extend setup key logic (#91)

* feature: extend setup key logic

* fix: login test

* test: change test data to support new setup key fields

* test: add setup key tests

* test: add setup key UUID format validation

* test: add AddAccount test

* test: add more AccountManager tests

* fix: golint errors

* test: increase client interface up timout
This commit is contained in:
Mikhail Bragin 2021-08-20 19:48:42 +02:00 committed by GitHub
parent 8364e03944
commit d75353fbb8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 428 additions and 32 deletions

View File

@ -7,6 +7,7 @@ import (
mgmt "github.com/wiretrustee/wiretrustee/management/server"
"github.com/wiretrustee/wiretrustee/util"
"path/filepath"
"strings"
"testing"
)
@ -38,7 +39,7 @@ func TestLogin(t *testing.T) {
"--config",
confPath,
"--setup-key",
"a2c8e62b-38f5-4553-b31e-dd66c696cebb",
strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
"--management-url",
mgmtURL,
})

View File

@ -9,7 +9,6 @@ import (
"net/url"
"os"
"path/filepath"
"strings"
"testing"
"time"
)
@ -71,7 +70,7 @@ func TestUp(t *testing.T) {
"--config",
confPath,
"--setup-key",
strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
"A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
"--management-url",
mgmtURL.String(),
})
@ -93,7 +92,7 @@ func TestUp(t *testing.T) {
}()
exists := false
for start := time.Now(); time.Since(start) < 7*time.Second; {
for start := time.Now(); time.Since(start) < 15*time.Second; {
e, err := iface.Exists(iface.WgInterfaceDefault)
if err != nil {
continue

View File

@ -3,8 +3,14 @@
"bf1c8084-ba50-4ce7-9439-34653001fc3b": {
"Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
"SetupKeys": {
"a2c8e62b-38f5-4553-b31e-dd66c696cebb": {
"Key": "a2c8e62b-38f5-4553-b31e-dd66c696cebb"
"A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
"Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
"Name": "Default key",
"Type": "reusable",
"CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
"ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
"Revoked": false,
"UsedTimes": 0
}
},
"Network": {

View File

@ -24,19 +24,13 @@ type Account struct {
Peers map[string]*Peer
}
// SetupKey represents a pre-authorized key used to register machines (peers)
// One key might have multiple machines
type SetupKey struct {
Key string
}
// Peer represents a machine connected to the network.
// The Peer is a Wireguard peer identified by a public key
type Peer struct {
// Wireguard public key
Key string
// A setup key this peer was registered with
SetupKey *SetupKey
SetupKey string
// IP address of the Peer
IP net.IP
}
@ -90,7 +84,7 @@ func (manager *AccountManager) GetAccount(accountId string) (*Account, error) {
account, err := manager.Store.GetAccount(accountId)
if err != nil {
return nil, status.Errorf(codes.Internal, "failed retrieving account")
return nil, status.Errorf(codes.NotFound, "account not found")
}
return account, nil
@ -164,23 +158,40 @@ func (manager *AccountManager) createAccount(accountId string) (*Account, error)
// Each Account has a list of pre-authorised SetupKey and if no Account has a given key err wit ha code codes.Unauthenticated
// will be returned, meaning the key is invalid
// Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
// If the specified setupKey is empty then a new Account will be created //todo make it more explicit?
// If the specified setupKey is empty then a new Account will be created //todo remove this part
func (manager *AccountManager) AddPeer(setupKey string, peerKey string) (*Peer, error) {
manager.mux.Lock()
defer manager.mux.Unlock()
upperKey := strings.ToUpper(setupKey)
var account *Account
var err error
var sk *SetupKey
if len(setupKey) == 0 {
if len(upperKey) == 0 {
// Empty setup key, create a new account for it.
account, sk = newAccount()
} else {
sk = &SetupKey{Key: strings.ToUpper(setupKey)}
account, err = manager.Store.GetAccountBySetupKey(sk.Key)
account, err = manager.Store.GetAccountBySetupKey(upperKey)
if err != nil {
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", setupKey)
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", upperKey)
}
for _, key := range account.SetupKeys {
if upperKey == key.Key {
sk = key
break
}
}
if sk == nil {
// shouldn't happen actually
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", upperKey)
}
}
if !sk.IsValid() {
return nil, status.Errorf(codes.FailedPrecondition, "setup key was expired or overused %s", upperKey)
}
var takenIps []net.IP
@ -193,7 +204,7 @@ func (manager *AccountManager) AddPeer(setupKey string, peerKey string) (*Peer,
newPeer := &Peer{
Key: peerKey,
SetupKey: sk,
SetupKey: sk.Key,
IP: nextIp,
}
@ -212,17 +223,16 @@ func newAccountWithId(accountId string) (*Account, *SetupKey) {
log.Debugf("creating new account")
setupKeyId := strings.ToUpper(uuid.New().String())
setupKeys := make(map[string]*SetupKey)
setupKey := &SetupKey{Key: setupKeyId}
setupKeys[setupKeyId] = setupKey
setupKey := GenerateDefaultSetupKey()
setupKeys[setupKey.Key] = setupKey
network := &Network{
Id: uuid.New().String(),
Net: net.IPNet{IP: net.ParseIP("100.64.0.0"), Mask: net.IPMask{255, 192, 0, 0}},
Dns: ""}
peers := make(map[string]*Peer)
log.Debugf("created new account %s with setup key %s", accountId, setupKeyId)
log.Debugf("created new account %s with setup key %s", accountId, setupKey.Key)
return &Account{Id: accountId, SetupKeys: setupKeys, Network: network, Peers: peers}, setupKey
}

View File

@ -0,0 +1,211 @@
package server
import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"net"
"testing"
)
func TestAccountManager_AddAccount(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
expectedId := "test_account"
expectedPeersSize := 0
expectedSetupKeysSize := 1
expectedNetwork := net.IPNet{
IP: net.IP{100, 64, 0, 0},
Mask: net.IPMask{255, 192, 0, 0},
}
account, err := manager.AddAccount(expectedId)
if err != nil {
t.Fatal(err)
}
if account.Id != expectedId {
t.Errorf("expected account to have ID = %s, got %s", expectedId, account.Id)
}
if len(account.Peers) != expectedPeersSize {
t.Errorf("expected account to have len(Peers) = %v, got %v", expectedPeersSize, len(account.Peers))
}
if len(account.SetupKeys) != expectedSetupKeysSize {
t.Errorf("expected account to have len(SetupKeys) = %v, got %v", expectedSetupKeysSize, len(account.SetupKeys))
}
if account.Network.Net.String() != expectedNetwork.String() {
t.Errorf("expected account to have Network = %v, got %v", expectedNetwork.String(), account.Network.Net.String())
}
}
func TestAccountManager_GetOrCreateAccount(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
expectedId := "test_account"
//make sure account doesn't exist
account, err := manager.GetAccount(expectedId)
if err != nil {
errStatus, ok := status.FromError(err)
if !(ok && errStatus.Code() == codes.NotFound) {
t.Fatal(err)
}
}
if account != nil {
t.Fatal("expecting empty account")
}
account, err = manager.GetOrCreateAccount(expectedId)
if err != nil {
t.Fatal(err)
}
if account.Id != expectedId {
t.Fatalf("expected to create an account, got wrong account")
}
account, err = manager.GetOrCreateAccount(expectedId)
if err != nil {
t.Errorf("expected to get existing account after creation, failed")
}
if account.Id != expectedId {
t.Fatalf("expected to create an account, got wrong account")
}
}
func TestAccountManager_AccountExists(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
expectedId := "test_account"
_, err = manager.AddAccount(expectedId)
if err != nil {
t.Fatal(err)
}
exists, err := manager.AccountExists(expectedId)
if err != nil {
t.Fatal(err)
}
if !*exists {
t.Errorf("expected account to exist after creation, got false")
}
}
func TestAccountManager_GetAccount(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
expectedId := "test_account"
account, err := manager.AddAccount(expectedId)
if err != nil {
t.Fatal(err)
}
//AddAccount has been already tested so we can assume it is correct and compare results
getAccount, err := manager.GetAccount(expectedId)
if err != nil {
t.Fatal(err)
return
}
if account.Id != getAccount.Id {
t.Errorf("expected account.ID %s, got %s", account.Id, getAccount.Id)
}
for _, peer := range account.Peers {
if _, ok := getAccount.Peers[peer.Key]; !ok {
t.Errorf("expected account to have peer %s, not found", peer.Key)
}
}
for _, key := range account.SetupKeys {
if _, ok := getAccount.SetupKeys[key.Key]; !ok {
t.Errorf("expected account to have setup key %s, not found", key.Key)
}
}
}
func TestAccountManager_AddPeer(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
account, err := manager.AddAccount("test_account")
if err != nil {
t.Fatal(err)
}
var setupKey *SetupKey
for _, key := range account.SetupKeys {
setupKey = key
}
if setupKey == nil {
t.Errorf("expecting account to have a default setup key")
return
}
key, err := wgtypes.GenerateKey()
if err != nil {
t.Fatal(err)
return
}
expectedPeerKey := key.PublicKey().String()
expectedPeerIP := "100.64.0.1"
peer, err := manager.AddPeer(setupKey.Key, expectedPeerKey)
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
}
if peer.Key != expectedPeerKey {
t.Errorf("expecting just added peer to have key = %s, got %s", expectedPeerKey, peer.Key)
}
if peer.Key != expectedPeerKey {
t.Errorf("expecting just added peer to have IP = %s, got %s", expectedPeerIP, peer.IP.String())
}
}
func createManager(t *testing.T) (*AccountManager, error) {
store, err := createStore(t)
if err != nil {
return nil, err
}
return NewManager(store), nil
}
func createStore(t *testing.T) (Store, error) {
dataDir := t.TempDir()
store, err := NewStore(dataDir)
if err != nil {
return nil, err
}
return store, nil
}

View File

@ -116,7 +116,7 @@ func (s *FileStore) SaveAccount(account *Account) error {
// todo check that account.Id and keyId are not exist already
// because if keyId exists for other accounts this can be bad
for keyId := range account.SetupKeys {
s.SetupKeyId2AccountId[strings.ToLower(keyId)] = account.Id
s.SetupKeyId2AccountId[strings.ToUpper(keyId)] = account.Id
}
for _, peer := range account.Peers {

View File

@ -19,6 +19,7 @@ type SetupKeyResponse struct {
Name string
Expires time.Time
Type string
Valid bool
}
func NewSetupKeysHandler(accountManager *server.AccountManager) *SetupKeys {
@ -45,9 +46,10 @@ func (h *SetupKeys) ServeHTTP(w http.ResponseWriter, r *http.Request) {
for _, key := range account.SetupKeys {
respBody = append(respBody, &SetupKeyResponse{
Key: key.Key,
Name: key.Key,
Expires: time.Now().Add(30 * (time.Second * 60 * 60 * 24)),
Type: "reusable",
Name: key.Name,
Expires: key.ExpiresAt,
Type: string(key.Type),
Valid: key.IsValid(),
})
}

View File

@ -25,8 +25,7 @@ import (
)
const (
ValidSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
InvalidSetupKey = "INVALID_SETUP_KEY"
ValidSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
)
var _ = Describe("Management service", func() {

View File

@ -0,0 +1,61 @@
package server
import (
"github.com/google/uuid"
"strings"
"time"
)
const (
// SetupKeyReusable is a multi-use key (can be used for multiple machines)
SetupKeyReusable SetupKeyType = "reusable"
// SetupKeyOneOff is a single use key (can be used only once)
SetupKeyOneOff SetupKeyType = "one-off"
// DefaultSetupKeyDuration = 1 month
DefaultSetupKeyDuration = 24 * 30 * time.Hour
// DefaultSetupKeyName is a default name of the default setup key
DefaultSetupKeyName = "Default key"
)
// SetupKeyType is the type of setup key
type SetupKeyType string
// SetupKey represents a pre-authorized key used to register machines (peers)
type SetupKey struct {
Key string
Name string
Type SetupKeyType
CreatedAt time.Time
ExpiresAt time.Time
// Revoked indicates whether the key was revoked or not (we don't remove them for tracking purposes)
Revoked bool
// UsedTimes indicates how many times the key was used
UsedTimes int
}
// IsValid is true if the key was not revoked, is not expired and used not more than it was supposed to
func (key *SetupKey) IsValid() bool {
expired := time.Now().After(key.ExpiresAt)
overUsed := key.Type == SetupKeyOneOff && key.UsedTimes >= 1
return !key.Revoked && !expired && !overUsed
}
// GenerateSetupKey generates a new setup key
func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration) *SetupKey {
createdAt := time.Now()
return &SetupKey{
Key: strings.ToUpper(uuid.New().String()),
Name: name,
Type: t,
CreatedAt: createdAt,
ExpiresAt: createdAt.Add(validFor),
Revoked: false,
UsedTimes: 0,
}
}
// GenerateDefaultSetupKey generates a default setup key
func GenerateDefaultSetupKey() *SetupKey {
return GenerateSetupKey(DefaultSetupKeyName, SetupKeyReusable, DefaultSetupKeyDuration)
}

View File

@ -0,0 +1,100 @@
package server
import (
"github.com/google/uuid"
"testing"
"time"
)
func TestGenerateDefaultSetupKey(t *testing.T) {
expectedName := "Default key"
expectedRevoke := false
expectedType := "reusable"
expectedUsedTimes := 0
expectedCreatedAt := time.Now()
expectedExpiresAt := time.Now().Add(24 * 30 * time.Hour)
key := GenerateDefaultSetupKey()
assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt, expectedExpiresAt)
}
func TestGenerateSetupKey(t *testing.T) {
expectedName := "key"
expectedRevoke := false
expectedType := "one-off"
expectedUsedTimes := 0
expectedCreatedAt := time.Now()
expectedExpiresAt := time.Now().Add(time.Hour)
key := GenerateSetupKey(expectedName, SetupKeyOneOff, time.Hour)
assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt, expectedExpiresAt)
}
func TestSetupKey_IsValid(t *testing.T) {
validKey := GenerateSetupKey("valid key", SetupKeyOneOff, time.Hour)
if !validKey.IsValid() {
t.Errorf("expected key to be valid, got invalid %v", validKey)
}
// expired
expiredKey := GenerateSetupKey("invalid key", SetupKeyOneOff, -time.Hour)
if expiredKey.IsValid() {
t.Errorf("expected key to be invalid due to expiration, got valid %v", expiredKey)
}
// revoked
revokedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour)
revokedKey.Revoked = true
if revokedKey.IsValid() {
t.Errorf("expected revoked key to be invalid, got valid %v", revokedKey)
}
// overused
overUsedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour)
overUsedKey.UsedTimes = 1
if overUsedKey.IsValid() {
t.Errorf("expected overused key to be invalid, got valid %v", overUsedKey)
}
// overused
reusableKey := GenerateSetupKey("valid key", SetupKeyReusable, time.Hour)
reusableKey.UsedTimes = 99
if !reusableKey.IsValid() {
t.Errorf("expected reusable key to be valid when used many times, got valid %v", reusableKey)
}
}
func assertKey(t *testing.T, key *SetupKey, expectedName string, expectedRevoke bool, expectedType string, expectedUsedTimes int, expectedCreatedAt time.Time, expectedExpiresAt time.Time) {
if key.Name != expectedName {
t.Errorf("expected setup key to have Name %v, got %v", expectedName, key.Name)
}
if key.Revoked != expectedRevoke {
t.Errorf("expected setup key to have Revoke %v, got %v", expectedRevoke, key.Revoked)
}
if string(key.Type) != expectedType {
t.Errorf("expected setup key to have Type %v, got %v", expectedType, key.Type)
}
if key.UsedTimes != expectedUsedTimes {
t.Errorf("expected setup key to have UsedTimes = %v, got %v", expectedUsedTimes, key.UsedTimes)
}
if key.ExpiresAt.Sub(expectedExpiresAt).Round(time.Hour) != 0 {
t.Errorf("expected setup key to have ExpiresAt ~ %v, got %v", expectedExpiresAt, key.ExpiresAt)
}
if key.CreatedAt.Sub(expectedCreatedAt).Round(time.Hour) != 0 {
t.Errorf("expected setup key to have CreatedAt ~ %v, got %v", expectedCreatedAt, key.CreatedAt)
}
_, err := uuid.Parse(key.Key)
if err != nil {
t.Errorf("expected key to be a valid UUID, got %v, %v", key.Key, err)
}
}

View File

@ -3,8 +3,15 @@
"bf1c8084-ba50-4ce7-9439-34653001fc3b": {
"Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
"SetupKeys": {
"a2c8e62b-38f5-4553-b31e-dd66c696cebb": {
"Key": "a2c8e62b-38f5-4553-b31e-dd66c696cebb"
"A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
"Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
"Name": "Default key",
"Type": "reusable",
"CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
"ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
"Revoked": false,
"UsedTimes": 0
}
},
"Network": {