Compare commits
7 Commits
2024.1.4-s
...
master
Author | SHA1 | Date | |
---|---|---|---|
51bdf4d015 | |||
635f170762 | |||
834f6346dd | |||
34adfb3e87 | |||
b28a87cc5d | |||
db06098fdd | |||
20c4bef161 |
11
Makefile
11
Makefile
@ -1,6 +1,8 @@
|
||||
SHELL := /bin/bash
|
||||
|
||||
test:
|
||||
test: go-test keygen-test
|
||||
|
||||
go-test:
|
||||
go clean -testcache
|
||||
go test -cover -v ./...
|
||||
|
||||
@ -36,6 +38,13 @@ gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release
|
||||
GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \
|
||||
tools/gitea-release/bin/gitea-release.sh
|
||||
|
||||
keygen-test: tools/bash_unit/bin/bash_unit
|
||||
tools/bash_unit/bin/bash_unit misc/bash_unit/keygen_test.sh
|
||||
|
||||
tools/bash_unit/bin/bash_unit:
|
||||
mkdir -p tools/bash_unit/bin
|
||||
cd tools/bash_unit/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
|
||||
|
||||
.PHONY: mktools
|
||||
mktools:
|
||||
rm -rf .mktools
|
||||
|
@ -5,11 +5,11 @@ import (
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
jwt "github.com/dgrijalva/jwt-go"
|
||||
"github.com/pkg/errors"
|
||||
|
||||
peering "forge.cadoles.com/Cadoles/go-http-peering"
|
||||
"forge.cadoles.com/Cadoles/go-http-peering/crypto"
|
||||
@ -52,7 +52,7 @@ func (c *Client) Advertise(attrs peering.PeerAttributes) error {
|
||||
case http.StatusConflict:
|
||||
return peering.ErrPeerExists
|
||||
default:
|
||||
return ErrUnexpectedResponse
|
||||
return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
@ -76,7 +76,7 @@ func (c *Client) UpdateAttributes(attrs peering.PeerAttributes) error {
|
||||
case http.StatusForbidden:
|
||||
return ErrRejected
|
||||
default:
|
||||
return ErrUnexpectedResponse
|
||||
return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
@ -96,7 +96,7 @@ func (c *Client) Ping() error {
|
||||
case http.StatusForbidden:
|
||||
return ErrRejected
|
||||
default:
|
||||
return ErrUnexpectedResponse
|
||||
return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6,6 +6,7 @@ import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"forge.cadoles.com/Cadoles/go-http-peering/crypto"
|
||||
@ -63,17 +64,17 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
|
||||
return privateKey, nil
|
||||
}
|
||||
|
||||
func loadToken() ([]byte, error) {
|
||||
func loadToken() (string, error) {
|
||||
if tokenFile == "" {
|
||||
return nil, errors.New("you must specify a token file to load")
|
||||
return "", errors.New("you must specify a token file to load")
|
||||
}
|
||||
|
||||
token, err := os.ReadFile(tokenFile)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
return token, nil
|
||||
return strings.TrimSpace(string(token)), nil
|
||||
}
|
||||
|
||||
func handleError(err error) {
|
||||
|
@ -24,7 +24,7 @@ func verifyToken() {
|
||||
return &privateKey.PublicKey, nil
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn)
|
||||
token, err := jwt.ParseWithClaims(rawToken, &peering.ServerTokenClaims{}, fn)
|
||||
if err != nil {
|
||||
validationError, ok := err.(*jwt.ValidationError)
|
||||
if ok {
|
||||
|
@ -53,21 +53,21 @@ func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKe
|
||||
}
|
||||
|
||||
func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
|
||||
if passphrase == nil {
|
||||
return nil, errors.New("passphrase cannot be empty")
|
||||
}
|
||||
|
||||
block := &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}
|
||||
|
||||
block, err := x509.EncryptPEMBlock(
|
||||
rand.Reader, block.Type,
|
||||
block.Bytes, passphrase, x509.PEMCipherAES256,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
if len(passphrase) != 0 {
|
||||
encryptedBlock, err := x509.EncryptPEMBlock(
|
||||
rand.Reader, block.Type,
|
||||
block.Bytes, passphrase, x509.PEMCipherAES256,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
block = encryptedBlock
|
||||
}
|
||||
|
||||
return pem.EncodeToMemory(block), nil
|
||||
|
49
misc/bash_unit/keygen_test.sh
Normal file
49
misc/bash_unit/keygen_test.sh
Normal file
@ -0,0 +1,49 @@
|
||||
#!/bin/bash
|
||||
|
||||
KEYGEN_BIN=${KEYGEN_BIN:-go run ../../cmd/keygen}
|
||||
|
||||
test_create_key_without_passphrase() {
|
||||
local workspace=$(mktemp -d)
|
||||
|
||||
# Generate a new private key without passphrase
|
||||
local key_path="${workspace}/private.key"
|
||||
KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
|
||||
}
|
||||
|
||||
test_create_key_with_passphrase() {
|
||||
local workspace=$(mktemp -d)
|
||||
|
||||
# Generate a new private key with passphrase
|
||||
local key_path="${workspace}/private.key"
|
||||
KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
|
||||
}
|
||||
|
||||
test_verify_token_without_passphrase() {
|
||||
local workspace=$(mktemp -d)
|
||||
|
||||
# Generate a new private key without passphrase
|
||||
local key_path="${workspace}/private.key"
|
||||
KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
|
||||
|
||||
# Generate a new token
|
||||
local token_path="${workspace}/token.jwt"
|
||||
KEY_PASSPHRASE= $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
|
||||
|
||||
# Verify token
|
||||
KEY_PASSPHRASE= $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}" 1>/dev/null
|
||||
}
|
||||
|
||||
test_verify_token_with_passphrase() {
|
||||
local workspace=$(mktemp -d)
|
||||
|
||||
# Generate a new private key with passphrase
|
||||
local key_path="${workspace}/private.key"
|
||||
KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
|
||||
|
||||
# Generate a new token
|
||||
local token_path="${workspace}/token.jwt"
|
||||
KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
|
||||
|
||||
# Verify token
|
||||
KEY_PASSPHRASE=foobar $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}" 1>/dev/null
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
FROM golang:1.19
|
||||
FROM reg.cadoles.com/proxy_cache/library/golang:1.21
|
||||
|
||||
RUN apt-get update && apt-get install -y make upx-ucl curl ca-certificates bash jq
|
||||
RUN apt-get update && apt-get install -y make curl ca-certificates bash jq
|
||||
|
||||
RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
|
||||
|
@ -3,12 +3,12 @@ package server
|
||||
import (
|
||||
"crypto/rsa"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
peering "forge.cadoles.com/Cadoles/go-http-peering"
|
||||
peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -34,7 +34,7 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
|
||||
|
||||
serverClaims, err := assertServerToken(key, serverToken)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.Wrapf(err, "could not validate token '%s'", serverToken))
|
||||
sendError(w, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
@ -43,54 +43,53 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
|
||||
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
if err := decoder.Decode(advertising); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
|
||||
return
|
||||
}
|
||||
|
||||
peer, err := store.Get(serverClaims.PeerID)
|
||||
|
||||
_, err = store.Get(serverClaims.PeerID)
|
||||
if err == nil {
|
||||
logger.Printf("[ERROR] %s", ErrPeerIDAlreadyInUse)
|
||||
logger.Printf("[WARN] %s", errors.WithStack(ErrPeerIDAlreadyInUse))
|
||||
options.ErrorHandler(w, r, ErrPeerIDAlreadyInUse)
|
||||
return
|
||||
}
|
||||
|
||||
if err != peering.ErrPeerNotFound {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
if !errors.Is(err, peering.ErrPeerNotFound) {
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
attrs := filterAttributes(options.PeerAttributes, advertising.Attributes)
|
||||
|
||||
peer, err = store.Create(serverClaims.PeerID, attrs)
|
||||
peer, err := store.Create(serverClaims.PeerID, attrs)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
@ -117,39 +116,39 @@ func UpdateHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
|
||||
|
||||
peerID, err := GetPeerID(r)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
peer, err := store.Get(peerID)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
if peer == nil {
|
||||
logger.Printf("[ERROR] %s", ErrUnauthorized)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
|
||||
options.ErrorHandler(w, r, ErrUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
if peer.Status == peering.StatusRejected {
|
||||
logger.Printf("[ERROR] %s", ErrPeerRejected)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
|
||||
options.ErrorHandler(w, r, ErrPeerRejected)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
attrs := filterAttributes(options.PeerAttributes, update.Attributes)
|
||||
if err := store.UpdateAttributes(peer.ID, attrs); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
@ -176,32 +175,32 @@ func PingHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
|
||||
|
||||
peerID, err := GetPeerID(r)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
peer, err := store.Get(peerID)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
if peer == nil {
|
||||
logger.Printf("[ERROR] %s", ErrUnauthorized)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
|
||||
options.ErrorHandler(w, r, ErrUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
if peer.Status == peering.StatusRejected {
|
||||
logger.Printf("[ERROR] %s", ErrPeerRejected)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
|
||||
options.ErrorHandler(w, r, ErrPeerRejected)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
options.ErrorHandler(w, r, err)
|
||||
return
|
||||
}
|
||||
|
@ -5,7 +5,6 @@ import (
|
||||
"context"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"errors"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
@ -15,6 +14,7 @@ import (
|
||||
|
||||
peering "forge.cadoles.com/Cadoles/go-http-peering"
|
||||
jwt "github.com/dgrijalva/jwt-go"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
||||
|
||||
serverClaims, err := assertServerToken(key, serverToken)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
sendError(w, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
||||
options.IgnoredClientTokenErrors...,
|
||||
)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
switch err {
|
||||
case peering.ErrPeerNotFound:
|
||||
sendError(w, http.StatusUnauthorized)
|
||||
case ErrNotPeered:
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
||||
return
|
||||
case ErrPeerRejected:
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
||||
|
||||
match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if !match {
|
||||
logger.Printf("[ERROR] %s", ErrInvalidChecksum)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(ErrInvalidChecksum))
|
||||
sendError(w, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", errors.WithStack(err))
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
@ -183,7 +183,7 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
|
||||
if ok {
|
||||
for _, c := range ignoredValidationErrors {
|
||||
if validationError.Errors&c != 0 {
|
||||
logger.Printf("ignoring token validation error: '%s'", validationError.Inner)
|
||||
logger.Printf("ignoring token validation error: '%+v'", errors.WithStack(validationError.Inner))
|
||||
return getPeeringClaims(token)
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user