local-server/cmd/dkl-local-server/ws.go

254 lines
6.3 KiB
Go
Raw Normal View History

2019-02-01 07:28:08 +00:00
package main
import (
2023-02-13 12:03:42 +00:00
"errors"
"fmt"
2019-02-01 07:28:08 +00:00
"log"
"net"
2019-02-01 07:35:50 +00:00
"net/http"
2019-02-01 07:28:08 +00:00
"strings"
"text/template"
2019-02-01 07:28:08 +00:00
cfsslconfig "github.com/cloudflare/cfssl/config"
2019-02-01 07:28:08 +00:00
"github.com/emicklei/go-restful"
2023-02-13 12:03:42 +00:00
"m.cluseau.fr/go/httperr"
2021-11-14 14:28:40 +00:00
2022-04-28 01:33:19 +00:00
"novit.tech/direktil/pkg/localconfig"
"novit.tech/direktil/local-server/pkg/mime"
2019-02-01 07:28:08 +00:00
)
2019-04-15 17:56:31 +00:00
func registerWS(rest *restful.Container) {
2023-02-07 20:29:19 +00:00
// public-level APIs
{
ws := &restful.WebService{}
ws.
Path("/public").
Produces("application/json").
Consumes("application/json").
Route(ws.POST("/unlock-store").To(wsUnlockStore).
Reads("").
Writes("").
Doc("Try to unlock the store")).
2023-02-13 12:03:42 +00:00
Route(ws.GET("/store.tar").To(wsStoreDownload).
Produces(mime.TAR).
Param(ws.QueryParameter("token", "the download token")).
Doc("Fetch the encrypted store")).
2023-02-07 20:29:19 +00:00
Route(ws.GET("/downloads/{token}/{asset}").To(wsDownload).
Param(ws.PathParameter("token", "the download token")).
Param(ws.PathParameter("asset", "the requested asset")).
Doc("Fetch an asset via a download token"))
rest.Add(ws)
}
2019-04-19 16:07:22 +00:00
// Admin-level APIs
ws := &restful.WebService{}
2023-02-07 20:29:19 +00:00
ws.
Filter(adminAuth).
2019-04-15 17:56:31 +00:00
HeaderParameter("Authorization", "Admin bearer token")
2019-02-01 07:28:08 +00:00
2023-02-13 12:03:42 +00:00
// - store management
ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).
Consumes("application/json").Reads("").
Produces("application/json").
Doc("Add an unlock key to the store"))
2023-02-07 20:29:19 +00:00
// - downloads
ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).
2023-02-13 12:03:42 +00:00
Consumes("application/json").Reads(DownloadSpec{}).
Produces("application/json").
2023-02-07 20:29:19 +00:00
Doc("Create a download token for the given download"))
2019-04-15 17:56:31 +00:00
// - configs API
ws.Route(ws.POST("/configs").To(wsUploadConfig).
2023-02-13 12:03:42 +00:00
Consumes(mime.YAML).
2019-02-04 02:56:43 +00:00
Doc("Upload a new current configuration, archiving the previous one"))
2019-04-15 17:56:31 +00:00
// - clusters API
ws.Route(ws.GET("/clusters").To(wsListClusters).
2019-02-04 02:56:43 +00:00
Doc("List clusters"))
2019-02-04 04:46:03 +00:00
2023-02-12 10:58:26 +00:00
const (
GET = http.MethodGet
PUT = http.MethodPut
)
cluster := func(method, subPath string) *restful.RouteBuilder {
return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).
Param(ws.PathParameter("cluster-name", "name of the cluster"))
}
for _, builder := range []*restful.RouteBuilder{
cluster(GET, "").To(wsCluster).
Doc("Get cluster details"),
cluster(GET, "/addons").To(wsClusterAddons).
Produces(mime.YAML).
Doc("Get cluster addons").
Returns(http.StatusOK, "OK", nil).
Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),
cluster(GET, "/tokens").To(wsClusterTokens).
Doc("List cluster's tokens"),
cluster(GET, "/tokens/{token-name}").To(wsClusterToken).
Doc("Get cluster's token"),
cluster(GET, "/passwords").To(wsClusterPasswords).
Doc("List cluster's passwords"),
cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).
Doc("Get cluster's password"),
cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).
Doc("Set cluster's password"),
cluster(GET, "/CAs").To(wsClusterCAs).
Doc("Get cluster CAs"),
cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).
Produces(mime.CACERT).
Doc("Get cluster CA's certificate"),
cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).
Produces(mime.CERT).
Param(ws.QueryParameter("name", "signed reference name").Required(true)).
Doc("Get cluster's certificate signed by the CA"),
} {
ws.Route(builder)
}
2019-12-16 07:00:57 +00:00
ws.Route(ws.GET("/hosts").To(wsListHosts).
Doc("List hosts"))
2019-04-15 17:56:31 +00:00
(&wsHost{
prefix: "/hosts/{host-name}",
hostDoc: "given host",
2023-02-13 14:57:30 +00:00
getHost: func(req *restful.Request) (string, error) {
return req.PathParameter("host-name"), nil
2019-04-15 17:56:31 +00:00
},
}).register(ws, func(rb *restful.RouteBuilder) {
2019-04-15 17:56:31 +00:00
})
2021-11-14 14:28:40 +00:00
ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))
rest.Add(ws)
2019-04-15 17:56:31 +00:00
// Hosts API
ws = &restful.WebService{}
2023-02-07 20:29:19 +00:00
ws.Produces("application/json")
ws.Path("/me")
2019-04-15 17:56:31 +00:00
ws.Filter(hostsAuth).
HeaderParameter("Authorization", "Host or admin bearer token")
2019-02-01 07:28:08 +00:00
(&wsHost{
2019-02-04 04:46:03 +00:00
hostDoc: "detected host",
2019-02-01 07:28:08 +00:00
getHost: detectHost,
2019-02-04 02:56:43 +00:00
}).register(ws, func(rb *restful.RouteBuilder) {
rb.Notes("In this case, the host is detected from the remote IP")
})
2019-02-01 07:28:08 +00:00
2023-02-13 14:57:30 +00:00
// Hosts by token API
ws = &restful.WebService{}
ws.Path("/hosts-by-token/{host-token}")
(&wsHost{
hostDoc: "token's host",
getHost: func(req *restful.Request) (host string, err error) {
reqToken := req.PathParameter("host-name")
data, err := hostDownloadTokens.Data()
if err != nil {
return
}
for h, token := range data {
if token == reqToken {
host = h
return
}
}
return
},
}).register(ws, func(rb *restful.RouteBuilder) {
rb.Notes("In this case, the host is detected from the remote IP")
})
rest.Add(ws)
2019-02-01 07:28:08 +00:00
}
2023-02-13 14:57:30 +00:00
func detectHost(req *restful.Request) (hostName string, err error) {
2019-02-01 07:28:08 +00:00
r := req.Request
remoteAddr := r.RemoteAddr
if *trustXFF {
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
remoteAddr = strings.Split(xff, ",")[0]
}
}
hostIP, _, err := net.SplitHostPort(remoteAddr)
if err != nil {
hostIP = remoteAddr
}
cfg, err := readConfig()
if err != nil {
2023-02-13 14:57:30 +00:00
return
2019-02-01 07:28:08 +00:00
}
host := cfg.HostByIP(hostIP)
if host == nil {
log.Print("no host found for IP ", hostIP)
2023-02-13 14:57:30 +00:00
return
2019-02-01 07:28:08 +00:00
}
2023-02-13 14:57:30 +00:00
return host.Name, nil
2019-02-01 07:28:08 +00:00
}
2019-02-04 02:56:43 +00:00
func wsReadConfig(resp *restful.Response) *localconfig.Config {
cfg, err := readConfig()
2019-02-01 07:35:50 +00:00
if err != nil {
2019-02-04 02:56:43 +00:00
log.Print("failed to read config: ", err)
resp.WriteErrorString(http.StatusServiceUnavailable, "failed to read config")
return nil
2019-02-01 07:35:50 +00:00
}
2019-02-04 02:56:43 +00:00
return cfg
}
2019-02-01 07:35:50 +00:00
2019-02-04 02:56:43 +00:00
func wsNotFound(req *restful.Request, resp *restful.Response) {
http.NotFound(resp.ResponseWriter, req.Request)
}
2019-02-01 07:35:50 +00:00
2023-02-13 12:03:42 +00:00
func wsBadRequest(resp *restful.Response, err string) {
httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)
}
2019-02-04 02:56:43 +00:00
func wsError(resp *restful.Response, err error) {
log.Output(2, fmt.Sprint("request failed: ", err))
2023-02-13 12:03:42 +00:00
switch err := err.(type) {
case httperr.Error:
err.WriteJSON(resp.ResponseWriter)
default:
httperr.Internal(err).WriteJSON(resp.ResponseWriter)
}
2019-02-01 07:28:08 +00:00
}
func wsRender(resp *restful.Response, sslCfg *cfsslconfig.Config, tmplStr string, value interface{}) {
tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)
if err != nil {
wsError(resp, err)
return
}
err = tmpl.Execute(resp, value)
if err != nil {
wsError(resp, err)
return
}
}