mirror of
https://github.com/gravitl/netmaker.git
synced 2025-11-03 11:02:11 +08:00
Matthew R. Kasun
@@ -31,7 +31,7 @@ func nodeHandlers(r *mux.Router) {
|
|||||||
r.HandleFunc("/api/nodes/{network}/{nodeid}/createingress", securityCheck(false, http.HandlerFunc(createIngressGateway))).Methods("POST")
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/createingress", securityCheck(false, http.HandlerFunc(createIngressGateway))).Methods("POST")
|
||||||
r.HandleFunc("/api/nodes/{network}/{nodeid}/deleteingress", securityCheck(false, http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/deleteingress", securityCheck(false, http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
|
||||||
r.HandleFunc("/api/nodes/{network}/{nodeid}/approve", authorize(false, true, "user", http.HandlerFunc(uncordonNode))).Methods("POST")
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/approve", authorize(false, true, "user", http.HandlerFunc(uncordonNode))).Methods("POST")
|
||||||
r.HandleFunc("/api/nodes/{network}", createNode).Methods("POST")
|
r.HandleFunc("/api/nodes/{network}", nodeauth(http.HandlerFunc(createNode))).Methods("POST")
|
||||||
r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(false, true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
|
r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(false, true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
|
||||||
r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods("POST")
|
r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods("POST")
|
||||||
}
|
}
|
||||||
@@ -131,6 +131,51 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// auth middleware for api calls from nodes where node is has not yet joined the server (register, join)
|
||||||
|
func nodeauth(next http.Handler) http.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
bearerToken := r.Header.Get("Authorization")
|
||||||
|
var tokenSplit = strings.Split(bearerToken, " ")
|
||||||
|
var token = ""
|
||||||
|
if len(tokenSplit) < 2 {
|
||||||
|
errorResponse := models.ErrorResponse{
|
||||||
|
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
||||||
|
}
|
||||||
|
returnErrorResponse(w, r, errorResponse)
|
||||||
|
return
|
||||||
|
} else {
|
||||||
|
token = tokenSplit[1]
|
||||||
|
}
|
||||||
|
found := false
|
||||||
|
networks, err := logic.GetNetworks()
|
||||||
|
if err != nil {
|
||||||
|
logger.Log(0, "no networks", err.Error())
|
||||||
|
errorResponse := models.ErrorResponse{
|
||||||
|
Code: http.StatusNotFound, Message: "no networks",
|
||||||
|
}
|
||||||
|
returnErrorResponse(w, r, errorResponse)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, network := range networks {
|
||||||
|
for _, key := range network.AccessKeys {
|
||||||
|
if key.Value == token {
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !found {
|
||||||
|
logger.Log(0, "valid access key not found")
|
||||||
|
errorResponse := models.ErrorResponse{
|
||||||
|
Code: http.StatusUnauthorized, Message: "You are unauthorized to access this endpoint.",
|
||||||
|
}
|
||||||
|
returnErrorResponse(w, r, errorResponse)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
next.ServeHTTP(w, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//The middleware for most requests to the API
|
//The middleware for most requests to the API
|
||||||
//They all pass through here first
|
//They all pass through here first
|
||||||
//This will validate the JWT (or check for master token)
|
//This will validate the JWT (or check for master token)
|
||||||
|
|||||||
@@ -22,7 +22,7 @@ func serverHandlers(r *mux.Router) {
|
|||||||
// r.HandleFunc("/api/server/addnetwork/{network}", securityCheckServer(true, http.HandlerFunc(addNetwork))).Methods("POST")
|
// r.HandleFunc("/api/server/addnetwork/{network}", securityCheckServer(true, http.HandlerFunc(addNetwork))).Methods("POST")
|
||||||
r.HandleFunc("/api/server/getconfig", securityCheckServer(false, http.HandlerFunc(getConfig))).Methods("GET")
|
r.HandleFunc("/api/server/getconfig", securityCheckServer(false, http.HandlerFunc(getConfig))).Methods("GET")
|
||||||
r.HandleFunc("/api/server/removenetwork/{network}", securityCheckServer(true, http.HandlerFunc(removeNetwork))).Methods("DELETE")
|
r.HandleFunc("/api/server/removenetwork/{network}", securityCheckServer(true, http.HandlerFunc(removeNetwork))).Methods("DELETE")
|
||||||
r.HandleFunc("/api/server/register", http.HandlerFunc(register)).Methods("POST")
|
r.HandleFunc("/api/server/register", nodeauth(http.HandlerFunc(register))).Methods("POST")
|
||||||
}
|
}
|
||||||
|
|
||||||
//Security check is middleware for every function and just checks to make sure that its the master calling
|
//Security check is middleware for every function and just checks to make sure that its the master calling
|
||||||
@@ -115,18 +115,6 @@ func getConfig(w http.ResponseWriter, r *http.Request) {
|
|||||||
func register(w http.ResponseWriter, r *http.Request) {
|
func register(w http.ResponseWriter, r *http.Request) {
|
||||||
logger.Log(2, "processing registration request")
|
logger.Log(2, "processing registration request")
|
||||||
w.Header().Set("Content-Type", "application/json")
|
w.Header().Set("Content-Type", "application/json")
|
||||||
bearerToken := r.Header.Get("Authorization")
|
|
||||||
var tokenSplit = strings.Split(bearerToken, " ")
|
|
||||||
var token = ""
|
|
||||||
if len(tokenSplit) < 2 {
|
|
||||||
errorResponse := models.ErrorResponse{
|
|
||||||
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
|
||||||
}
|
|
||||||
returnErrorResponse(w, r, errorResponse)
|
|
||||||
return
|
|
||||||
} else {
|
|
||||||
token = tokenSplit[1]
|
|
||||||
}
|
|
||||||
//decode body
|
//decode body
|
||||||
var request config.RegisterRequest
|
var request config.RegisterRequest
|
||||||
if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
|
if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
|
||||||
@@ -137,32 +125,6 @@ func register(w http.ResponseWriter, r *http.Request) {
|
|||||||
returnErrorResponse(w, r, errorResponse)
|
returnErrorResponse(w, r, errorResponse)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
found := false
|
|
||||||
networks, err := logic.GetNetworks()
|
|
||||||
if err != nil {
|
|
||||||
logger.Log(0, "no networks", err.Error())
|
|
||||||
errorResponse := models.ErrorResponse{
|
|
||||||
Code: http.StatusNotFound, Message: "no networks",
|
|
||||||
}
|
|
||||||
returnErrorResponse(w, r, errorResponse)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
for _, network := range networks {
|
|
||||||
for _, key := range network.AccessKeys {
|
|
||||||
if key.Value == token {
|
|
||||||
found = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !found {
|
|
||||||
logger.Log(0, "valid access key not found")
|
|
||||||
errorResponse := models.ErrorResponse{
|
|
||||||
Code: http.StatusUnauthorized, Message: "You are unauthorized to access this endpoint.",
|
|
||||||
}
|
|
||||||
returnErrorResponse(w, r, errorResponse)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
cert, ca, err := genCerts(&request.Key, &request.CommonName)
|
cert, ca, err := genCerts(&request.Key, &request.CommonName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Log(0, "failed to generater certs ", err.Error())
|
logger.Log(0, "failed to generater certs ", err.Error())
|
||||||
|
|||||||
@@ -352,11 +352,16 @@ func Authenticate(cfg *config.ClientConfig) (string, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
defer response.Body.Close()
|
||||||
|
if response.StatusCode != http.StatusOK {
|
||||||
|
bodybytes, _ := ioutil.ReadAll(response.Body)
|
||||||
|
return "", fmt.Errorf("failed to authenticate %s %s", response.Status, string(bodybytes))
|
||||||
|
}
|
||||||
resp := models.SuccessResponse{}
|
resp := models.SuccessResponse{}
|
||||||
if err := json.NewDecoder(response.Body).Decode(&resp); err != nil {
|
if err := json.NewDecoder(response.Body).Decode(&resp); err != nil {
|
||||||
return "", err
|
return "", fmt.Errorf("error decoding respone %w", err)
|
||||||
}
|
}
|
||||||
tokenData := (resp.Response.(map[string]interface{}))
|
tokenData := resp.Response.(map[string]interface{})
|
||||||
token := tokenData["AuthToken"]
|
token := tokenData["AuthToken"]
|
||||||
return token.(string), nil
|
return token.(string), nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,15 +1,16 @@
|
|||||||
package functions
|
package functions
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
|
"net/http"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
nodepb "github.com/gravitl/netmaker/grpc"
|
|
||||||
"github.com/gravitl/netmaker/logger"
|
"github.com/gravitl/netmaker/logger"
|
||||||
"github.com/gravitl/netmaker/logic"
|
"github.com/gravitl/netmaker/logic"
|
||||||
"github.com/gravitl/netmaker/models"
|
"github.com/gravitl/netmaker/models"
|
||||||
@@ -18,11 +19,9 @@ import (
|
|||||||
"github.com/gravitl/netmaker/netclient/daemon"
|
"github.com/gravitl/netmaker/netclient/daemon"
|
||||||
"github.com/gravitl/netmaker/netclient/local"
|
"github.com/gravitl/netmaker/netclient/local"
|
||||||
"github.com/gravitl/netmaker/netclient/ncutils"
|
"github.com/gravitl/netmaker/netclient/ncutils"
|
||||||
"github.com/gravitl/netmaker/netclient/server"
|
|
||||||
"github.com/gravitl/netmaker/netclient/wireguard"
|
"github.com/gravitl/netmaker/netclient/wireguard"
|
||||||
"golang.org/x/crypto/nacl/box"
|
"golang.org/x/crypto/nacl/box"
|
||||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||||
"google.golang.org/grpc"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// JoinNetwork - helps a client join a network
|
// JoinNetwork - helps a client join a network
|
||||||
@@ -123,45 +122,28 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string, iscomms bool) erro
|
|||||||
}
|
}
|
||||||
// make sure name is appropriate, if not, give blank name
|
// make sure name is appropriate, if not, give blank name
|
||||||
cfg.Node.Name = formatName(cfg.Node)
|
cfg.Node.Name = formatName(cfg.Node)
|
||||||
// differentiate between client/server here
|
cfg.Node.OS = runtime.GOOS
|
||||||
var node = models.Node{
|
cfg.Node.Version = ncutils.Version
|
||||||
Password: cfg.Node.Password,
|
cfg.Node.AccessKey = cfg.Server.AccessKey
|
||||||
Address: cfg.Node.Address,
|
//not sure why this is needed ... setnode defaults should take care of this on server
|
||||||
Address6: cfg.Node.Address6,
|
cfg.Node.IPForwarding = "yes"
|
||||||
ID: cfg.Node.ID,
|
logger.Log(0, "joining "+cfg.Network+" at "+cfg.Server.API)
|
||||||
MacAddress: cfg.Node.MacAddress,
|
url := "https://" + cfg.Server.API + "/api/nodes/" + cfg.Network
|
||||||
AccessKey: cfg.Server.AccessKey,
|
response, err := API(cfg.Node, http.MethodPost, url, cfg.Server.AccessKey)
|
||||||
IsStatic: cfg.Node.IsStatic,
|
|
||||||
//Roaming: cfg.Node.Roaming,
|
|
||||||
Network: cfg.Network,
|
|
||||||
ListenPort: cfg.Node.ListenPort,
|
|
||||||
PostUp: cfg.Node.PostUp,
|
|
||||||
PostDown: cfg.Node.PostDown,
|
|
||||||
PersistentKeepalive: cfg.Node.PersistentKeepalive,
|
|
||||||
LocalAddress: cfg.Node.LocalAddress,
|
|
||||||
Interface: cfg.Node.Interface,
|
|
||||||
PublicKey: cfg.Node.PublicKey,
|
|
||||||
DNSOn: cfg.Node.DNSOn,
|
|
||||||
Name: cfg.Node.Name,
|
|
||||||
Endpoint: cfg.Node.Endpoint,
|
|
||||||
UDPHolePunch: cfg.Node.UDPHolePunch,
|
|
||||||
TrafficKeys: cfg.Node.TrafficKeys,
|
|
||||||
OS: runtime.GOOS,
|
|
||||||
Version: ncutils.Version,
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Log(0, "joining "+cfg.Network+" at "+cfg.Server.GRPCAddress)
|
|
||||||
var wcclient nodepb.NodeServiceClient
|
|
||||||
|
|
||||||
conn, err := grpc.Dial(cfg.Server.GRPCAddress,
|
|
||||||
ncutils.GRPCRequestOpts(cfg.Server.GRPCSSL))
|
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("Unable to establish client connection to "+cfg.Server.GRPCAddress+": %v", err)
|
return fmt.Errorf("error creating node %w", err)
|
||||||
|
}
|
||||||
|
defer response.Body.Close()
|
||||||
|
if response.StatusCode != http.StatusOK {
|
||||||
|
bodybytes, _ := io.ReadAll(response.Body)
|
||||||
|
return fmt.Errorf("error creating node %s %s", response.Status, string(bodybytes))
|
||||||
|
}
|
||||||
|
var node models.Node
|
||||||
|
if err := json.NewDecoder(response.Body).Decode(&node); err != nil {
|
||||||
|
//not sure the next line will work as response.Body probably needs to be reset before it can be read again
|
||||||
|
bodybytes, _ := ioutil.ReadAll(response.Body)
|
||||||
|
return fmt.Errorf("error decoding node from server %w %s", err, string(bodybytes))
|
||||||
}
|
}
|
||||||
defer conn.Close()
|
|
||||||
wcclient = nodepb.NewNodeServiceClient(conn)
|
|
||||||
|
|
||||||
// safety check. If returned node from server is local, but not currently configured as local, set to local addr
|
// safety check. If returned node from server is local, but not currently configured as local, set to local addr
|
||||||
if cfg.Node.IsLocal != "yes" && node.IsLocal == "yes" && node.LocalRange != "" {
|
if cfg.Node.IsLocal != "yes" && node.IsLocal == "yes" && node.LocalRange != "" {
|
||||||
node.LocalAddress, err = ncutils.GetLocalIP(node.LocalRange)
|
node.LocalAddress, err = ncutils.GetLocalIP(node.LocalRange)
|
||||||
@@ -186,35 +168,11 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string, iscomms bool) erro
|
|||||||
return daemon.InstallDaemon(cfg)
|
return daemon.InstallDaemon(cfg)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
data, err := json.Marshal(&node)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
// Create node on server
|
|
||||||
res, err := wcclient.CreateNode(
|
|
||||||
context.TODO(),
|
|
||||||
&nodepb.Object{
|
|
||||||
Data: string(data),
|
|
||||||
Type: nodepb.NODE_TYPE,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
logger.Log(1, "node created on remote server...updating configs")
|
logger.Log(1, "node created on remote server...updating configs")
|
||||||
|
|
||||||
// keep track of the old listenport value
|
// keep track of the old listenport value
|
||||||
oldListenPort := node.ListenPort
|
oldListenPort := node.ListenPort
|
||||||
|
|
||||||
nodeData := res.Data
|
|
||||||
if err = json.Unmarshal([]byte(nodeData), &node); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cfg.Node = node
|
cfg.Node = node
|
||||||
|
|
||||||
setListenPort(oldListenPort, cfg)
|
setListenPort(oldListenPort, cfg)
|
||||||
|
|
||||||
err = config.ModConfig(&cfg.Node)
|
err = config.ModConfig(&cfg.Node)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@@ -223,45 +181,19 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string, iscomms bool) erro
|
|||||||
if err = config.SaveBackup(node.Network); err != nil {
|
if err = config.SaveBackup(node.Network); err != nil {
|
||||||
logger.Log(0, "failed to make backup, node will not auto restore if config is corrupted")
|
logger.Log(0, "failed to make backup, node will not auto restore if config is corrupted")
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Log(0, "retrieving peers")
|
|
||||||
peers, hasGateway, gateways, err := server.GetPeers(node.MacAddress, cfg.Network, cfg.Server.GRPCAddress, node.IsDualStack == "yes", node.IsIngressGateway == "yes", node.IsServer == "yes")
|
|
||||||
if err != nil && !ncutils.IsEmptyRecord(err) {
|
|
||||||
logger.Log(0, "failed to retrieve peers")
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.Log(0, "starting wireguard")
|
logger.Log(0, "starting wireguard")
|
||||||
err = wireguard.InitWireguard(&node, privateKey, peers, hasGateway, gateways, false)
|
err = wireguard.InitWireguard(&node, privateKey, []wgtypes.PeerConfig{}, false, []string{}, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
// if node.DNSOn == "yes" {
|
if cfg.Daemon != "off" {
|
||||||
// for _, server := range node.NetworkSettings.DefaultServerAddrs {
|
err = daemon.InstallDaemon(cfg)
|
||||||
// if server.IsLeader {
|
|
||||||
// go func() {
|
|
||||||
// if !local.SetDNSWithRetry(node, server.Address) {
|
|
||||||
// cfg.Node.DNSOn = "no"
|
|
||||||
// var currentCommsCfg = getCommsCfgByNode(&cfg.Node)
|
|
||||||
// PublishNodeUpdate(¤tCommsCfg, &cfg)
|
|
||||||
// }
|
|
||||||
// }()
|
|
||||||
// break
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
|
|
||||||
if !iscomms {
|
|
||||||
if cfg.Daemon != "off" {
|
|
||||||
err = daemon.InstallDaemon(cfg)
|
|
||||||
}
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else {
|
} else {
|
||||||
daemon.Restart()
|
daemon.Restart()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user