zrok/controller/util.go

package controller
import (
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"net"
	"net/http"
	"strings"

	errors2 "github.com/go-openapi/errors"
	"github.com/jaevor/go-nanoid"
	"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
	"github.com/openziti/edge/rest_management_api_client"
	"github.com/openziti/edge/rest_util"
)
// zrokAuthenticator resolves API tokens to principals for the controller.
type zrokAuthenticator struct {
	// cfg is the controller configuration handed to newZrokAuthenticator.
	// NOTE(review): authenticate currently reads the package-level cfg, not this field.
	cfg *Config
}
// newZrokAuthenticator returns an authenticator holding cfg.
func newZrokAuthenticator(cfg *Config) *zrokAuthenticator {
	za := new(zrokAuthenticator)
	za.cfg = cfg
	return za
}
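// authenticate resolves an API token to a Principal.
//
// The token is first looked up as an account token in the store; on a hit the
// account's id, token and email become the principal. Otherwise the token is
// compared against each configured admin secret, and a match yields the
// synthetic admin principal (ID -1, Admin true). Anything else is rejected
// with a 401 "invalid api key".
//
// NOTE(review): str and cfg are package-level values declared elsewhere in
// this package; the method ignores za.cfg in favour of the global cfg.
func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Principal, error) {
	tx, err := str.Begin()
	if err != nil {
		return nil, err
	}
	// Read-only lookup: the transaction is never committed, only rolled back.
	defer func() { _ = tx.Rollback() }()

	if a, err := str.FindAccountWithToken(token, tx); err == nil {
		return &rest_model_zrok.Principal{
			ID:    int64(a.Id),
			Token: a.Token,
			Email: a.Email,
		}, nil
	}
	// Any lookup error (not-found or otherwise) falls through to the admin
	// secret check; the error itself is not surfaced to the caller.

	// Admin secrets are compared in constant time so a mismatch does not
	// reveal how many leading bytes of the secret were correct.
	if cfg.Admin != nil {
		for _, secret := range cfg.Admin.Secrets {
			if subtle.ConstantTimeCompare([]byte(token), []byte(secret)) == 1 {
				return &rest_model_zrok.Principal{ID: int64(-1), Admin: true}, nil
			}
		}
	}
	return nil, errors2.New(401, "invalid api key")
}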
// edgeClient builds a Ziti edge management client for cfg.Ziti.ApiEndpoint,
// authenticating with the configured username and password (UPDB).
//
// The controller's well-known CAs are fetched from that same endpoint and
// used as the trust pool for the connection. NOTE(review): how rest_util
// validates that initial fetch is not visible here; confirm it is acceptable
// for this deployment.
func edgeClient() (*rest_management_api_client.ZitiEdgeManagement, error) {
	endpoint := cfg.Ziti.ApiEndpoint
	cas, err := rest_util.GetControllerWellKnownCas(endpoint)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for i := range cas {
		pool.AddCert(cas[i])
	}
	return rest_util.NewEdgeManagementClientWithUpdb(cfg.Ziti.Username, cfg.Ziti.Password, endpoint, pool)
}
// createServiceToken returns a fresh 12-character identifier drawn from the
// lowercase alphanumerics [a-z0-9] (36^12, roughly 2^62 possibilities).
// A generator construction error from nanoid is returned unchanged.
func createServiceToken() (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	const length = 12
	next, err := nanoid.CustomASCII(alphabet, length)
	if err != nil {
		return "", err
	}
	token := next()
	return token, nil
}
// createToken returns a fresh 12-character token drawn from the mixed-case
// alphanumerics [a-zA-Z0-9] (62^12, roughly 2^71 possibilities).
// A generator construction error from nanoid is returned unchanged.
func createToken() (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	const length = 12
	next, err := nanoid.CustomASCII(alphabet, length)
	if err != nil {
		return "", err
	}
	token := next()
	return token, nil
}
// hashPassword returns the lowercase hex encoding of the SHA-512 digest of raw.
//
// This is a single unsalted hash pass, not a password-hashing function (no
// salt, no work factor). Stored hashes depend on this exact encoding, so any
// change here is a data migration, not a drop-in replacement.
func hashPassword(raw string) string {
	sum := sha512.Sum512([]byte(raw))
	return hex.EncodeToString(sum[:])
}
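// realRemoteAddress returns the client IP for req.
//
// The host part of req.RemoteAddr is the default; IPv6 literals such as
// "[::1]:443" are handled, and if RemoteAddr does not parse as host:port the
// text before the first ':' is used, as before. When an X-Forwarded-For
// header is present its first comma-separated entry wins, since that is the
// originating client as recorded by the proxy chain; a trailing space after
// the comma is no longer required.
//
// X-Forwarded-For is client-supplied and is only meaningful when a trusted
// reverse proxy in front of this service sets or overwrites it; without such
// a proxy the returned address is chosen by the caller and must not drive
// access decisions.
func realRemoteAddress(req *http.Request) string {
	ip := req.RemoteAddr
	if host, _, err := net.SplitHostPort(ip); err == nil {
		ip = host
	} else {
		// Fallback for addresses without a port (or otherwise unparseable).
		ip = strings.Split(ip, ":")[0]
	}
	if fwd := req.Header.Get("X-Forwarded-For"); fwd != "" {
		// Format is "client, proxy1, proxy2"; only the first entry is wanted.
		first := strings.TrimSpace(strings.SplitN(fwd, ",", 2)[0])
		if first != "" {
			ip = first
		}
	}
	return ip
}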
// proxyUrl renders cfg.Proxy.UrlTemplate with every "{svcToken}" placeholder
// replaced by svcToken. The token is inserted verbatim (no URL escaping), so
// callers must pass a value that is already safe inside a URL.
func proxyUrl(svcToken string) string {
	const placeholder = "{svcToken}"
	return strings.ReplaceAll(cfg.Proxy.UrlTemplate, placeholder, svcToken)
}