package api import ( "encoding/json" "net/http" "forge.cadoles.com/Cadoles/emissary/internal/agent/metadata" "forge.cadoles.com/Cadoles/emissary/internal/datastore" "forge.cadoles.com/Cadoles/emissary/internal/jwk" "github.com/pkg/errors" "gitlab.com/wpetit/goweb/api" "gitlab.com/wpetit/goweb/logger" ) type registerAgentRequest struct { KeySet json.RawMessage `json:"keySet" validate:"required"` Metadata []metadata.Tuple `json:"metadata" validate:"required"` Thumbprint string `json:"thumbprint" validate:"required"` Signature string `json:"signature" validate:"required"` } func (m *Mount) registerAgent(w http.ResponseWriter, r *http.Request) { registerAgentReq := ®isterAgentRequest{} if ok := api.Bind(w, r, registerAgentReq); !ok { return } ctx := r.Context() keySet, err := jwk.Parse(registerAgentReq.KeySet) if err != nil { err = errors.WithStack(err) logger.Error(ctx, "could not parse key set", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } ctx = logger.With(ctx, logger.F("agentThumbprint", registerAgentReq.Thumbprint)) // Validate that the existing signature validates the request validSignature, err := jwk.Verify(keySet, registerAgentReq.Signature, registerAgentReq.Thumbprint, registerAgentReq.Metadata) if err != nil { err = errors.WithStack(err) logger.Error(ctx, "could not validate signature", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } if !validSignature { logger.Warn(ctx, "conflicting signature", logger.F("signature", registerAgentReq.Signature)) api.ErrorResponse(w, http.StatusConflict, ErrCodeConflict, nil) return } metadata := metadata.FromSorted(registerAgentReq.Metadata) agent, err := m.agentRepo.Create( ctx, registerAgentReq.Thumbprint, keySet, metadata, ) if err != nil { if !errors.Is(err, datastore.ErrAlreadyExist) { err = errors.WithStack(err) logger.Error(ctx, "could not create agent", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } agents, _, err := m.agentRepo.Query( ctx, datastore.WithAgentQueryThumbprints(registerAgentReq.Thumbprint), datastore.WithAgentQueryLimit(1), ) if err != nil { err = errors.WithStack(err) logger.Error(ctx, "could not retrieve agents", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } if len(agents) == 0 { err = errors.WithStack(err) logger.Error(ctx, "could not retrieve matching agent", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeNotFound, nil) return } agentID := agents[0].ID agent, err = m.agentRepo.Get(ctx, agentID) if err != nil { err = errors.WithStack(err) logger.Error( ctx, "could not retrieve agent", logger.CapturedE(err), logger.F("agentID", agentID), ) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } validSignature, err = jwk.Verify(agent.KeySet.Set, registerAgentReq.Signature, registerAgentReq.Thumbprint, registerAgentReq.Metadata) if err != nil { err = errors.WithStack(err) logger.Error(ctx, "could not validate signature using previous keyset", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusConflict, ErrCodeConflict, nil) return } if !validSignature { logger.Error(ctx, "invalid signature") api.ErrorResponse(w, http.StatusBadRequest, api.ErrCodeInvalidRequest, nil) return } agent, err = m.agentRepo.Update( ctx, agents[0].ID, datastore.WithAgentUpdateKeySet(keySet), datastore.WithAgentUpdateMetadata(metadata), datastore.WithAgentUpdateThumbprint(registerAgentReq.Thumbprint), ) if err != nil { err = errors.WithStack(err) logger.Error(ctx, "could not update agent", logger.CapturedE(err)) api.ErrorResponse(w, http.StatusInternalServerError, ErrCodeUnknownError, nil) return } } api.DataResponse(w, http.StatusCreated, struct { Agent *datastore.Agent `json:"agent"` }{ Agent: agent, }) }