283 lines
7.2 KiB
Go
283 lines
7.2 KiB
Go
package main
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"text/template"
|
|
|
|
cfsslconfig "github.com/cloudflare/cfssl/config"
|
|
"github.com/emicklei/go-restful"
|
|
"m.cluseau.fr/go/httperr"
|
|
|
|
"novit.tech/direktil/pkg/localconfig"
|
|
|
|
"novit.tech/direktil/local-server/pkg/mime"
|
|
)
|
|
|
|
func registerWS(rest *restful.Container) {
|
|
// public-level APIs
|
|
{
|
|
ws := &restful.WebService{}
|
|
ws.
|
|
Path("/public").
|
|
Produces(mime.JSON).
|
|
Consumes(mime.JSON).
|
|
Route(ws.POST("/unlock-store").To(wsUnlockStore).
|
|
Reads(NamedPassphrase{}).
|
|
Writes("").
|
|
Doc("Try to unlock the store")).
|
|
Route(ws.GET("/store.tar").To(wsStoreDownload).
|
|
Produces(mime.TAR).
|
|
Param(ws.QueryParameter("token", "the download token")).
|
|
Doc("Fetch the encrypted store")).
|
|
Route(ws.POST("/store.tar").To(wsStoreUpload).
|
|
Consumes(mime.TAR).
|
|
Doc("Upload an existing store")).
|
|
Route(ws.GET("/downloads/{token}/{asset}").To(wsDownload).
|
|
Param(ws.PathParameter("token", "the download token")).
|
|
Param(ws.PathParameter("asset", "the requested asset")).
|
|
Doc("Fetch an asset via a download token"))
|
|
|
|
rest.Add(ws)
|
|
}
|
|
|
|
// Admin-level APIs
|
|
ws := (&restful.WebService{}).
|
|
Filter(requireSecStore).
|
|
Filter(adminAuth).
|
|
Param(restful.HeaderParameter("Authorization", "Admin bearer token").Required(true)).
|
|
Produces(mime.JSON)
|
|
|
|
// - store management
|
|
ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).
|
|
Consumes(mime.JSON).Reads(NamedPassphrase{}).
|
|
Doc("Add an unlock key to the store"))
|
|
ws.Route(ws.POST("/store/delete-key").To(wsStoreDelKey).
|
|
Consumes(mime.JSON).Reads("").
|
|
Doc("Remove an unlock key to the store (by its name)"))
|
|
|
|
// - downloads
|
|
ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).
|
|
Consumes(mime.JSON).Reads(DownloadSpec{}).
|
|
Produces(mime.JSON).
|
|
Doc("Create a download token for the given download"))
|
|
|
|
// - configs API
|
|
ws.Route(ws.POST("/configs").To(wsUploadConfig).
|
|
Consumes(mime.YAML).Param(ws.BodyParameter("config", "The new full configuration")).
|
|
Produces(mime.JSON).Writes(true).
|
|
Doc("Upload a new current configuration, archiving the previous one"))
|
|
|
|
// - clusters API
|
|
ws.Route(ws.GET("/clusters").To(wsListClusters).
|
|
Doc("List clusters"))
|
|
|
|
const (
|
|
GET = http.MethodGet
|
|
PUT = http.MethodPut
|
|
)
|
|
|
|
cluster := func(method, subPath string) *restful.RouteBuilder {
|
|
return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).
|
|
Param(ws.PathParameter("cluster-name", "name of the cluster"))
|
|
}
|
|
|
|
for _, builder := range []*restful.RouteBuilder{
|
|
cluster(GET, "").To(wsCluster).
|
|
Doc("Get cluster details"),
|
|
|
|
cluster(GET, "/addons").To(wsClusterAddons).
|
|
Produces(mime.YAML).
|
|
Doc("Get cluster addons").
|
|
Returns(http.StatusOK, "OK", nil).
|
|
Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),
|
|
|
|
cluster(GET, "/tokens").To(wsClusterTokens).
|
|
Doc("List cluster's tokens"),
|
|
cluster(GET, "/tokens/{token-name}").To(wsClusterToken).
|
|
Doc("Get cluster's token"),
|
|
|
|
cluster(GET, "/passwords").To(wsClusterPasswords).
|
|
Doc("List cluster's passwords"),
|
|
cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).
|
|
Doc("Get cluster's password"),
|
|
cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).
|
|
Doc("Set cluster's password"),
|
|
|
|
cluster(GET, "/CAs").To(wsClusterCAs).
|
|
Doc("Get cluster CAs"),
|
|
cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).
|
|
Produces(mime.CACERT).
|
|
Doc("Get cluster CA's certificate"),
|
|
cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).
|
|
Produces(mime.CERT).
|
|
Param(ws.QueryParameter("name", "signed reference name").Required(true)).
|
|
Doc("Get cluster's certificate signed by the CA"),
|
|
} {
|
|
ws.Route(builder)
|
|
}
|
|
|
|
ws.Route(ws.GET("/hosts").To(wsListHosts).
|
|
Doc("List hosts"))
|
|
|
|
ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
|
|
ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
|
|
ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))
|
|
|
|
rest.Add(ws)
|
|
|
|
// Hosts API
|
|
ws = (&restful.WebService{}).
|
|
Filter(requireSecStore).
|
|
Filter(adminAuth).
|
|
Path("/hosts/{host-name}").
|
|
Param(ws.HeaderParameter("Authorization", "Host or admin bearer token"))
|
|
|
|
(&wsHost{
|
|
hostDoc: "given host",
|
|
getHost: func(req *restful.Request) (string, error) {
|
|
return req.PathParameter("host-name"), nil
|
|
},
|
|
}).register(ws, func(rb *restful.RouteBuilder) {
|
|
rb.Param(ws.PathParameter("host-name", "host's name"))
|
|
})
|
|
|
|
rest.Add(ws)
|
|
|
|
// Detected host API
|
|
ws = (&restful.WebService{}).
|
|
Filter(requireSecStore).
|
|
Path("/me").
|
|
Param(ws.HeaderParameter("Authorization", "Host or admin bearer token"))
|
|
|
|
(&wsHost{
|
|
hostDoc: "detected host",
|
|
getHost: detectHost,
|
|
}).register(ws, func(rb *restful.RouteBuilder) {
|
|
rb.Notes("In this case, the host is detected from the remote IP")
|
|
})
|
|
|
|
// Hosts by token API
|
|
ws = (&restful.WebService{}).
|
|
Filter(requireSecStore).
|
|
Path("/hosts-by-token/{host-token}").
|
|
Param(ws.PathParameter("host-token", "host's download token"))
|
|
|
|
(&wsHost{
|
|
hostDoc: "token's host",
|
|
getHost: func(req *restful.Request) (host string, err error) {
|
|
reqToken := req.PathParameter("host-token")
|
|
|
|
data, err := hostDownloadTokens.Data()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
for h, token := range data {
|
|
if token == reqToken {
|
|
host = h
|
|
return
|
|
}
|
|
}
|
|
|
|
return
|
|
},
|
|
}).register(ws, func(rb *restful.RouteBuilder) {
|
|
rb.Notes("In this case, the host is detected from the token")
|
|
})
|
|
|
|
rest.Add(ws)
|
|
}
|
|
|
|
func requireSecStore(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
|
|
if !secStore.Unlocked() {
|
|
wsError(resp, ErrStoreLocked)
|
|
return
|
|
}
|
|
chain.ProcessFilter(req, resp)
|
|
}
|
|
|
|
func detectHost(req *restful.Request) (hostName string, err error) {
|
|
if !*allowDetectedHost {
|
|
return
|
|
}
|
|
|
|
r := req.Request
|
|
remoteAddr := r.RemoteAddr
|
|
|
|
if *trustXFF {
|
|
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
|
|
remoteAddr = strings.Split(xff, ",")[0]
|
|
}
|
|
}
|
|
|
|
hostIP, _, err := net.SplitHostPort(remoteAddr)
|
|
|
|
if err != nil {
|
|
hostIP = remoteAddr
|
|
}
|
|
|
|
cfg, err := readConfig()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
host := cfg.HostByIP(hostIP)
|
|
|
|
if host == nil {
|
|
log.Print("no host found for IP ", hostIP)
|
|
return
|
|
}
|
|
|
|
return host.Name, nil
|
|
}
|
|
|
|
func wsReadConfig(resp *restful.Response) *localconfig.Config {
|
|
cfg, err := readConfig()
|
|
if err != nil {
|
|
log.Print("failed to read config: ", err)
|
|
resp.WriteErrorString(http.StatusServiceUnavailable, "failed to read config")
|
|
return nil
|
|
}
|
|
|
|
return cfg
|
|
}
|
|
|
|
func wsNotFound(resp *restful.Response) {
|
|
wsError(resp, ErrNotFound)
|
|
}
|
|
|
|
func wsBadRequest(resp *restful.Response, err string) {
|
|
httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)
|
|
}
|
|
|
|
func wsError(resp *restful.Response, err error) {
|
|
log.Output(2, fmt.Sprint("request failed: ", err))
|
|
|
|
switch err := err.(type) {
|
|
case httperr.Error:
|
|
err.WriteJSON(resp.ResponseWriter)
|
|
|
|
default:
|
|
httperr.Internal(err).WriteJSON(resp.ResponseWriter)
|
|
}
|
|
}
|
|
|
|
func wsRender(resp *restful.Response, sslCfg *cfsslconfig.Config, tmplStr string, value interface{}) {
|
|
tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)
|
|
if err != nil {
|
|
wsError(resp, err)
|
|
return
|
|
}
|
|
|
|
err = tmpl.Execute(resp, value)
|
|
if err != nil {
|
|
wsError(resp, err)
|
|
return
|
|
}
|
|
}
|