local-server/cmd/dkl-local-server/ws.go

package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"text/template"

	cfsslconfig "github.com/cloudflare/cfssl/config"
	"github.com/emicklei/go-restful"
	"m.cluseau.fr/go/httperr"

	"novit.tech/direktil/pkg/localconfig"

	"novit.tech/direktil/local-server/pkg/mime"
)

func registerWS(rest *restful.Container) {
	// public-level APIs
	{
		ws := &restful.WebService{}
		ws.
			Path("/public").
			Produces("application/json").
			Consumes("application/json").
			Route(ws.POST("/unlock-store").To(wsUnlockStore).
				Reads("").
				Writes("").
				Doc("Try to unlock the store")).
			Route(ws.GET("/store.tar").To(wsStoreDownload).
				Produces(mime.TAR).
				Param(ws.QueryParameter("token", "the download token")).
				Doc("Fetch the encrypted store")).
			Route(ws.GET("/downloads/{token}/{asset}").To(wsDownload).
				Param(ws.PathParameter("token", "the download token")).
				Param(ws.PathParameter("asset", "the requested asset")).
				Doc("Fetch an asset via a download token"))

		rest.Add(ws)
	}

	// Admin-level APIs
	ws := &restful.WebService{}
	ws.
		Filter(adminAuth).
		HeaderParameter("Authorization", "Admin bearer token")

	// - store management
	ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).
		Consumes("application/json").Reads("").
		Produces("application/json").
		Doc("Add an unlock key to the store"))

	// - downloads
	ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).
		Consumes("application/json").Reads(DownloadSpec{}).
		Produces("application/json").
		Doc("Create a download token for the given download"))

	// - configs API
	ws.Route(ws.POST("/configs").To(wsUploadConfig).
		Consumes(mime.YAML).
		Doc("Upload a new current configuration, archiving the previous one"))

	// - clusters API
	ws.Route(ws.GET("/clusters").To(wsListClusters).
		Doc("List clusters"))

	const (
		GET = http.MethodGet
		PUT = http.MethodPut
	)

	cluster := func(method, subPath string) *restful.RouteBuilder {
		return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).
			Param(ws.PathParameter("cluster-name", "name of the cluster"))
	}

	for _, builder := range []*restful.RouteBuilder{
		cluster(GET, "").To(wsCluster).
			Doc("Get cluster details"),

		cluster(GET, "/addons").To(wsClusterAddons).
			Produces(mime.YAML).
			Doc("Get cluster addons").
			Returns(http.StatusOK, "OK", nil).
			Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),

		cluster(GET, "/tokens").To(wsClusterTokens).
			Doc("List cluster's tokens"),
		cluster(GET, "/tokens/{token-name}").To(wsClusterToken).
			Doc("Get cluster's token"),

		cluster(GET, "/passwords").To(wsClusterPasswords).
			Doc("List cluster's passwords"),
		cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).
			Doc("Get cluster's password"),
		cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).
			Doc("Set cluster's password"),

		cluster(GET, "/CAs").To(wsClusterCAs).
			Doc("Get cluster CAs"),
		cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).
			Produces(mime.CACERT).
			Doc("Get cluster CA's certificate"),
		cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).
			Produces(mime.CERT).
			Param(ws.QueryParameter("name", "signed reference name").Required(true)).
			Doc("Get cluster's certificate signed by the CA"),
	} {
		ws.Route(builder)
	}

	ws.Route(ws.GET("/hosts").To(wsListHosts).
		Doc("List hosts"))

	(&wsHost{
		prefix:  "/hosts/{host-name}",
		hostDoc: "given host",
		getHost: func(req *restful.Request) (string, error) {
			return req.PathParameter("host-name"), nil
		},
	}).register(ws, func(rb *restful.RouteBuilder) {
	})

	ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
	ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
	ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))

	rest.Add(ws)

	// Hosts API
	ws = &restful.WebService{}
	ws.Produces("application/json")
	ws.Path("/me")
	ws.Filter(hostsAuth).
		HeaderParameter("Authorization", "Host or admin bearer token")

	(&wsHost{
		hostDoc: "detected host",
		getHost: detectHost,
	}).register(ws, func(rb *restful.RouteBuilder) {
		rb.Notes("In this case, the host is detected from the remote IP")
	})

	// Hosts by token API
	ws = &restful.WebService{}
	ws.Path("/hosts-by-token/{host-token}")

	(&wsHost{
		hostDoc: "token's host",
		getHost: func(req *restful.Request) (host string, err error) {
			reqToken := req.PathParameter("host-name")

			data, err := hostDownloadTokens.Data()
			if err != nil {
				return
			}

			for h, token := range data {
				if token == reqToken {
					host = h
					return
				}
			}

			return
		},
	}).register(ws, func(rb *restful.RouteBuilder) {
		rb.Notes("In this case, the host is detected from the remote IP")
	})

	rest.Add(ws)
}

func detectHost(req *restful.Request) (hostName string, err error) {
	r := req.Request
	remoteAddr := r.RemoteAddr

	if *trustXFF {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			remoteAddr = strings.Split(xff, ",")[0]
		}
	}

	hostIP, _, err := net.SplitHostPort(remoteAddr)

	if err != nil {
		hostIP = remoteAddr
	}

	cfg, err := readConfig()
	if err != nil {
		return
	}

	host := cfg.HostByIP(hostIP)

	if host == nil {
		log.Print("no host found for IP ", hostIP)
		return
	}

	return host.Name, nil
}

func wsReadConfig(resp *restful.Response) *localconfig.Config {
	cfg, err := readConfig()
	if err != nil {
		log.Print("failed to read config: ", err)
		resp.WriteErrorString(http.StatusServiceUnavailable, "failed to read config")
		return nil
	}

	return cfg
}

func wsNotFound(req *restful.Request, resp *restful.Response) {
	http.NotFound(resp.ResponseWriter, req.Request)
}

func wsBadRequest(resp *restful.Response, err string) {
	httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)
}

func wsError(resp *restful.Response, err error) {
	log.Output(2, fmt.Sprint("request failed: ", err))

	switch err := err.(type) {
	case httperr.Error:
		err.WriteJSON(resp.ResponseWriter)

	default:
		httperr.Internal(err).WriteJSON(resp.ResponseWriter)
	}
}

func wsRender(resp *restful.Response, sslCfg *cfsslconfig.Config, tmplStr string, value interface{}) {
	tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)
	if err != nil {
		wsError(resp, err)
		return
	}

	err = tmpl.Execute(resp, value)
	if err != nil {
		wsError(resp, err)
		return
	}
}
begin move to go-restful 2019-02-01 07:28:08 +00:00			`package main`

			`import (`
store download & add key 2023-02-13 12:03:42 +00:00			`"errors"`
fix: upload config without previous config + bump deps 2019-12-07 20:09:12 +00:00			`"fmt"`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`"log"`
			`"net"`
restful /configs 2019-02-01 07:35:50 +00:00			`"net/http"`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`"strings"`
fix: render template for addons and bootstrap pods 2019-12-26 10:10:23 +00:00			`"text/template"`
begin move to go-restful 2019-02-01 07:28:08 +00:00
migration to new secrets nearly complete 2023-02-12 14:18:42 +00:00			`cfsslconfig "github.com/cloudflare/cfssl/config"`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`"github.com/emicklei/go-restful"`
store download & add key 2023-02-13 12:03:42 +00:00			`"m.cluseau.fr/go/httperr"`
ssh acls preliminary support 2021-11-14 14:28:40 +00:00
bootv2 support 2022-04-28 01:33:19 +00:00			`"novit.tech/direktil/pkg/localconfig"`

			`"novit.tech/direktil/local-server/pkg/mime"`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`)`

factorize filter clauses 2019-04-15 17:56:31 +00:00			`func registerWS(rest *restful.Container) {`
downloads API, UI 2023-02-07 20:29:19 +00:00			`// public-level APIs`
			`{`
			`ws := &restful.WebService{}`
			`ws.`
			`Path("/public").`
			`Produces("application/json").`
			`Consumes("application/json").`
			`Route(ws.POST("/unlock-store").To(wsUnlockStore).`
			`Reads("").`
			`Writes("").`
			`Doc("Try to unlock the store")).`
store download & add key 2023-02-13 12:03:42 +00:00			`Route(ws.GET("/store.tar").To(wsStoreDownload).`
			`Produces(mime.TAR).`
			`Param(ws.QueryParameter("token", "the download token")).`
			`Doc("Fetch the encrypted store")).`
downloads API, UI 2023-02-07 20:29:19 +00:00			`Route(ws.GET("/downloads/{token}/{asset}").To(wsDownload).`
			`Param(ws.PathParameter("token", "the download token")).`
			`Param(ws.PathParameter("asset", "the requested asset")).`
			`Doc("Fetch an asset via a download token"))`

			`rest.Add(ws)`
			`}`

better map merge 2019-04-19 16:07:22 +00:00			`// Admin-level APIs`
so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`ws := &restful.WebService{}`
downloads API, UI 2023-02-07 20:29:19 +00:00			`ws.`
			`Filter(adminAuth).`
factorize filter clauses 2019-04-15 17:56:31 +00:00			`HeaderParameter("Authorization", "Admin bearer token")`
begin move to go-restful 2019-02-01 07:28:08 +00:00
store download & add key 2023-02-13 12:03:42 +00:00			`// - store management`
			`ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).`
			`Consumes("application/json").Reads("").`
			`Produces("application/json").`
			`Doc("Add an unlock key to the store"))`

downloads API, UI 2023-02-07 20:29:19 +00:00			`// - downloads`
			`ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).`
store download & add key 2023-02-13 12:03:42 +00:00			`Consumes("application/json").Reads(DownloadSpec{}).`
			`Produces("application/json").`
downloads API, UI 2023-02-07 20:29:19 +00:00			`Doc("Create a download token for the given download"))`

factorize filter clauses 2019-04-15 17:56:31 +00:00			`// - configs API`
			`ws.Route(ws.POST("/configs").To(wsUploadConfig).`
store download & add key 2023-02-13 12:03:42 +00:00			`Consumes(mime.YAML).`
refactor to go-restful 2019-02-04 02:56:43 +00:00			`Doc("Upload a new current configuration, archiving the previous one"))`

factorize filter clauses 2019-04-15 17:56:31 +00:00			`// - clusters API`
			`ws.Route(ws.GET("/clusters").To(wsListClusters).`
refactor to go-restful 2019-02-04 02:56:43 +00:00			`Doc("List clusters"))`
cleanup 2019-02-04 04:46:03 +00:00
secrets migration & restitution 2023-02-12 10:58:26 +00:00			`const (`
			`GET = http.MethodGet`
			`PUT = http.MethodPut`
			`)`

			`cluster := func(method, subPath string) *restful.RouteBuilder {`
			`return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).`
			`Param(ws.PathParameter("cluster-name", "name of the cluster"))`
			`}`

			`for _, builder := range []*restful.RouteBuilder{`
			`cluster(GET, "").To(wsCluster).`
			`Doc("Get cluster details"),`

			`cluster(GET, "/addons").To(wsClusterAddons).`
			`Produces(mime.YAML).`
			`Doc("Get cluster addons").`
			`Returns(http.StatusOK, "OK", nil).`
			`Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),`

			`cluster(GET, "/tokens").To(wsClusterTokens).`
			`Doc("List cluster's tokens"),`
			`cluster(GET, "/tokens/{token-name}").To(wsClusterToken).`
			`Doc("Get cluster's token"),`

			`cluster(GET, "/passwords").To(wsClusterPasswords).`
			`Doc("List cluster's passwords"),`
			`cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).`
			`Doc("Get cluster's password"),`
			`cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).`
			`Doc("Set cluster's password"),`

			`cluster(GET, "/CAs").To(wsClusterCAs).`
			`Doc("Get cluster CAs"),`
			`cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).`
			`Produces(mime.CACERT).`
			`Doc("Get cluster CA's certificate"),`
			`cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).`
			`Produces(mime.CERT).`
			`Param(ws.QueryParameter("name", "signed reference name").Required(true)).`
			`Doc("Get cluster's certificate signed by the CA"),`
			`} {`
			`ws.Route(builder)`
			`}`
sanity commit 2019-12-16 07:00:57 +00:00
so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`ws.Route(ws.GET("/hosts").To(wsListHosts).`
			`Doc("List hosts"))`

factorize filter clauses 2019-04-15 17:56:31 +00:00			`(&wsHost{`
			`prefix: "/hosts/{host-name}",`
			`hostDoc: "given host",`
host download tokens 2023-02-13 14:57:30 +00:00			`getHost: func(req *restful.Request) (string, error) {`
			`return req.PathParameter("host-name"), nil`
factorize filter clauses 2019-04-15 17:56:31 +00:00			`},`
so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`}).register(ws, func(rb *restful.RouteBuilder) {`
factorize filter clauses 2019-04-15 17:56:31 +00:00			`})`

ssh acls preliminary support 2021-11-14 14:28:40 +00:00			`ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))`
			`ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))`
			`ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))`

so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`rest.Add(ws)`

factorize filter clauses 2019-04-15 17:56:31 +00:00			`// Hosts API`
so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`ws = &restful.WebService{}`
downloads API, UI 2023-02-07 20:29:19 +00:00			`ws.Produces("application/json")`
so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`ws.Path("/me")`
factorize filter clauses 2019-04-15 17:56:31 +00:00			`ws.Filter(hostsAuth).`
			`HeaderParameter("Authorization", "Host or admin bearer token")`

begin move to go-restful 2019-02-01 07:28:08 +00:00			`(&wsHost{`
cleanup 2019-02-04 04:46:03 +00:00			`hostDoc: "detected host",`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`getHost: detectHost,`
refactor to go-restful 2019-02-04 02:56:43 +00:00			`}).register(ws, func(rb *restful.RouteBuilder) {`
			`rb.Notes("In this case, the host is detected from the remote IP")`
			`})`
begin move to go-restful 2019-02-01 07:28:08 +00:00
host download tokens 2023-02-13 14:57:30 +00:00			`// Hosts by token API`
			`ws = &restful.WebService{}`
			`ws.Path("/hosts-by-token/{host-token}")`

			`(&wsHost{`
			`hostDoc: "token's host",`
			`getHost: func(req *restful.Request) (host string, err error) {`
			`reqToken := req.PathParameter("host-name")`

			`data, err := hostDownloadTokens.Data()`
			`if err != nil {`
			`return`
			`}`

			`for h, token := range data {`
			`if token == reqToken {`
			`host = h`
			`return`
			`}`
			`}`

			`return`
			`},`
			`}).register(ws, func(rb *restful.RouteBuilder) {`
			`rb.Notes("In this case, the host is detected from the remote IP")`
			`})`

so go-restful require different prefixes now 2019-04-18 17:47:31 +00:00			`rest.Add(ws)`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`}`

host download tokens 2023-02-13 14:57:30 +00:00			`func detectHost(req *restful.Request) (hostName string, err error) {`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`r := req.Request`
			`remoteAddr := r.RemoteAddr`

			`if *trustXFF {`
			`if xff := r.Header.Get("X-Forwarded-For"); xff != "" {`
			`remoteAddr = strings.Split(xff, ",")[0]`
			`}`
			`}`

			`hostIP, _, err := net.SplitHostPort(remoteAddr)`

			`if err != nil {`
			`hostIP = remoteAddr`
			`}`

			`cfg, err := readConfig()`
			`if err != nil {`
host download tokens 2023-02-13 14:57:30 +00:00			`return`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`}`

			`host := cfg.HostByIP(hostIP)`

			`if host == nil {`
			`log.Print("no host found for IP ", hostIP)`
host download tokens 2023-02-13 14:57:30 +00:00			`return`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`}`

host download tokens 2023-02-13 14:57:30 +00:00			`return host.Name, nil`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`}`

refactor to go-restful 2019-02-04 02:56:43 +00:00			`func wsReadConfig(resp restful.Response) localconfig.Config {`
			`cfg, err := readConfig()`
restful /configs 2019-02-01 07:35:50 +00:00			`if err != nil {`
refactor to go-restful 2019-02-04 02:56:43 +00:00			`log.Print("failed to read config: ", err)`
			`resp.WriteErrorString(http.StatusServiceUnavailable, "failed to read config")`
			`return nil`
restful /configs 2019-02-01 07:35:50 +00:00			`}`

refactor to go-restful 2019-02-04 02:56:43 +00:00			`return cfg`
			`}`
restful /configs 2019-02-01 07:35:50 +00:00
refactor to go-restful 2019-02-04 02:56:43 +00:00			`func wsNotFound(req restful.Request, resp restful.Response) {`
			`http.NotFound(resp.ResponseWriter, req.Request)`
			`}`
restful /configs 2019-02-01 07:35:50 +00:00
store download & add key 2023-02-13 12:03:42 +00:00			`func wsBadRequest(resp *restful.Response, err string) {`
			`httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)`
			`}`

refactor to go-restful 2019-02-04 02:56:43 +00:00			`func wsError(resp *restful.Response, err error) {`
fix: upload config without previous config + bump deps 2019-12-07 20:09:12 +00:00			`log.Output(2, fmt.Sprint("request failed: ", err))`
store download & add key 2023-02-13 12:03:42 +00:00
			`switch err := err.(type) {`
			`case httperr.Error:`
			`err.WriteJSON(resp.ResponseWriter)`

			`default:`
			`httperr.Internal(err).WriteJSON(resp.ResponseWriter)`
			`}`
begin move to go-restful 2019-02-01 07:28:08 +00:00			`}`
fix: render template for addons and bootstrap pods 2019-12-26 10:10:23 +00:00
migration to new secrets nearly complete 2023-02-12 14:18:42 +00:00			`func wsRender(resp restful.Response, sslCfg cfsslconfig.Config, tmplStr string, value interface{}) {`
			`tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)`
fix: render template for addons and bootstrap pods 2019-12-26 10:10:23 +00:00			`if err != nil {`
			`wsError(resp, err)`
			`return`
			`}`

			`err = tmpl.Execute(resp, value)`
			`if err != nil {`
			`wsError(resp, err)`
			`return`
			`}`
			`}`