", cfg.Node.Network, "node created on remote server...updating configs")
	err = ncutils.ModPort(&node)
	if err != nil {
		return err
	}
	informPortChange(&node)

	err = config.ModNodeConfig(&node)
	if err != nil {
		return err
	}
	err = config.ModServerConfig(&cfg.Server, node.Network)
	if err != nil {
		return err
	}
	// attempt to make backup
	if err = config.SaveBackup(node.Network); err != nil {
		logger.Log(0, "network:", node.Network, "failed to make backup, node will not auto restore if config is corrupted")
	}

	local.SetNetmakerDomainRoute(cfg.Server.API)
	cfg.Node = node
	logger.Log(0, "starting wireguard")
	err = wireguard.InitWireguard(&node, privateKey, nodeGET.Peers[:])
	if err != nil {
		return err
	}
	if cfg.Server.Server == "" {
		return errors.New("did not receive broker address from registration")
	}
	if cfg.Daemon == "install" || ncutils.IsFreeBSD() {
		err = daemon.InstallDaemon()
		if err != nil {
			return err
		}
	}

	if err := daemon.Restart(); err != nil {
		logger.Log(3, "daemon restart failed:", err.Error())
		if err := daemon.Start(); err != nil {
			return err
		}
	}
	return nil
}

// format name appropriately. Set to blank on failure
func formatName(node models.Node) string {
	// Logic to properly format name
	if !node.NameInNodeCharSet() {
		node.Name = ncutils.DNSFormatString(node.Name)
	}
	if len(node.Name) > models.MAX_NAME_LENGTH {
		node.Name = ncutils.ShortenString(node.Name, models.MAX_NAME_LENGTH)
	}
	if !node.NameInNodeCharSet() || len(node.Name) > models.MAX_NAME_LENGTH {
		logger.Log(1, "network:", node.Network, "could not properly format name: "+node.Name)
		logger.Log(1, "network:", node.Network, "setting name to blank")
		node.Name = ""
	}
	return node.Name
}