feat(server): assert agent is accepted for api operations

feat(server): allow registering renewal for forgotten agents
feat(client): show response body on json parsing error
2024-03-04 19:03:17 +01:00 · 2024-03-04 18:52:19 +01:00 · 2024-03-04 18:51:36 +01:00 · 2024-03-04 09:09:44 +01:00 · 2024-03-03 18:40:56 +01:00
9 changed files with 113 additions and 27 deletions
--- a/internal/auth/agent/user.go
+++ b/internal/auth/agent/user.go
@ -1,6 +1,7 @@
 package agent
 import (
 	"encoding/json"
 	"fmt"
 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
@ -29,4 +30,18 @@ func (u *User) Agent() *datastore.Agent {
 	return u.agent
 }
 func (u *User) MarshalJSON() ([]byte, error) {
 	type user struct {
 		Subject string `json:"subject"`
 		Tenant  string `json:"tenant"`
 	}
 	jsonUser := user{
 		Subject: u.Subject(),
 		Tenant:  string(u.Tenant()),
 	}
 	return json.Marshal(jsonUser)
 }
 var _ auth.User = &User{}
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -64,16 +64,16 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			}
 			if user == nil {
-				isUnauthorized, isUnauthenticated, isUnknown := checkErrors(errs)
+				hasUnauthorized, hasUnauthenticated, hasUnknown := checkErrors(errs)
 				switch {
-				case isUnauthorized && !isUnknown:
+				case hasUnauthorized && !hasUnknown:
 					api.ErrorResponse(w, http.StatusForbidden, api.ErrCodeForbidden, nil)
 					return
-				case isUnauthenticated && !isUnknown:
+				case hasUnauthenticated && !hasUnknown:
-					api.ErrorResponse(w, http.StatusForbidden, api.ErrCodeForbidden, nil)
+					api.ErrorResponse(w, http.StatusUnauthorized, api.ErrCodeUnauthorized, nil)
 					return
-				case isUnknown:
+				case hasUnknown:
 					api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil)
 					return
 				default:
@ -101,10 +101,8 @@ func checkErrors(errs []error) (isUnauthorized bool, isUnauthenticated bool, isU
 		switch {
 		case errors.Is(e, ErrUnauthorized):
 			isUnauthorized = true
 			continue
 		case errors.Is(e, ErrUnauthenticated):
 			isUnauthenticated = true
 			continue
 		default:
 			isUnknown = true
 		}
--- a/internal/auth/user/user.go
+++ b/internal/auth/user/user.go
@ -1,6 +1,8 @@
 package user
 import (
 	"encoding/json"
 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
 	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
 )
@ -39,4 +41,20 @@ func (u *User) Role() Role {
 	return u.role
 }
 func (u *User) MarshalJSON() ([]byte, error) {
 	type user struct {
 		Subject string `json:"subject"`
 		Tenant  string `json:"tenant"`
 		Role    string `json:"role"`
 	}
 	jsonUser := user{
 		Subject: u.Subject(),
 		Tenant:  string(u.Tenant()),
 		Role:    string(u.Role()),
 	}
 	return json.Marshal(jsonUser)
 }
 var _ auth.User = &User{}
--- a/internal/server/api/authorization.go
+++ b/internal/server/api/authorization.go
@ -183,7 +183,7 @@ func assertMatchingAgent() assertAgent {
 		}
 		agent := u.Agent()
-		if agent != nil && agent.ID == agentID {
+		if agent != nil && agent.ID == agentID && agent.Status == datastore.AgentStatusAccepted {
 			return true
 		}
--- a/internal/server/api/get_session.go
+++ b/internal/server/api/get_session.go
@ -0,0 +1,35 @@
 package api
 import (
 	"net/http"
 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
 	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
 )
 func (m *Mount) getSession(w http.ResponseWriter, r *http.Request) {
 	user, ok := assertRequestUser(w, r)
 	if !ok {
 		return
 	}
 	ctx := r.Context()
 	tenant, err := m.tenantRepo.Get(ctx, user.Tenant())
 	if err != nil && !errors.Is(err, datastore.ErrNotFound) {
 		err = errors.WithStack(err)
 		logger.Error(ctx, "could not retrieve user tenant", logger.CapturedE(err))
 		api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil)
 	}
 	api.DataResponse(w, http.StatusOK, struct {
 		User   auth.User         `json:"user"`
 		Tenant *datastore.Tenant `json:"tenant"`
 	}{
 		User:   user,
 		Tenant: tenant,
 	})
 }
--- a/internal/server/api/mount.go
+++ b/internal/server/api/mount.go
@ -23,6 +23,8 @@ func (m *Mount) Mount(r chi.Router) {
 	r.Group(func(r chi.Router) {
 		r.Use(auth.Middleware(m.authenticators...))
 		r.Get("/session", m.getSession)
 		r.Route("/agents", func(r chi.Router) {
 			r.With(assertUserWithWriteAccess).Post("/claim", m.claimAgent)
--- a/internal/server/api/register_agent.go
+++ b/internal/server/api/register_agent.go
@ -50,8 +50,8 @@ func (m *Mount) registerAgent(w http.ResponseWriter, r *http.Request) {
 	}
 	if !validSignature {
-		logger.Warn(ctx, "conflicting signature", logger.F("signature", registerAgentReq.Signature))
+		logger.Warn(ctx, "invalid thumbprint signature", logger.F("signature", registerAgentReq.Signature))
-		api.ErrorResponse(w, http.StatusConflict, ErrCodeConflict, nil)
+		api.ErrorResponse(w, http.StatusBadRequest, api.ErrCodeInvalidRequest, nil)
 		return
 	}
@ -109,6 +109,7 @@ func (m *Mount) registerAgent(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		if agent.Status != datastore.AgentStatusForgotten {
 			validSignature, err = jwk.Verify(agent.KeySet.Set, registerAgentReq.Signature, registerAgentReq.Thumbprint, registerAgentReq.Metadata)
 			if err != nil {
 				err = errors.WithStack(err)
@ -121,17 +122,26 @@ func (m *Mount) registerAgent(w http.ResponseWriter, r *http.Request) {
 			if !validSignature {
 				logger.Error(ctx, "invalid signature")
-			api.ErrorResponse(w, http.StatusBadRequest, api.ErrCodeInvalidRequest, nil)
+				api.ErrorResponse(w, http.StatusConflict, ErrCodeConflict, nil)
 				return
 			}
 		}
 		updates := []datastore.AgentUpdateOptionFunc{
 			datastore.WithAgentUpdateKeySet(keySet),
 			datastore.WithAgentUpdateMetadata(metadata),
 			datastore.WithAgentUpdateThumbprint(registerAgentReq.Thumbprint),
 		}
 		if agent.Status == datastore.AgentStatusForgotten {
 			updates = append(updates, datastore.WithAgentUpdateStatus(datastore.AgentStatusPending))
 		}
 		agent, err = m.agentRepo.Update(
 			ctx,
 			agents[0].ID,
-			datastore.WithAgentUpdateKeySet(keySet),
+			updates...,
 			datastore.WithAgentUpdateMetadata(metadata),
 			datastore.WithAgentUpdateThumbprint(registerAgentReq.Thumbprint),
 		)
 		if err != nil {
 			err = errors.WithStack(err)
--- a/migrations/sqlite/0000003_tenant.up.sql
+++ b/migrations/sqlite/0000003_tenant.up.sql
@ -1,3 +1,5 @@
 PRAGMA foreign_keys = 0;
 CREATE TABLE tenants (
    id TEXT PRIMARY KEY,
    label TEXT NOT NULL,
@ -50,3 +52,5 @@ CREATE TABLE specs
 INSERT INTO specs SELECT id, agent_id, name, revision, data, created_at, updated_at, 0 FROM _specs;
 DROP TABLE _specs;
 PRAGMA foreign_keys = 1;
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"github.com/pkg/errors"
@ -95,12 +96,15 @@ func (c *Client) apiDo(ctx context.Context, method string, path string, payload
 	defer res.Body.Close()
-	decoder := json.NewDecoder(res.Body)
+	data, err := io.ReadAll(res.Body)
-
+	if err != nil {
 	if err := decoder.Decode(&response); err != nil {
 		return errors.WithStack(err)
 	}
 	if err := json.Unmarshal(data, &response); err != nil {
 		return errors.Wrapf(err, "could not parse json: got '%s'", data)
 	}
 	return nil
 }
Author	SHA1	Message	Date
William Petit	0b34b485da	feat(server): assert agent is accepted for api operations All checks were successful arcad/emissary/pipeline/head This commit looks good Details	2024-03-04 19:03:17 +01:00
William Petit	ab08d30d2a	feat(server): allow registering renewal for forgotten agents All checks were successful arcad/emissary/pipeline/head This commit looks good Details	2024-03-04 18:52:19 +01:00
William Petit	f6ffb68c43	feat(client): show response body on json parsing error Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2024-03-04 18:51:36 +01:00
William Petit	4a1a434556	fix(migrations): disable foreign keys for migrating tenants All checks were successful arcad/emissary/pipeline/head This commit looks good Details	2024-03-04 09:09:44 +01:00
William Petit	76718722cc	feat(server): add /api/v1/session endpoint All checks were successful arcad/emissary/pipeline/head This commit looks good Details	2024-03-03 18:40:56 +01:00