Compare commits
20 Commits
v2023.6.23
...
feature/te
Author | SHA1 | Date | |
---|---|---|---|
c55c723868 | |||
3d7a094cb8 | |||
077964c7b9 | |||
3af6324121 | |||
b31900ae2f | |||
777648ff44 | |||
d9919c888f | |||
1eb3de4f16 | |||
9326bac792 | |||
3c1f5042c8 | |||
14eecbf01e | |||
c51ac0adc7 | |||
3e168dadf6 | |||
61ac5e8ae0 | |||
929394c479 | |||
a1ec5b87c8 | |||
5c36955c13 | |||
6cf01adb61 | |||
8e88b5a7f1 | |||
42d49eb090 |
44
.chglog/CHANGELOG.tpl.md
Normal file
44
.chglog/CHANGELOG.tpl.md
Normal file
@ -0,0 +1,44 @@
|
||||
{{ if .Versions -}}
|
||||
{{ if .Unreleased.CommitGroups -}}
|
||||
<a name="unreleased"></a>
|
||||
## [Unreleased]
|
||||
|
||||
{{ range .Unreleased.CommitGroups -}}
|
||||
### {{ .Title }}
|
||||
{{ range .Commits -}}
|
||||
- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
|
||||
{{ end }}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
||||
|
||||
{{ range .Versions }}
|
||||
<a name="{{ .Tag.Name }}"></a>
|
||||
## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }}
|
||||
{{ range .CommitGroups -}}
|
||||
### {{ .Title }}
|
||||
{{ range .Commits -}}
|
||||
- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
|
||||
{{ end }}
|
||||
{{ else }}
|
||||
_Nothing functionally significant._
|
||||
{{ end -}}
|
||||
|
||||
{{- if .NoteGroups -}}
|
||||
{{ range .NoteGroups -}}
|
||||
### {{ .Title }}
|
||||
{{ range .Notes }}
|
||||
{{ .Body }}
|
||||
{{ end }}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
||||
|
||||
{{- if .Versions }}
|
||||
[Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD
|
||||
{{ range .Versions -}}
|
||||
{{ if .Tag.Previous -}}
|
||||
[{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
||||
{{ end -}}
|
33
.chglog/config.yml
Normal file
33
.chglog/config.yml
Normal file
@ -0,0 +1,33 @@
|
||||
style: github
|
||||
template: CHANGELOG.tpl.md
|
||||
info:
|
||||
title: CHANGELOG
|
||||
repository_url: https://forge.cadoles.com//
|
||||
options:
|
||||
commits:
|
||||
filters:
|
||||
Type:
|
||||
- feat
|
||||
- fix
|
||||
- perf
|
||||
- refactor
|
||||
- docs
|
||||
commit_groups:
|
||||
title_maps:
|
||||
feat: Features
|
||||
fix: Bug Fixes
|
||||
perf: Performance Improvements
|
||||
refactor: Code Refactoring
|
||||
docs: Documentation
|
||||
header:
|
||||
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
|
||||
pattern_maps:
|
||||
- Type
|
||||
- Scope
|
||||
- Subject
|
||||
notes:
|
||||
keywords:
|
||||
- BREAKING CHANGE
|
||||
issues:
|
||||
prefix:
|
||||
- '#'
|
4
.gitignore
vendored
4
.gitignore
vendored
@ -10,4 +10,6 @@ dist/
|
||||
/apps
|
||||
/server-key.json
|
||||
/.emissary-token
|
||||
/out
|
||||
/out
|
||||
.mktools/
|
||||
/CHANGELOG.md
|
||||
|
30
Jenkinsfile
vendored
30
Jenkinsfile
vendored
@ -19,7 +19,7 @@ pipeline {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
stage('Run unit tests') {
|
||||
steps {
|
||||
script {
|
||||
@ -58,20 +58,22 @@ pipeline {
|
||||
passwordVariable: 'GITEA_RELEASE_PASSWORD'
|
||||
])
|
||||
]) {
|
||||
sh 'make gitea-release'
|
||||
}
|
||||
def currentVersion = sh(returnStdout: true, script: 'make full-version').trim()
|
||||
if (currentVersion.endsWith('-dirty')) {
|
||||
unstable('Could not trigger emissary-firmware build, dirty version !')
|
||||
} else {
|
||||
build(
|
||||
job: "../emissary-firmware/${env.GIT_BRANCH}",
|
||||
parameters: [
|
||||
[$class: 'StringParameterValue', name: 'emissaryRelease', value: currentVersion]
|
||||
],
|
||||
wait: false
|
||||
)
|
||||
sh """
|
||||
export MKT_PROJECT_VERSION_BRANCH_NAME=${env.BRANCH_NAME}
|
||||
make mktools
|
||||
make gitea-release
|
||||
"""
|
||||
}
|
||||
|
||||
String currentVersion = sh(script: "MKT_PROJECT_VERSION_BRANCH_NAME=${env.BRANCH_NAME} make version", returnStdout: true).trim()
|
||||
|
||||
build(
|
||||
job: "../emissary-firmware/${env.GIT_BRANCH}",
|
||||
parameters: [
|
||||
[$class: 'StringParameterValue', name: 'emissaryRelease', value: currentVersion]
|
||||
],
|
||||
wait: false
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
66
Makefile
66
Makefile
@ -5,12 +5,9 @@ GITCHLOG_ARGS ?=
|
||||
SHELL := /bin/bash
|
||||
|
||||
EMISSARY_VERSION ?=
|
||||
GIT_VERSION := $(shell git describe --always)
|
||||
DATE_VERSION := $(shell date +%Y.%-m.%-d)
|
||||
FULL_VERSION := v$(DATE_VERSION)-$(GIT_VERSION)$(if $(shell git diff --stat),-dirty,)
|
||||
|
||||
DOCKER_IMAGE_NAME ?= bornholm/emissary
|
||||
DOCKER_IMAGE_TAG ?= $(FULL_VERSION)
|
||||
DOCKER_IMAGE_TAG ?= $(MKT_PROJECT_VERSION)
|
||||
|
||||
GOTEST_ARGS ?= -short
|
||||
|
||||
@ -45,7 +42,7 @@ build-emissary-%: deps ## Build executable
|
||||
-v \
|
||||
-ldflags "\
|
||||
-X 'main.GitRef=$(shell git rev-parse --short HEAD)' \
|
||||
-X 'main.ProjectVersion=$(FULL_VERSION)' \
|
||||
-X 'main.ProjectVersion=$(MKT_PROJECT_VERSION)' \
|
||||
-X 'main.BuildDate=$(shell date --utc --rfc-3339=seconds)' \
|
||||
" \
|
||||
-o ./bin/$* \
|
||||
@ -66,7 +63,7 @@ run-emissary-%: .env
|
||||
( set -o allexport && source .env && set +o allexport && bin/$* $(EMISSARY_CMD))
|
||||
|
||||
.PHONY: deps
|
||||
deps: .env
|
||||
deps: .env .mktools
|
||||
|
||||
.PHONY: dump-config
|
||||
dump-config: build-emissary
|
||||
@ -74,27 +71,8 @@ dump-config: build-emissary
|
||||
./bin/emissary config dump > tmp/config.yml
|
||||
|
||||
.PHONY: goreleaser
|
||||
goreleaser: deps
|
||||
( set -o allexport && source .env && set +o allexport && VERSION=$(GORELEASER_VERSION) curl -sfL https://goreleaser.com/static/run | GORELEASER_CURRENT_TAG="$(FULL_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )
|
||||
|
||||
.PHONY: start-release
|
||||
start-release:
|
||||
if [ -z "$(EMISSARY_VERSION)" ]; then echo "You must define environment variable FAQD_VERSION"; exit 1; fi
|
||||
|
||||
git flow release start $(EMISSARY_VERSION)
|
||||
|
||||
# Update package.json version
|
||||
jq '.version = "$(EMISSARY_VERSION)"' package.json | sponge package.json
|
||||
git add package.json
|
||||
git commit -m "chore: bump to version $(EMISSARY_VERSION)" --allow-empty
|
||||
|
||||
echo "Commit you additional modifications then execute 'make finish-release'"
|
||||
|
||||
.PHONY: finish-release
|
||||
finish-release:
|
||||
git flow release finish -m "v$(EMISSARY_VERSION)"
|
||||
git push --all
|
||||
git push --tags
|
||||
goreleaser: .mktools
|
||||
( set -o allexport && source .env && set +o allexport && VERSION=$(GORELEASER_VERSION) curl -sfL https://goreleaser.com/static/run | GORELEASER_CURRENT_TAG="$(MKT_PROJECT_VERSION)" bash /dev/stdin $(GORELEASER_ARGS) )
|
||||
|
||||
install-git-hooks:
|
||||
git config core.hooksPath .githooks
|
||||
@ -119,32 +97,28 @@ deploy-openwrt-agent:
|
||||
scp dist/emissary-agent_linux_arm_6/emissary root@$(OPENWRT_DEVICE):/usr/bin/emissary
|
||||
ssh root@$(OPENWRT_DEVICE) /etc/init.d/emissary-agent start
|
||||
|
||||
gitea-release: tools/gitea-release/bin/gitea-release.sh goreleaser
|
||||
gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh goreleaser changelog
|
||||
mkdir -p .gitea-release
|
||||
rm -rf .gitea-release/*
|
||||
|
||||
cp dist/*.tar.gz .gitea-release/
|
||||
cp dist/*.apk .gitea-release/
|
||||
cp dist/*.deb .gitea-release/
|
||||
cp CHANGELOG.md .gitea-release/
|
||||
|
||||
GITEA_RELEASE_PROJECT="emissary" \
|
||||
GITEA_RELEASE_ORG="arcad" \
|
||||
GITEA_RELEASE_BASE_URL="https://forge.cadoles.com" \
|
||||
GITEA_RELEASE_VERSION="$(FULL_VERSION)" \
|
||||
GITEA_RELEASE_NAME="$(FULL_VERSION)" \
|
||||
GITEA_RELEASE_VERSION="$(MKT_PROJECT_VERSION)" \
|
||||
GITEA_RELEASE_NAME="$(MKT_PROJECT_VERSION)" \
|
||||
GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
|
||||
GITEA_RELEASE_IS_DRAFT="false" \
|
||||
GITEA_RELEASE_BODY="" \
|
||||
GITEA_RELEASE_ATTACHMENTS="$$(find .gitea-release/* -type f)" \
|
||||
tools/gitea-release/bin/gitea-release.sh
|
||||
|
||||
tools/gitea-release/bin/gitea-release.sh:
|
||||
mkdir -p tools/gitea-release/bin
|
||||
curl --output tools/gitea-release/bin/gitea-release.sh https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/gitea/gitea-release.sh
|
||||
chmod +x tools/gitea-release/bin/gitea-release.sh
|
||||
|
||||
.emissary-token:
|
||||
$(MAKE) run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server auth create-token --role writer > .emissary-token"
|
||||
$(MAKE) run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server auth create-token --role writer --output .emissary-token"
|
||||
|
||||
AGENT_ID ?= 1
|
||||
|
||||
@ -153,8 +127,8 @@ load-sample-specs:
|
||||
cat misc/spec-samples/proxy.emissary.cadoles.com.json | ./bin/server api agent spec update -a $(AGENT_ID) --no-patch --spec-data - --spec-name proxy.emissary.cadoles.com
|
||||
cat misc/spec-samples/mdns.emissary.cadoles.com.json | ./bin/server api agent spec update -a $(AGENT_ID) --no-patch --spec-data - --spec-name mdns.emissary.cadoles.com
|
||||
|
||||
full-version:
|
||||
@echo $(FULL_VERSION)
|
||||
version: .mktools
|
||||
@echo $(MKT_PROJECT_VERSION)
|
||||
|
||||
update-edge-lib:
|
||||
git pull --rebase
|
||||
@ -163,4 +137,18 @@ update-edge-lib:
|
||||
$(MAKE) test
|
||||
git add go.mod go.sum
|
||||
git commit -m "feat: update arcad/edge dependency"
|
||||
git push
|
||||
git push
|
||||
|
||||
.PHONY: changelog
|
||||
changelog: .mktools
|
||||
$(MAKE) MKT_GIT_CHGLOG_ARGS='--next-tag $(MKT_PROJECT_VERSION) --tag-filter-pattern $(MKT_PROJECT_VERSION_CHANNEL) --output CHANGELOG.md' mkt-changelog
|
||||
|
||||
.PHONY: mktools
|
||||
mktools:
|
||||
rm -rf .mktools
|
||||
curl -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL)
|
||||
|
||||
.mktools:
|
||||
$(MAKE) mktools
|
||||
|
||||
-include .mktools/*.mk
|
@ -24,3 +24,7 @@ See:
|
||||
|
||||
- [`misc/packaging/common/config-agent.yml`](../misc/packaging/common/config-agent.yml)
|
||||
- [`misc/packaging/common/config-server.yml`](../misc/packaging/common/config-server.yml)
|
||||
|
||||
### Other projects
|
||||
|
||||
- [`emissary-firmware`](https://forge.cadoles.com/arcad/emissary-firmware) - Preconfigured OpenWRT firmwares with an agent
|
@ -36,7 +36,7 @@
|
||||
```bash
|
||||
sudo nmap -sP 192.168.0.* # À modifier par le préfixe correspondant à votre réseau local
|
||||
```
|
||||
|
||||
|
||||
Une entrée équivalente à la suivante devrait être affichée:
|
||||
|
||||
```bash
|
||||
@ -80,9 +80,11 @@
|
||||
5. Créer un jeton d'administration:
|
||||
|
||||
```shell
|
||||
sudo emissary --workdir /usr/share/emissary --config /etc/emissary/server.yml server auth create-token --role writer --subject $(whoami) > .emissary-token
|
||||
sudo emissary --workdir /usr/share/emissary --config /etc/emissary/server.yml server auth create-token --role writer --subject $(whoami)
|
||||
```
|
||||
|
||||
> **Note** Le jeton sera stocké dans le répertoire `$HOME/.config/emissary`.
|
||||
|
||||
6. Vérifier l'authentification sur l'API:
|
||||
|
||||
```shell
|
||||
|
1
go.mod
1
go.mod
@ -7,6 +7,7 @@ require (
|
||||
github.com/Masterminds/sprig/v3 v3.2.3
|
||||
github.com/alecthomas/participle/v2 v2.0.0-beta.5
|
||||
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
|
||||
github.com/antonmedv/expr v1.12.7
|
||||
github.com/brutella/dnssd v1.2.6
|
||||
github.com/btcsuite/btcd/btcutil v1.1.3
|
||||
github.com/davecgh/go-spew v1.1.1
|
||||
|
2
go.sum
2
go.sum
@ -149,6 +149,8 @@ github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY
|
||||
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
|
||||
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
|
||||
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
|
||||
github.com/antonmedv/expr v1.12.7 h1:jfV/l/+dHWAadLwAtESXNxXdfbK9bE4+FNMHYCMntwk=
|
||||
github.com/antonmedv/expr v1.12.7/go.mod h1:FPC8iWArxls7axbVLsW+kpg1mz29A1b2M6jt+hZfDkU=
|
||||
github.com/apache/arrow/go/arrow v0.0.0-20210818145353-234c94e4ce64/go.mod h1:2qMFB56yOP3KzkB3PbYZ4AlUFg3a88F67TIx5lB/WwY=
|
||||
github.com/apache/arrow/go/arrow v0.0.0-20211013220434-5962184e7a30/go.mod h1:Q7yQnSMnLvcXlZ8RV+jwz/6y1rQTqbX6C82SndT52Zs=
|
||||
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
|
||||
|
@ -6,8 +6,8 @@ import (
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/agent/metadata"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth/agent"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/api"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
|
@ -3,7 +3,7 @@ package agent
|
||||
import (
|
||||
"context"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
|
@ -4,8 +4,8 @@ import (
|
||||
"context"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/agent"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
|
@ -4,7 +4,7 @@ import (
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/agent/metadata"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
)
|
||||
|
||||
type Options struct {
|
||||
|
@ -11,7 +11,6 @@ import (
|
||||
"github.com/lestrrat-go/jwx/v2/jws"
|
||||
"github.com/lestrrat-go/jwx/v2/jwt"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
|
||||
const DefaultAcceptableSkew = 5 * time.Minute
|
||||
@ -23,8 +22,6 @@ type Authenticator struct {
|
||||
|
||||
// Authenticate implements auth.Authenticator.
|
||||
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
|
||||
ctx = logger.With(r.Context(), logger.F("remoteAddr", r.RemoteAddr))
|
||||
|
||||
authorization := r.Header.Get("Authorization")
|
||||
if authorization == "" {
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
|
39
internal/auth/thirdparty/authenticator.go
vendored
39
internal/auth/thirdparty/authenticator.go
vendored
@ -8,22 +8,25 @@ import (
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"github.com/lestrrat-go/jwx/v2/jwt"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
|
||||
const DefaultAcceptableSkew = 5 * time.Minute
|
||||
|
||||
type (
|
||||
GetKeySet func(context.Context) (jwk.Set, error)
|
||||
GetTokenRole func(context.Context, jwt.Token) (string, error)
|
||||
)
|
||||
|
||||
type Authenticator struct {
|
||||
keys jwk.Set
|
||||
issuer string
|
||||
getKeySet GetKeySet
|
||||
getTokenRole GetTokenRole
|
||||
acceptableSkew time.Duration
|
||||
}
|
||||
|
||||
// Authenticate implements auth.Authenticator.
|
||||
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
|
||||
ctx = logger.With(r.Context(), logger.F("remoteAddr", r.RemoteAddr))
|
||||
|
||||
authorization := r.Header.Get("Authorization")
|
||||
if authorization == "" {
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
@ -34,37 +37,37 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
}
|
||||
|
||||
token, err := parseToken(ctx, a.keys, a.issuer, rawToken, a.acceptableSkew)
|
||||
keys, err := a.getKeySet(ctx)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
rawRole, exists := token.Get(keyRole)
|
||||
if !exists {
|
||||
return nil, errors.New("could not find 'thumbprint' claim")
|
||||
token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
role, ok := rawRole.(string)
|
||||
if !ok {
|
||||
return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyRole, rawRole)
|
||||
rawRole, err := a.getTokenRole(ctx, token)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
if !isValidRole(role) {
|
||||
return nil, errors.Errorf("invalid role '%s'", role)
|
||||
if !isValidRole(rawRole) {
|
||||
return nil, errors.Errorf("invalid role '%s'", rawRole)
|
||||
}
|
||||
|
||||
user := &User{
|
||||
subject: token.Subject(),
|
||||
role: Role(role),
|
||||
role: Role(rawRole),
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func NewAuthenticator(keys jwk.Set, issuer string, acceptableSkew time.Duration) *Authenticator {
|
||||
func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, acceptableSkew time.Duration) *Authenticator {
|
||||
return &Authenticator{
|
||||
keys: keys,
|
||||
issuer: issuer,
|
||||
getTokenRole: getTokenRole,
|
||||
getKeySet: getKeySet,
|
||||
acceptableSkew: acceptableSkew,
|
||||
}
|
||||
}
|
||||
|
16
internal/auth/thirdparty/jwt.go
vendored
16
internal/auth/thirdparty/jwt.go
vendored
@ -11,15 +11,13 @@ import (
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
const keyRole = "role"
|
||||
|
||||
func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
|
||||
func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
|
||||
token, err := jwt.Parse(
|
||||
[]byte(rawToken),
|
||||
jwt.WithKeySet(keys, jws.WithRequireKid(false)),
|
||||
jwt.WithIssuer(issuer),
|
||||
jwt.WithValidate(true),
|
||||
jwt.WithAcceptableSkew(acceptableSkew),
|
||||
jwt.WithContext(ctx),
|
||||
)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
@ -28,18 +26,16 @@ func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken strin
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, role Role) (string, error) {
|
||||
const DefaultRoleKey string = "role"
|
||||
|
||||
func GenerateToken(ctx context.Context, key jwk.Key, subject string, role Role) (string, error) {
|
||||
token := jwt.New()
|
||||
|
||||
if err := token.Set(jwt.SubjectKey, subject); err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := token.Set(jwt.IssuerKey, issuer); err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := token.Set(keyRole, role); err != nil {
|
||||
if err := token.Set(DefaultRoleKey, role); err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
|
@ -3,10 +3,10 @@ package agent
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -3,12 +3,12 @@ package agent
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -3,11 +3,11 @@ package agent
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -3,11 +3,11 @@ package agent
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -3,12 +3,12 @@ package spec
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/spec"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -3,11 +3,11 @@ package spec
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -4,12 +4,12 @@ import (
|
||||
"encoding/json"
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/spec"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
jsonpatch "github.com/evanphx/json-patch/v5"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
|
@ -3,11 +3,11 @@ package agent
|
||||
import (
|
||||
"os"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/client"
|
||||
agentFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/agent/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/apierr"
|
||||
clientFlag "forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/format"
|
||||
"forge.cadoles.com/Cadoles/emissary/pkg/client"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
@ -2,7 +2,6 @@ package flag
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
@ -12,6 +11,11 @@ import (
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
AuthTokenDefaultHomePath = "$HOME/.config/emissary/auth-token"
|
||||
AuthTokenDefaultLocalPath = ".emissary-token"
|
||||
)
|
||||
|
||||
func ComposeFlags(flags ...cli.Flag) []cli.Flag {
|
||||
baseFlags := []cli.Flag{
|
||||
&cli.StringFlag{
|
||||
@ -37,10 +41,10 @@ func ComposeFlags(flags ...cli.Flag) []cli.Flag {
|
||||
Aliases: []string{"t"},
|
||||
Usage: "use `TOKEN` as authentication token",
|
||||
},
|
||||
&cli.StringFlag{
|
||||
&cli.StringSliceFlag{
|
||||
Name: "token-file",
|
||||
Usage: "use `TOKEN_FILE` as file containing the authentication token",
|
||||
Value: ".emissary-token",
|
||||
Value: cli.NewStringSlice(AuthTokenDefaultLocalPath, AuthTokenDefaultHomePath),
|
||||
TakesFile: true,
|
||||
},
|
||||
}
|
||||
@ -55,14 +59,14 @@ type BaseFlags struct {
|
||||
Format format.Format
|
||||
OutputMode format.OutputMode
|
||||
Token string
|
||||
TokenFile string
|
||||
TokenFiles []string
|
||||
}
|
||||
|
||||
func GetBaseFlags(ctx *cli.Context) *BaseFlags {
|
||||
serverURL := ctx.String("server")
|
||||
rawFormat := ctx.String("format")
|
||||
rawOutputMode := ctx.String("output-mode")
|
||||
tokenFile := ctx.String("token-file")
|
||||
tokenFiles := ctx.StringSlice("token-file")
|
||||
token := ctx.String("token")
|
||||
|
||||
return &BaseFlags{
|
||||
@ -70,7 +74,7 @@ func GetBaseFlags(ctx *cli.Context) *BaseFlags {
|
||||
Format: format.Format(rawFormat),
|
||||
OutputMode: format.OutputMode(rawOutputMode),
|
||||
Token: token,
|
||||
TokenFile: tokenFile,
|
||||
TokenFiles: tokenFiles,
|
||||
}
|
||||
}
|
||||
|
||||
@ -79,18 +83,20 @@ func GetToken(flags *BaseFlags) (string, error) {
|
||||
return flags.Token, nil
|
||||
}
|
||||
|
||||
if flags.TokenFile == "" {
|
||||
return "", nil
|
||||
for _, tokenFile := range flags.TokenFiles {
|
||||
tokenFile = os.ExpandEnv(tokenFile)
|
||||
|
||||
rawToken, err := os.ReadFile(tokenFile)
|
||||
if err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
if rawToken == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
return strings.TrimSpace(string(rawToken)), nil
|
||||
}
|
||||
|
||||
rawToken, err := ioutil.ReadFile(flags.TokenFile)
|
||||
if err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
if rawToken == nil {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
return strings.TrimSpace(string(rawToken)), nil
|
||||
return "", nil
|
||||
}
|
||||
|
@ -2,8 +2,11 @@ package auth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth/thirdparty"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/api/flag"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/command/common"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"github.com/lithammer/shortuuid/v4"
|
||||
@ -26,6 +29,13 @@ func CreateTokenCommand() *cli.Command {
|
||||
Usage: "associate `SUBJECT` to the token",
|
||||
Value: fmt.Sprintf("user-%s", shortuuid.New()),
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "output",
|
||||
Aliases: []string{"o"},
|
||||
TakesFile: true,
|
||||
Usage: "output token to `OUTPUT` (or '-' to print to stdout)",
|
||||
Value: flag.AuthTokenDefaultHomePath,
|
||||
},
|
||||
},
|
||||
Action: func(ctx *cli.Context) error {
|
||||
conf, err := common.LoadConfig(ctx)
|
||||
@ -35,18 +45,40 @@ func CreateTokenCommand() *cli.Command {
|
||||
|
||||
subject := ctx.String("subject")
|
||||
role := ctx.String("role")
|
||||
output := ctx.String("output")
|
||||
|
||||
key, err := jwk.LoadOrGenerate(string(conf.Server.PrivateKeyPath), jwk.DefaultKeySize)
|
||||
localAuth := conf.Server.Auth.Local
|
||||
if localAuth == nil {
|
||||
return errors.New("local auth is disabled")
|
||||
}
|
||||
|
||||
key, err := jwk.LoadOrGenerate(string(localAuth.PrivateKeyPath), jwk.DefaultKeySize)
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
token, err := thirdparty.GenerateToken(ctx.Context, key, string(conf.Server.Issuer), subject, thirdparty.Role(role))
|
||||
token, err := thirdparty.GenerateToken(ctx.Context, key, subject, thirdparty.Role(role))
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
fmt.Println(token)
|
||||
output = os.ExpandEnv(output)
|
||||
|
||||
if output == "-" {
|
||||
fmt.Println(token)
|
||||
} else {
|
||||
outputDirectory := filepath.Dir(output)
|
||||
|
||||
if err := os.MkdirAll(outputDirectory, os.FileMode(0o700)); err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := os.WriteFile(output, []byte(token), os.FileMode(0o600)); err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
fmt.Printf("Token written to '%s'.\n", output)
|
||||
}
|
||||
|
||||
return nil
|
||||
},
|
||||
|
@ -4,6 +4,7 @@ import (
|
||||
"os"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"gopkg.in/yaml.v3"
|
||||
@ -123,3 +124,37 @@ func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
type InterpolatedDuration time.Duration
|
||||
|
||||
func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
|
||||
var str string
|
||||
|
||||
if err := value.Decode(&str); err != nil {
|
||||
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
|
||||
}
|
||||
|
||||
if match := reVar.FindStringSubmatch(str); len(match) > 0 {
|
||||
str = os.Getenv(match[1])
|
||||
}
|
||||
|
||||
duration, err := time.ParseDuration(str)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "could not parse duration '%v', line '%d'", str, value.Line)
|
||||
}
|
||||
|
||||
*id = InterpolatedDuration(duration)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *InterpolatedDuration) MarshalYAML() (interface{}, error) {
|
||||
duration := time.Duration(*id)
|
||||
|
||||
return duration.String(), nil
|
||||
}
|
||||
|
||||
func NewInterpolatedDuration(d time.Duration) *InterpolatedDuration {
|
||||
id := InterpolatedDuration(d)
|
||||
return &id
|
||||
}
|
||||
|
@ -1,19 +1,50 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth/thirdparty"
|
||||
)
|
||||
|
||||
type ServerConfig struct {
|
||||
PrivateKeyPath InterpolatedString `yaml:"privateKeyPath"`
|
||||
Issuer InterpolatedString `yaml:"issuer"`
|
||||
HTTP HTTPConfig `yaml:"http"`
|
||||
Database DatabaseConfig `yaml:"database"`
|
||||
CORS CORSConfig `yaml:"cors"`
|
||||
HTTP HTTPConfig `yaml:"http"`
|
||||
Database DatabaseConfig `yaml:"database"`
|
||||
CORS CORSConfig `yaml:"cors"`
|
||||
Auth AuthConfig `yaml:"auth"`
|
||||
}
|
||||
|
||||
func NewDefaultServerConfig() ServerConfig {
|
||||
return ServerConfig{
|
||||
PrivateKeyPath: "server-key.json",
|
||||
Issuer: "http://127.0.0.1:3000",
|
||||
HTTP: NewDefaultHTTPConfig(),
|
||||
Database: NewDefaultDatabaseConfig(),
|
||||
CORS: NewDefaultCORSConfig(),
|
||||
HTTP: NewDefaultHTTPConfig(),
|
||||
Database: NewDefaultDatabaseConfig(),
|
||||
CORS: NewDefaultCORSConfig(),
|
||||
Auth: NewDefaultAuthConfig(),
|
||||
}
|
||||
}
|
||||
|
||||
type AuthConfig struct {
|
||||
Local *LocalAuthConfig `yaml:"local"`
|
||||
Remote *RemoteAuthConfig `yaml:"remote"`
|
||||
RoleExtractionRules []string `yaml:"roleExtractionRules"`
|
||||
}
|
||||
|
||||
func NewDefaultAuthConfig() AuthConfig {
|
||||
return AuthConfig{
|
||||
Local: &LocalAuthConfig{
|
||||
PrivateKeyPath: "server-key.json",
|
||||
},
|
||||
Remote: nil,
|
||||
RoleExtractionRules: []string{
|
||||
fmt.Sprintf("jwt.%s != nil ? str(jwt.%s) : ''", thirdparty.DefaultRoleKey, thirdparty.DefaultRoleKey),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
type LocalAuthConfig struct {
|
||||
PrivateKeyPath InterpolatedString `yaml:"privateKeyPath"`
|
||||
}
|
||||
|
||||
type RemoteAuthConfig struct {
|
||||
JsonWebKeySetURL InterpolatedString `yaml:"jwksUrl"`
|
||||
RefreshInterval *InterpolatedDuration `yaml:"refreshInterval"`
|
||||
}
|
||||
|
@ -1,11 +1,13 @@
|
||||
package jwk
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"encoding/json"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/btcsuite/btcd/btcutil/base58"
|
||||
"github.com/lestrrat-go/jwx/v2/jwa"
|
||||
@ -34,7 +36,7 @@ func Parse(src []byte, options ...jwk.ParseOption) (Set, error) {
|
||||
return jwk.Parse(src, options...)
|
||||
}
|
||||
|
||||
func PublicKeySet(keys ...jwk.Key) (jwk.Set, error) {
|
||||
func RS256PublicKeySet(keys ...jwk.Key) (jwk.Set, error) {
|
||||
set := jwk.NewSet()
|
||||
|
||||
for _, k := range keys {
|
||||
@ -85,6 +87,27 @@ func LoadOrGenerate(path string, size int) (jwk.Key, error) {
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func CreateCachedRemoteKeySet(ctx context.Context, url string, refreshInterval time.Duration) (func(context.Context) (jwk.Set, error), error) {
|
||||
cache := jwk.NewCache(ctx)
|
||||
|
||||
if err := cache.Register(url, jwk.WithMinRefreshInterval(refreshInterval)); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
if _, err := cache.Refresh(ctx, url); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return func(ctx context.Context) (jwk.Set, error) {
|
||||
keySet, err := cache.Get(ctx, url)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return keySet, nil
|
||||
}, nil
|
||||
}
|
||||
|
||||
func Generate(size int) (jwk.Key, error) {
|
||||
privKey, err := rsa.GenerateKey(rand.Reader, size)
|
||||
if err != nil {
|
||||
|
@ -12,7 +12,7 @@ func TestJWK(t *testing.T) {
|
||||
t.Fatalf("%+v", errors.WithStack(err))
|
||||
}
|
||||
|
||||
keySet, err := PublicKeySet(privateKey)
|
||||
keySet, err := RS256PublicKeySet(privateKey)
|
||||
if err != nil {
|
||||
t.Fatalf("%+v", errors.WithStack(err))
|
||||
}
|
||||
|
@ -6,6 +6,9 @@ import (
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth/agent"
|
||||
@ -13,9 +16,13 @@ import (
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/config"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"github.com/antonmedv/expr"
|
||||
"github.com/antonmedv/expr/vm"
|
||||
"github.com/go-chi/chi"
|
||||
"github.com/go-chi/chi/middleware"
|
||||
"github.com/go-chi/cors"
|
||||
"github.com/lestrrat-go/jwx/v2/jwa"
|
||||
"github.com/lestrrat-go/jwx/v2/jwt"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
@ -72,20 +79,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
|
||||
}
|
||||
}()
|
||||
|
||||
key, err := jwk.LoadOrGenerate(string(s.conf.PrivateKeyPath), jwk.DefaultKeySize)
|
||||
if err != nil {
|
||||
errs <- errors.WithStack(err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
keys, err := jwk.PublicKeySet(key)
|
||||
if err != nil {
|
||||
errs <- errors.WithStack(err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
router := chi.NewRouter()
|
||||
|
||||
router.Use(middleware.Logger)
|
||||
@ -100,12 +93,19 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
|
||||
|
||||
router.Use(corsMiddleware.Handler)
|
||||
|
||||
thirdPartyAuth, err := s.getThirdPartyAuthenticator()
|
||||
if err != nil {
|
||||
errs <- errors.WithStack(err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
router.Route("/api/v1", func(r chi.Router) {
|
||||
r.Post("/register", s.registerAgent)
|
||||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(auth.Middleware(
|
||||
thirdparty.NewAuthenticator(keys, string(s.conf.Issuer), thirdparty.DefaultAcceptableSkew),
|
||||
thirdPartyAuth,
|
||||
agent.NewAuthenticator(s.agentRepo, agent.DefaultAcceptableSkew),
|
||||
))
|
||||
|
||||
@ -131,6 +131,151 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
|
||||
logger.Info(ctx, "http server exiting")
|
||||
}
|
||||
|
||||
func (s *Server) getThirdPartyAuthenticator() (*thirdparty.Authenticator, error) {
|
||||
var localPublicKey jwk.Key
|
||||
|
||||
localAuth := s.conf.Auth.Local
|
||||
if localAuth != nil {
|
||||
key, err := jwk.LoadOrGenerate(string(localAuth.PrivateKeyPath), jwk.DefaultKeySize)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
publicKey, err := key.PublicKey()
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := publicKey.Set(jwk.AlgorithmKey, jwa.RS256); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
localPublicKey = publicKey
|
||||
}
|
||||
|
||||
var getRemoteKeySet thirdparty.GetKeySet
|
||||
|
||||
remoteAuth := s.conf.Auth.Remote
|
||||
if remoteAuth != nil {
|
||||
refreshInterval := time.Minute * 15
|
||||
if remoteAuth.RefreshInterval != nil {
|
||||
refreshInterval = time.Duration(*remoteAuth.RefreshInterval)
|
||||
}
|
||||
|
||||
fn, err := jwk.CreateCachedRemoteKeySet(context.Background(), string(remoteAuth.JsonWebKeySetURL), refreshInterval)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
getRemoteKeySet = fn
|
||||
}
|
||||
|
||||
getKeySet := func(ctx context.Context) (jwk.Set, error) {
|
||||
keySet := jwk.NewSet()
|
||||
|
||||
if localPublicKey != nil {
|
||||
if err := keySet.AddKey(localPublicKey); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
}
|
||||
|
||||
if getRemoteKeySet != nil {
|
||||
remoteKeySet, err := getRemoteKeySet(ctx)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
for idx := 0; idx < remoteKeySet.Len(); idx++ {
|
||||
key, ok := remoteKeySet.Key(idx)
|
||||
if !ok {
|
||||
break
|
||||
}
|
||||
|
||||
if err := keySet.AddKey(key); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return keySet, nil
|
||||
}
|
||||
|
||||
getTokenRole, err := s.createGetTokenRoleFunc()
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return thirdparty.NewAuthenticator(getKeySet, getTokenRole, thirdparty.DefaultAcceptableSkew), nil
|
||||
}
|
||||
|
||||
func (s *Server) createGetTokenRoleFunc() (func(ctx context.Context, token jwt.Token) (string, error), error) {
|
||||
rawRules := s.conf.Auth.RoleExtractionRules
|
||||
rules := make([]*vm.Program, 0, len(rawRules))
|
||||
|
||||
type Env struct {
|
||||
JWT map[string]any `expr:"jwt"`
|
||||
}
|
||||
|
||||
strFunc := expr.Function(
|
||||
"str",
|
||||
func(params ...any) (any, error) {
|
||||
var builder strings.Builder
|
||||
|
||||
for _, p := range params {
|
||||
if _, err := builder.WriteString(fmt.Sprintf("%v", p)); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
}
|
||||
|
||||
return builder.String(), nil
|
||||
},
|
||||
new(func(any) string),
|
||||
)
|
||||
|
||||
for _, rr := range rawRules {
|
||||
r, err := expr.Compile(rr,
|
||||
expr.Env(Env{}),
|
||||
expr.AsKind(reflect.String),
|
||||
strFunc,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "could not compile role extraction rule '%s'", rr)
|
||||
}
|
||||
|
||||
rules = append(rules, r)
|
||||
}
|
||||
|
||||
return func(ctx context.Context, token jwt.Token) (string, error) {
|
||||
jwt, err := token.AsMap(ctx)
|
||||
if err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
vm := vm.VM{}
|
||||
|
||||
for _, r := range rules {
|
||||
result, err := vm.Run(r, Env{
|
||||
JWT: jwt,
|
||||
})
|
||||
if err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
role, ok := result.(string)
|
||||
if !ok {
|
||||
logger.Debug(ctx, "ignoring unexpected role extraction result", logger.F("result", result))
|
||||
continue
|
||||
}
|
||||
|
||||
if role != "" {
|
||||
return role, nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", errors.New("could not extract role from token")
|
||||
}, nil
|
||||
}
|
||||
|
||||
func New(funcs ...OptionFunc) *Server {
|
||||
opt := defaultOption()
|
||||
for _, fn := range funcs {
|
||||
|
@ -1,26 +1,55 @@
|
||||
# Emissary agent configuration
|
||||
|
||||
# Logger configuration
|
||||
logger:
|
||||
# Logging verbosity
|
||||
# DEBUG: 0
|
||||
# INFO: 1
|
||||
# WARN: 2
|
||||
# ERROR: 3
|
||||
# CRITICAL: 4
|
||||
level: 1
|
||||
# Logging format
|
||||
# Possible values: human, json
|
||||
format: human
|
||||
|
||||
# Agent configuration
|
||||
agent:
|
||||
# Emissary server URL
|
||||
serverUrl: http://127.0.0.1:3000
|
||||
# Agent private key path
|
||||
privateKeyPath: /var/lib/emissary/agent-key.json
|
||||
reconciliationInterval: 5
|
||||
# Agent reconciliation interval (in seconds)
|
||||
reconciliationInterval: 30
|
||||
|
||||
# Controllers configuration
|
||||
controllers:
|
||||
# Persistence controller configuration
|
||||
persistence:
|
||||
enabled: true
|
||||
stateFile: /var/lib/emissary/state.json
|
||||
|
||||
# Spec controller configuration
|
||||
spec:
|
||||
enabled: true
|
||||
|
||||
# Proxy controller configuration
|
||||
proxy:
|
||||
enabled: true
|
||||
|
||||
# UCI controller configuration
|
||||
uci:
|
||||
enabled: true
|
||||
binPath: uci
|
||||
configBackupFile: /var/lib/emissary/uci-backup.conf
|
||||
|
||||
# App controller configuration
|
||||
app:
|
||||
enabled: true
|
||||
dataDir: /var/lib/emissary/apps/data
|
||||
downloadDir: /var/lib/emissary/apps/bundles
|
||||
|
||||
# Sysupgrade controller configuration
|
||||
sysupgrade:
|
||||
enabled: true
|
||||
sysupgradeCommand:
|
||||
@ -33,6 +62,8 @@ agent:
|
||||
- sh
|
||||
- -c
|
||||
- source /etc/openwrt_release && echo "$DISTRIB_ID-$DISTRIB_RELEASE-$DISTRIB_REVISION"
|
||||
|
||||
# Collectors configuration
|
||||
collectors:
|
||||
- name: uname
|
||||
command: uname
|
||||
|
@ -1,15 +1,38 @@
|
||||
# Emissary server configuration
|
||||
|
||||
# Logger configuration
|
||||
logger:
|
||||
# Logging verbosity
|
||||
# DEBUG: 0
|
||||
# INFO: 1
|
||||
# WARN: 2
|
||||
# ERROR: 3
|
||||
# CRITICAL: 4
|
||||
level: 1
|
||||
# Logging format
|
||||
# Possible values: human, json
|
||||
format: human
|
||||
|
||||
# Server configuration
|
||||
server:
|
||||
privateKeyPath: /var/lib/emissary/server-key.json
|
||||
issuer: http://127.0.0.1:3000
|
||||
# HTTP server configuration
|
||||
http:
|
||||
# Listening address (0.0.0.0 to listen on all interfaces)
|
||||
host: 0.0.0.0
|
||||
# Listening port
|
||||
port: 3000
|
||||
|
||||
# Database configuration
|
||||
database:
|
||||
# Database driver
|
||||
# Possible values: sqlite
|
||||
driver: sqlite
|
||||
# Database DSN
|
||||
# sqlite: see https://github.com/mattn/go-sqlite3#connection-string
|
||||
dsn: sqlite:///var/lib/emissary/data.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000
|
||||
|
||||
# CORS configuration
|
||||
# See https://developer.mozilla.org/en/docs/Glossary/CORS
|
||||
cors:
|
||||
allowedOrigins: []
|
||||
allowCredentials: true
|
||||
@ -24,4 +47,25 @@ server:
|
||||
- Content-Type
|
||||
- Authorization
|
||||
- Sentry-Trace
|
||||
debug: false
|
||||
|
||||
# Auth configuration
|
||||
auth:
|
||||
# Local authentication configuration
|
||||
local:
|
||||
privateKeyPath: /var/lib/emissary/server-key.json
|
||||
|
||||
# Remote authentication configuration
|
||||
# Disabled by default
|
||||
remote: ~
|
||||
# jwksUrl: https://my-server/.well-known/jwks.json
|
||||
|
||||
# Role extraction rules
|
||||
# Permit to derivate user's role
|
||||
# from the received JWT.
|
||||
#
|
||||
# The first rule returning a non empty
|
||||
# string will define the role of the user.
|
||||
#
|
||||
# The role should be 'reader' or 'writer'.
|
||||
roleExtractionRules:
|
||||
- "jwt.role != nil ? str(jwt.role) : ''"
|
||||
|
23
pkg/client/alias.go
Normal file
23
pkg/client/alias.go
Normal file
@ -0,0 +1,23 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/agent/metadata"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/spec"
|
||||
)
|
||||
|
||||
type (
|
||||
Spec = spec.Spec
|
||||
SpecName = spec.Name
|
||||
)
|
||||
|
||||
type (
|
||||
AgentID = datastore.AgentID
|
||||
Agent = datastore.Agent
|
||||
AgentStatus = datastore.AgentStatus
|
||||
)
|
||||
|
||||
type MetadataTuple = metadata.Tuple
|
||||
|
||||
type Key = jwk.Key
|
@ -8,7 +8,7 @@ import (
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) DeleteAgent(ctx context.Context, agentID datastore.AgentID, funcs ...OptionFunc) (datastore.AgentID, error) {
|
||||
func (c *Client) DeleteAgent(ctx context.Context, agentID AgentID, funcs ...OptionFunc) (AgentID, error) {
|
||||
response := withResponse[struct {
|
||||
AgentID int64 `json:"agentId"`
|
||||
}]()
|
@ -4,12 +4,11 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/spec"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) DeleteAgentSpec(ctx context.Context, agentID datastore.AgentID, name spec.Name, funcs ...OptionFunc) (spec.Name, error) {
|
||||
func (c *Client) DeleteAgentSpec(ctx context.Context, agentID AgentID, name SpecName, funcs ...OptionFunc) (SpecName, error) {
|
||||
payload := struct {
|
||||
Name spec.Name `json:"name"`
|
||||
}{
|
@ -4,13 +4,12 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) GetAgent(ctx context.Context, agentID datastore.AgentID, funcs ...OptionFunc) (*datastore.Agent, error) {
|
||||
func (c *Client) GetAgent(ctx context.Context, agentID AgentID, funcs ...OptionFunc) (*Agent, error) {
|
||||
response := withResponse[struct {
|
||||
Agent *datastore.Agent `json:"agent"`
|
||||
Agent *Agent `json:"agent"`
|
||||
}]()
|
||||
|
||||
path := fmt.Sprintf("/api/v1/agents/%d", agentID)
|
@ -4,12 +4,11 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/spec"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) GetAgentSpecs(ctx context.Context, agentID datastore.AgentID, funcs ...OptionFunc) ([]spec.Spec, error) {
|
||||
func (c *Client) GetAgentSpecs(ctx context.Context, agentID AgentID, funcs ...OptionFunc) ([]Spec, error) {
|
||||
response := withResponse[struct {
|
||||
Specs []*spec.RawSpec `json:"specs"`
|
||||
}]()
|
@ -16,8 +16,8 @@ type QueryAgentsOptions struct {
|
||||
Limit *int
|
||||
Offset *int
|
||||
Thumbprints []string
|
||||
IDs []datastore.AgentID
|
||||
Statuses []datastore.AgentStatus
|
||||
IDs []AgentID
|
||||
Statuses []AgentStatus
|
||||
}
|
||||
|
||||
func WithQueryAgentsOptions(funcs ...OptionFunc) QueryAgentsOptionFunc {
|
||||
@ -56,7 +56,7 @@ func WithQueryAgentsStatus(statuses ...datastore.AgentStatus) QueryAgentsOptionF
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Client) QueryAgents(ctx context.Context, funcs ...QueryAgentsOptionFunc) ([]*datastore.Agent, int, error) {
|
||||
func (c *Client) QueryAgents(ctx context.Context, funcs ...QueryAgentsOptionFunc) ([]*Agent, int, error) {
|
||||
options := &QueryAgentsOptions{}
|
||||
for _, fn := range funcs {
|
||||
fn(options)
|
@ -9,8 +9,8 @@ import (
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) RegisterAgent(ctx context.Context, key jwk.Key, thumbprint string, meta []metadata.Tuple, funcs ...OptionFunc) (*datastore.Agent, error) {
|
||||
keySet, err := jwk.PublicKeySet(key)
|
||||
func (c *Client) RegisterAgent(ctx context.Context, key Key, thumbprint string, meta []MetadataTuple, funcs ...OptionFunc) (*Agent, error) {
|
||||
keySet, err := jwk.RS256PublicKeySet(key)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
@ -10,7 +10,7 @@ import (
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func (c *Client) UpdateAgentSpec(ctx context.Context, agentID datastore.AgentID, spc spec.Spec, funcs ...OptionFunc) (*datastore.Spec, error) {
|
||||
func (c *Client) UpdateAgentSpec(ctx context.Context, agentID AgentID, spc Spec, funcs ...OptionFunc) (Spec, error) {
|
||||
payload := struct {
|
||||
Name spec.Name `json:"name"`
|
||||
Revision int `json:"revision"`
|
Reference in New Issue
Block a user