feat(auth): accept clock skew for token validation

feat(agent): add contactedAt attribute to agent
feat(storage,agent): add label attribute
2023-04-01 19:30:45 +02:00 · 2023-04-01 14:33:19 +02:00 · 2023-04-01 13:28:18 +02:00 · 2023-03-31 17:31:44 +02:00 · 2023-03-31 17:29:33 +02:00 · 2023-03-31 17:28:52 +02:00
32 changed files with 408 additions and 91 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,7 +4,7 @@ dist/
 /tools
 /tmp
 /state.json
-/emissary.sqlite
+/emissary.sqlite*
 /.gitea-release
 /agent-key.json
 /apps
--- a/70
+++ b/70
@ -0,0 +1,70 @@
@Library('cadoles') _
 pipeline {
    agent {
        dockerfile {
            label 'docker'
            filename 'Dockerfile'
            dir 'misc/jenkins'
        }
    }
    stages {
        stage('Run unit tests') {
            steps {
                script {
                    withCredentials([
                        usernamePassword([
                        credentialsId: 'forge-jenkins',
                        usernameVariable: 'GIT_USERNAME',
                        passwordVariable: 'GIT_PASSWORD'
                        ])
                    ]) {
                        sh '''
                        git config --global credential.https://forge.cadoles.com.username "$GIT_USERNAME"
                        git config --global credential.https://forge.cadoles.com.helper '!f() { test "$1" = get && echo "password=$GIT_PASSWORD"; }; f'
                        export GOPRIVATE=forge.cadoles.com/arcad/edge
                        make test
                        '''
                    }
                }
            }
        }
        stage('Release') {
            when {
                anyOf {
                    branch 'master'
                    branch 'develop'
                }
            }
            steps {
                script {
                    withCredentials([
                        usernamePassword([
                        credentialsId: 'forge-jenkins',
                        usernameVariable: 'GITEA_RELEASE_USERNAME',
                        passwordVariable: 'GITEA_RELEASE_PASSWORD'
                        ])
                    ]) {
                        sh 'make gitea-release'
                    }
                    def currentVersion = sh(returnStdout: true, script: 'make full-version').trim()
                    build(
                        job: "../emissary-firmware/${env.GIT_BRANCH}",
                        parameters: [
                            [$class: 'StringParameterValue', name: 'emissaryRelease', value: currentVersion]
                        ]
                    )
                }
            }
        }
    }
    post {
        always {
            cleanWs()
        }
    }
 }
--- a/7
+++ b/7
@ -135,7 +135,7 @@ gitea-release: tools/gitea-release/bin/gitea-release.sh goreleaser
 		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
 		GITEA_RELEASE_IS_DRAFT="false" \
 		GITEA_RELEASE_BODY="" \
-		GITEA_RELEASE_ATTACHMENTS="$(shell find .gitea-release/* -type f)" \
+		GITEA_RELEASE_ATTACHMENTS="$$(find .gitea-release/* -type f)" \
 		tools/gitea-release/bin/gitea-release.sh
 tools/gitea-release/bin/gitea-release.sh:
@ -150,4 +150,7 @@ AGENT_ID ?= 1
 load-sample-specs:
 	cat misc/spec-samples/app.emissary.cadoles.com.json | ./bin/server api agent spec update -a $(AGENT_ID) --no-patch --spec-data - --spec-name app.emissary.cadoles.com
-	cat misc/spec-samples/proxy.emissary.cadoles.com.json | ./bin/server api agent spec update -a $(AGENT_ID) --no-patch --spec-data - --spec-name proxy.emissary.cadoles.com
+	cat misc/spec-samples/proxy.emissary.cadoles.com.json | ./bin/server api agent spec update -a $(AGENT_ID) --no-patch --spec-data - --spec-name proxy.emissary.cadoles.com
 full-version:
 	@echo $(FULL_VERSION)
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@ -7,6 +7,7 @@ import (
 	"forge.cadoles.com/Cadoles/emissary/internal/command/agent"
 	"forge.cadoles.com/Cadoles/emissary/internal/command/api"
 	_ "forge.cadoles.com/Cadoles/emissary/internal/imports/format"
 	_ "forge.cadoles.com/Cadoles/emissary/internal/imports/spec"
 )
--- a/go.mod
+++ b/go.mod
@ -4,6 +4,7 @@ go 1.19
 require (
 	forge.cadoles.com/arcad/edge v0.0.0-20230328183829-d8ce2901d2ab
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/alecthomas/participle/v2 v2.0.0-beta.5
 	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
 	github.com/btcsuite/btcd/btcutil v1.1.3
@ -31,7 +32,6 @@ require (
 require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/barnybug/go-cast v0.0.0-20201201064555-a87ccbc26692 // indirect
 	github.com/dop251/goja_nodejs v0.0.0-20230320130059-dcf93ba651dd // indirect
 	github.com/gabriel-vasile/mimetype v1.4.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -54,10 +54,6 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 forge.cadoles.com/arcad/edge v0.0.0-20230322170544-cf8a3f8ac077 h1:vsYcNHZevZrs0VeOTasvJoqvPynb8OvH+MMpIUvNT6Q=
 forge.cadoles.com/arcad/edge v0.0.0-20230322170544-cf8a3f8ac077/go.mod h1:ONd6vyQ0IM0vHi1i+bmZBRc1Fd0BoXMuDdY/+0sZefw=
 forge.cadoles.com/arcad/edge v0.0.0-20230328081549-e09de0b0a4f4 h1:ZBBOOKqCEt6F9/Ikkwc2xwYDr7JpLybvxtoRJwXt7Gw=
 forge.cadoles.com/arcad/edge v0.0.0-20230328081549-e09de0b0a4f4/go.mod h1:ONd6vyQ0IM0vHi1i+bmZBRc1Fd0BoXMuDdY/+0sZefw=
 forge.cadoles.com/arcad/edge v0.0.0-20230328183829-d8ce2901d2ab h1:xOtzLAYOUcKd/VBx/PzL2riC0zNuQ/cxxf5r3AmEvJE=
 forge.cadoles.com/arcad/edge v0.0.0-20230328183829-d8ce2901d2ab/go.mod h1:ONd6vyQ0IM0vHi1i+bmZBRc1Fd0BoXMuDdY/+0sZefw=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
--- a/internal/agent/controller/app/app_handler.go
+++ b/internal/agent/controller/app/app_handler.go
@ -28,6 +28,8 @@ import (
 	"github.com/pkg/errors"
 )
 const defaultSQLiteParams = "?_pragma=foreign_keys(1)&_pragma=journal_mode(WAL)&_txlock=immediate"
 func (c *Controller) getHandlerOptions(ctx context.Context, appKey string, specs *spec.Spec) ([]edgeHTTP.HandlerOptionFunc, error) {
 	dataDir, err := c.ensureAppDataDir(ctx, appKey)
 	if err != nil {
@ -35,7 +37,7 @@ func (c *Controller) getHandlerOptions(ctx context.Context, appKey string, specs
 	}
 	dbFile := filepath.Join(dataDir, appKey+".sqlite")
-	db, err := sqlite.Open(dbFile)
+	db, err := sqlite.Open(dbFile + defaultSQLiteParams)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not open database file '%s'", dbFile)
 	}
@ -51,10 +53,8 @@ func (c *Controller) getHandlerOptions(ctx context.Context, appKey string, specs
 		bundles = append(bundles, path)
 	}
 	getAppURL := createGetAppURL(specs)
 	bus := memory.NewBus()
-	modules := getAppModules(bus, db, specs, keySet, getAppURL, bundles)
+	modules := c.getAppModules(bus, db, specs, keySet)
 	options := []edgeHTTP.HandlerOptionFunc{
 		edgeHTTP.WithBus(bus),
@ -148,7 +148,7 @@ func createGetAppURL(specs *spec.Spec) GetURLFunc {
 	}
 }
-func getAppModules(bus bus.Bus, db *sql.DB, spec *appSpec.Spec, keySet jwk.Set, getAppURL GetURLFunc, bundles []string) []app.ServerModuleFactory {
+func (c *Controller) getAppModules(bus bus.Bus, db *sql.DB, spec *appSpec.Spec, keySet jwk.Set) []app.ServerModuleFactory {
 	ds := sqlite.NewDocumentStoreWithDB(db)
 	bs := sqlite.NewBlobStoreWithDB(db)
@ -185,6 +185,6 @@ func getAppModules(bus bus.Bus, db *sql.DB, spec *appSpec.Spec, keySet jwk.Set,
 				}
 			},
 		),
-		appModule.ModuleFactory(NewAppRepository(getAppURL, bundles...)),
+		appModule.ModuleFactory(c.appRepository),
 	}
 }
--- a/internal/agent/controller/app/app_repository.go
+++ b/internal/agent/controller/app/app_repository.go
@ -2,6 +2,7 @@ package app
 import (
 	"context"
 	"sync"
 	"forge.cadoles.com/arcad/edge/pkg/app"
 	"forge.cadoles.com/arcad/edge/pkg/bundle"
@ -15,10 +16,14 @@ type GetURLFunc func(context.Context, *app.Manifest) (string, error)
 type AppRepository struct {
 	getURL  GetURLFunc
 	bundles []string
 	mutex   sync.RWMutex
 }
 // Get implements app.Repository
 func (r *AppRepository) Get(ctx context.Context, id app.ID) (*app.Manifest, error) {
 	r.mutex.RLock()
 	defer r.mutex.RUnlock()
 	manifest, err := r.findManifest(ctx, id)
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -29,6 +34,9 @@ func (r *AppRepository) Get(ctx context.Context, id app.ID) (*app.Manifest, erro
 // GetURL implements app.Repository
 func (r *AppRepository) GetURL(ctx context.Context, id app.ID) (string, error) {
 	r.mutex.RLock()
 	defer r.mutex.RUnlock()
 	manifest, err := r.findManifest(ctx, id)
 	if err != nil {
 		return "", errors.WithStack(err)
@ -44,6 +52,9 @@ func (r *AppRepository) GetURL(ctx context.Context, id app.ID) (string, error) {
 // List implements app.Repository
 func (r *AppRepository) List(ctx context.Context) ([]*app.Manifest, error) {
 	r.mutex.RLock()
 	defer r.mutex.RUnlock()
 	manifests := make([]*app.Manifest, 0)
 	for _, path := range r.bundles {
@ -69,6 +80,14 @@ func (r *AppRepository) List(ctx context.Context) ([]*app.Manifest, error) {
 	return manifests, nil
 }
 func (r *AppRepository) Update(getURL GetURLFunc, bundles []string) {
 	r.mutex.Lock()
 	defer r.mutex.Unlock()
 	r.getURL = getURL
 	r.bundles = bundles
 }
 func (r *AppRepository) findManifest(ctx context.Context, id app.ID) (*app.Manifest, error) {
 	for _, path := range r.bundles {
 		bundleCtx := logger.With(ctx, logger.F("path", path))
@ -97,8 +116,13 @@ func (r *AppRepository) findManifest(ctx context.Context, id app.ID) (*app.Manif
 	return nil, errors.WithStack(appModule.ErrNotFound)
 }
-func NewAppRepository(getURL GetURLFunc, bundles ...string) *AppRepository {
+func NewAppRepository() *AppRepository {
-	return &AppRepository{getURL, bundles}
+	return &AppRepository{
 		getURL: func(ctx context.Context, m *app.Manifest) (string, error) {
 			return "", errors.New("unavailable")
 		},
 		bundles: []string{},
 	}
 }
 var _ appModule.Repository = &AppRepository{}
--- a/internal/agent/controller/app/controller.go
+++ b/internal/agent/controller/app/controller.go
@ -16,15 +16,16 @@ import (
 )
 type serverEntry struct {
-	SpecHash uint64
+	AppDefHash uint64
-	Server   *Server
+	Server     *Server
 }
 type Controller struct {
-	client      *http.Client
+	client        *http.Client
-	downloadDir string
+	downloadDir   string
-	dataDir     string
+	dataDir       string
-	servers     map[string]*serverEntry
+	servers       map[string]*serverEntry
 	appRepository *AppRepository
 }
 // Name implements node.Controller.
@ -95,7 +96,9 @@ func (c *Controller) updateApps(ctx context.Context, specs *spec.Spec) {
 		}
 	}
-	// (Re)start apps
+	c.updateAppRepository(ctx, specs)
 	// (Re)start apps if necessary
 	for appKey := range specs.Apps {
 		appCtx := logger.With(ctx, logger.F("appKey", appKey))
@ -106,10 +109,35 @@ func (c *Controller) updateApps(ctx context.Context, specs *spec.Spec) {
 	}
 }
 func (c *Controller) updateAppRepository(ctx context.Context, specs *spec.Spec) {
 	bundles := make([]string, 0, len(specs.Apps))
 	for appKey, app := range specs.Apps {
 		path := c.getAppBundlePath(appKey, app.Format)
 		bundles = append(bundles, path)
 	}
 	getURL := createGetAppURL(specs)
 	c.appRepository.Update(getURL, bundles)
 }
 func (c *Controller) updateApp(ctx context.Context, specs *spec.Spec, appKey string) (err error) {
 	appEntry := specs.Apps[appKey]
-	newAppSpecHash, err := hashstructure.Hash(appEntry, hashstructure.FormatV2, nil)
+	var auth *spec.Auth
 	if specs.Config != nil {
 		auth = specs.Config.Auth
 	}
 	appDef := struct {
 		App  spec.AppEntry
 		Auth *spec.Auth
 	}{
 		App:  appEntry,
 		Auth: auth,
 	}
 	newAppDefHash, err := hashstructure.Hash(appDef, hashstructure.FormatV2, nil)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -148,20 +176,20 @@ func (c *Controller) updateApp(ctx context.Context, specs *spec.Spec, appKey str
 		}
 		server = &serverEntry{
-			Server:   NewServer(bundle, auth, options...),
+			Server:     NewServer(bundle, auth, options...),
-			SpecHash: 0,
+			AppDefHash: 0,
 		}
 		c.servers[appKey] = server
 	}
-	specChanged := newAppSpecHash != server.SpecHash
+	defChanged := newAppDefHash != server.AppDefHash
-	if server.Server.Running() && !specChanged {
+	if server.Server.Running() && !defChanged {
 		return nil
 	}
-	if specChanged && server.SpecHash != 0 {
+	if defChanged && server.AppDefHash != 0 {
 		logger.Info(
 			ctx, "restarting app",
 			logger.F("address", appEntry.Address),
@ -179,7 +207,7 @@ func (c *Controller) updateApp(ctx context.Context, specs *spec.Spec, appKey str
 		return errors.Wrap(err, "could not start app")
 	}
-	server.SpecHash = newAppSpecHash
+	server.AppDefHash = newAppDefHash
 	return nil
 }
@ -294,10 +322,11 @@ func NewController(funcs ...OptionFunc) *Controller {
 	}
 	return &Controller{
-		client:      opts.Client,
+		client:        opts.Client,
-		downloadDir: opts.DownloadDir,
+		downloadDir:   opts.DownloadDir,
-		dataDir:     opts.DataDir,
+		dataDir:       opts.DataDir,
-		servers:     make(map[string]*serverEntry),
+		servers:       make(map[string]*serverEntry),
 		appRepository: NewAppRepository(),
 	}
 }
--- a/internal/agent/controller/app/server.go
+++ b/internal/agent/controller/app/server.go
@ -3,11 +3,13 @@ package app
 import (
 	"context"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
 	"forge.cadoles.com/Cadoles/emissary/internal/agent/controller/app/spec"
 	appSpec "forge.cadoles.com/Cadoles/emissary/internal/agent/controller/app/spec"
 	"forge.cadoles.com/Cadoles/emissary/internal/proxy/wildcard"
 	edgeHTTP "forge.cadoles.com/arcad/edge/pkg/http"
 	authHTTP "forge.cadoles.com/arcad/edge/pkg/module/auth/http"
 	"gitlab.com/wpetit/goweb/logger"
@ -33,12 +35,15 @@ type Server struct {
 }
 func (s *Server) Start(ctx context.Context, addr string) (err error) {
-	if s.server != nil {
+	if s.Running() {
 		if err := s.Stop(); err != nil {
 			return errors.WithStack(err)
 		}
 	}
 	s.serverMutex.Lock()
 	defer s.serverMutex.Unlock()
 	router := chi.NewRouter()
 	router.Use(middleware.Logger)
@ -83,9 +88,7 @@ func (s *Server) Start(ctx context.Context, addr string) (err error) {
 		}
 	}()
 	s.serverMutex.Lock()
 	s.server = server
 	s.serverMutex.Unlock()
 	return nil
 }
@ -98,20 +101,25 @@ func (s *Server) Running() bool {
 }
 func (s *Server) Stop() error {
 	if !s.Running() {
 		return nil
 	}
 	s.serverMutex.Lock()
 	defer s.serverMutex.Unlock()
 	if s.server == nil {
 		return nil
 	}
 	defer func() {
 		s.serverMutex.Lock()
 		s.server = nil
 		s.serverMutex.Unlock()
 	}()
 	if err := s.server.Close(); err != nil {
-		panic(errors.WithStack(err))
+		s.server = nil
 		return errors.WithStack(err)
 	}
 	s.server = nil
 	return nil
 }
@ -140,6 +148,10 @@ func (s *Server) configureAuth(router chi.Router, auth *spec.Auth) error {
 			}
 		}
 		if s.auth.Local.CookieDomain != "" {
 			router.Use(invalidCookieDomainRedirect(s.auth.Local.CookieDomain))
 		}
 		router.Handle("/auth/*", authHTTP.NewLocalHandler(
 			jwa.HS256, key,
 			authHTTP.WithRoutePrefix("/auth"),
@ -158,3 +170,33 @@ func NewServer(bundle bundle.Bundle, auth *appSpec.Auth, handlerOptions ...edgeH
 		handlerOptions: handlerOptions,
 	}
 }
 func invalidCookieDomainRedirect(cookieDomain string) func(http.Handler) http.Handler {
 	domain := strings.TrimPrefix(cookieDomain, ".")
 	hostPattern := "*" + domain
 	return func(h http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
 			hostParts := strings.SplitN(r.Host, ":", 2)
 			if !wildcard.Match(hostParts[0], hostPattern) {
 				url := r.URL
 				newHost := domain
 				if len(hostParts) > 1 {
 					newHost += ":" + hostParts[1]
 				}
 				url.Host = newHost
 				http.Redirect(w, r, url.String(), http.StatusTemporaryRedirect)
 				return
 			}
 			h.ServeHTTP(w, r)
 		}
 		return http.HandlerFunc(fn)
 	}
 }
--- a/internal/auth/agent/authenticator.go
+++ b/internal/auth/agent/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"strings"
 	"time"
 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
 	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
@ -13,8 +14,11 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )
 const DefaultAcceptableSkew = 5 * time.Minute
 type Authenticator struct {
-	repo datastore.AgentRepository
+	repo           datastore.AgentRepository
 	acceptableSkew time.Duration
 }
 // Authenticate implements auth.Authenticator.
@ -71,11 +75,19 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		[]byte(rawToken),
 		jwt.WithKeySet(agent.KeySet.Set, jws.WithRequireKid(false)),
 		jwt.WithValidate(true),
 		jwt.WithAcceptableSkew(a.acceptableSkew),
 	)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	contactedAt := time.Now()
 	agent, err = a.repo.Update(ctx, agent.ID, datastore.WithAgentUpdateContactedAt(contactedAt))
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 	user := &User{
 		agent: agent,
 	}
@ -83,9 +95,10 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	return user, nil
 }
-func NewAuthenticator(repo datastore.AgentRepository) *Authenticator {
+func NewAuthenticator(repo datastore.AgentRepository, acceptableSkew time.Duration) *Authenticator {
 	return &Authenticator{
-		repo: repo,
+		repo:           repo,
 		acceptableSkew: acceptableSkew,
 	}
 }
--- a/internal/auth/agent/jwt.go
+++ b/internal/auth/agent/jwt.go
@ -18,7 +18,7 @@ func GenerateToken(key jwk.Key, thumbprint string) (string, error) {
 		return "", errors.WithStack(err)
 	}
-	now := time.Now()
+	now := time.Now().UTC()
 	if err := token.Set(jwt.NotBeforeKey, now); err != nil {
 		return "", errors.WithStack(err)
--- a/internal/auth/thirdparty/authenticator.go
+++ b/internal/auth/thirdparty/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"strings"
 	"time"
 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
@ -11,9 +12,12 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )
 const DefaultAcceptableSkew = 5 * time.Minute
 type Authenticator struct {
-	keys   jwk.Set
+	keys           jwk.Set
-	issuer string
+	issuer         string
 	acceptableSkew time.Duration
 }
 // Authenticate implements auth.Authenticator.
@ -30,7 +34,7 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}
-	token, err := parseToken(ctx, a.keys, a.issuer, rawToken)
+	token, err := parseToken(ctx, a.keys, a.issuer, rawToken, a.acceptableSkew)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -57,10 +61,11 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	return user, nil
 }
-func NewAuthenticator(keys jwk.Set, issuer string) *Authenticator {
+func NewAuthenticator(keys jwk.Set, issuer string, acceptableSkew time.Duration) *Authenticator {
 	return &Authenticator{
-		keys:   keys,
+		keys:           keys,
-		issuer: issuer,
+		issuer:         issuer,
 		acceptableSkew: acceptableSkew,
 	}
 }
--- a/internal/auth/thirdparty/jwt.go
+++ b/internal/auth/thirdparty/jwt.go
@ -13,12 +13,13 @@ import (
 const keyRole = "role"
-func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string) (jwt.Token, error) {
+func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
 	token, err := jwt.Parse(
 		[]byte(rawToken),
 		jwt.WithKeySet(keys, jws.WithRequireKid(false)),
 		jwt.WithIssuer(issuer),
 		jwt.WithValidate(true),
 		jwt.WithAcceptableSkew(acceptableSkew),
 	)
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -42,7 +43,7 @@ func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, rol
 		return "", errors.WithStack(err)
 	}
-	now := time.Now()
+	now := time.Now().UTC()
 	if err := token.Set(jwt.NotBeforeKey, now); err != nil {
 		return "", errors.WithStack(err)
--- a/internal/client/update_agent.go
+++ b/internal/client/update_agent.go
@ -10,6 +10,7 @@ import (
 type UpdateAgentOptions struct {
 	Status  *int
 	Label   *string
 	Options []OptionFunc
 }
@ -21,6 +22,12 @@ func WithAgentStatus(status int) UpdateAgentOptionFunc {
 	}
 }
 func WithAgentLabel(label string) UpdateAgentOptionFunc {
 	return func(opts *UpdateAgentOptions) {
 		opts.Label = &label
 	}
 }
 func WithUpdateAgentsOptions(funcs ...OptionFunc) UpdateAgentOptionFunc {
 	return func(opts *UpdateAgentOptions) {
 		opts.Options = funcs
@ -39,6 +46,10 @@ func (c *Client) UpdateAgent(ctx context.Context, agentID datastore.AgentID, fun
 		payload["status"] = *opts.Status
 	}
 	if opts.Label != nil {
 		payload["label"] = *opts.Label
 	}
 	response := withResponse[struct {
 		Agent *datastore.Agent `json:"agent"`
 	}]()
--- a/internal/command/agent/run.go
+++ b/internal/command/agent/run.go
@ -49,10 +49,6 @@ func RunCommand() *cli.Command {
 				controllers = append(controllers, spec.NewController())
 			}
 			if ctrlConf.Proxy.Enabled {
 				controllers = append(controllers, proxy.NewController())
 			}
 			if ctrlConf.UCI.Enabled {
 				controllers = append(controllers, openwrt.NewUCIController(
 					string(ctrlConf.UCI.BinPath),
@ -66,6 +62,10 @@ func RunCommand() *cli.Command {
 				))
 			}
 			if ctrlConf.Proxy.Enabled {
 				controllers = append(controllers, proxy.NewController())
 			}
 			if ctrlConf.SysUpgrade.Enabled {
 				sysUpgradeArgs := make([]string, 0)
 				if len(ctrlConf.SysUpgrade.SysUpgradeCommand) > 1 {
--- a/internal/command/api/agent/update.go
+++ b/internal/command/api/agent/update.go
@ -22,6 +22,11 @@ func UpdateCommand() *cli.Command {
 				Usage: "Set `STATUS` to selected agent",
 				Value: -1,
 			},
 			&cli.StringFlag{
 				Name:  "label",
 				Usage: "Set `LABEL` to selected agent",
 				Value: "",
 			},
 		),
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
@ -43,6 +48,11 @@ func UpdateCommand() *cli.Command {
 				options = append(options, client.WithAgentStatus(status))
 			}
 			label := ctx.String("label")
 			if label != "" {
 				options = append(options, client.WithAgentLabel(label))
 			}
 			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 			agent, err := client.UpdateAgent(ctx.Context, agentID, options...)
--- a/internal/command/api/agent/util.go
+++ b/internal/command/api/agent/util.go
@ -7,9 +7,10 @@ func agentHints(outputMode format.OutputMode) format.Hints {
 		OutputMode: outputMode,
 		Props: []format.Prop{
 			format.NewProp("ID", "ID"),
 			format.NewProp("Label", "Label"),
 			format.NewProp("Thumbprint", "Thumbprint"),
 			format.NewProp("Status", "Status"),
-			format.NewProp("CreatedAt", "CreatedAt"),
+			format.NewProp("ContactedAt", "ContactedAt"),
 			format.NewProp("UpdatedAt", "UpdatedAt"),
 		},
 	}
--- a/internal/config/database.go
+++ b/internal/config/database.go
@ -15,6 +15,6 @@ type DatabaseConfig struct {
 func NewDefaultDatabaseConfig() DatabaseConfig {
 	return DatabaseConfig{
 		Driver: "sqlite",
-		DSN:    "sqlite://emissary.sqlite",
+		DSN:    "sqlite://emissary.sqlite?_pragma=foreign_keys(1)&_pragma=journal_mode(WAL)&_txlock=immediate",
 	}
 }
--- a/internal/datastore/agent.go
+++ b/internal/datastore/agent.go
@ -20,13 +20,15 @@ const (
 )
 type Agent struct {
-	ID         AgentID             `json:"id"`
+	ID          AgentID             `json:"id"`
-	Thumbprint string              `json:"thumbprint"`
+	Label       string              `json:"label"`
-	KeySet     *SerializableKeySet `json:"keyset,omitempty"`
+	Thumbprint  string              `json:"thumbprint"`
-	Metadata   map[string]any      `json:"metadata,omitempty"`
+	KeySet      *SerializableKeySet `json:"keyset,omitempty"`
-	Status     AgentStatus         `json:"status"`
+	Metadata    map[string]any      `json:"metadata,omitempty"`
-	CreatedAt  time.Time           `json:"createdAt"`
+	Status      AgentStatus         `json:"status"`
-	UpdatedAt  time.Time           `json:"updatedAt"`
+	CreatedAt   time.Time           `json:"createdAt"`
 	UpdatedAt   time.Time           `json:"updatedAt"`
 	ContactedAt *time.Time          `json:"contactedAt,omitempty"`
 }
 type SerializableKeySet struct {
--- a/internal/datastore/agent_repository.go
+++ b/internal/datastore/agent_repository.go
@ -2,6 +2,7 @@ package datastore
 import (
 	"context"
 	"time"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 )
@ -68,10 +69,12 @@ func WithAgentQueryThumbprints(thumbprints ...string) AgentQueryOptionFunc {
 type AgentUpdateOptionFunc func(*AgentUpdateOptions)
 type AgentUpdateOptions struct {
-	Status     *AgentStatus
+	Label       *string
-	Metadata   *map[string]any
+	Status      *AgentStatus
-	KeySet     *jwk.Set
+	ContactedAt *time.Time
-	Thumbprint *string
+	Metadata    *map[string]any
 	KeySet      *jwk.Set
 	Thumbprint  *string
 }
 func WithAgentUpdateStatus(status AgentStatus) AgentUpdateOptionFunc {
@ -97,3 +100,15 @@ func WithAgentUpdateThumbprint(thumbprint string) AgentUpdateOptionFunc {
 		opts.Thumbprint = &thumbprint
 	}
 }
 func WithAgentUpdateLabel(label string) AgentUpdateOptionFunc {
 	return func(opts *AgentUpdateOptions) {
 		opts.Label = &label
 	}
 }
 func WithAgentUpdateContactedAt(contactedAt time.Time) AgentUpdateOptionFunc {
 	return func(opts *AgentUpdateOptions) {
 		opts.ContactedAt = &contactedAt
 	}
 }
--- a/internal/datastore/sqlite/agent_repository.go
+++ b/internal/datastore/sqlite/agent_repository.go
@ -45,7 +45,11 @@ func (r *AgentRepository) GetSpecs(ctx context.Context, agentID datastore.AgentI
 		return nil, errors.WithStack(err)
 	}
-	defer rows.Close()
+	defer func() {
 		if err := rows.Close(); err != nil {
 			logger.Error(ctx, "could not close rows", logger.E(errors.WithStack(err)))
 		}
 	}()
 	for rows.Next() {
 		spec := &datastore.Spec{}
@ -61,6 +65,10 @@ func (r *AgentRepository) GetSpecs(ctx context.Context, agentID datastore.AgentI
 		specs = append(specs, spec)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return specs, nil
 }
@ -119,7 +127,7 @@ func (r *AgentRepository) Query(ctx context.Context, opts ...datastore.AgentQuer
 	count := 0
 	err := r.withTx(ctx, func(tx *sql.Tx) error {
-		query := `SELECT id, thumbprint, status, created_at, updated_at FROM agents`
+		query := `SELECT id, label, thumbprint, status, contacted_at, created_at, updated_at FROM agents`
 		limit := 10
 		if options.Limit != nil {
@ -176,22 +184,34 @@ func (r *AgentRepository) Query(ctx context.Context, opts ...datastore.AgentQuer
 			return errors.WithStack(err)
 		}
-		defer rows.Close()
+		defer func() {
 			if err := rows.Close(); err != nil {
 				logger.Error(ctx, "could not close rows", logger.E(errors.WithStack(err)))
 			}
 		}()
 		for rows.Next() {
 			agent := &datastore.Agent{}
 			metadata := JSONMap{}
 			contactedAt := sql.NullTime{}
-			if err := rows.Scan(&agent.ID, &agent.Thumbprint, &agent.Status, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
+			if err := rows.Scan(&agent.ID, &agent.Label, &agent.Thumbprint, &agent.Status, &contactedAt, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
 				return errors.WithStack(err)
 			}
 			agent.Metadata = metadata
 			if contactedAt.Valid {
 				agent.ContactedAt = &contactedAt.Time
 			}
 			agents = append(agents, agent)
 		}
 		if err := rows.Err(); err != nil {
 			return errors.WithStack(err)
 		}
 		row := tx.QueryRowContext(ctx, `SELECT count(id) FROM agents `+filters, args...)
 		if err := row.Scan(&count); err != nil {
 			return errors.WithStack(err)
@ -299,7 +319,7 @@ func (r *AgentRepository) Get(ctx context.Context, id datastore.AgentID) (*datas
 	err := r.withTx(ctx, func(tx *sql.Tx) error {
 		query := `
-		SELECT "id", "thumbprint", "keyset", "metadata", "status", "created_at", "updated_at"
+		SELECT "id", "label", "thumbprint", "keyset", "metadata", "status", "contacted_at", "created_at", "updated_at"
 		FROM agents
 		WHERE id = $1
 		`
@ -307,9 +327,10 @@ func (r *AgentRepository) Get(ctx context.Context, id datastore.AgentID) (*datas
 		row := r.db.QueryRowContext(ctx, query, id)
 		metadata := JSONMap{}
 		contactedAt := sql.NullTime{}
 		var rawKeySet []byte
-		if err := row.Scan(&agent.ID, &agent.Thumbprint, &rawKeySet, &metadata, &agent.Status, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
+		if err := row.Scan(&agent.ID, &agent.Label, &agent.Thumbprint, &rawKeySet, &metadata, &agent.Status, &contactedAt, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
 			if errors.Is(err, sql.ErrNoRows) {
 				return datastore.ErrNotFound
 			}
@ -318,6 +339,9 @@ func (r *AgentRepository) Get(ctx context.Context, id datastore.AgentID) (*datas
 		}
 		agent.Metadata = metadata
 		if contactedAt.Valid {
 			agent.ContactedAt = &contactedAt.Time
 		}
 		keySet := jwk.NewSet()
 		if err := json.Unmarshal(rawKeySet, &keySet); err != nil {
@ -346,15 +370,11 @@ func (r *AgentRepository) Update(ctx context.Context, id datastore.AgentID, opts
 	err := r.withTx(ctx, func(tx *sql.Tx) error {
 		query := `
-			UPDATE agents SET updated_at = $2
+			UPDATE agents SET id = $1
 		`
-		now := time.Now().UTC()
+		args := []any{id}
-
+		index := 2
 		args := []any{
 			id, now,
 		}
 		index := 3
 		if options.Status != nil {
 			query += fmt.Sprintf(`, status = $%d`, index)
@ -379,23 +399,51 @@ func (r *AgentRepository) Update(ctx context.Context, id datastore.AgentID, opts
 			index++
 		}
 		if options.Label != nil {
 			query += fmt.Sprintf(`, label = $%d`, index)
 			args = append(args, *options.Label)
 			index++
 		}
 		if options.ContactedAt != nil {
 			query += fmt.Sprintf(`, contacted_at = $%d`, index)
 			utc := options.ContactedAt.UTC()
 			args = append(args, utc)
 			index++
 		}
 		if options.Metadata != nil {
 			query += fmt.Sprintf(`, metadata = $%d`, index)
 			args = append(args, JSONMap(*options.Metadata))
 			index++
 		}
 		updated := options.Metadata != nil ||
 			options.Status != nil ||
 			options.Label != nil ||
 			options.KeySet != nil ||
 			options.Thumbprint != nil
 		if updated {
 			now := time.Now().UTC()
 			query += fmt.Sprintf(`, updated_at = $%d`, index)
 			args = append(args, now)
 			index++
 		}
 		query += `
 			WHERE id = $1 
-			RETURNING "id", "thumbprint", "keyset", "metadata", "status", "created_at", "updated_at"
+			RETURNING "id", "label", "thumbprint", "keyset", "metadata", "status", "contacted_at", "created_at", "updated_at"
 		`
 		logger.Debug(ctx, "executing query", logger.F("query", query), logger.F("args", args))
 		row := tx.QueryRowContext(ctx, query, args...)
 		metadata := JSONMap{}
 		contactedAt := sql.NullTime{}
 		var rawKeySet []byte
-		if err := row.Scan(&agent.ID, &agent.Thumbprint, &rawKeySet, &metadata, &agent.Status, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
+		if err := row.Scan(&agent.ID, &agent.Label, &agent.Thumbprint, &rawKeySet, &metadata, &agent.Status, &contactedAt, &agent.CreatedAt, &agent.UpdatedAt); err != nil {
 			if errors.Is(err, sql.ErrNoRows) {
 				return datastore.ErrNotFound
 			}
@ -404,6 +452,9 @@ func (r *AgentRepository) Update(ctx context.Context, id datastore.AgentID, opts
 		}
 		agent.Metadata = metadata
 		if contactedAt.Valid {
 			agent.ContactedAt = &contactedAt.Time
 		}
 		keySet := jwk.NewSet()
 		if err := json.Unmarshal(rawKeySet, &keySet); err != nil {
--- a/internal/server/agent_api.go
+++ b/internal/server/agent_api.go
@ -145,6 +145,7 @@ func (s *Server) registerAgent(w http.ResponseWriter, r *http.Request) {
 type updateAgentRequest struct {
 	Status *datastore.AgentStatus `json:"status" validate:"omitempty,oneof=0 1 2 3"`
 	Label  *string                `json:"label" validate:"omitempty"`
 }
 func (s *Server) updateAgent(w http.ResponseWriter, r *http.Request) {
@ -166,6 +167,10 @@ func (s *Server) updateAgent(w http.ResponseWriter, r *http.Request) {
 		options = append(options, datastore.WithAgentUpdateStatus(*updateAgentReq.Status))
 	}
 	if updateAgentReq.Label != nil {
 		options = append(options, datastore.WithAgentUpdateLabel(*updateAgentReq.Label))
 	}
 	agent, err := s.agentRepo.Update(
 		ctx,
 		datastore.AgentID(agentID),
--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -105,8 +105,8 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
-				thirdparty.NewAuthenticator(keys, string(s.conf.Issuer)),
+				thirdparty.NewAuthenticator(keys, string(s.conf.Issuer), thirdparty.DefaultAcceptableSkew),
-				agent.NewAuthenticator(s.agentRepo),
+				agent.NewAuthenticator(s.agentRepo, agent.DefaultAcceptableSkew),
 			))
 			r.Route("/agents", func(r chi.Router) {
--- a/migrations/sqlite/0000001_agent_label.down.sql
+++ b/migrations/sqlite/0000001_agent_label.down.sql
@ -0,0 +1 @@
 ALTER TABLE agents DROP COLUMN label;
--- a/migrations/sqlite/0000001_agent_label.up.sql
+++ b/migrations/sqlite/0000001_agent_label.up.sql
@ -0,0 +1 @@
 ALTER TABLE agents ADD COLUMN label TEXT DEFAULT "";
--- a/migrations/sqlite/0000002_agent_contactedat.down.sql
+++ b/migrations/sqlite/0000002_agent_contactedat.down.sql
@ -0,0 +1 @@
 ALTER TABLE agents DROP COLUMN contacted_at;
--- a/migrations/sqlite/0000002_agent_contactedat.up.sql
+++ b/migrations/sqlite/0000002_agent_contactedat.up.sql
@ -0,0 +1 @@
 ALTER TABLE agents ADD COLUMN contacted_at datetime;
--- a/misc/jenkins/Dockerfile
+++ b/misc/jenkins/Dockerfile
@ -0,0 +1,24 @@
 FROM reg.cadoles.com/proxy_cache/library/ubuntu:22.04
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
 ARG http_proxy=
 ARG https_proxy=
 ARG GO_VERSION=1.19.2
 # Install dev environment dependencies
 RUN export DEBIAN_FRONTEND=noninteractive &&\
    apt-get update -y &&\
    apt-get install -y --no-install-recommends curl ca-certificates build-essential wget unzip tar git jq
 # Install Go
 RUN mkdir -p /tmp \
    && wget -O /tmp/go${GO_VERSION}.linux-amd64.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
    && rm -rf /usr/local/go \
    && mkdir -p /usr/local \
    && tar -C /usr/local -xzf /tmp/go${GO_VERSION}.linux-amd64.tar.gz
 ENV PATH="${PATH}:/usr/local/go/bin"
 # Add LetsEncrypt certificates
 RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
--- a/misc/packaging/common/config-server.yml
+++ b/misc/packaging/common/config-server.yml
@ -9,7 +9,7 @@ server:
    port: 3000
  database:
    driver: sqlite
-    dsn: sqlite:///var/lib/emissary/data.sqlite
+    dsn: sqlite:///var/lib/emissary/data.sqlite?_pragma=foreign_keys(1)&_pragma=journal_mode(WAL)&_txlock=immediate
  cors:
    allowedOrigins: []
    allowCredentials: true
--- a/misc/spec-samples/app.emissary.cadoles.com.json
+++ b/misc/spec-samples/app.emissary.cadoles.com.json
@ -17,6 +17,12 @@
            "sha256sum": "e97b7b79159bb5d6a13b05644c091272b02a1a3cbb1b613dd5eda37e1eb84623",
            "address": "127.0.0.1:8084",
            "format": "zip"
        },
        "diffusion": {
            "url": "https://emissary.cadol.es/files/apps/arcad.diffusion_v2023.3.29-5b3fab4.zip",
            "sha256sum": "1282e75719beedbc7c7e67879389d0f3e11c86d3d2c37cf13da624a66faaeb58",
            "address": "127.0.0.1:8085",
            "format": "zip"
        }
    },
    "config": {
--- a/misc/spec-samples/proxy.emissary.cadoles.com.json
+++ b/misc/spec-samples/proxy.emissary.cadoles.com.json
@ -15,6 +15,10 @@
                    "hostPattern": "test.arcad.local:*",
                    "target": "http://localhost:8084"
                },
                {
                    "hostPattern": "diffusion.arcad.local:*",
                    "target": "http://localhost:8085"
                },
                {
                    "hostPattern": "*",
                    "target": "http://localhost:8082"
Author	SHA1	Message	Date
William Petit	7d551a8312	feat(auth): accept clock skew for token validation Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-04-01 19:30:45 +02:00
William Petit	d02eb91b11	feat(agent): add contactedAt attribute to agent Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-04-01 14:33:19 +02:00
William Petit	d2bcdd2999	feat(storage,agent): add label attribute Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-04-01 13:28:18 +02:00
William Petit	c638fe102b	chore(jenkins): use global git config for credentials Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-03-31 17:31:44 +02:00
William Petit	273265c3ef	feat(agent,run): start proxy controller after app one Some checks failed arcad/emissary/pipeline/head There was a failure building this commit Details	2023-03-31 17:29:33 +02:00
William Petit	3e02a9f031	chore(controller,app): refactor app server mutex usage Some checks failed arcad/emissary/pipeline/head There was a failure building this commit Details	2023-03-31 17:28:52 +02:00
William Petit	b52c687643	feat(sqlite): add default pragmas to dsn	2023-03-31 17:27:54 +02:00
William Petit	8119a01bf6	chore: add jenkins pipeline Some checks failed arcad/emissary/pipeline/head There was a failure building this commit Details	2023-03-31 17:24:33 +02:00
William Petit	e5b6c5e949	chore(sqlite): use wal journal mode and enable fk checks by default	2023-03-29 20:58:46 +02:00
William Petit	9c69dc7ec8	feat(auth): use utc time	2023-03-29 20:49:44 +02:00
William Petit	4e6b450338	feat(storage,sqlite): log row closing errors	2023-03-29 20:10:06 +02:00
William Petit	351f22e216	feat(controller,app): automatically redirect requests to cookie domain	2023-03-29 17:29:16 +02:00
William Petit	854a6ae41b	fix(controller,app): include auth configuration in changes detection	2023-03-29 15:32:23 +02:00
William Petit	a48c2ebe14	fix(controller,app): update app repository on spec changes	2023-03-29 11:27:47 +02:00
William Petit	cdd78e4031	chore: update go.mod	2023-03-28 20:48:00 +02:00
		`@ -0,0 +1 @@`
							`ALTER TABLE agents ADD COLUMN label TEXT DEFAULT "";`
		`@ -0,0 +1 @@`
							`ALTER TABLE agents DROP COLUMN contacted_at;`
		`@ -0,0 +1 @@`
							`ALTER TABLE agents ADD COLUMN contacted_at datetime;`