package client
import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"time"

	"github.com/cenkalti/backoff/v4"
	log "github.com/sirupsen/logrus"
	"github.com/wiretrustee/wiretrustee/client/system"
	"github.com/wiretrustee/wiretrustee/encryption"
	"github.com/wiretrustee/wiretrustee/management/proto"
	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
	"google.golang.org/grpc"
	"google.golang.org/grpc/connectivity"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/insecure"
	"google.golang.org/grpc/keepalive"
)
type Client struct {
	// key is this peer's WireGuard private key; it is used to encrypt
	// requests to and decrypt responses from the Management Service.
	key wgtypes.Key
	// realClient is the generated gRPC stub the wrapper methods delegate to.
	realClient proto.ManagementServiceClient
	// ctx is the client-wide context; per-call timeouts and the retry
	// backoff are derived from it.
	ctx context.Context
	// conn is the underlying gRPC connection; Close() closes it and
	// ready() inspects its state.
	conn *grpc.ClientConn
}
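// NewClient creates a new client to Management service.
//
// addr is the gRPC endpoint to dial. ourPrivateKey is this peer's WireGuard
// private key, used to encrypt and decrypt every message exchanged with the
// service. When tlsEnabled is true the connection uses TLS with the system
// root CAs and TLS 1.2 as the minimum protocol version; otherwise a plaintext
// transport is used and the server is not authenticated at the transport
// layer.
//
// The dial blocks until the connection is established or 10 seconds pass.
// ctx is retained by the returned Client and bounds every later call.
// Returns an error when the connection cannot be established in time.
func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*Client, error) {
	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
	if tlsEnabled {
		// Pin the minimum version explicitly rather than relying on the
		// toolchain default, so a build or config change cannot silently
		// allow TLS 1.0/1.1.
		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
			MinVersion: tls.VersionTLS12,
		}))
	}

	mgmCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()
	conn, err := grpc.DialContext(
		mgmCtx,
		addr,
		transportOption,
		grpc.WithBlock(),
		grpc.WithKeepaliveParams(keepalive.ClientParameters{
			Time:    15 * time.Second,
			Timeout: 10 * time.Second,
		}))
	if err != nil {
		log.Errorf("failed creating connection to Management Service %v", err)
		return nil, fmt.Errorf("dialing Management Service %q: %w", addr, err)
	}

	realClient := proto.NewManagementServiceClient(conn)

	return &Client{
		key:        ourPrivateKey,
		realClient: realClient,
		ctx:        ctx,
		conn:       conn,
	}, nil
}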
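// Close closes connection to the Management Service.
//
// It is safe to call on a Client whose connection was never established
// (a zero-value Client or nil receiver): there is nothing to close and nil
// is returned. Otherwise the error from closing the gRPC connection is
// returned.
func (c *Client) Close() error {
	if c == nil || c.conn == nil {
		return nil
	}
	return c.conn.Close()
}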
// defaultBackoff is a basic backoff mechanism for general issues.
//
// The returned BackOff grows exponentially from 800ms up to a 10s ceiling
// (with the library's default jitter and multiplier), gives up after 12 hours
// of continuous retrying, and is also bound to ctx via backoff.WithContext.
func defaultBackoff(ctx context.Context) backoff.BackOff {
	policy := &backoff.ExponentialBackOff{
		InitialInterval:     800 * time.Millisecond,
		RandomizationFactor: backoff.DefaultRandomizationFactor,
		Multiplier:          backoff.DefaultMultiplier,
		MaxInterval:         10 * time.Second,
		// Stop after 12 hours of trying; the error is then propagated to
		// the general retry loop of the client.
		MaxElapsedTime: 12 * time.Hour,
		Stop:           backoff.Stop,
		Clock:          backoff.SystemClock,
	}
	return backoff.WithContext(policy, ctx)
}
// ready indicates whether the client is okay and ready to be used.
// For now it just checks whether the gRPC connection to the service is in
// the Ready or Idle state.
func (c *Client) ready() bool {
	switch c.conn.GetState() {
	case connectivity.Ready, connectivity.Idle:
		return true
	default:
		return false
	}
}
// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages.
// Blocking request. The result will be sent via msgHandler callback function.
//
// Each attempt checks connection readiness, fetches the server's public key,
// opens the encrypted Sync stream and consumes it until it fails. A failure
// after the stream was established resets the backoff so the next reconnect
// is attempted quickly. The last attempt's error is returned once the backoff
// policy (see defaultBackoff) stops retrying; nil is returned only if an
// attempt completes without error.
func (c *Client) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
	retryPolicy := defaultBackoff(c.ctx)

	attempt := func() error {
		log.Debugf("management connection state %v", c.conn.GetState())

		if !c.ready() {
			return fmt.Errorf("no connection to management")
		}

		// todo we already have it since we did the Login, maybe cache it locally?
		serverPubKey, err := c.GetServerPublicKey()
		if err != nil {
			log.Errorf("failed getting Management Service public key: %s", err)
			return err
		}

		stream, err := c.connectToStream(*serverPubKey)
		if err != nil {
			log.Errorf("failed to open Management Service stream: %s", err)
			return err
		}

		log.Infof("connected to the Management Service stream")

		// blocking until error
		if err = c.receiveEvents(stream, *serverPubKey, msgHandler); err != nil {
			retryPolicy.Reset()
			return err
		}
		return nil
	}

	if err := backoff.Retry(attempt, retryPolicy); err != nil {
		log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
		return err
	}
	return nil
}
// connectToStream opens the server-streaming Sync RPC. The (empty) SyncRequest
// is encrypted with the server's public key and our private key, and the
// request carries our public key so the server can address the reply to us.
func (c *Client) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
	body, err := encryption.EncryptMessage(serverPubKey, c.key, &proto.SyncRequest{})
	if err != nil {
		log.Errorf("failed encrypting message: %s", err)
		return nil, err
	}

	return c.realClient.Sync(c.ctx, &proto.EncryptedMessage{
		WgPubKey: c.key.PublicKey().String(),
		Body:     body,
	})
}
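// receiveEvents consumes the Sync stream until it fails: every message is
// decrypted with serverPubKey and our private key and then handed to
// msgHandler. It never returns nil — the stream closing (io.EOF), any
// transport error, a decryption failure or a handler error all end the loop
// and are returned so the caller's retry policy can reconnect.
func (c *Client) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
	for {
		update, err := stream.Recv()
		// errors.Is rather than == so a wrapped EOF is still recognised
		// as an orderly close by the server.
		if errors.Is(err, io.EOF) {
			log.Errorf("Management stream has been closed by server: %s", err)
			return err
		}
		if err != nil {
			log.Warnf("disconnected from Management Service sync stream: %v", err)
			return err
		}

		log.Debugf("got an update message from Management Service")
		// A message that does not decrypt under the expected keys aborts
		// the stream instead of being skipped.
		decryptedResp := &proto.SyncResponse{}
		if err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp); err != nil {
			log.Errorf("failed decrypting update message from Management Service: %s", err)
			return err
		}

		if err = msgHandler(decryptedResp); err != nil {
			log.Errorf("failed handling an update message received from Management Service: %v", err)
			return err
		}
	}
}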
// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server).
//
// The key is requested from the service itself over the existing connection
// (bounded by a 5s timeout) and parsed as a WireGuard key. Nothing in this
// method checks it against an out-of-band value, so its authenticity rests on
// the transport established in NewClient. Fails with "no connection to
// management" when the connection is not ready.
func (c *Client) GetServerPublicKey() (*wgtypes.Key, error) {
	if !c.ready() {
		return nil, fmt.Errorf("no connection to management")
	}

	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
	defer cancel()

	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
	if err != nil {
		return nil, err
	}

	key, err := wgtypes.ParseKey(resp.Key)
	if err != nil {
		return nil, err
	}
	return &key, nil
}
// login performs the Login RPC: req is encrypted with serverKey and our
// private key, sent together with our public key, and the encrypted reply is
// decrypted into a LoginResponse. The RPC itself is bounded by a 5s timeout.
// Fails with "no connection to management" when the connection is not ready.
func (c *Client) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
	if !c.ready() {
		return nil, fmt.Errorf("no connection to management")
	}

	body, err := encryption.EncryptMessage(serverKey, c.key, req)
	if err != nil {
		log.Errorf("failed to encrypt message: %s", err)
		return nil, err
	}

	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
	defer cancel()

	encryptedReq := &proto.EncryptedMessage{
		WgPubKey: c.key.PublicKey().String(),
		Body:     body,
	}
	resp, err := c.realClient.Login(mgmCtx, encryptedReq)
	if err != nil {
		return nil, err
	}

	loginResp := &proto.LoginResponse{}
	if err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp); err != nil {
		log.Errorf("failed to decrypt registration message: %s", err)
		return nil, err
	}
	return loginResp, nil
}
// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key.
// Takes care of encrypting and decrypting messages.
// This method will also collect system info and send it with the request (e.g. hostname, os, etc).
//
// The setup key travels inside the encrypted LoginRequest body (see login);
// WiretrusteeVersion is currently always sent empty.
func (c *Client) Register(serverKey wgtypes.Key, setupKey string) (*proto.LoginResponse, error) {
	info := system.GetInfo()
	meta := &proto.PeerSystemMeta{
		Hostname:           info.Hostname,
		GoOS:               info.GoOS,
		OS:                 info.OS,
		Core:               info.OSVersion,
		Platform:           info.Platform,
		Kernel:             info.Kernel,
		WiretrusteeVersion: "",
	}
	log.Debugf("detected system %v", meta)

	req := &proto.LoginRequest{SetupKey: setupKey, Meta: meta}
	return c.login(serverKey, req)
}
// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
// Unlike Register, no setup key or system metadata is sent: the request body is empty.
func (c *Client) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
	var req proto.LoginRequest
	return c.login(serverKey, &req)
}