chore: update default packaging configuration

feat: authenticate users and agents requests
2023-03-08 17:30:31 +01:00 · 2023-03-08 17:24:12 +01:00
17 changed files with 168 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,4 +8,5 @@ dist/
 /.gitea-release
 /agent-key.json
 /apps
-/server-key.json
+/server-key.json
+/.emissary-token
--- a/5
+++ b/5
@ -137,4 +137,7 @@ gitea-release: tools/gitea-release/bin/gitea-release.sh goreleaser
 tools/gitea-release/bin/gitea-release.sh:
 	mkdir -p tools/gitea-release/bin
 	curl --output tools/gitea-release/bin/gitea-release.sh https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/gitea/gitea-release.sh
-	chmod +x tools/gitea-release/bin/gitea-release.sh
+	chmod +x tools/gitea-release/bin/gitea-release.sh
+
+.emissary-token:
+	$(MAKE) run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server auth create-token > .emissary-token"
--- a/go.mod
+++ b/go.mod
@ -36,6 +36,7 @@ require (
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/mdns v1.0.5 // indirect
 	github.com/igm/sockjs-go/v3 v3.0.2 // indirect
+	github.com/lithammer/shortuuid/v4 v4.0.0 // indirect
 	github.com/miekg/dns v1.1.51 // indirect
 	github.com/oklog/ulid/v2 v2.1.0 // indirect
 	github.com/orcaman/concurrent-map v1.0.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -913,6 +913,8 @@ github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
+github.com/lithammer/shortuuid/v4 v4.0.0 h1:QRbbVkfgNippHOS8PXDkti4NaWeyYfcBTHtw7k08o4c=
+github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQI3lv67aw4KiB1Y=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
--- a/internal/auth/agent/user.go
+++ b/internal/auth/agent/user.go
@ -13,7 +13,7 @@ type User struct {

 // Subject implements auth.User
 func (u *User) Subject() string {
-	return fmt.Sprintf("agent#%d", u.agent.ID)
+	return fmt.Sprintf("agent-%d", u.agent.ID)
 }

 func (u *User) Agent() *datastore.Agent {
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -71,6 +71,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 				return
 			}

+			ctx = logger.With(ctx, logger.F("user", user.Subject()))
 			ctx = context.WithValue(ctx, contextKeyUser, user)

 			h.ServeHTTP(w, r.WithContext(ctx))
--- a/internal/auth/user/jwt.go
+++ b/internal/auth/user/jwt.go
@ -27,9 +27,17 @@ func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken strin
 	return token, nil
 }

-func GenerateToken(ctx context.Context, key jwk.Key, role Role) (string, error) {
+func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, role Role) (string, error) {
 	token := jwt.New()

+	if err := token.Set(jwt.SubjectKey, subject); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	if err := token.Set(jwt.IssuerKey, issuer); err != nil {
+		return "", errors.WithStack(err)
+	}
+
 	if err := token.Set(keyRole, role); err != nil {
 		return "", errors.WithStack(err)
 	}
--- a/internal/command/agent/run.go
+++ b/internal/command/agent/run.go
@ -17,7 +17,6 @@ import (
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
 	"forge.cadoles.com/Cadoles/emissary/internal/machineid"
 	"github.com/pkg/errors"
-	_ "github.com/santhosh-tekuri/jsonschema/v5/httploader"
 	"github.com/urfave/cli/v2"
 	"gitlab.com/wpetit/goweb/logger"
 )
--- a/internal/command/client/agent/get.go
+++ b/internal/command/client/agent/get.go
@ -20,12 +20,17 @@ func GetCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)

+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
 			}

-			client := client.New(baseFlags.ServerURL)
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))

 			agent, err := client.GetAgent(ctx.Context, agentID)
 			if err != nil {
--- a/internal/command/client/agent/query.go
+++ b/internal/command/client/agent/query.go
@ -18,7 +18,13 @@ func QueryCommand() *cli.Command {
 		Flags: clientFlag.ComposeFlags(),
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
-			client := client.New(baseFlags.ServerURL)
+
+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))

 			agents, _, err := client.QueryAgents(ctx.Context)
 			if err != nil {
--- a/internal/command/client/agent/update.go
+++ b/internal/command/client/agent/update.go
@ -26,6 +26,11 @@ func UpdateCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)

+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
@ -38,7 +43,7 @@ func UpdateCommand() *cli.Command {
 				options = append(options, client.WithAgentStatus(status))
 			}

-			client := client.New(baseFlags.ServerURL)
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))

 			agent, err := client.UpdateAgent(ctx.Context, agentID, options...)
 			if err != nil {
--- a/internal/command/client/flag/flag.go
+++ b/internal/command/client/flag/flag.go
@ -2,9 +2,13 @@ package flag

 import (
 	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"

 	"forge.cadoles.com/Cadoles/emissary/internal/format"
 	"forge.cadoles.com/Cadoles/emissary/internal/format/table"
+	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )

@ -28,6 +32,17 @@ func ComposeFlags(flags ...cli.Flag) []cli.Flag {
 			Usage:   fmt.Sprintf("use `MODE` as output mode (available: %s)", []format.OutputMode{format.OutputModeCompact, format.OutputModeWide}),
 			Value:   string(format.OutputModeCompact),
 		},
+		&cli.StringFlag{
+			Name:    "token",
+			Aliases: []string{"t"},
+			Usage:   "use `TOKEN` as authentification token",
+		},
+		&cli.StringFlag{
+			Name:      "token-file",
+			Usage:     "use `TOKEN_FILE` as file containing the authentification token",
+			Value:     ".emissary-token",
+			TakesFile: true,
+		},
 	}

 	flags = append(flags, baseFlags...)
@ -39,16 +54,43 @@ type BaseFlags struct {
 	ServerURL  string
 	Format     format.Format
 	OutputMode format.OutputMode
+	Token      string
+	TokenFile  string
 }

 func GetBaseFlags(ctx *cli.Context) *BaseFlags {
 	serverURL := ctx.String("server")
 	rawFormat := ctx.String("format")
 	rawOutputMode := ctx.String("output-mode")
+	tokenFile := ctx.String("token-file")
+	token := ctx.String("token")

 	return &BaseFlags{
 		ServerURL:  serverURL,
 		Format:     format.Format(rawFormat),
 		OutputMode: format.OutputMode(rawOutputMode),
+		Token:      token,
+		TokenFile:  tokenFile,
 	}
 }
+
+func GetToken(flags *BaseFlags) (string, error) {
+	if flags.Token != "" {
+		return flags.Token, nil
+	}
+
+	if flags.TokenFile == "" {
+		return "", nil
+	}
+
+	rawToken, err := ioutil.ReadFile(flags.TokenFile)
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return "", errors.WithStack(err)
+	}
+
+	if rawToken == nil {
+		return "", nil
+	}
+
+	return strings.TrimSpace(string(rawToken)), nil
+}
--- a/internal/command/server/auth/create_token.go
+++ b/internal/command/server/auth/create_token.go
@ -0,0 +1,54 @@
+package auth
+
+import (
+	"fmt"
+
+	"forge.cadoles.com/Cadoles/emissary/internal/auth/user"
+	"forge.cadoles.com/Cadoles/emissary/internal/command/common"
+	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
+	"github.com/lithammer/shortuuid/v4"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli/v2"
+)
+
+func CreateTokenCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "create-token",
+		Usage: "Create a new authentification token",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:  "role",
+				Usage: fmt.Sprintf("associate `ROLE` to the token (available: %v)", []user.Role{user.RoleReader, user.RoleWriter}),
+				Value: string(user.RoleReader),
+			},
+			&cli.StringFlag{
+				Name:  "subject",
+				Usage: "associate `SUBJECT` to the token",
+				Value: fmt.Sprintf("user-%s", shortuuid.New()),
+			},
+		},
+		Action: func(ctx *cli.Context) error {
+			conf, err := common.LoadConfig(ctx)
+			if err != nil {
+				return errors.Wrap(err, "Could not load configuration")
+			}
+
+			subject := ctx.String("subject")
+			role := ctx.String("role")
+
+			key, err := jwk.LoadOrGenerate(string(conf.Server.PrivateKeyPath), jwk.DefaultKeySize)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			token, err := user.GenerateToken(ctx.Context, key, string(conf.Server.Issuer), subject, user.Role(role))
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			fmt.Println(token)
+
+			return nil
+		},
+	}
+}
--- a/internal/command/server/auth/root.go
+++ b/internal/command/server/auth/root.go
@ -6,8 +6,10 @@ import (

 func Root() *cli.Command {
 	return &cli.Command{
-		Name:        "auth",
-		Usage:       "Authentication related commands",
-		Subcommands: []*cli.Command{},
+		Name:  "auth",
+		Usage: "Authentication related commands",
+		Subcommands: []*cli.Command{
+			CreateTokenCommand(),
+		},
 	}
 }
--- a/misc/packaging/common/config-agent.yml
+++ b/misc/packaging/common/config-agent.yml
@ -1,3 +1,6 @@
+logger:
+  level: 1
+  format: human
 agent:
  serverUrl: http://127.0.0.1:3000
  privateKeyPath: /var/lib/emissary/agent-key.json
--- a/misc/packaging/common/config-server.yml
+++ b/misc/packaging/common/config-server.yml
@ -1,24 +1,27 @@
-http:
-  host: 0.0.0.0
-  port: 3000
 logger:
  level: 1
  format: human
-database:
-  driver: sqlite
-  dsn: sqlite:///var/lib/emissary/data.sqlite
-cors:
-  allowedOrigins: []
-  allowCredentials: true
-  allowMethods:
-    - POST
-    - GET
-    - PUT
-    - DELETE
-  allowedHeaders:
-    - Origin
-    - Accept
-    - Content-Type
-    - Authorization
-    - Sentry-Trace
+server:
+  privateKeyPath: /var/lib/emissary/server-key.json
+  issuer: http://127.0.0.1:3000
+  http:
+    host: 0.0.0.0
+    port: 3000
+  database:
+    driver: sqlite
+    dsn: sqlite:///var/lib/emissary/data.sqlite
+  cors:
+    allowedOrigins: []
+    allowCredentials: true
+    allowMethods:
+      - POST
+      - GET
+      - PUT
+      - DELETE
+    allowedHeaders:
+      - Origin
+      - Accept
+      - Content-Type
+      - Authorization
+      - Sentry-Trace
  debug: false
--- a/modd.conf
+++ b/modd.conf
@ -6,7 +6,8 @@ tmp/config.yml
    prep: make build-emissary
    prep: make tmp/server.yml
    prep: make tmp/agent.yml
-    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/agent.yml server database migrate"
+    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server database migrate"
+    prep: make .emissary-token
    daemon: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server run"
    daemon: make run-emissary-agent EMISSARY_CMD="--debug --config tmp/agent.yml agent run"
 }
Author	SHA1	Message	Date
William Petit	9aca9a6c58	chore: update default packaging configuration	2023-03-08 17:30:31 +01:00
William Petit	0fb0d234d6	feat: authenticate users and agents requests	2023-03-08 17:24:12 +01:00