chore: update default packaging configuration

.gitignore

@@ -9,3 +9,4 @@ dist/
 /agent-key.json
 /apps
 /server-key.json
+/.emissary-token

Makefile

@@ -138,3 +138,6 @@ tools/gitea-release/bin/gitea-release.sh:
 	mkdir -p tools/gitea-release/bin
 	curl --output tools/gitea-release/bin/gitea-release.sh https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/gitea/gitea-release.sh
 	chmod +x tools/gitea-release/bin/gitea-release.sh
+
+.emissary-token:
+	$(MAKE) run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server auth create-token > .emissary-token"

go.mod

@@ -36,6 +36,7 @@ require (
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/mdns v1.0.5 // indirect
 	github.com/igm/sockjs-go/v3 v3.0.2 // indirect
+	github.com/lithammer/shortuuid/v4 v4.0.0 // indirect
 	github.com/miekg/dns v1.1.51 // indirect
 	github.com/oklog/ulid/v2 v2.1.0 // indirect
 	github.com/orcaman/concurrent-map v1.0.0 // indirect

go.sum

@@ -913,6 +913,8 @@ github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
+github.com/lithammer/shortuuid/v4 v4.0.0 h1:QRbbVkfgNippHOS8PXDkti4NaWeyYfcBTHtw7k08o4c=
+github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQI3lv67aw4KiB1Y=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=

internal/auth/agent/user.go

@@ -13,7 +13,7 @@ type User struct {
 
 // Subject implements auth.User
 func (u *User) Subject() string {
-	return fmt.Sprintf("agent#%d", u.agent.ID)
+	return fmt.Sprintf("agent-%d", u.agent.ID)
 }
 
 func (u *User) Agent() *datastore.Agent {

internal/auth/middleware.go

@@ -71,6 +71,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 				return
 			}
 
+			ctx = logger.With(ctx, logger.F("user", user.Subject()))
 			ctx = context.WithValue(ctx, contextKeyUser, user)
 
 			h.ServeHTTP(w, r.WithContext(ctx))

internal/auth/user/jwt.go

@@ -27,9 +27,17 @@ func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken strin
 	return token, nil
 }
 
-func GenerateToken(ctx context.Context, key jwk.Key, role Role) (string, error) {
+func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, role Role) (string, error) {
 	token := jwt.New()
 
+	if err := token.Set(jwt.SubjectKey, subject); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	if err := token.Set(jwt.IssuerKey, issuer); err != nil {
+		return "", errors.WithStack(err)
+	}
+
 	if err := token.Set(keyRole, role); err != nil {
 		return "", errors.WithStack(err)
 	}

internal/command/agent/run.go

@@ -17,7 +17,6 @@ import (
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
 	"forge.cadoles.com/Cadoles/emissary/internal/machineid"
 	"github.com/pkg/errors"
-	_ "github.com/santhosh-tekuri/jsonschema/v5/httploader"
 	"github.com/urfave/cli/v2"
 	"gitlab.com/wpetit/goweb/logger"
 )

internal/command/client/agent/get.go

@@ -20,12 +20,17 @@ func GetCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
 
+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
 			}
 
-			client := client.New(baseFlags.ServerURL)
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			agent, err := client.GetAgent(ctx.Context, agentID)
 			if err != nil {

internal/command/client/agent/query.go

@@ -18,7 +18,13 @@ func QueryCommand() *cli.Command {
 		Flags: clientFlag.ComposeFlags(),
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
-			client := client.New(baseFlags.ServerURL)
+
+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			agents, _, err := client.QueryAgents(ctx.Context)
 			if err != nil {

internal/command/client/agent/update.go

@@ -26,6 +26,11 @@ func UpdateCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
 
+			token, err := clientFlag.GetToken(baseFlags)
+			if err != nil {
+				return errors.WithStack(apierr.Wrap(err))
+			}
+
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
@@ -38,7 +43,7 @@ func UpdateCommand() *cli.Command {
 				options = append(options, client.WithAgentStatus(status))
 			}
 
-			client := client.New(baseFlags.ServerURL)
+			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			agent, err := client.UpdateAgent(ctx.Context, agentID, options...)
 			if err != nil {

internal/command/client/flag/flag.go

@@ -2,9 +2,13 @@ package flag
 
 import (
 	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
 
 	"forge.cadoles.com/Cadoles/emissary/internal/format"
 	"forge.cadoles.com/Cadoles/emissary/internal/format/table"
+	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 
@@ -28,6 +32,17 @@ func ComposeFlags(flags ...cli.Flag) []cli.Flag {
 			Usage:   fmt.Sprintf("use `MODE` as output mode (available: %s)", []format.OutputMode{format.OutputModeCompact, format.OutputModeWide}),
 			Value:   string(format.OutputModeCompact),
 		},
+		&cli.StringFlag{
+			Name:    "token",
+			Aliases: []string{"t"},
+			Usage:   "use `TOKEN` as authentification token",
+		},
+		&cli.StringFlag{
+			Name:      "token-file",
+			Usage:     "use `TOKEN_FILE` as file containing the authentification token",
+			Value:     ".emissary-token",
+			TakesFile: true,
+		},
 	}
 
 	flags = append(flags, baseFlags...)
@@ -39,16 +54,43 @@ type BaseFlags struct {
 	ServerURL  string
 	Format     format.Format
 	OutputMode format.OutputMode
+	Token      string
+	TokenFile  string
 }
 
 func GetBaseFlags(ctx *cli.Context) *BaseFlags {
 	serverURL := ctx.String("server")
 	rawFormat := ctx.String("format")
 	rawOutputMode := ctx.String("output-mode")
+	tokenFile := ctx.String("token-file")
+	token := ctx.String("token")
 
 	return &BaseFlags{
 		ServerURL:  serverURL,
 		Format:     format.Format(rawFormat),
 		OutputMode: format.OutputMode(rawOutputMode),
+		Token:      token,
+		TokenFile:  tokenFile,
 	}
 }
+
+func GetToken(flags *BaseFlags) (string, error) {
+	if flags.Token != "" {
+		return flags.Token, nil
+	}
+
+	if flags.TokenFile == "" {
+		return "", nil
+	}
+
+	rawToken, err := ioutil.ReadFile(flags.TokenFile)
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return "", errors.WithStack(err)
+	}
+
+	if rawToken == nil {
+		return "", nil
+	}
+
+	return strings.TrimSpace(string(rawToken)), nil
+}

internal/command/server/auth/create_token.go

@@ -0,0 +1,54 @@
+package auth
+
+import (
+	"fmt"
+
+	"forge.cadoles.com/Cadoles/emissary/internal/auth/user"
+	"forge.cadoles.com/Cadoles/emissary/internal/command/common"
+	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
+	"github.com/lithammer/shortuuid/v4"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli/v2"
+)
+
+func CreateTokenCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "create-token",
+		Usage: "Create a new authentification token",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:  "role",
+				Usage: fmt.Sprintf("associate `ROLE` to the token (available: %v)", []user.Role{user.RoleReader, user.RoleWriter}),
+				Value: string(user.RoleReader),
+			},
+			&cli.StringFlag{
+				Name:  "subject",
+				Usage: "associate `SUBJECT` to the token",
+				Value: fmt.Sprintf("user-%s", shortuuid.New()),
+			},
+		},
+		Action: func(ctx *cli.Context) error {
+			conf, err := common.LoadConfig(ctx)
+			if err != nil {
+				return errors.Wrap(err, "Could not load configuration")
+			}
+
+			subject := ctx.String("subject")
+			role := ctx.String("role")
+
+			key, err := jwk.LoadOrGenerate(string(conf.Server.PrivateKeyPath), jwk.DefaultKeySize)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			token, err := user.GenerateToken(ctx.Context, key, string(conf.Server.Issuer), subject, user.Role(role))
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			fmt.Println(token)
+
+			return nil
+		},
+	}
+}

internal/command/server/auth/root.go

@@ -8,6 +8,8 @@ func Root() *cli.Command {
 	return &cli.Command{
 		Name:  "auth",
 		Usage: "Authentication related commands",
-		Subcommands: []*cli.Command{},
+		Subcommands: []*cli.Command{
+			CreateTokenCommand(),
+		},
 	}
 }

misc/packaging/common/config-agent.yml

@@ -1,3 +1,6 @@
+logger:
+  level: 1
+  format: human
 agent:
   serverUrl: http://127.0.0.1:3000
   privateKeyPath: /var/lib/emissary/agent-key.json

misc/packaging/common/config-server.yml

@@ -1,9 +1,12 @@
-http:
-  host: 0.0.0.0
-  port: 3000
 logger:
   level: 1
   format: human
+server:
+  privateKeyPath: /var/lib/emissary/server-key.json
+  issuer: http://127.0.0.1:3000
+  http:
+    host: 0.0.0.0
+    port: 3000
   database:
     driver: sqlite
     dsn: sqlite:///var/lib/emissary/data.sqlite

modd.conf

@@ -6,7 +6,8 @@ tmp/config.yml
     prep: make build-emissary
     prep: make tmp/server.yml
     prep: make tmp/agent.yml
-    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/agent.yml server database migrate"
+    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server database migrate"
+    prep: make .emissary-token
     daemon: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server run"
     daemon: make run-emissary-agent EMISSARY_CMD="--debug --config tmp/agent.yml agent run"
 }