Compare commits
	
		
			21 Commits
		
	
	
		
			fbb2381b
			...
			2024.1.5-s
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| db06098fdd | |||
| 20c4bef161 | |||
| e8e484a7ff | |||
| 72f6073e47 | |||
| 1bf8d755ed | |||
| ced46bf6eb | |||
| cf8f026574 | |||
| 891cfa7540 | |||
| d38f0be312 | |||
| 5be381d2b7 | |||
| 7cff0e3f91 | |||
| f872a68906 | |||
| 6257330dd3 | |||
| 9c26b79769 | |||
| 932aa46a18 | |||
| b826f7de2d | |||
| 3c44e82b65 | |||
| e6643cba6b | |||
| e7072ccdb3 | |||
| 5f3f508329 | |||
| dab91eea29 | 
							
								
								
									
										2
									
								
								.env.dist
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								.env.dist
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | GPG_SIGNING_KEY= | ||||||
|  | ARCH_TARGETS='amd64 arm arm64 386' | ||||||
							
								
								
									
										4
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										4
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -3,3 +3,7 @@ | |||||||
| /bin | /bin | ||||||
| /testdata | /testdata | ||||||
| /release | /release | ||||||
|  | /out | ||||||
|  | /.mktools | ||||||
|  | /tools | ||||||
|  | /.env | ||||||
							
								
								
									
										37
									
								
								Jenkinsfile
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										37
									
								
								Jenkinsfile
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,37 @@ | |||||||
|  | @Library('cadoles') _ | ||||||
|  |  | ||||||
|  | pipeline { | ||||||
|  |     agent { | ||||||
|  |         dockerfile { | ||||||
|  |             filename 'Dockerfile' | ||||||
|  |             dir 'misc/ci' | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     stages { | ||||||
|  |         stage('Lint') { | ||||||
|  |             steps { | ||||||
|  |                 script { | ||||||
|  |                     catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') { | ||||||
|  |                         sh 'make lint' | ||||||
|  |                     } | ||||||
|  |                 } | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |         stage('Test') { | ||||||
|  |             steps { | ||||||
|  |                 script { | ||||||
|  |                     sh 'make test' | ||||||
|  |                 } | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     post { | ||||||
|  |         always { | ||||||
|  |             script { | ||||||
|  |                 cleanWs() | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | } | ||||||
							
								
								
									
										50
									
								
								Makefile
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								Makefile
									
									
									
									
									
								
							| @@ -1,35 +1,47 @@ | |||||||
|  | SHELL := /bin/bash | ||||||
|  |  | ||||||
| test: | test: | ||||||
| 	go clean -testcache | 	go clean -testcache | ||||||
| 	go test -cover -v ./... | 	go test -cover -v ./... | ||||||
|  |  | ||||||
| watch: | watch: | ||||||
| 	modd	 | 	go run -mod=readonly github.com/cortesi/modd/cmd/modd@latest | ||||||
|  |  | ||||||
| release: | release: tidy .env | ||||||
| 	script/release | 	( set -o allexport && source .env && set +o allexport && script/release ) | ||||||
|  |  | ||||||
| deps: | .env: | ||||||
| 	GO111MODULE=off go get -u golang.org/x/tools/cmd/godoc | 	cp .env.dist .env | ||||||
| 	GO111MODULE=off go get -u github.com/cortesi/modd/cmd/modd |  | ||||||
| 	GO111MODULE=off go get -u github.com/golangci/golangci-lint/cmd/golangci-lint |  | ||||||
| 	GO111MODULE=off go get -u github.com/lmika/goseq |  | ||||||
|  |  | ||||||
| tidy: | tidy: | ||||||
| 	go mod tidy | 	go mod tidy | ||||||
|  |  | ||||||
| lint: | lint: | ||||||
| 	golangci-lint run --tests=false --enable-all | 	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.49.0 run --tests=false --enable-all | ||||||
|  |  | ||||||
| sequence-diagram: sd-advertise sd-update sd-ping |  | ||||||
|  |  | ||||||
| sd-%: |  | ||||||
| 	goseq doc/sequence-diagram/$*.seq > doc/sequence-diagram/$*.svg |  | ||||||
|  |  | ||||||
| doc: |  | ||||||
| 	@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/wpetit/go-http-peering to see the documentation" |  | ||||||
| 	godoc -http=:6060 |  | ||||||
|  |  | ||||||
| bin/keygen: | bin/keygen: | ||||||
| 	go build -o bin/keygen ./cmd/keygen | 	CGO_ENABLED=0 go build -o bin/keygen ./cmd/keygen | ||||||
|  |  | ||||||
| .PHONY: test lint doc sequence-diagram bin/keygen release | .PHONY: test lint doc sequence-diagram bin/keygen release | ||||||
|  |  | ||||||
|  | gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release | ||||||
|  | 	GITEA_RELEASE_PROJECT="go-http-peering" \ | ||||||
|  | 		GITEA_RELEASE_ORG="Cadoles" \ | ||||||
|  | 		GITEA_RELEASE_BASE_URL="https://forge.cadoles.com" \ | ||||||
|  | 		GITEA_RELEASE_VERSION="$(MKT_PROJECT_VERSION)" \ | ||||||
|  | 		GITEA_RELEASE_NAME="$(MKT_PROJECT_VERSION)" \ | ||||||
|  | 		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \ | ||||||
|  | 		GITEA_RELEASE_IS_DRAFT="false" \ | ||||||
|  | 		GITEA_RELEASE_BODY="" \ | ||||||
|  | 		GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \ | ||||||
|  | 		tools/gitea-release/bin/gitea-release.sh | ||||||
|  |  | ||||||
|  | .PHONY: mktools | ||||||
|  | mktools: | ||||||
|  | 	rm -rf .mktools | ||||||
|  | 	curl -k -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL) | ||||||
|  |  | ||||||
|  | .mktools: | ||||||
|  | 	$(MAKE) mktools | ||||||
|  |  | ||||||
|  | -include .mktools/*.mk | ||||||
							
								
								
									
										10
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								README.md
									
									
									
									
									
								
							| @@ -2,23 +2,21 @@ | |||||||
|  |  | ||||||
| Librairie implémentant un protocole d'authentification par "appairage" d'un serveur et client HTTP basé sur [JWT](https://jwt.io/). | Librairie implémentant un protocole d'authentification par "appairage" d'un serveur et client HTTP basé sur [JWT](https://jwt.io/). | ||||||
|  |  | ||||||
| [Documentation](https://godoc.org/forge.cadoles.com/wpetit/go-http-peering) | [Documentation](https://godoc.org/forge.cadoles.com/Cadoles/go-http-peering) | ||||||
|  |  | ||||||
| ## Séquences | ## Séquences | ||||||
|  |  | ||||||
| ### Annonce du client | ### Annonce du client | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ### Mise à jour des attributs | ### Mise à jour des attributs | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ### Ping | ### Ping | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| **Statut** Instable |  | ||||||
|  |  | ||||||
| ## Licence | ## Licence | ||||||
|  |  | ||||||
|   | |||||||
| @@ -3,8 +3,8 @@ package chi | |||||||
| import ( | import ( | ||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/server" | 	"forge.cadoles.com/Cadoles/go-http-peering/server" | ||||||
| 	"github.com/go-chi/chi" | 	"github.com/go-chi/chi" | ||||||
| ) | ) | ||||||
|  |  | ||||||
|   | |||||||
| @@ -3,9 +3,9 @@ package chi | |||||||
| import ( | import ( | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/memory" | 	"forge.cadoles.com/Cadoles/go-http-peering/memory" | ||||||
| 	"github.com/go-chi/chi" | 	"github.com/go-chi/chi" | ||||||
| ) | ) | ||||||
|  |  | ||||||
|   | |||||||
| @@ -9,11 +9,11 @@ import ( | |||||||
| 	"net/http" | 	"net/http" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	"github.com/dgrijalva/jwt-go" | 	jwt "github.com/dgrijalva/jwt-go" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/server" | 	"forge.cadoles.com/Cadoles/go-http-peering/server" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| @@ -153,8 +153,8 @@ func (c *Client) addClientToken(r *http.Request, body []byte) error { | |||||||
|  |  | ||||||
| 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ClientTokenClaims{ | 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ClientTokenClaims{ | ||||||
| 		StandardClaims: jwt.StandardClaims{ | 		StandardClaims: jwt.StandardClaims{ | ||||||
| 			NotBefore: time.Now().Unix(), | 			NotBefore: time.Now().Add(time.Minute * -1).Unix(), | ||||||
| 			ExpiresAt: time.Now().Add(time.Minute * 10).Unix(), | 			ExpiresAt: time.Now().Add(time.Minute * 5).Unix(), | ||||||
| 		}, | 		}, | ||||||
| 		BodySum: bodySum, | 		BodySum: bodySum, | ||||||
| 	}) | 	}) | ||||||
|   | |||||||
| @@ -5,9 +5,9 @@ import ( | |||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestClientPeerID(t *testing.T) { | func TestClientPeerID(t *testing.T) { | ||||||
|   | |||||||
| @@ -3,21 +3,22 @@ package main | |||||||
| import ( | import ( | ||||||
| 	"fmt" | 	"fmt" | ||||||
|  |  | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func createKey() { | func createKey() { | ||||||
| 	passphrase, err := getPassphrase() | 	passphrase, err := getPassphrase() | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	key, err := crypto.CreateRSAKey(keySize) | 	key, err := crypto.CreateRSAKey(keySize) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	privatePEM, err := crypto.EncodePrivateKeyToEncryptedPEM(key, passphrase) | 	privatePEM, err := crypto.EncodePrivateKeyToEncryptedPEM(key, passphrase) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	fmt.Print(string(privatePEM)) | 	fmt.Print(string(privatePEM)) | ||||||
| } | } | ||||||
|   | |||||||
| @@ -3,19 +3,20 @@ package main | |||||||
| import ( | import ( | ||||||
| 	"fmt" | 	"fmt" | ||||||
|  |  | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func createToken() { | func createToken() { | ||||||
| 	privateKey, err := loadPrivateKey() | 	privateKey, err := loadPrivateKey() | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	token, err := crypto.CreateServerToken(privateKey, tokenIssuer, peering.PeerID(tokenPeerID)) | 	token, err := crypto.CreateServerToken(privateKey, tokenIssuer, peering.PeerID(tokenPeerID)) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	fmt.Println(token) | 	fmt.Println(token) | ||||||
| } | } | ||||||
|   | |||||||
| @@ -3,17 +3,18 @@ package main | |||||||
| import ( | import ( | ||||||
| 	"fmt" | 	"fmt" | ||||||
|  |  | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func getPublicKey() { | func getPublicKey() { | ||||||
| 	privateKey, err := loadPrivateKey() | 	privateKey, err := loadPrivateKey() | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	publicPEM, err := crypto.EncodePublicKeyToPEM(privateKey.Public()) | 	publicPEM, err := crypto.EncodePublicKeyToPEM(privateKey.Public()) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		handleError(err) | 		handleError(errors.WithStack(err)) | ||||||
| 	} | 	} | ||||||
| 	fmt.Print(string(publicPEM)) | 	fmt.Print(string(publicPEM)) | ||||||
| } | } | ||||||
|   | |||||||
| @@ -11,8 +11,10 @@ var ( | |||||||
| 	createKeyCmd    = false | 	createKeyCmd    = false | ||||||
| 	getPublicKeyCmd = false | 	getPublicKeyCmd = false | ||||||
| 	createTokenCmd  = false | 	createTokenCmd  = false | ||||||
|  | 	verifyTokenCmd  = false | ||||||
| 	debug           = false | 	debug           = false | ||||||
| 	keyFile         string | 	keyFile         string | ||||||
|  | 	tokenFile       string | ||||||
| 	tokenIssuer     string | 	tokenIssuer     string | ||||||
| 	tokenPeerID     = uuid.New() | 	tokenPeerID     = uuid.New() | ||||||
| 	keySize         = 2048 | 	keySize         = 2048 | ||||||
| @@ -28,12 +30,17 @@ func init() { | |||||||
| 		&createTokenCmd, "create-token", createTokenCmd, | 		&createTokenCmd, "create-token", createTokenCmd, | ||||||
| 		"Create a new signed authentication token", | 		"Create a new signed authentication token", | ||||||
| 	) | 	) | ||||||
|  | 	flag.BoolVar( | ||||||
|  | 		&verifyTokenCmd, "verify-token", verifyTokenCmd, | ||||||
|  | 		"Verify a token generated with the given key", | ||||||
|  | 	) | ||||||
| 	flag.BoolVar( | 	flag.BoolVar( | ||||||
| 		&getPublicKeyCmd, "get-public-key", getPublicKeyCmd, | 		&getPublicKeyCmd, "get-public-key", getPublicKeyCmd, | ||||||
| 		"Get the PEM encoded public key associated with the private key", | 		"Get the PEM encoded public key associated with the private key", | ||||||
| 	) | 	) | ||||||
| 	flag.BoolVar(&debug, "debug", debug, "Debug mode") | 	flag.BoolVar(&debug, "debug", debug, "Debug mode") | ||||||
| 	flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key") | 	flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key") | ||||||
|  | 	flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify") | ||||||
| 	flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer") | 	flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer") | ||||||
| 	flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID") | 	flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID") | ||||||
| 	flag.IntVar(&keySize, "key-size", keySize, "Size of the private key") | 	flag.IntVar(&keySize, "key-size", keySize, "Size of the private key") | ||||||
| @@ -48,6 +55,8 @@ func main() { | |||||||
| 		getPublicKey() | 		getPublicKey() | ||||||
| 	case createTokenCmd: | 	case createTokenCmd: | ||||||
| 		createToken() | 		createToken() | ||||||
|  | 	case verifyTokenCmd: | ||||||
|  | 		verifyToken() | ||||||
| 	default: | 	default: | ||||||
| 		flag.Usage() | 		flag.Usage() | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -2,17 +2,14 @@ package main | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"bytes" | 	"bytes" | ||||||
| 	"crypto/rand" |  | ||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"crypto/x509" |  | ||||||
| 	"encoding/pem" |  | ||||||
| 	"errors" |  | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
| 	"os" | 	"os" | ||||||
| 	"syscall" | 	"syscall" | ||||||
|  |  | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
|  |  | ||||||
| 	"golang.org/x/crypto/ssh/terminal" | 	"golang.org/x/crypto/ssh/terminal" | ||||||
| ) | ) | ||||||
| @@ -29,14 +26,14 @@ func askPassphrase() ([]byte, error) { | |||||||
| 	fmt.Print("Passphrase: ") | 	fmt.Print("Passphrase: ") | ||||||
| 	passphrase, err := terminal.ReadPassword(syscall.Stdin) | 	passphrase, err := terminal.ReadPassword(syscall.Stdin) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	fmt.Println() | 	fmt.Println() | ||||||
|  |  | ||||||
| 	fmt.Print("Confirm passphrase: ") | 	fmt.Print("Confirm passphrase: ") | ||||||
| 	passphraseConfirmation, err := terminal.ReadPassword(syscall.Stdin) | 	passphraseConfirmation, err := terminal.ReadPassword(syscall.Stdin) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	fmt.Println() | 	fmt.Println() | ||||||
|  |  | ||||||
| @@ -47,50 +44,43 @@ func askPassphrase() ([]byte, error) { | |||||||
| 	return passphrase, nil | 	return passphrase, nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) { |  | ||||||
|  |  | ||||||
| 	if passphrase == nil { |  | ||||||
| 		return nil, errors.New("passphrase cannot be empty") |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	// Convert it to pem |  | ||||||
| 	block := &pem.Block{ |  | ||||||
| 		Type:  "RSA PRIVATE KEY", |  | ||||||
| 		Bytes: x509.MarshalPKCS1PrivateKey(key), |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	return pem.EncodeToMemory(block), nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func loadPrivateKey() (*rsa.PrivateKey, error) { | func loadPrivateKey() (*rsa.PrivateKey, error) { | ||||||
| 	if keyFile == "" { | 	if keyFile == "" { | ||||||
| 		return nil, errors.New("you must specify a key file to load") | 		return nil, errors.New("you must specify a key file to load") | ||||||
| 	} | 	} | ||||||
| 	pem, err := ioutil.ReadFile(keyFile) | 	pem, err := ioutil.ReadFile(keyFile) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	passphrase, err := getPassphrase() | 	passphrase, err := getPassphrase() | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	privateKey, err := crypto.DecodePEMEncryptedPrivateKey(pem, passphrase) | 	privateKey, err := crypto.DecodePEMEncryptedPrivateKey(pem, passphrase) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	return privateKey, nil | 	return privateKey, nil | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func loadToken() ([]byte, error) { | ||||||
|  | 	if tokenFile == "" { | ||||||
|  | 		return nil, errors.New("you must specify a token file to load") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	token, err := os.ReadFile(tokenFile) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, errors.WithStack(err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return token, nil | ||||||
|  | } | ||||||
|  |  | ||||||
| func handleError(err error) { | func handleError(err error) { | ||||||
| 	if !debug { | 	if !debug { | ||||||
| 		fmt.Println(err) | 		fmt.Printf("%+v\n", errors.WithStack(err)) | ||||||
| 	} else { | 	} else { | ||||||
| 		panic(err) | 		panic(fmt.Sprintf("%+v", errors.WithStack(err))) | ||||||
| 	} | 	} | ||||||
| 	os.Exit(1) | 	os.Exit(1) | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										55
									
								
								cmd/keygen/verify_token.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										55
									
								
								cmd/keygen/verify_token.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,55 @@ | |||||||
|  | package main | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"encoding/json" | ||||||
|  | 	"fmt" | ||||||
|  |  | ||||||
|  | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
|  | 	"github.com/dgrijalva/jwt-go" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func verifyToken() { | ||||||
|  | 	rawToken, err := loadToken() | ||||||
|  | 	if err != nil { | ||||||
|  | 		handleError(errors.WithStack(err)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	privateKey, err := loadPrivateKey() | ||||||
|  | 	if err != nil { | ||||||
|  | 		handleError(errors.WithStack(err)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	fn := func(token *jwt.Token) (interface{}, error) { | ||||||
|  | 		return &privateKey.PublicKey, nil | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn) | ||||||
|  | 	if err != nil { | ||||||
|  | 		validationError, ok := err.(*jwt.ValidationError) | ||||||
|  | 		if ok { | ||||||
|  | 			handleError(errors.WithStack(validationError.Inner)) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		handleError(errors.WithStack(err)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if !token.Valid { | ||||||
|  | 		handleError(errors.New("token is invalid")) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	claims, ok := token.Claims.(*peering.ServerTokenClaims) | ||||||
|  | 	if !ok { | ||||||
|  | 		handleError(errors.New("unexpected token claims")) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	data, err := json.MarshalIndent(claims, "", "  ") | ||||||
|  | 	if err != nil { | ||||||
|  | 		handleError(errors.WithStack(err)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	fmt.Println("Token OK.") | ||||||
|  | 	fmt.Println("Claims:") | ||||||
|  | 	fmt.Println(string(data)) | ||||||
|  |  | ||||||
|  | } | ||||||
| @@ -6,15 +6,16 @@ import ( | |||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"crypto/x509" | 	"crypto/x509" | ||||||
| 	"encoding/pem" | 	"encoding/pem" | ||||||
| 	"errors" |  | ||||||
|  |  | ||||||
| 	jwt "github.com/dgrijalva/jwt-go" | 	jwt "github.com/dgrijalva/jwt-go" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
|  | 	"golang.org/x/crypto/ssh" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func EncodePublicKeyToPEM(key crypto.PublicKey) ([]byte, error) { | func EncodePublicKeyToPEM(key crypto.PublicKey) ([]byte, error) { | ||||||
| 	pub, err := x509.MarshalPKIXPublicKey(key) | 	pub, err := x509.MarshalPKIXPublicKey(key) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	data := pem.EncodeToMemory(&pem.Block{ | 	data := pem.EncodeToMemory(&pem.Block{ | ||||||
| 		Type:  "PUBLIC KEY", | 		Type:  "PUBLIC KEY", | ||||||
| @@ -28,27 +29,23 @@ func DecodePEMToPublicKey(pem []byte) (crypto.PublicKey, error) { | |||||||
| } | } | ||||||
|  |  | ||||||
| func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKey, error) { | func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKey, error) { | ||||||
| 	var err error | 	var ( | ||||||
|  | 		rawKey interface{} | ||||||
|  | 		err    error | ||||||
|  | 	) | ||||||
|  |  | ||||||
| 	// Parse PEM block | 	if len(passphrase) == 0 { | ||||||
| 	var block *pem.Block | 		rawKey, err = ssh.ParseRawPrivateKey(key) | ||||||
| 	if block, _ = pem.Decode(key); block == nil { | 	} else { | ||||||
| 		return nil, errors.New("invalid PEM block") | 		rawKey, err = ssh.ParseRawPrivateKeyWithPassphrase(key, passphrase) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	decryptedBlock, err := x509.DecryptPEMBlock(block, passphrase) |  | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	var parsedKey interface{} |  | ||||||
| 	if parsedKey, err = x509.ParsePKCS1PrivateKey(decryptedBlock); err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	var privateKey *rsa.PrivateKey | 	var privateKey *rsa.PrivateKey | ||||||
| 	var ok bool | 	var ok bool | ||||||
| 	if privateKey, ok = parsedKey.(*rsa.PrivateKey); !ok { | 	if privateKey, ok = rawKey.(*rsa.PrivateKey); !ok { | ||||||
| 		return nil, errors.New("invalid RSA private key") | 		return nil, errors.New("invalid RSA private key") | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -56,21 +53,21 @@ func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKe | |||||||
| } | } | ||||||
|  |  | ||||||
| func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) { | func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) { | ||||||
| 	if passphrase == nil { |  | ||||||
| 		return nil, errors.New("passphrase cannot be empty") |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	block := &pem.Block{ | 	block := &pem.Block{ | ||||||
| 		Type:  "RSA PRIVATE KEY", | 		Type:  "RSA PRIVATE KEY", | ||||||
| 		Bytes: x509.MarshalPKCS1PrivateKey(key), | 		Bytes: x509.MarshalPKCS1PrivateKey(key), | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	block, err := x509.EncryptPEMBlock( | 	if len(passphrase) != 0 { | ||||||
|  | 		encryptedBlock, err := x509.EncryptPEMBlock( | ||||||
| 			rand.Reader, block.Type, | 			rand.Reader, block.Type, | ||||||
| 			block.Bytes, passphrase, x509.PEMCipherAES256, | 			block.Bytes, passphrase, x509.PEMCipherAES256, | ||||||
| 		) | 		) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 		return nil, err | 			return nil, errors.WithStack(err) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		block = encryptedBlock | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	return pem.EncodeToMemory(block), nil | 	return pem.EncodeToMemory(block), nil | ||||||
|   | |||||||
| @@ -5,15 +5,16 @@ import ( | |||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
|  |  | ||||||
| 	jwt "github.com/dgrijalva/jwt-go" | 	jwt "github.com/dgrijalva/jwt-go" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func CreateRSAKey(bits int) (*rsa.PrivateKey, error) { | func CreateRSAKey(bits int) (*rsa.PrivateKey, error) { | ||||||
| 	key, err := rsa.GenerateKey(rand.Reader, bits) | 	key, err := rsa.GenerateKey(rand.Reader, bits) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	return key, nil | 	return key, nil | ||||||
| } | } | ||||||
| @@ -28,7 +29,7 @@ func CreateServerToken(privateKey *rsa.PrivateKey, issuer string, peerID peering | |||||||
| 	}) | 	}) | ||||||
| 	tokenStr, err := token.SignedString(privateKey) | 	tokenStr, err := token.SignedString(privateKey) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return "", err | 		return "", errors.WithStack(err) | ||||||
| 	} | 	} | ||||||
| 	return tokenStr, nil | 	return tokenStr, nil | ||||||
| } | } | ||||||
|   | |||||||
| @@ -1,2 +0,0 @@ | |||||||
| Client -> Server: POST /advertise\nX-Server-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> } |  | ||||||
| Server -> Client: 201 Created |  | ||||||
| @@ -1,36 +0,0 @@ | |||||||
| <?xml version="1.0"?> |  | ||||||
| <!-- Generated by SVGo --> |  | ||||||
| <svg width="589" height="212" |  | ||||||
|      xmlns="http://www.w3.org/2000/svg" |  | ||||||
|      xmlns:xlink="http://www.w3.org/1999/xlink"> |  | ||||||
| <defs> |  | ||||||
| <style> |  | ||||||
| @font-face { |  | ||||||
|   font-family: 'DejaVuSans'; |  | ||||||
|   src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype'); |  | ||||||
|   font-weight: normal; |  | ||||||
|   font-style: normal; |  | ||||||
| } |  | ||||||
| </style> |  | ||||||
| </defs> |  | ||||||
| <line x1="45" y1="24" x2="45" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <rect x="8" y="172" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <line x1="539" y1="24" x2="539" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="497" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="513" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="497" y="172" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="513" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="61" y="56" width="462" height="62" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="237" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /advertise</text> |  | ||||||
| <text x="184" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: <JWT_TOKEN></text> |  | ||||||
| <text x="61" y="116" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> }</text> |  | ||||||
| <line x1="45" y1="122" x2="539" y2="122" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="530,117 539,122 530,127" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="249" y="138" width="87" height="14" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="249" y="150" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >201 Created</text> |  | ||||||
| <line x1="539" y1="156" x2="45" y2="156" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="54,151 45,156 54,161" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| </svg> |  | ||||||
| Before Width: | Height: | Size: 2.4 KiB | 
							
								
								
									
										15
									
								
								doc/sequence-diagram/advertising.plantuml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										15
									
								
								doc/sequence-diagram/advertising.plantuml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,15 @@ | |||||||
|  | @startuml | ||||||
|  | Client -> Server: POST /advertise\nX-Server-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> } | ||||||
|  | Server -> Server: Validate server token | ||||||
|  | alt Success | ||||||
|  |     Server -> Server: Create peer with public key and attributes | ||||||
|  |     Server -> Server: Update last contact for peer ID | ||||||
|  |     Server -> Client: 201 Created | ||||||
|  | else Invalid server token | ||||||
|  |     Server -> Client: 401 Unauthorized | ||||||
|  | else Malformed advertising request | ||||||
|  |     Server -> Client: 400 Bad request | ||||||
|  | else Unexpected error | ||||||
|  |     Server -> Client: 500 Server error | ||||||
|  | end | ||||||
|  | @enduml | ||||||
							
								
								
									
										
											BIN
										
									
								
								doc/sequence-diagram/advertising.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/sequence-diagram/advertising.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 24 KiB | 
							
								
								
									
										17
									
								
								doc/sequence-diagram/ping.plantuml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								doc/sequence-diagram/ping.plantuml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | |||||||
|  | @startuml | ||||||
|  | Client -> Server: POST /ping\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN> | ||||||
|  | Server -> Server: Validate client/server tokens | ||||||
|  | alt Success | ||||||
|  |     Server -> Server: Update last contact for peer ID | ||||||
|  |     Server -> Client: 204 No Content | ||||||
|  | else Invalid client or server token | ||||||
|  |     Server -> Client: 400 Bad request | ||||||
|  | else Peer not found | ||||||
|  |     Server -> Client: 401 Unauthorized | ||||||
|  | else Peer rejected | ||||||
|  |     Server -> Client: 403 Forbidden | ||||||
|  | else Unexpected error | ||||||
|  |     Server -> Client: 500 Server error | ||||||
|  | end | ||||||
|  |  | ||||||
|  | @enduml | ||||||
							
								
								
									
										
											BIN
										
									
								
								doc/sequence-diagram/ping.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/sequence-diagram/ping.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 19 KiB | 
| @@ -1,2 +0,0 @@ | |||||||
| Client -> Server: POST /ping\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN> |  | ||||||
| Server -> Client: 204 No Content |  | ||||||
| @@ -1,36 +0,0 @@ | |||||||
| <?xml version="1.0"?> |  | ||||||
| <!-- Generated by SVGo --> |  | ||||||
| <svg width="343" height="196" |  | ||||||
|      xmlns="http://www.w3.org/2000/svg" |  | ||||||
|      xmlns:xlink="http://www.w3.org/1999/xlink"> |  | ||||||
| <defs> |  | ||||||
| <style> |  | ||||||
| @font-face { |  | ||||||
|   font-family: 'DejaVuSans'; |  | ||||||
|   src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype'); |  | ||||||
|   font-weight: normal; |  | ||||||
|   font-style: normal; |  | ||||||
| } |  | ||||||
| </style> |  | ||||||
| </defs> |  | ||||||
| <line x1="45" y1="24" x2="45" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <rect x="8" y="156" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <line x1="293" y1="24" x2="293" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="251" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="267" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="251" y="156" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="267" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="61" y="56" width="216" height="46" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="130" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /ping</text> |  | ||||||
| <text x="61" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: <JWT_TOKEN></text> |  | ||||||
| <text x="63" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: <JWT_TOKEN></text> |  | ||||||
| <line x1="45" y1="106" x2="293" y2="106" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="284,101 293,106 284,111" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="114" y="122" width="111" height="14" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="114" y="134" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text> |  | ||||||
| <line x1="293" y1="140" x2="45" y2="140" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="54,135 45,140 54,145" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| </svg> |  | ||||||
| Before Width: | Height: | Size: 2.4 KiB | 
							
								
								
									
										19
									
								
								doc/sequence-diagram/update.plantuml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								doc/sequence-diagram/update.plantuml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | |||||||
|  | @startuml | ||||||
|  | Client -> Server: POST /update\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>} | ||||||
|  | Server -> Server: Validate client/server tokens | ||||||
|  | alt Success | ||||||
|  |     Server -> Server: Save attributes | ||||||
|  |     Server -> Server: Update last contact for peer ID | ||||||
|  |     Server -> Client: 200 OK {""} | ||||||
|  | else Invalid client or server token | ||||||
|  |     Server -> Client: 400 Bad request | ||||||
|  | else Malformed update request | ||||||
|  |     Server -> Client: 400 Bad request | ||||||
|  | else Peer not found | ||||||
|  |     Server -> Client: 401 Unauthorized | ||||||
|  | else Peer rejected | ||||||
|  |     Server -> Client: 403 Forbidden | ||||||
|  | else Unexpected error | ||||||
|  |     Server -> Client: 500 Server error | ||||||
|  | end | ||||||
|  | @enduml | ||||||
							
								
								
									
										
											BIN
										
									
								
								doc/sequence-diagram/update.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								doc/sequence-diagram/update.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 25 KiB | 
| @@ -1,2 +0,0 @@ | |||||||
| Client -> Server: POST /update\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>} |  | ||||||
| Server -> Client: 204 No Content |  | ||||||
| @@ -1,37 +0,0 @@ | |||||||
| <?xml version="1.0"?> |  | ||||||
| <!-- Generated by SVGo --> |  | ||||||
| <svg width="386" height="228" |  | ||||||
|      xmlns="http://www.w3.org/2000/svg" |  | ||||||
|      xmlns:xlink="http://www.w3.org/1999/xlink"> |  | ||||||
| <defs> |  | ||||||
| <style> |  | ||||||
| @font-face { |  | ||||||
|   font-family: 'DejaVuSans'; |  | ||||||
|   src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype'); |  | ||||||
|   font-weight: normal; |  | ||||||
|   font-style: normal; |  | ||||||
| } |  | ||||||
| </style> |  | ||||||
| </defs> |  | ||||||
| <line x1="45" y1="24" x2="45" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <rect x="8" y="188" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="24" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text> |  | ||||||
| <line x1="336" y1="24" x2="336" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="294" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="310" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="294" y="188" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" /> |  | ||||||
| <text x="310" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text> |  | ||||||
| <rect x="61" y="56" width="259" height="78" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="142" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /update</text> |  | ||||||
| <text x="82" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: <JWT_TOKEN></text> |  | ||||||
| <text x="84" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: <JWT_TOKEN></text> |  | ||||||
| <text x="61" y="132" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{"Attributes": <PEER_ATTRIBUTES>}</text> |  | ||||||
| <line x1="45" y1="138" x2="336" y2="138" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="327,133 336,138 327,143" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| <rect x="136" y="154" width="111" height="14" style="fill:white;stroke:white;" /> |  | ||||||
| <text x="136" y="166" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text> |  | ||||||
| <line x1="336" y1="172" x2="45" y2="172" style="stroke:black;stroke-width:2px;" /> |  | ||||||
| <polyline points="54,167 45,172 54,177" style="fill:black;stroke-width:2px;stroke:black;" /> |  | ||||||
| </svg> |  | ||||||
| Before Width: | Height: | Size: 2.5 KiB | 
							
								
								
									
										15
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										15
									
								
								go.mod
									
									
									
									
									
								
							| @@ -1,10 +1,17 @@ | |||||||
| module forge.cadoles.com/wpetit/go-http-peering | module forge.cadoles.com/Cadoles/go-http-peering | ||||||
|  |  | ||||||
| require ( | require ( | ||||||
| 	github.com/davecgh/go-spew v1.1.1 |  | ||||||
| 	github.com/dgrijalva/jwt-go v3.2.0+incompatible | 	github.com/dgrijalva/jwt-go v3.2.0+incompatible | ||||||
| 	github.com/go-chi/chi v3.3.3+incompatible | 	github.com/go-chi/chi v3.3.3+incompatible | ||||||
| 	github.com/pborman/uuid v1.2.0 | 	github.com/pborman/uuid v1.2.0 | ||||||
| 	golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 | 	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 | ||||||
| 	golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 // indirect |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
|  | require ( | ||||||
|  | 	github.com/google/uuid v1.0.0 // indirect | ||||||
|  | 	github.com/pkg/errors v0.9.1 | ||||||
|  | 	golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 // indirect | ||||||
|  | 	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | go 1.18 | ||||||
|   | |||||||
							
								
								
									
										14
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								go.sum
									
									
									
									
									
								
							| @@ -1,5 +1,3 @@ | |||||||
| github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= |  | ||||||
| github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= |  | ||||||
| github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= | github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= | ||||||
| github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= | github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= | ||||||
| github.com/go-chi/chi v3.3.3+incompatible h1:KHkmBEMNkwKuK4FdQL7N2wOeB9jnIx7jR5wsuSBEFI8= | github.com/go-chi/chi v3.3.3+incompatible h1:KHkmBEMNkwKuK4FdQL7N2wOeB9jnIx7jR5wsuSBEFI8= | ||||||
| @@ -8,7 +6,11 @@ github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA= | |||||||
| github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||||||
| github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= | github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= | ||||||
| github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= | github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= | ||||||
| golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo= | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | ||||||
| golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||||||
| golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8= | golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM= | ||||||
| golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= | ||||||
|  | golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 h1:v6hYoSR9T5oet+pMXwUWkbiVqx/63mlHjefrHmxwfeY= | ||||||
|  | golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||||||
|  | golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 h1:Q5284mrmYTpACcm+eAKjKJH48BBwSyfJqmmGDTtT8Vc= | ||||||
|  | golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ import ( | |||||||
| 	"sync" | 	"sync" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| type Store struct { | type Store struct { | ||||||
|   | |||||||
							
								
								
									
										5
									
								
								misc/ci/Dockerfile
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								misc/ci/Dockerfile
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,5 @@ | |||||||
|  | FROM golang:1.19 | ||||||
|  |  | ||||||
|  | RUN apt-get update && apt-get install -y make upx-ucl curl ca-certificates bash jq | ||||||
|  |  | ||||||
|  | RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash | ||||||
| @@ -3,7 +3,3 @@ | |||||||
|     prep: make test |     prep: make test | ||||||
|     prep: make bin/keygen |     prep: make bin/keygen | ||||||
| } | } | ||||||
|  |  | ||||||
| doc/sequence-diagram/*.seq { |  | ||||||
|     prep: make sequence-diagram |  | ||||||
| } |  | ||||||
| @@ -3,7 +3,9 @@ | |||||||
| set -eo pipefail | set -eo pipefail | ||||||
|  |  | ||||||
| OS_TARGETS=(linux) | OS_TARGETS=(linux) | ||||||
| ARCH_TARGETS=${ARCH_TARGETS:-amd64} | ARCH_TARGETS=${ARCH_TARGETS:-amd64 mipsle} | ||||||
|  |  | ||||||
|  | export GOMIPS=softfloat | ||||||
|  |  | ||||||
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" | ||||||
|  |  | ||||||
| @@ -29,10 +31,16 @@ function build { | |||||||
|     -o "$destdir/$name" \ |     -o "$destdir/$name" \ | ||||||
|     "$srcdir" |     "$srcdir" | ||||||
|  |  | ||||||
|   if [ ! -z "$(which upx)" ]; then |   # Disable UPX compression for MIPS archs | ||||||
|  |   # See https://github.com/upx/upx/issues/339 | ||||||
|  |   if [ ! -z "$(which upx)" ] && [[ ! "$arch" =~ "mips" ]]; then | ||||||
|     upx --best "$destdir/$name" |     upx --best "$destdir/$name" | ||||||
|   fi |   fi | ||||||
|  |  | ||||||
|  |   if [ ! -z "${GPG_SIGNING_KEY}" ]; then | ||||||
|  |     echo "signing '$destdir/$name' with gpg key '$GPG_SIGNING_KEY'..." | ||||||
|  |     gpg --sign --default-key "${GPG_SIGNING_KEY}" --armor --detach-sign --output "$destdir/$name.sig" "$destdir/$name" | ||||||
|  |   fi | ||||||
| } | } | ||||||
|  |  | ||||||
| function copy { | function copy { | ||||||
|   | |||||||
| @@ -3,12 +3,12 @@ package server | |||||||
| import ( | import ( | ||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"encoding/json" | 	"encoding/json" | ||||||
| 	"errors" |  | ||||||
| 	"net/http" | 	"net/http" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| @@ -34,7 +34,7 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu | |||||||
|  |  | ||||||
| 		serverClaims, err := assertServerToken(key, serverToken) | 		serverClaims, err := assertServerToken(key, serverToken) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			sendError(w, http.StatusUnauthorized) | 			sendError(w, http.StatusUnauthorized) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
| @@ -43,27 +43,26 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu | |||||||
|  |  | ||||||
| 		decoder := json.NewDecoder(r.Body) | 		decoder := json.NewDecoder(r.Body) | ||||||
| 		if err := decoder.Decode(advertising); err != nil { | 		if err := decoder.Decode(advertising); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest) | 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil { | 		if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest) | 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		peer, err := store.Get(serverClaims.PeerID) | 		peer, err := store.Get(serverClaims.PeerID) | ||||||
|  |  | ||||||
| 		if err == nil { | 		if err == nil { | ||||||
| 			logger.Printf("[ERROR] %s", ErrPeerIDAlreadyInUse) | 			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerIDAlreadyInUse)) | ||||||
| 			options.ErrorHandler(w, r, ErrPeerIDAlreadyInUse) | 			options.ErrorHandler(w, r, ErrPeerIDAlreadyInUse) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err != peering.ErrPeerNotFound { | 		if err != peering.ErrPeerNotFound { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
| @@ -72,25 +71,25 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu | |||||||
|  |  | ||||||
| 		peer, err = store.Create(serverClaims.PeerID, attrs) | 		peer, err = store.Create(serverClaims.PeerID, attrs) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil { | 		if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
| @@ -117,39 +116,39 @@ func UpdateHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc { | |||||||
|  |  | ||||||
| 		peerID, err := GetPeerID(r) | 		peerID, err := GetPeerID(r) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		peer, err := store.Get(peerID) | 		peer, err := store.Get(peerID) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if peer == nil { | 		if peer == nil { | ||||||
| 			logger.Printf("[ERROR] %s", ErrUnauthorized) | 			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized)) | ||||||
| 			options.ErrorHandler(w, r, ErrUnauthorized) | 			options.ErrorHandler(w, r, ErrUnauthorized) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if peer.Status == peering.StatusRejected { | 		if peer.Status == peering.StatusRejected { | ||||||
| 			logger.Printf("[ERROR] %s", ErrPeerRejected) | 			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected)) | ||||||
| 			options.ErrorHandler(w, r, ErrPeerRejected) | 			options.ErrorHandler(w, r, ErrPeerRejected) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		attrs := filterAttributes(options.PeerAttributes, update.Attributes) | 		attrs := filterAttributes(options.PeerAttributes, update.Attributes) | ||||||
| 		if err := store.UpdateAttributes(peer.ID, attrs); err != nil { | 		if err := store.UpdateAttributes(peer.ID, attrs); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
| @@ -176,32 +175,32 @@ func PingHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc { | |||||||
|  |  | ||||||
| 		peerID, err := GetPeerID(r) | 		peerID, err := GetPeerID(r) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		peer, err := store.Get(peerID) | 		peer, err := store.Get(peerID) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if peer == nil { | 		if peer == nil { | ||||||
| 			logger.Printf("[ERROR] %s", ErrUnauthorized) | 			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized)) | ||||||
| 			options.ErrorHandler(w, r, ErrUnauthorized) | 			options.ErrorHandler(w, r, ErrUnauthorized) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if peer.Status == peering.StatusRejected { | 		if peer.Status == peering.StatusRejected { | ||||||
| 			logger.Printf("[ERROR] %s", ErrPeerRejected) | 			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected)) | ||||||
| 			options.ErrorHandler(w, r, ErrPeerRejected) | 			options.ErrorHandler(w, r, ErrPeerRejected) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 			logger.Printf("[ERROR] %s", err) | 			logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 			options.ErrorHandler(w, r, err) | 			options.ErrorHandler(w, r, err) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|   | |||||||
| @@ -5,17 +5,16 @@ import ( | |||||||
| 	"context" | 	"context" | ||||||
| 	"crypto/rsa" | 	"crypto/rsa" | ||||||
| 	"crypto/sha256" | 	"crypto/sha256" | ||||||
| 	"errors" |  | ||||||
| 	"io" | 	"io" | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
|  | 	"net/http" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	jwt "github.com/dgrijalva/jwt-go" | 	jwt "github.com/dgrijalva/jwt-go" | ||||||
|  | 	"github.com/pkg/errors" | ||||||
| 	"net/http" |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
| const ( | const ( | ||||||
| @@ -38,7 +37,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc) | |||||||
|  |  | ||||||
| 	middleware := func(next http.Handler) http.Handler { | 	middleware := func(next http.Handler) http.Handler { | ||||||
| 		fn := func(w http.ResponseWriter, r *http.Request) { | 		fn := func(w http.ResponseWriter, r *http.Request) { | ||||||
|  |  | ||||||
| 			serverToken := r.Header.Get(ServerTokenHeader) | 			serverToken := r.Header.Get(ServerTokenHeader) | ||||||
| 			if serverToken == "" { | 			if serverToken == "" { | ||||||
| 				sendError(w, http.StatusUnauthorized) | 				sendError(w, http.StatusUnauthorized) | ||||||
| @@ -53,52 +51,60 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc) | |||||||
|  |  | ||||||
| 			serverClaims, err := assertServerToken(key, serverToken) | 			serverClaims, err := assertServerToken(key, serverToken) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				logger.Printf("[ERROR] %s", err) | 				logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 				sendError(w, http.StatusUnauthorized) | 				sendError(w, http.StatusUnauthorized) | ||||||
| 				return | 				return | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 			clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken) | 			clientClaims, err := assertClientToken( | ||||||
|  | 				serverClaims.PeerID, | ||||||
|  | 				store, | ||||||
|  | 				clientToken, | ||||||
|  | 				logger, | ||||||
|  | 				options.IgnoredClientTokenErrors..., | ||||||
|  | 			) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				logger.Printf("[ERROR] %s", err) | 				logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 				switch err { | 				switch err { | ||||||
| 				case peering.ErrPeerNotFound: | 				case peering.ErrPeerNotFound: | ||||||
| 					sendError(w, http.StatusUnauthorized) | 					sendError(w, http.StatusUnauthorized) | ||||||
| 				case ErrNotPeered: | 				case ErrNotPeered: | ||||||
| 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 						logger.Printf("[ERROR] %s", err) | 						logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 						sendError(w, http.StatusInternalServerError) | 						sendError(w, http.StatusInternalServerError) | ||||||
| 						return | 						return | ||||||
| 					} | 					} | ||||||
| 					sendError(w, http.StatusUnauthorized) | 					sendError(w, http.StatusUnauthorized) | ||||||
|  | 					return | ||||||
| 				case ErrPeerRejected: | 				case ErrPeerRejected: | ||||||
| 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 						logger.Printf("[ERROR] %s", err) | 						logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 						sendError(w, http.StatusInternalServerError) | 						sendError(w, http.StatusInternalServerError) | ||||||
| 						return | 						return | ||||||
| 					} | 					} | ||||||
| 					sendError(w, http.StatusForbidden) | 					sendError(w, http.StatusForbidden) | ||||||
|  | 					return | ||||||
| 				default: | 				default: | ||||||
| 					sendError(w, http.StatusInternalServerError) | 					sendError(w, http.StatusInternalServerError) | ||||||
| 				} |  | ||||||
| 					return | 					return | ||||||
| 				} | 				} | ||||||
|  | 			} | ||||||
|  |  | ||||||
| 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum) | 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				logger.Printf("[ERROR] %s", err) | 				logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 				sendError(w, http.StatusInternalServerError) | 				sendError(w, http.StatusInternalServerError) | ||||||
| 				return | 				return | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 			if !match { | 			if !match { | ||||||
| 				logger.Printf("[ERROR] %s", ErrInvalidChecksum) | 				logger.Printf("[ERROR] %+v", errors.WithStack(ErrInvalidChecksum)) | ||||||
| 				sendError(w, http.StatusBadRequest) | 				sendError(w, http.StatusBadRequest) | ||||||
| 				return | 				return | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 			if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | 			if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { | ||||||
| 				logger.Printf("[ERROR] %s", err) | 				logger.Printf("[ERROR] %+v", errors.WithStack(err)) | ||||||
| 				sendError(w, http.StatusInternalServerError) | 				sendError(w, http.StatusInternalServerError) | ||||||
| 				return | 				return | ||||||
| 			} | 			} | ||||||
| @@ -108,7 +114,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc) | |||||||
| 			r.Body = ioutil.NopCloser(bytes.NewBuffer(body)) | 			r.Body = ioutil.NopCloser(bytes.NewBuffer(body)) | ||||||
|  |  | ||||||
| 			next.ServeHTTP(w, r) | 			next.ServeHTTP(w, r) | ||||||
|  |  | ||||||
| 		} | 		} | ||||||
| 		return http.HandlerFunc(fn) | 		return http.HandlerFunc(fn) | ||||||
| 	} | 	} | ||||||
| @@ -145,7 +150,7 @@ func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerT | |||||||
| 	return claims, nil | 	return claims, nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) { | func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string, logger Logger, ignoredValidationErrors ...uint32) (*peering.ClientTokenClaims, error) { | ||||||
| 	fn := func(token *jwt.Token) (interface{}, error) { | 	fn := func(token *jwt.Token) (interface{}, error) { | ||||||
| 		peer, err := store.Get(peerID) | 		peer, err := store.Get(peerID) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| @@ -163,17 +168,8 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s | |||||||
| 		} | 		} | ||||||
| 		return publicKey, nil | 		return publicKey, nil | ||||||
| 	} | 	} | ||||||
| 	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn) |  | ||||||
| 	if err != nil { | 	getPeeringClaims := func(token *jwt.Token) (*peering.ClientTokenClaims, error) { | ||||||
| 		validationError, ok := err.(*jwt.ValidationError) |  | ||||||
| 		if ok { |  | ||||||
| 			return nil, validationError.Inner |  | ||||||
| 		} |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	if !token.Valid { |  | ||||||
| 		return nil, ErrInvalidClaims |  | ||||||
| 	} |  | ||||||
| 		claims, ok := token.Claims.(*peering.ClientTokenClaims) | 		claims, ok := token.Claims.(*peering.ClientTokenClaims) | ||||||
| 		if !ok { | 		if !ok { | ||||||
| 			return nil, ErrInvalidClaims | 			return nil, ErrInvalidClaims | ||||||
| @@ -181,6 +177,28 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s | |||||||
| 		return claims, nil | 		return claims, nil | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|  | 	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn) | ||||||
|  | 	if err != nil { | ||||||
|  | 		validationError, ok := err.(*jwt.ValidationError) | ||||||
|  | 		if ok { | ||||||
|  | 			for _, c := range ignoredValidationErrors { | ||||||
|  | 				if validationError.Errors&c != 0 { | ||||||
|  | 					logger.Printf("ignoring token validation error: '%+v'", errors.WithStack(validationError.Inner)) | ||||||
|  | 					return getPeeringClaims(token) | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			return nil, validationError.Inner | ||||||
|  | 		} | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if !token.Valid { | ||||||
|  | 		return nil, ErrInvalidClaims | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return getPeeringClaims(token) | ||||||
|  | } | ||||||
|  |  | ||||||
| func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) { | func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) { | ||||||
| 	body, err := ioutil.ReadAll(rc) | 	body, err := ioutil.ReadAll(rc) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| @@ -200,6 +218,15 @@ func sendError(w http.ResponseWriter, status int) { | |||||||
| 	http.Error(w, http.StatusText(status), status) | 	http.Error(w, http.StatusText(status), status) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func filterIgnoredValidationError(err *jwt.ValidationError, ignored ...uint32) error { | ||||||
|  | 	for _, c := range ignored { | ||||||
|  | 		if err.Errors&c != 0 { | ||||||
|  | 			return nil | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	return err | ||||||
|  | } | ||||||
|  |  | ||||||
| func compareChecksum(body []byte, sum []byte) (bool, error) { | func compareChecksum(body []byte, sum []byte) (bool, error) { | ||||||
| 	sha := sha256.New() | 	sha := sha256.New() | ||||||
| 	_, err := sha.Write(body) | 	_, err := sha.Write(body) | ||||||
|   | |||||||
| @@ -14,6 +14,7 @@ type Options struct { | |||||||
| 	PeerAttributes           []string | 	PeerAttributes           []string | ||||||
| 	ErrorHandler             ErrorHandler | 	ErrorHandler             ErrorHandler | ||||||
| 	Logger                   Logger | 	Logger                   Logger | ||||||
|  | 	IgnoredClientTokenErrors []uint32 | ||||||
| } | } | ||||||
|  |  | ||||||
| type OptionFunc func(*Options) | type OptionFunc func(*Options) | ||||||
| @@ -38,12 +39,19 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc { | |||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func WithIgnoredClientTokenErrors(codes ...uint32) OptionFunc { | ||||||
|  | 	return func(options *Options) { | ||||||
|  | 		options.IgnoredClientTokenErrors = codes | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
| func defaultOptions() *Options { | func defaultOptions() *Options { | ||||||
| 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile) | 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile) | ||||||
| 	return &Options{ | 	return &Options{ | ||||||
| 		PeerAttributes:           []string{"Label"}, | 		PeerAttributes:           []string{"Label"}, | ||||||
| 		ErrorHandler:             DefaultErrorHandler, | 		ErrorHandler:             DefaultErrorHandler, | ||||||
| 		Logger:                   logger, | 		Logger:                   logger, | ||||||
|  | 		IgnoredClientTokenErrors: make([]uint32, 0), | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -5,13 +5,13 @@ import ( | |||||||
| 	"testing" | 	"testing" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/client" | 	"forge.cadoles.com/Cadoles/go-http-peering/client" | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/memory" | 	"forge.cadoles.com/Cadoles/go-http-peering/memory" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/server" | 	"forge.cadoles.com/Cadoles/go-http-peering/server" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestAdvertise(t *testing.T) { | func TestAdvertise(t *testing.T) { | ||||||
|   | |||||||
| @@ -3,11 +3,11 @@ package test | |||||||
| import ( | import ( | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/client" | 	"forge.cadoles.com/Cadoles/go-http-peering/client" | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/memory" | 	"forge.cadoles.com/Cadoles/go-http-peering/memory" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/server" | 	"forge.cadoles.com/Cadoles/go-http-peering/server" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestPing(t *testing.T) { | func TestPing(t *testing.T) { | ||||||
|   | |||||||
| @@ -5,12 +5,12 @@ import ( | |||||||
| 	"testing" | 	"testing" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| 	peering "forge.cadoles.com/wpetit/go-http-peering" | 	peering "forge.cadoles.com/Cadoles/go-http-peering" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/client" | 	"forge.cadoles.com/Cadoles/go-http-peering/client" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/crypto" | 	"forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto" | 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/memory" | 	"forge.cadoles.com/Cadoles/go-http-peering/memory" | ||||||
| 	"forge.cadoles.com/wpetit/go-http-peering/server" | 	"forge.cadoles.com/Cadoles/go-http-peering/server" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestUpdate(t *testing.T) { | func TestUpdate(t *testing.T) { | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user