server

package
Published: Sep 14, 2022 License: BSD-3-Clause Imports: 37 Imported by: 17

Documentation

Index

Constants

const (
	// PublicCategory, PrivateCategory and UnknownCategory are the values an
	// Account.DomainCategory can take. The category decides whether users who
	// share a domain are joined into one account (see
	// GetAccountWithAuthorizationClaims), so it is a tenancy boundary.
	PublicCategory     = "public"
	PrivateCategory    = "private"
	UnknownCategory    = "unknown"
	// CacheExpirationMax/Min bound a cache entry's lifetime to 3-7 days.
	// NOTE(review): which cache they govern is not visible in this package's
	// exported API - confirm against the implementation before tuning.
	CacheExpirationMax = 7 * 24 * 3600 * time.Second // 7 days
	CacheExpirationMin = 3 * 24 * 3600 * time.Second // 3 days
)
const (
	// Transport protocols accepted in Host.Proto for STUN/TURN/Signal hosts.
	UDP   Protocol = "udp"
	DTLS  Protocol = "dtls"
	TCP   Protocol = "tcp"
	HTTP  Protocol = "http"
	HTTPS Protocol = "https"
	// NONE is the Provider sentinel (literally "none"). DeviceAuthorizationFlow
	// carries Provider as a plain string, so callers presumably compare against
	// string(NONE) - verify where it is consumed.
	NONE  Provider = "none"
)
const (
	// SubnetSize is a size of the subnet of the global network, e.g.  100.77.0.0/16
	SubnetSize = 16
	// NetSize is a global network size 100.64.0.0/10
	NetSize = 10
	// SubnetSize - NetSize = 6 bits, i.e. 2^6 = 64 possible /16 subnets, which
	// is the figure NewNetwork quotes.

	// AllowedIPsFormat generates Wireguard AllowedIPs format (e.g. 100.64.30.1/32)
	// Every peer is announced as a single host (/32) entry.
	AllowedIPsFormat = "%s/32"
)
const (
	// TrafficFlowBidirect allows traffic to both direction
	// (the only TrafficFlowType value declared in this block; the type itself
	// is declared elsewhere)
	TrafficFlowBidirect TrafficFlowType = iota
	// TrafficFlowBidirectString allows traffic to both direction
	TrafficFlowBidirectString = "bidirect"
	// DefaultRuleName is a name for the Default rule that is created for every account
	DefaultRuleName = "Default"
	// DefaultRuleDescription is a description for the Default rule that is created for every account
	// NOTE(review): the default rule is permissive - every new account starts
	// with an all-to-all allow rule, so any segmentation must be achieved by
	// editing or disabling it (Rule.Disabled).
	DefaultRuleDescription = "This is a default rule that allows connections between all the resources"
)
const (
	// SetupKeyReusable is a multi-use key (can be used for multiple machines)
	SetupKeyReusable SetupKeyType = "reusable"
	// SetupKeyOneOff is a single use key (can be used only once)
	SetupKeyOneOff SetupKeyType = "one-off"

	// DefaultSetupKeyDuration = 1 month (exactly 30 days, not a calendar month)
	DefaultSetupKeyDuration = 24 * 30 * time.Hour
	// DefaultSetupKeyName is a default name of the default setup key
	DefaultSetupKeyName = "Default key"

	// UpdateSetupKeyName indicates a setup key name update operation
	// NOTE(review): this iota shares the const block with the four specs
	// above, so UpdateSetupKeyName == 4 (not 0) and the next three are 5, 6
	// and 7. Do not persist or compare these values by raw number without
	// allowing for that offset.
	UpdateSetupKeyName SetupKeyUpdateOperationType = iota
	// UpdateSetupKeyRevoked indicates a setup key revoked filed update operation
	UpdateSetupKeyRevoked
	// UpdateSetupKeyAutoGroups indicates a setup key auto-assign groups update operation
	UpdateSetupKeyAutoGroups
	// UpdateSetupKeyExpiresAt indicates a setup key expiration time update operation
	UpdateSetupKeyExpiresAt
)

Variables

This section is empty.

Functions

func AllocatePeerIP

func AllocatePeerIP(ipNet net.IPNet, takenIps []net.IP) (net.IP, error)

AllocatePeerIP picks an available IP from a net.IPNet. It takes the already taken IPs into account and fills gaps in takenIps, so an address that is no longer listed as taken can be handed out again — do not treat a peer IP as a permanent identifier. E.g. if ipNet=100.30.0.0/16 and takenIps=[100.30.0.1, 100.30.0.4] then the result would be 100.30.0.2 or 100.30.0.3.

func Hash

func Hash(s string) uint32

func ToResponseProto

func ToResponseProto(configProto Protocol) proto.HostConfig_Protocol

Types

type Account

// Account is the unit of tenancy: peers, users, groups, ACL rules and routes
// all hang off exactly one Account, and FileStore persists the whole struct.
type Account struct {
	Id string
	// User.Id it was created by
	CreatedBy              string
	// Domain and DomainCategory (PublicCategory/PrivateCategory/UnknownCategory)
	// drive domain-based account joining; see GetAccountWithAuthorizationClaims.
	Domain                 string
	DomainCategory         string
	// IsDomainPrimaryAccount - presumably marks the account a private domain
	// resolves to (FileStore.GetAccountByPrivateDomain); confirm in the store.
	IsDomainPrimaryAccount bool
	// SetupKeys are the account's registration credentials. NOTE(review): no
	// json:"-" tag, so SetupKey.Key values are written to the store file -
	// treat Config.Datadir as secret material.
	SetupKeys              map[string]*SetupKey
	Network                *Network
	// Peers, presumably keyed by Peer.Key (the WireGuard public key).
	Peers                  map[string]*Peer
	Users                  map[string]*User
	Groups                 map[string]*Group
	// Rules are the ACL; every account is created with a permissive default
	// rule (DefaultRuleName).
	Rules                  map[string]*Rule
	Routes                 map[string]*route.Route
}

Account represents a unique account of the system

func (*Account) Copy

func (a *Account) Copy() *Account

func (*Account) GetGroupAll

func (a *Account) GetGroupAll() (*Group, error)

type AccountManager

// AccountManager is the business-logic boundary of the management service.
// NOTE(review): the only caller identity these methods see is what is passed
// in (accountId, userId or JWT claims); the question "may the caller act on
// this account?" has to be answered before calling into this interface -
// presumably in the HTTP/gRPC handlers. Confirm that every account-scoped
// handler checks the principal's account against accountId.
type AccountManager interface {
	// Account lookup. GetOrCreateAccountByUser and GetAccountByUserOrAccountId
	// have a side effect: they create an account when the user has none.
	GetOrCreateAccountByUser(userId, domain string) (*Account, error)
	GetAccountByUser(userId string) (*Account, error)
	// Setup keys are pre-authorised registration credentials scoped to an
	// account; the returned *SetupKey includes the secret Key.
	CreateSetupKey(
		accountId string,
		keyName string,
		keyType SetupKeyType,
		expiresIn time.Duration,
		autoGroups []string,
	) (*SetupKey, error)
	SaveSetupKey(accountID string, key *SetupKey) (*SetupKey, error)
	GetSetupKey(accountID, keyID string) (*SetupKey, error)
	GetAccountById(accountId string) (*Account, error)
	GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
	// JWT-driven entry points: the account is derived from validated claims.
	GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
	IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
	AccountExists(accountId string) (*bool, error)
	// Methods that take only peerKey resolve the account from the key itself:
	// the WireGuard public key is the peer's identity.
	GetPeer(peerKey string) (*Peer, error)
	MarkPeerConnected(peerKey string, connected bool) error
	RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
	DeletePeer(accountId string, peerKey string) (*Peer, error)
	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
	UpdatePeer(accountID string, peer *Peer) (*Peer, error)
	// GetNetworkMap is what a peer receives on Sync: the other peers it may
	// talk to, the network and the routes.
	GetNetworkMap(peerKey string) (*NetworkMap, error)
	GetPeerNetwork(peerKey string) (*Network, error)
	// AddPeer registers a peer either by setup key or by an authenticated
	// user ID; see the DefaultAccountManager.AddPeer doc for the rules.
	AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
	// Meta and SSH key are supplied by the peer side (keyed by peerKey only).
	UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
	UpdatePeerSSHKey(peerKey string, sshKey string) error
	GetUsersFromAccount(accountId string) ([]*UserInfo, error)
	// Groups, rules (ACL) and routes are all account-scoped.
	GetGroup(accountId, groupID string) (*Group, error)
	SaveGroup(accountId string, group *Group) error
	UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
	DeleteGroup(accountId, groupID string) error
	ListGroups(accountId string) ([]*Group, error)
	GroupAddPeer(accountId, groupID, peerKey string) error
	GroupDeletePeer(accountId, groupID, peerKey string) error
	GroupListPeers(accountId, groupID string) ([]*Peer, error)
	GetRule(accountId, ruleID string) (*Rule, error)
	SaveRule(accountID string, rule *Rule) error
	UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
	DeleteRule(accountId, ruleID string) error
	ListRules(accountId string) ([]*Rule, error)
	GetRoute(accountID, routeID string) (*route.Route, error)
	CreateRoute(accountID string, prefix, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error)
	SaveRoute(accountID string, route *route.Route) error
	UpdateRoute(accountID string, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
	DeleteRoute(accountID, routeID string) error
	ListRoutes(accountID string) ([]*route.Route, error)
	ListSetupKeys(accountID string) ([]*SetupKey, error)
}

type Config

// Config of the Management service. Several fields carry secrets
// (TURNConfig/Stuns hosts may hold passwords, DeviceAuthorizationFlow holds an
// IdP client secret), so the config file deserves the same protection as
// Datadir.
type Config struct {
	Stuns      []*Host
	TURNConfig *TURNConfig
	Signal     *Host

	// Datadir is where FileStore keeps the account file (see NewStore); it
	// contains setup keys and peer data.
	Datadir string

	// HttpConfig holds TLS and JWT-validation settings for the HTTP API.
	HttpConfig *HttpServerConfig

	IdpManagerConfig *idp.Config

	// DeviceAuthorizationFlow is served to clients by
	// GRPCServer.GetDeviceAuthorizationFlow.
	DeviceAuthorizationFlow *DeviceAuthorizationFlow
}

Config of the Management service

type DefaultAccountManager

// DefaultAccountManager is the AccountManager implementation built by
// BuildManager.
type DefaultAccountManager struct {
	// Store is the persistence backend handed to BuildManager (FileStore in
	// this package).
	Store Store
	// contains filtered or unexported fields
}

func BuildManager

func BuildManager(
	store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager,
) (*DefaultAccountManager, error)

BuildManager creates a new DefaultAccountManager with a provided Store

func (*DefaultAccountManager) AccountExists

func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error)

AccountExists checks whether account exists (returns true) or not (returns false)

func (*DefaultAccountManager) AddPeer

func (am *DefaultAccountManager) AddPeer(
	setupKey string,
	userID string,
	peer *Peer,
) (*Peer, error)

AddPeer adds a new peer to the Store. Each Account has a list of pre-authorised SetupKeys; if no Account has the given key, an error with code codes.Unauthenticated is returned, meaning the key is invalid. If a User ID is provided, authentication was done via JWT: the account is looked up by User ID, the peer is registered to it, and the User ID is added to the peer metadata to identify the registrant. Each new Peer is assigned an IP from Account.Network. NOTE: the original comment states that Account.Network.LastIP is updated and that IPs are never reused; this conflicts with AllocatePeerIP (documented above as filling gaps in taken IPs) and the Network struct on this page has no exported LastIP field — verify against the implementation before relying on peer IPs being unique over time. The peer argument is just a placeholder for the Peer properties to pass further.

func (*DefaultAccountManager) CreateRoute added in v0.8.9

func (am *DefaultAccountManager) CreateRoute(accountID string, network, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error)

CreateRoute creates and saves a new route

func (*DefaultAccountManager) CreateSetupKey added in v0.9.2

func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType,
	expiresIn time.Duration, autoGroups []string) (*SetupKey, error)

CreateSetupKey generates a new setup key with a given name, type, list of groups IDs to auto-assign to peers registered with this key, and adds it to the specified account. A list of autoGroups IDs can be empty.

func (*DefaultAccountManager) DeleteGroup

func (am *DefaultAccountManager) DeleteGroup(accountID, groupID string) error

DeleteGroup object of the peers

func (*DefaultAccountManager) DeletePeer

func (am *DefaultAccountManager) DeletePeer(accountId string, peerKey string) (*Peer, error)

DeletePeer removes the peer identified by peerKey (its WireGuard public key) from the given account; despite the original wording it does not look the peer up by IP.

func (*DefaultAccountManager) DeleteRoute added in v0.8.9

func (am *DefaultAccountManager) DeleteRoute(accountID, routeID string) error

DeleteRoute deletes route with routeID

func (*DefaultAccountManager) DeleteRule

func (am *DefaultAccountManager) DeleteRule(accountID, ruleID string) error

DeleteRule of ACL from the store

func (*DefaultAccountManager) GetAccountById

func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error)

GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist

func (*DefaultAccountManager) GetAccountByUser

func (am *DefaultAccountManager) GetAccountByUser(userId string) (*Account, error)

GetAccountByUser returns an existing account for a given user id, NotFound if account couldn't be found

func (*DefaultAccountManager) GetAccountByUserOrAccountId

func (am *DefaultAccountManager) GetAccountByUserOrAccountId(
	userId, accountId, domain string,
) (*Account, error)

GetAccountByUserOrAccountId looks for an account by user ID or account ID. Side effect: if no account ID is provided and the user has no account associated with it, a new account is created.

func (*DefaultAccountManager) GetAccountWithAuthorizationClaims

func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(
	claims jwtclaims.AuthorizationClaims,
) (*Account, error)

GetAccountWithAuthorizationClaims retrieves an account using the JWT claims. If the domain is of the PrivateCategory category, it evaluates whether the account is new, existing, or whether another account already holds the same domain.

Use cases:

New user + New account + New domain -> create account, user role = admin (if private domain, index domain)

New user + New account + Existing Private Domain -> add user to the existing account, user role = regular (not admin). Because this join is driven solely by the domain in the JWT claims, account isolation depends on the IdP asserting that domain only for users who actually belong to it.

New user + New account + Existing Public Domain -> create account, user role = admin

Existing user + Existing account + Existing Domain -> Nothing changes (if private, index domain)

Existing user + Existing account + Existing Indexed Domain -> Nothing changes

Existing user + Existing account + Existing domain reclassified Domain as private -> Nothing changes (index domain)

func (*DefaultAccountManager) GetGroup

func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error)

GetGroup object of the peers

func (*DefaultAccountManager) GetNetworkMap

func (am *DefaultAccountManager) GetNetworkMap(peerKey string) (*NetworkMap, error)

GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)

func (*DefaultAccountManager) GetOrCreateAccountByUser

func (am *DefaultAccountManager) GetOrCreateAccountByUser(userId, domain string) (*Account, error)

GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist

func (*DefaultAccountManager) GetPeer

func (am *DefaultAccountManager) GetPeer(peerKey string) (*Peer, error)

GetPeer returns a peer from a Store

func (*DefaultAccountManager) GetPeerByIP

func (am *DefaultAccountManager) GetPeerByIP(accountId string, peerIP string) (*Peer, error)

GetPeerByIP returns the peer with the given IP within the given account.

func (*DefaultAccountManager) GetPeerNetwork added in v0.8.0

func (am *DefaultAccountManager) GetPeerNetwork(peerKey string) (*Network, error)

GetPeerNetwork returns the Network for a given peer

func (*DefaultAccountManager) GetRoute added in v0.8.9

func (am *DefaultAccountManager) GetRoute(accountID, routeID string) (*route.Route, error)

GetRoute gets a route object from account and route IDs

func (*DefaultAccountManager) GetRule

func (am *DefaultAccountManager) GetRule(accountID, ruleID string) (*Rule, error)

GetRule of ACL from the store

func (*DefaultAccountManager) GetSetupKey added in v0.9.2

func (am *DefaultAccountManager) GetSetupKey(accountID, keyID string) (*SetupKey, error)

GetSetupKey looks up a SetupKey by KeyID, returns NotFound error if not found.

func (*DefaultAccountManager) GetUsersFromAccount

func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error)

GetUsersFromAccount performs a batched request for users from IDP by account id

func (*DefaultAccountManager) GroupAddPeer

func (am *DefaultAccountManager) GroupAddPeer(accountID, groupID, peerKey string) error

GroupAddPeer appends peer to the group

func (*DefaultAccountManager) GroupDeletePeer

func (am *DefaultAccountManager) GroupDeletePeer(accountID, groupID, peerKey string) error

GroupDeletePeer removes peer from the group

func (*DefaultAccountManager) GroupListPeers

func (am *DefaultAccountManager) GroupListPeers(accountID, groupID string) ([]*Peer, error)

GroupListPeers returns list of the peers from the group

func (*DefaultAccountManager) IsUserAdmin added in v0.6.0

func (am *DefaultAccountManager) IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)

IsUserAdmin reports whether the user identified by the JWT claims is an admin of their account.

func (*DefaultAccountManager) ListGroups

func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)

ListGroups objects of the peers

func (*DefaultAccountManager) ListRoutes added in v0.8.9

func (am *DefaultAccountManager) ListRoutes(accountID string) ([]*route.Route, error)

ListRoutes returns a list of routes from account

func (*DefaultAccountManager) ListRules

func (am *DefaultAccountManager) ListRules(accountID string) ([]*Rule, error)

ListRules of ACL from the store

func (*DefaultAccountManager) ListSetupKeys added in v0.9.2

func (am *DefaultAccountManager) ListSetupKeys(accountID string) ([]*SetupKey, error)

ListSetupKeys returns a list of all setup keys of the account

func (*DefaultAccountManager) MarkPeerConnected

func (am *DefaultAccountManager) MarkPeerConnected(peerKey string, connected bool) error

MarkPeerConnected marks peer as connected (true) or disconnected (false)

func (*DefaultAccountManager) RenamePeer

func (am *DefaultAccountManager) RenamePeer(
	accountId string,
	peerKey string,
	newName string,
) (*Peer, error)

RenamePeer changes peer's name

func (*DefaultAccountManager) SaveGroup

func (am *DefaultAccountManager) SaveGroup(accountID string, group *Group) error

SaveGroup object of the peers

func (*DefaultAccountManager) SaveRoute added in v0.8.9

func (am *DefaultAccountManager) SaveRoute(accountID string, routeToSave *route.Route) error

SaveRoute saves route

func (*DefaultAccountManager) SaveRule

func (am *DefaultAccountManager) SaveRule(accountID string, rule *Rule) error

SaveRule of ACL in the store

func (*DefaultAccountManager) SaveSetupKey added in v0.9.2

func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey) (*SetupKey, error)

SaveSetupKey saves the provided SetupKey to the database, overwriting the existing one. Because a SetupKey is unique, certain properties must not be overwritten (the key itself, the creation date, the ID, etc.). Only Name, AutoGroups and Revoked are taken from keyToSave; everything else is copied from the existing key. Setting Revoked is therefore the way to invalidate a leaked key while keeping its usage history.

func (*DefaultAccountManager) UpdateGroup added in v0.7.0

func (am *DefaultAccountManager) UpdateGroup(accountID string,
	groupID string, operations []GroupUpdateOperation) (*Group, error)

UpdateGroup updates a group using a list of operations

func (*DefaultAccountManager) UpdatePeer added in v0.8.0

func (am *DefaultAccountManager) UpdatePeer(accountID string, update *Peer) (*Peer, error)

UpdatePeer updates peer. Only Peer.Name and Peer.SSHEnabled can be updated.

func (*DefaultAccountManager) UpdatePeerMeta

func (am *DefaultAccountManager) UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error

UpdatePeerMeta updates peer's system metadata

func (*DefaultAccountManager) UpdatePeerSSHKey added in v0.8.0

func (am *DefaultAccountManager) UpdatePeerSSHKey(peerKey string, sshKey string) error

UpdatePeerSSHKey updates peer's public SSH key

func (*DefaultAccountManager) UpdateRoute added in v0.8.9

func (am *DefaultAccountManager) UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)

UpdateRoute updates existing route with set of operations

func (*DefaultAccountManager) UpdateRule added in v0.7.0

func (am *DefaultAccountManager) UpdateRule(accountID string, ruleID string,
	operations []RuleUpdateOperation) (*Rule, error)

UpdateRule updates a rule using a list of operations

type DeviceAuthorizationFlow

// DeviceAuthorizationFlow is the server-side description of the OAuth 2.0
// device authorization grant (RFC 8628) that clients use to log in.
type DeviceAuthorizationFlow struct {
	// Provider names the IdP; the NONE constant ("none") is the only value
	// declared in this package.
	Provider       string
	// ProviderConfig includes ClientSecret - see the note on that type about
	// what gets returned to clients.
	ProviderConfig ProviderConfig
}

DeviceAuthorizationFlow represents the Device Authorization Flow information that the client uses to initiate an OAuth 2.0 device authorization grant flow for login; see https://datatracker.ietf.org/doc/html/rfc8628

type FileStore

// FileStore is the on-disk Store implementation. Only Accounts is serialized;
// every other field carries json:"-" and is an in-memory lookup index
// (presumably rebuilt when NewStore loads the file). Because Account carries
// SetupKeys and Peers without such tags, setup-key secrets and peer data end
// up in the data file - protect Config.Datadir accordingly.
type FileStore struct {
	Accounts                map[string]*Account
	// Forward indexes: setup key / peer key / user ID / private domain -> account ID.
	SetupKeyId2AccountId    map[string]string              `json:"-"`
	PeerKeyId2AccountId     map[string]string              `json:"-"`
	UserId2AccountId        map[string]string              `json:"-"`
	PrivateDomain2AccountId map[string]string              `json:"-"`
	// Reverse indexes: peer key -> rule IDs where it is a source/destination,
	// and -> route IDs it serves.
	PeerKeyId2SrcRulesId    map[string]map[string]struct{} `json:"-"`
	PeerKeyId2DstRulesId    map[string]map[string]struct{} `json:"-"`
	PeerKeyID2RouteIDs      map[string]map[string]struct{} `json:"-"`
	// account ID -> route prefix -> route IDs (used by GetRoutesByPrefix).
	AccountPrefix2RouteIDs  map[string]map[string][]string `json:"-"`
	// contains filtered or unexported fields
}

FileStore represents an account storage backed by a file persisted to disk

func NewStore

func NewStore(dataDir string) (*FileStore, error)

NewStore restores a store from the file located in the datadir

func (*FileStore) DeletePeer

func (s *FileStore) DeletePeer(accountId string, peerKey string) (*Peer, error)

DeletePeer deletes peer from the Store

func (*FileStore) GetAccount

func (s *FileStore) GetAccount(accountId string) (*Account, error)

GetAccount returns an account for id

func (*FileStore) GetAccountByPrivateDomain

func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error)

GetAccountByPrivateDomain returns account by private domain

func (*FileStore) GetAccountBySetupKey

func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error)

GetAccountBySetupKey returns the account that owns the given setup key (via the SetupKeyId2AccountId index). Whether the argument is the key ID or the key string itself is not evident from the signature — check the caller before reusing it.

func (*FileStore) GetAccountPeers

func (s *FileStore) GetAccountPeers(accountId string) ([]*Peer, error)

GetAccountPeers returns account peers

func (*FileStore) GetAllAccounts

func (s *FileStore) GetAllAccounts() (all []*Account)

GetAllAccounts returns all accounts

func (*FileStore) GetPeer

func (s *FileStore) GetPeer(peerKey string) (*Peer, error)

GetPeer returns a peer from a Store

func (*FileStore) GetPeerAccount

func (s *FileStore) GetPeerAccount(peerKey string) (*Account, error)

GetPeerAccount returns the account that the peer with the given key belongs to, if it exists.

func (*FileStore) GetPeerDstRules

func (s *FileStore) GetPeerDstRules(accountId, peerKey string) ([]*Rule, error)

GetPeerDstRules return list of destination rules for peer

func (*FileStore) GetPeerRoutes added in v0.8.9

func (s *FileStore) GetPeerRoutes(peerKey string) ([]*route.Route, error)

GetPeerRoutes return list of routes for peer

func (*FileStore) GetPeerSrcRules

func (s *FileStore) GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error)

GetPeerSrcRules return list of source rules for peer

func (*FileStore) GetRoutesByPrefix added in v0.8.9

func (s *FileStore) GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error)

GetRoutesByPrefix return list of routes by account and route prefix

func (*FileStore) GetUserAccount

func (s *FileStore) GetUserAccount(userId string) (*Account, error)

GetUserAccount returns a user account

func (*FileStore) SaveAccount

func (s *FileStore) SaveAccount(account *Account) error

SaveAccount updates an existing account or adds a new one

func (*FileStore) SavePeer

func (s *FileStore) SavePeer(accountId string, peer *Peer) error

SavePeer saves updated peer

type GRPCServer added in v0.8.5

// GRPCServer an instance of a Management gRPC API server. It is the
// peer-facing surface (Login, Sync, GetServerKey, GetDeviceAuthorizationFlow);
// the message payloads of Login/Sync/GetDeviceAuthorizationFlow are
// proto.EncryptedMessage.
type GRPCServer struct {
	proto.UnimplementedManagementServiceServer
	// contains filtered or unexported fields
}

GRPCServer an instance of a Management gRPC API server

func NewServer

func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*GRPCServer, error)

NewServer creates a new Management server

func (*GRPCServer) GetDeviceAuthorizationFlow added in v0.8.5

func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)

GetDeviceAuthorizationFlow returns the device authorization flow information used by clients to initiate an OAuth 2.0 device authorization grant and log in. Request and response are proto.EncryptedMessage, i.e. carried over the encrypted management channel. Note that ProviderConfig contains ClientSecret; confirm which of its fields are copied into the response, since anything returned here is in the hands of every peer.

func (*GRPCServer) GetServerKey added in v0.8.5

func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error)

func (*GRPCServer) IsHealthy added in v0.8.5

func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty, error)

IsHealthy indicates whether the service is healthy

func (*GRPCServer) Login added in v0.8.5

Login first checks whether the peer is registered under any account. If it is, the login succeeds. If it is not, the endpoint checks whether a setup key is provided in the request and tries to register the peer with it (registration presumably requires the key to pass SetupKey.IsValid — not revoked, not expired, not over-used — see AddPeer). If registration succeeds the login also succeeds.

func (*GRPCServer) Sync added in v0.8.5

Sync validates that the connecting peer exists, sends it the initial state (everything visible to that peer) and then notifies it of any updates (e.g. new peers under the same account).

type Group

// Group of the peers for ACL. Rule.Source/Rule.Destination reference groups by ID.
type Group struct {
	// ID of the group
	ID string

	// Name visible in the UI
	Name string

	// Peers list of the group, as peer keys (see GroupAddPeer/GroupDeletePeer).
	Peers []string
}

Group of the peers for ACL

func (*Group) Copy

func (g *Group) Copy() *Group

type GroupUpdateOperation added in v0.7.0

// GroupUpdateOperation operation object with type and values to be applied
type GroupUpdateOperation struct {
	Type   GroupUpdateOperationType
	// Values: presumably the new name for UpdateGroupName and peer keys for
	// the peer-list operations - confirm in UpdateGroup.
	Values []string
}

GroupUpdateOperation operation object with type and values to be applied

type GroupUpdateOperationType added in v0.7.0

// GroupUpdateOperationType selects which field UpdateGroup modifies; see the constants below.
type GroupUpdateOperationType int

GroupUpdateOperationType operation type

const (
	// UpdateGroupName indicates a name update operation
	UpdateGroupName GroupUpdateOperationType = iota
	// InsertPeersToGroup indicates insert peers to group operation
	InsertPeersToGroup
	// RemovePeersFromGroup indicates a remove peers from group operation
	RemovePeersFromGroup
	// UpdateGroupPeers indicates a replacement of group peers list
	// (the whole list is replaced, not merged)
	UpdateGroupPeers
)

type Host

// Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
type Host struct {
	Proto Protocol
	// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
	URI      string
	// Username/Password are credentials for hosts that need them (e.g. TURN
	// relays). They are presumably distributed to peers so they can use the
	// relay; keep them out of logs and out of any unintended API response.
	Username string
	Password string
}

Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)

type HttpServerConfig

// HttpServerConfig is a config of the HTTP Management service server.
// Two TLS sources are expressed (LetsEncryptDomain vs CertFile/CertKey);
// which one wins when both are set is not visible here.
type HttpServerConfig struct {
	LetsEncryptDomain string
	//CertFile is the location of the certificate
	CertFile string
	//CertKey is the location of the certificate private key
	CertKey string
	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
	AuthAudience string
	// AuthIssuer identifies principal that issued the JWT.
	AuthIssuer string
	// AuthKeysLocation is a location of JWT key set containing the public keys used to verify JWT
	// NOTE(review): this key set is the trust root for every API token. It
	// should be retrieved over an authenticated channel and belong to
	// AuthIssuer - confirm how the location is validated and cached.
	AuthKeysLocation string
	// OIDCConfigEndpoint is the endpoint of an IDP manager to get OIDC configuration
	OIDCConfigEndpoint string
}

HttpServerConfig is a config of the HTTP Management service server

type Network

// Network is the address space of one Account.
type Network struct {
	Id  string
	// Net is the /16 chosen by NewNetwork from 100.64.0.0/10; peer IPs are
	// allocated from it.
	Net net.IPNet
	Dns string
	// Serial is an ID that increments by 1 when any change to the network happened (e.g. new peer has been added).
	// Used to synchronize state to the client apps.
	Serial uint64
	// contains filtered or unexported fields
}

func NewNetwork

func NewNetwork() *Network

NewNetwork creates a new Network, initializing it with Serial=0. It picks a random /16 subnet from 100.64.0.0/10 (only 64 possible subnets, so different accounts can end up with the same range — isolation comes from the account, not from the address space).

func (*Network) Copy

func (n *Network) Copy() *Network

func (*Network) CurrentSerial

func (n *Network) CurrentSerial() uint64

CurrentSerial returns the Network.Serial of the network (latest state id)

func (*Network) IncSerial

func (n *Network) IncSerial()

IncSerial increments Serial by 1 reflecting that the network state has been changed

type NetworkMap

// NetworkMap is what GetNetworkMap hands to a peer: the other peers it may
// reach (the requesting peer itself is omitted), its network and the routes.
type NetworkMap struct {
	Peers   []*Peer
	Network *Network
	Routes  []*route.Route
}

type Peer

// Peer represents a machine connected to the network. The Peer is a Wireguard peer identified by a public key
type Peer struct {
	// Wireguard public key
	// Key is the peer's identity: the peerKey-only AccountManager/Store
	// methods look the peer up by it alone.
	Key string
	// A setup key this peer was registered with
	// (presumably empty when the peer was registered via a JWT user - see AddPeer)
	SetupKey string
	// IP address of the Peer
	// Allocated from Account.Network; see AllocatePeerIP regarding reuse.
	IP net.IP
	// Meta is a Peer system meta data
	// Presumably self-reported via UpdatePeerMeta - informational only, not a
	// basis for authorization decisions.
	Meta PeerSystemMeta
	// Name is peer's name (machine name)
	Name   string
	Status *PeerStatus
	// The user ID that registered the peer
	UserID string
	// SSHKey is a public SSH key of the peer
	// Set through UpdatePeerSSHKey (keyed by peer key only).
	SSHKey string
	// SSHEnabled indicated whether SSH server is enabled on the peer
	SSHEnabled bool
}

Peer represents a machine connected to the network. The Peer is a Wireguard peer identified by a public key

func (*Peer) Copy

func (p *Peer) Copy() *Peer

Copy copies Peer object

type PeerStatus

// PeerStatus is the management-service view of a peer's connectivity,
// maintained by MarkPeerConnected.
type PeerStatus struct {
	// LastSeen is the last time peer was connected to the management service
	LastSeen time.Time
	// Connected indicates whether peer is connected to the management service or not
	Connected bool
}

type PeerSystemMeta

// PeerSystemMeta is a metadata of a Peer machine system. It arrives through
// UpdatePeerMeta, i.e. presumably from the peer itself, so none of these
// fields should be trusted for access decisions.
type PeerSystemMeta struct {
	Hostname  string
	GoOS      string
	Kernel    string
	Core      string
	Platform  string
	OS        string
	WtVersion string
	UIVersion string
}

PeerSystemMeta is a metadata of a Peer machine system

type PeersUpdateManager

// PeersUpdateManager owns one update channel per connected peer
// (CreateChannel/SendUpdate/CloseChannel), keyed by peer key.
type PeersUpdateManager struct {
	// contains filtered or unexported fields
}

func NewPeersUpdateManager

func NewPeersUpdateManager() *PeersUpdateManager

NewPeersUpdateManager returns a new instance of PeersUpdateManager

func (*PeersUpdateManager) CloseChannel

func (p *PeersUpdateManager) CloseChannel(peerKey string)

CloseChannel closes updates channel of a given peer

func (*PeersUpdateManager) CreateChannel

func (p *PeersUpdateManager) CreateChannel(peerKey string) chan *UpdateMessage

CreateChannel creates a go channel for a given peer used to deliver updates relevant to the peer.

func (*PeersUpdateManager) SendUpdate

func (p *PeersUpdateManager) SendUpdate(peer string, update *UpdateMessage) error

SendUpdate sends update message to the peer's channel

type Protocol

// Protocol is the transport of a Host; values are UDP, DTLS, TCP, HTTP, HTTPS.
type Protocol string

type Provider

// Provider names an identity provider; NONE ("none") is the only value declared here.
type Provider string

type ProviderConfig

// ProviderConfig has all attributes needed to initiate a device authorization flow
type ProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret
	// NOTE(review): this struct is part of DeviceAuthorizationFlow, which
	// GRPCServer.GetDeviceAuthorizationFlow serves to clients. Confirm whether
	// ClientSecret is included in that response; if it is, the IdP application
	// must be treated as a public client.
	ClientSecret string
	// Domain An IDP API domain
	// Deprecated. Use TokenEndpoint and DeviceAuthEndpoint
	Domain string
	// Audience An Audience for to authorization validation
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
	TokenEndpoint string
	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
	DeviceAuthEndpoint string
}

ProviderConfig has all attributes needed to initiate a device authorization flow

type RouteUpdateOperation added in v0.8.9

// RouteUpdateOperation operation object with type and values to be applied
type RouteUpdateOperation struct {
	Type   RouteUpdateOperationType
	// Values are strings for every operation type; numeric/boolean fields
	// (metric, masquerade, enabled) are presumably parsed in UpdateRoute.
	Values []string
}

RouteUpdateOperation operation object with type and values to be applied

type RouteUpdateOperationType added in v0.8.9

// RouteUpdateOperationType selects which route field UpdateRoute modifies; see the constants below.
type RouteUpdateOperationType int

RouteUpdateOperationType operation type

const (
	// UpdateRouteDescription indicates a route description update operation
	UpdateRouteDescription RouteUpdateOperationType = iota
	// UpdateRouteNetwork indicates a route IP update operation
	UpdateRouteNetwork
	// UpdateRoutePeer indicates a route peer update operation
	// (changes which peer forwards traffic for the prefix)
	UpdateRoutePeer
	// UpdateRouteMetric indicates a route metric update operation
	UpdateRouteMetric
	// UpdateRouteMasquerade indicates a route masquerade update operation
	UpdateRouteMasquerade
	// UpdateRouteEnabled indicates a route enabled update operation
	UpdateRouteEnabled
	// UpdateRouteNetworkIdentifier indicates a route net ID update operation
	UpdateRouteNetworkIdentifier
)

func (RouteUpdateOperationType) String added in v0.8.9

func (t RouteUpdateOperationType) String() string

type Rule

// Rule of ACL for groups. Every account starts with a permissive default rule
// (DefaultRuleName); rules are allow-rules between group sets.
type Rule struct {
	// ID of the rule
	ID string

	// Name of the rule visible in the UI
	Name string

	// Description of the rule visible in the UI
	Description string

	// Disabled status of rule in the system
	Disabled bool

	// Source list of groups IDs of peers
	Source []string

	// Destination list of groups IDs of peers
	Destination []string

	// Flow of the traffic allowed by the rule
	// (TrafficFlowBidirect is the only flow value declared in this package)
	Flow TrafficFlowType
}

Rule of ACL for groups

func (*Rule) Copy

func (r *Rule) Copy() *Rule

type RuleUpdateOperation added in v0.7.0

// RuleUpdateOperation operation object with type and values to be applied
type RuleUpdateOperation struct {
	Type   RuleUpdateOperationType
	// Values: group IDs for the source/destination operations, otherwise the
	// new field value - presumably, confirm in UpdateRule.
	Values []string
}

RuleUpdateOperation operation object with type and values to be applied

type RuleUpdateOperationType added in v0.7.0

// RuleUpdateOperationType selects which rule field UpdateRule modifies; see the constants below.
type RuleUpdateOperationType int

RuleUpdateOperationType operation type

const (
	// UpdateRuleName indicates a rule name update operation
	UpdateRuleName RuleUpdateOperationType = iota
	// UpdateRuleDescription indicates a rule description update operation
	UpdateRuleDescription
	// UpdateRuleStatus indicates a rule status update operation
	// (toggles Rule.Disabled)
	UpdateRuleStatus
	// UpdateRuleFlow indicates a rule flow update operation
	UpdateRuleFlow
	// InsertGroupsToSource indicates an insert groups to source rule operation
	InsertGroupsToSource
	// RemoveGroupsFromSource indicates an remove groups from source rule operation
	RemoveGroupsFromSource
	// UpdateSourceGroups indicates a replacement of source group list of a rule operation
	UpdateSourceGroups
	// InsertGroupsToDestination indicates an insert groups to destination rule operation
	InsertGroupsToDestination
	// RemoveGroupsFromDestination indicates an remove groups from destination rule operation
	RemoveGroupsFromDestination
	// UpdateDestinationGroups indicates a replacement of destination group list of a rule operation
	UpdateDestinationGroups
)

type SetupKey

// SetupKey represents a pre-authorized key used to register machines (peers).
// Validity is the conjunction of IsRevoked/IsExpired/IsOverUsed (see IsValid).
type SetupKey struct {
	// Id is the identifier used in API paths (GetSetupKey(accountID, keyID)).
	Id        string
	// Key is the secret a machine presents to register. It is stored inside
	// Account.SetupKeys and returned by GetSetupKey/ListSetupKeys.
	Key       string
	Name      string
	Type      SetupKeyType
	CreatedAt time.Time
	ExpiresAt time.Time
	UpdatedAt time.Time
	// Revoked indicates whether the key was revoked or not (we don't remove them for tracking purposes)
	Revoked bool
	// UsedTimes indicates how many times the key was used
	// (a SetupKeyOneOff key is spent after a single use - see IsOverUsed)
	UsedTimes int
	// LastUsed last time the key was used for peer registration
	LastUsed time.Time
	// AutoGroups is a list of Group IDs that are auto assigned to a Peer when it uses this key to register
	// Because groups feed ACL rules, AutoGroups decides what a freshly
	// registered peer can reach.
	AutoGroups []string
}

SetupKey represents a pre-authorized key used to register machines (peers)

func GenerateDefaultSetupKey

func GenerateDefaultSetupKey() *SetupKey

GenerateDefaultSetupKey generates the default setup key (presumably named DefaultSetupKeyName and valid for DefaultSetupKeyDuration).

func GenerateSetupKey

func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration, autoGroups []string) *SetupKey

GenerateSetupKey generates a new setup key

func (*SetupKey) Copy

func (key *SetupKey) Copy() *SetupKey

Copy copies SetupKey to a new object

func (*SetupKey) IncrementUsage

func (key *SetupKey) IncrementUsage() *SetupKey

IncrementUsage makes a copy of a key, increments the UsedTimes by 1 and sets LastUsed to now

func (*SetupKey) IsExpired

func (key *SetupKey) IsExpired() bool

IsExpired reports whether the key has expired

func (*SetupKey) IsOverUsed

func (key *SetupKey) IsOverUsed() bool

IsOverUsed reports whether the key has been used more times than its type allows

func (*SetupKey) IsRevoked

func (key *SetupKey) IsRevoked() bool

IsRevoked reports whether the key has been revoked

func (*SetupKey) IsValid

func (key *SetupKey) IsValid() bool

IsValid is true if the key has not been revoked, has not expired and has not been used more times than allowed

type SetupKeyType

// SetupKeyType is the reuse policy of a setup key, expressed as a string so
// it can be stored and exposed through the API directly (see SetupKeyReusable
// and SetupKeyOneOff).
type SetupKeyType string

SetupKeyType is the type of setup key

type SetupKeyUpdateOperation added in v0.9.2

// SetupKeyUpdateOperation is a single mutation to apply to a setup key.
type SetupKeyUpdateOperation struct {
	// Type selects what the operation changes (see SetupKeyUpdateOperationType).
	Type SetupKeyUpdateOperationType
	// Values are the operation's arguments; their meaning depends on Type and
	// is not specified here — check the implementation that applies them.
	Values []string
}

SetupKeyUpdateOperation operation object with type and values to be applied

type SetupKeyUpdateOperationType added in v0.9.2

// SetupKeyUpdateOperationType selects which field of a setup key an update
// operation changes. It implements fmt.Stringer via String.
type SetupKeyUpdateOperationType int

SetupKeyUpdateOperationType operation type

func (SetupKeyUpdateOperationType) String added in v0.9.2

type Store

// Store is the persistence boundary for accounts, peers, rules and routes.
// Methods take plain identifiers rather than a context, so implementations
// cannot be cancelled from the caller side.
type Store interface {
	// GetPeer returns the peer identified by peerKey.
	GetPeer(peerKey string) (*Peer, error)
	// DeletePeer removes the peer from the account and returns the deleted record.
	DeletePeer(accountId string, peerKey string) (*Peer, error)
	// SavePeer persists peer under the given account.
	SavePeer(accountId string, peer *Peer) error
	// GetAllAccounts returns every stored account; it has no error return, so
	// implementations backed by fallible storage must handle failures internally.
	GetAllAccounts() []*Account
	// GetAccount returns the account identified by accountId.
	GetAccount(accountId string) (*Account, error)
	// GetUserAccount returns the account the given user belongs to.
	GetUserAccount(userId string) (*Account, error)
	// GetAccountPeers returns all peers of an account.
	GetAccountPeers(accountId string) ([]*Peer, error)
	// GetPeerAccount returns the account that owns the peer with peerKey.
	GetPeerAccount(peerKey string) (*Account, error)
	// GetPeerSrcRules returns the account's rules in which the peer is a source.
	GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error)
	// GetPeerDstRules returns the account's rules in which the peer is a destination.
	GetPeerDstRules(accountId, peerKey string) ([]*Rule, error)
	// GetAccountBySetupKey resolves an account from a setup key. The argument
	// is the secret key value, so this is effectively an authentication lookup:
	// implementations should not echo setupKey into logs or error messages.
	GetAccountBySetupKey(setupKey string) (*Account, error)
	// GetAccountByPrivateDomain returns the account that owns a private domain.
	GetAccountByPrivateDomain(domain string) (*Account, error)
	// SaveAccount persists the whole account.
	SaveAccount(account *Account) error
	// GetPeerRoutes returns the routes associated with the peer.
	GetPeerRoutes(peerKey string) ([]*route.Route, error)
	// GetRoutesByPrefix returns the account's routes matching prefix.
	GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error)
}

type StoredAccount

// StoredAccount is an empty type; it carries no fields and no methods are
// shown for it here, so its role cannot be determined from this declaration.
type StoredAccount struct{}

type TURNConfig

// TURNConfig configures the TURNCredentialsManager.
type TURNConfig struct {
	// TimeBasedCredentials presumably switches on TTL-bounded credentials
	// (TimeBasedAuthSecretsManager) instead of static ones — confirm in the caller.
	TimeBasedCredentials bool
	// CredentialsTTL is the lifetime of generated credentials.
	CredentialsTTL util.Duration
	// Secret is the pre-shared secret also known to the TURN server; it keys
	// the HMAC that produces credential passwords. Treat it as sensitive:
	// never log it or include it in messages sent to peers.
	Secret string
	// Turns lists the TURN servers whose credentials this config governs.
	Turns []*Host
}

TURNConfig is a config of the TURNCredentialsManager

type TURNCredentials

// TURNCredentials is a username/password pair a peer presents to a TURN
// server. When produced by TimeBasedAuthSecretsManager, Username is a unix
// timestamp and Password is an HMAC of that timestamp under the shared secret,
// so both are short-lived and must be refreshed before the TTL elapses.
type TURNCredentials struct {
	Username string
	Password string
}

type TURNCredentialsManager

// TURNCredentialsManager issues TURN credentials and keeps them fresh for
// connected peers.
type TURNCredentialsManager interface {
	// GenerateCredentials returns a new credential pair.
	GenerateCredentials() TURNCredentials
	// SetupRefresh starts periodic credential delivery for the peer.
	SetupRefresh(peerKey string)
	// CancelRefresh stops the refresh started by SetupRefresh; it must be
	// called when the peer disconnects so the refresh goroutine does not leak.
	CancelRefresh(peerKey string)
}

TURNCredentialsManager used to manage TURN credentials

type TimeBasedAuthSecretsManager

// TimeBasedAuthSecretsManager implements TURNCredentialsManager with
// TTL-bounded credentials derived from the pre-shared TURN secret.
// Construct it with NewTimeBasedAuthSecretsManager; the zero value is not usable.
type TimeBasedAuthSecretsManager struct {
	// contains filtered or unexported fields
}

TimeBasedAuthSecretsManager generates credentials with a TTL, using a pre-shared secret known to the TURN server

func NewTimeBasedAuthSecretsManager

func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, config *TURNConfig) *TimeBasedAuthSecretsManager

func (*TimeBasedAuthSecretsManager) CancelRefresh

func (m *TimeBasedAuthSecretsManager) CancelRefresh(peerKey string)

CancelRefresh cancels scheduled peer credentials refresh

func (*TimeBasedAuthSecretsManager) GenerateCredentials

func (m *TimeBasedAuthSecretsManager) GenerateCredentials() TURNCredentials

GenerateCredentials generates new time-based secret credentials: the username is a unix timestamp and the password is an HMAC of that timestamp computed with the pre-shared TURN secret

func (*TimeBasedAuthSecretsManager) SetupRefresh

func (m *TimeBasedAuthSecretsManager) SetupRefresh(peerKey string)

SetupRefresh starts the peer credentials refresh. Since credentials expire (TTL), they must be regenerated periodically and sent to the peer. A goroutine is created and recorded in TimeBasedAuthSecretsManager.cancelMap. This routine should be cancelled when the peer is gone.

type TrafficFlowType

// TrafficFlowType is the direction a rule allows traffic to flow in.
// TrafficFlowBidirect is its zero value, so an unset field means bidirectional.
type TrafficFlowType int

TrafficFlowType defines allowed direction of the traffic in the rule

type UpdateMessage

// UpdateMessage wraps a single proto.SyncResponse to be delivered to a peer.
type UpdateMessage struct {
	Update *proto.SyncResponse
}

type User

// User is a human identity in the system, paired with its authorization role.
type User struct {
	// Id is the user identifier.
	Id string
	// Role is UserRoleAdmin or UserRoleUser and governs what the user may do.
	Role UserRole
}

User represents a user of the system

func NewAdminUser

func NewAdminUser(id string) *User

NewAdminUser creates a new user with role UserRoleAdmin

func NewRegularUser

func NewRegularUser(id string) *User

NewRegularUser creates a new user with role UserRoleUser

func NewUser

func NewUser(id string, role UserRole) *User

NewUser creates a new user

func (*User) Copy

func (u *User) Copy() *User

type UserInfo

// UserInfo is the JSON-serialisable view of a user exposed over the API.
// Unlike User, Role is a plain string here rather than a UserRole.
type UserInfo struct {
	ID    string `json:"id"`
	Email string `json:"email"`
	Name  string `json:"name"`
	Role  string `json:"role"`
}

type UserRole

// UserRole is the authorization role of a User; see UserRoleAdmin and UserRoleUser.
type UserRole string

UserRole is the role of the User

// Known user roles. Any other string is not a valid UserRole and should be
// rejected at the API boundary rather than stored.
const (
	// UserRoleAdmin grants administrative privileges.
	UserRoleAdmin UserRole = "admin"
	// UserRoleUser is the unprivileged, regular role.
	UserRoleUser UserRole = "user"
)

Directories

Path Synopsis
api
Package api provides primitives to interact with the openapi HTTP API.
Package api provides primitives to interact with the openapi HTTP API.
