- Constants
- func AllocatePeerIP(ipNet net.IPNet, takenIps []net.IP) (net.IP, error)
- func Hash(s string) uint32
- func ToResponseProto(configProto Protocol) proto.HostConfig_Protocol
- type Account
- type AccountManager
- type Config
- type DefaultAccountManager
- func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error)
- func (am *DefaultAccountManager) AddPeer(setupKey string, userID string, peer *Peer) (*Peer, error)
- func (am *DefaultAccountManager) CreateRoute(accountID string, network, peer, description, netID string, masquerade bool, ...) (*route.Route, error)
- func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType, ...) (*SetupKey, error)
- func (am *DefaultAccountManager) DeleteGroup(accountID, groupID string) error
- func (am *DefaultAccountManager) DeletePeer(accountId string, peerKey string) (*Peer, error)
- func (am *DefaultAccountManager) DeleteRoute(accountID, routeID string) error
- func (am *DefaultAccountManager) DeleteRule(accountID, ruleID string) error
- func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error)
- func (am *DefaultAccountManager) GetAccountByUser(userId string) (*Account, error)
- func (am *DefaultAccountManager) GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
- func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
- func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error)
- func (am *DefaultAccountManager) GetNetworkMap(peerKey string) (*NetworkMap, error)
- func (am *DefaultAccountManager) GetOrCreateAccountByUser(userId, domain string) (*Account, error)
- func (am *DefaultAccountManager) GetPeer(peerKey string) (*Peer, error)
- func (am *DefaultAccountManager) GetPeerByIP(accountId string, peerIP string) (*Peer, error)
- func (am *DefaultAccountManager) GetPeerNetwork(peerKey string) (*Network, error)
- func (am *DefaultAccountManager) GetRoute(accountID, routeID string) (*route.Route, error)
- func (am *DefaultAccountManager) GetRule(accountID, ruleID string) (*Rule, error)
- func (am *DefaultAccountManager) GetSetupKey(accountID, keyID string) (*SetupKey, error)
- func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error)
- func (am *DefaultAccountManager) GroupAddPeer(accountID, groupID, peerKey string) error
- func (am *DefaultAccountManager) GroupDeletePeer(accountID, groupID, peerKey string) error
- func (am *DefaultAccountManager) GroupListPeers(accountID, groupID string) ([]*Peer, error)
- func (am *DefaultAccountManager) IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
- func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)
- func (am *DefaultAccountManager) ListRoutes(accountID string) ([]*route.Route, error)
- func (am *DefaultAccountManager) ListRules(accountID string) ([]*Rule, error)
- func (am *DefaultAccountManager) ListSetupKeys(accountID string) ([]*SetupKey, error)
- func (am *DefaultAccountManager) MarkPeerConnected(peerKey string, connected bool) error
- func (am *DefaultAccountManager) RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
- func (am *DefaultAccountManager) SaveGroup(accountID string, group *Group) error
- func (am *DefaultAccountManager) SaveRoute(accountID string, routeToSave *route.Route) error
- func (am *DefaultAccountManager) SaveRule(accountID string, rule *Rule) error
- func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey) (*SetupKey, error)
- func (am *DefaultAccountManager) UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
- func (am *DefaultAccountManager) UpdatePeer(accountID string, update *Peer) (*Peer, error)
- func (am *DefaultAccountManager) UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
- func (am *DefaultAccountManager) UpdatePeerSSHKey(peerKey string, sshKey string) error
- func (am *DefaultAccountManager) UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
- func (am *DefaultAccountManager) UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
- type DeviceAuthorizationFlow
- type FileStore
- func (s *FileStore) DeletePeer(accountId string, peerKey string) (*Peer, error)
- func (s *FileStore) GetAccount(accountId string) (*Account, error)
- func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error)
- func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error)
- func (s *FileStore) GetAccountPeers(accountId string) ([]*Peer, error)
- func (s *FileStore) GetAllAccounts() (all []*Account)
- func (s *FileStore) GetPeer(peerKey string) (*Peer, error)
- func (s *FileStore) GetPeerAccount(peerKey string) (*Account, error)
- func (s *FileStore) GetPeerDstRules(accountId, peerKey string) ([]*Rule, error)
- func (s *FileStore) GetPeerRoutes(peerKey string) ([]*route.Route, error)
- func (s *FileStore) GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error)
- func (s *FileStore) GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error)
- func (s *FileStore) GetUserAccount(userId string) (*Account, error)
- func (s *FileStore) SaveAccount(account *Account) error
- func (s *FileStore) SavePeer(accountId string, peer *Peer) error
- type GRPCServer
- func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
- func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error)
- func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty, error)
- func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
- func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error
- type Group
- type GroupUpdateOperation
- type GroupUpdateOperationType
- type Host
- type HttpServerConfig
- type Network
- type NetworkMap
- type Peer
- type PeerStatus
- type PeerSystemMeta
- type PeersUpdateManager
- type Protocol
- type Provider
- type ProviderConfig
- type RouteUpdateOperation
- type RouteUpdateOperationType
- type Rule
- type RuleUpdateOperation
- type RuleUpdateOperationType
- type SetupKey
- type SetupKeyType
- type SetupKeyUpdateOperation
- type SetupKeyUpdateOperationType
- type Store
- type StoredAccount
- type TURNConfig
- type TURNCredentials
- type TURNCredentialsManager
- type TimeBasedAuthSecretsManager
- type TrafficFlowType
- type UpdateMessage
- type User
- type UserInfo
- type UserRole
Constants ¶
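const (
	// PublicCategory marks an account domain as public (a shared domain):
	// a new user from a public domain gets an account of their own.
	PublicCategory = "public"
	// PrivateCategory marks an account domain as private (organisation-owned):
	// a new user from an existing private domain is added to that domain's account.
	PrivateCategory = "private"
	// UnknownCategory is used when the domain category could not be determined.
	UnknownCategory = "unknown"

	// CacheExpirationMax is the upper bound of a cache entry lifetime (7 days).
	// Expressed in time.Hour instead of seconds for readability; the value is unchanged.
	CacheExpirationMax = 7 * 24 * time.Hour
	// CacheExpirationMin is the lower bound of a cache entry lifetime (3 days).
	CacheExpirationMin = 3 * 24 * time.Hour
)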
const (
	// Transport protocols a Host (STUN, TURN, Signal) can be reached over; see Host.Proto.
	UDP   Protocol = "udp"
	DTLS  Protocol = "dtls"
	TCP   Protocol = "tcp"
	HTTP  Protocol = "http"
	HTTPS Protocol = "https"
	// NONE is the Provider value meaning no identity provider is configured.
	NONE Provider = "none"
)
const (
	// SubnetSize is the prefix length of an account subnet within the global network, e.g. 100.77.0.0/16.
	SubnetSize = 16
	// NetSize is the prefix length of the global network 100.64.0.0/10.
	NetSize = 10
	// AllowedIPsFormat generates the WireGuard AllowedIPs entry for a single peer address (e.g. 100.64.30.1/32);
	// the /32 limits the entry to exactly the peer's own IP.
	AllowedIPsFormat = "%s/32"
)
const (
	// TrafficFlowBidirect allows traffic in both directions.
	TrafficFlowBidirect TrafficFlowType = iota
	// TrafficFlowBidirectString is the string form of TrafficFlowBidirect.
	TrafficFlowBidirectString = "bidirect"
	// DefaultRuleName is the name of the Default rule that is created for every account.
	DefaultRuleName = "Default"
	// DefaultRuleDescription is the description of the Default rule that is created for every account.
	// As the text says, this default rule is an allow-all baseline between all resources of the account.
	DefaultRuleDescription = "This is a default rule that allows connections between all the resources"
)
const (
	// SetupKeyReusable is a multi-use key (can be used for multiple machines).
	SetupKeyReusable SetupKeyType = "reusable"
	// SetupKeyOneOff is a single use key (can be used only once).
	SetupKeyOneOff SetupKeyType = "one-off"
	// DefaultSetupKeyDuration is the default validity of a setup key: 1 month (30 days).
	DefaultSetupKeyDuration = 24 * 30 * time.Hour
	// DefaultSetupKeyName is the default name of the default setup key.
	DefaultSetupKeyName = "Default key"
	// UpdateSetupKeyName indicates a setup key name update operation.
	// Note: iota counts every ConstSpec of this block, so this is the fifth spec and
	// UpdateSetupKeyName == 4 (not 0); the operation types below continue from there.
	UpdateSetupKeyName SetupKeyUpdateOperationType = iota
	// UpdateSetupKeyRevoked indicates a setup key revoked field update operation.
	UpdateSetupKeyRevoked
	// UpdateSetupKeyAutoGroups indicates a setup key auto-assign groups update operation.
	UpdateSetupKeyAutoGroups
	// UpdateSetupKeyExpiresAt indicates a setup key expiration time update operation.
	UpdateSetupKeyExpiresAt
)
Variables ¶
This section is empty.
Functions ¶
func AllocatePeerIP ¶
AllocatePeerIP picks an available IP from a net.IPNet. This method considers already taken IPs and reuses IPs if there are gaps in takenIps. E.g. if ipNet=100.30.0.0/16 and takenIps=[100.30.0.1, 100.30.0.4] then the result would be 100.30.0.2 or 100.30.0.3.
func ToResponseProto ¶
func ToResponseProto(configProto Protocol) proto.HostConfig_Protocol
Types ¶
type Account ¶
// Account represents a unique account of the system.
type Account struct {
	Id string
	// CreatedBy is the User.Id of the user the account was created by.
	CreatedBy string
	// Domain is the account's domain; DomainCategory classifies it as
	// PublicCategory, PrivateCategory or UnknownCategory.
	Domain         string
	DomainCategory string
	// IsDomainPrimaryAccount marks the account a private domain is indexed to
	// (presumably the account new users of that domain are added to — confirm against GetAccountWithAuthorizationClaims).
	IsDomainPrimaryAccount bool
	// SetupKeys are the pre-authorised registration keys of the account (a setup key is a peer credential).
	SetupKeys map[string]*SetupKey
	// Network is the account network peers get their IPs from.
	Network *Network
	// Peers, Users, Groups, Rules and Routes are maps keyed by ID
	// (peers presumably by their WireGuard public key — confirm).
	Peers  map[string]*Peer
	Users  map[string]*User
	Groups map[string]*Group
	Rules  map[string]*Rule
	Routes map[string]*route.Route
}
Account represents a unique account of the system
func (*Account) GetGroupAll ¶
type AccountManager ¶
// AccountManager is the account-management API consumed by the Management server
// (DefaultAccountManager is the implementation documented on this page).
type AccountManager interface {
	// GetOrCreateAccountByUser returns the account of userId or creates one if it does not exist.
	GetOrCreateAccountByUser(userId, domain string) (*Account, error)
	// GetAccountByUser returns the existing account of userId, NotFound otherwise.
	GetAccountByUser(userId string) (*Account, error)
	// CreateSetupKey generates a new setup key (name, type, expiry, auto-assigned groups) in the account.
	CreateSetupKey(
		accountId string,
		keyName string,
		keyType SetupKeyType,
		expiresIn time.Duration,
		autoGroups []string,
	) (*SetupKey, error)
	// SaveSetupKey overwrites an existing setup key; only Name, AutoGroups and Revoked are taken from key.
	SaveSetupKey(accountID string, key *SetupKey) (*SetupKey, error)
	// GetSetupKey looks up a setup key by keyID, NotFound if absent.
	GetSetupKey(accountID, keyID string) (*SetupKey, error)
	// GetAccountById returns the account with accountId, NotFound if absent.
	GetAccountById(accountId string) (*Account, error)
	// GetAccountByUserOrAccountId looks up by user or account ID, creating an account for the user if needed.
	GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
	// GetAccountWithAuthorizationClaims resolves (and may create) the account for validated JWT claims.
	GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
	// IsUserAdmin reports whether the JWT-authenticated user is an admin.
	IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
	// AccountExists reports whether accountId exists.
	AccountExists(accountId string) (*bool, error)
	// GetPeer returns the peer identified by its WireGuard public key.
	GetPeer(peerKey string) (*Peer, error)
	// MarkPeerConnected marks the peer connected (true) or disconnected (false).
	MarkPeerConnected(peerKey string, connected bool) error
	// RenamePeer changes the peer's name.
	RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
	// DeletePeer removes the peer from the account.
	DeletePeer(accountId string, peerKey string) (*Peer, error)
	// GetPeerByIP returns the peer of the account with the given IP.
	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
	// UpdatePeer updates a peer; only Peer.Name and Peer.SSHEnabled are applied.
	UpdatePeer(accountID string, peer *Peer) (*Peer, error)
	// GetNetworkMap returns the network map for a peer (the peer itself is omitted from Peers).
	GetNetworkMap(peerKey string) (*NetworkMap, error)
	// GetPeerNetwork returns the Network for a peer.
	GetPeerNetwork(peerKey string) (*Network, error)
	// AddPeer registers a peer either with a setup key (the peer's credential; an unknown key is
	// rejected with codes.Unauthenticated) or, when userId is set, into the JWT-authenticated user's account.
	AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
	// UpdatePeerMeta updates the peer's system metadata.
	UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
	// UpdatePeerSSHKey updates the peer's public SSH key.
	UpdatePeerSSHKey(peerKey string, sshKey string) error
	// GetUsersFromAccount fetches the account's users from the IDP in one batched request.
	GetUsersFromAccount(accountId string) ([]*UserInfo, error)
	// Group management (groups of peers referenced by ACL rules).
	GetGroup(accountId, groupID string) (*Group, error)
	SaveGroup(accountId string, group *Group) error
	UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
	DeleteGroup(accountId, groupID string) error
	ListGroups(accountId string) ([]*Group, error)
	GroupAddPeer(accountId, groupID, peerKey string) error
	GroupDeletePeer(accountId, groupID, peerKey string) error
	GroupListPeers(accountId, groupID string) ([]*Peer, error)
	// ACL rule management.
	GetRule(accountId, ruleID string) (*Rule, error)
	SaveRule(accountID string, rule *Rule) error
	UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
	DeleteRule(accountId, ruleID string) error
	ListRules(accountId string) ([]*Rule, error)
	// Route management.
	GetRoute(accountID, routeID string) (*route.Route, error)
	CreateRoute(accountID string, prefix, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error)
	SaveRoute(accountID string, route *route.Route) error
	UpdateRoute(accountID string, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
	DeleteRoute(accountID, routeID string) error
	ListRoutes(accountID string) ([]*route.Route, error)
	// ListSetupKeys returns all setup keys of the account.
	ListSetupKeys(accountID string) ([]*SetupKey, error)
}
type Config ¶
// Config of the Management service.
type Config struct {
	// Stuns are the STUN hosts.
	Stuns []*Host
	// TURNConfig holds the TURN hosts and credential settings.
	TURNConfig *TURNConfig
	// Signal is the Signal service host.
	Signal *Host
	// Datadir is the directory the service keeps its data in (e.g. the FileStore file — confirm).
	Datadir string
	// HttpConfig configures the HTTP API server, including JWT validation settings.
	HttpConfig *HttpServerConfig
	// IdpManagerConfig configures the identity-provider manager.
	IdpManagerConfig *idp.Config
	// DeviceAuthorizationFlow is the OAuth 2.0 device flow information handed to clients.
	DeviceAuthorizationFlow *DeviceAuthorizationFlow
}
Config of the Management service
type DefaultAccountManager ¶
// DefaultAccountManager is the AccountManager implementation; it is created by BuildManager with a Store.
type DefaultAccountManager struct {
	// Store persists accounts together with their peers, keys, groups, rules and routes.
	Store Store
	// contains filtered or unexported fields
}
func BuildManager ¶
func BuildManager( store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager, ) (*DefaultAccountManager, error)
BuildManager creates a new DefaultAccountManager with a provided Store
func (*DefaultAccountManager) AccountExists ¶
func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error)
AccountExists checks whether account exists (returns true) or not (returns false)
func (*DefaultAccountManager) AddPeer ¶
func (am *DefaultAccountManager) AddPeer( setupKey string, userID string, peer *Peer, ) (*Peer, error)
AddPeer adds a new peer to the Store. Each Account has a list of pre-authorised SetupKeys, and if no Account has a given key an error with code codes.Unauthenticated will be returned, meaning the key is invalid. If a User ID is provided, it means that we passed the authentication using JWT; then we look for the account by User ID and register the peer to it. We also add the User ID to the peer metadata to identify the registrant. Each new Peer will be assigned the next net.IP from the Account.Network and Account.Network.LastIP will be updated (IPs are not reused). The peer property is just a placeholder for the Peer properties to pass further.
func (*DefaultAccountManager) CreateRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) CreateRoute(accountID string, network, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error)
CreateRoute creates and saves a new route
func (*DefaultAccountManager) CreateSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType, expiresIn time.Duration, autoGroups []string) (*SetupKey, error)
CreateSetupKey generates a new setup key with a given name, type, list of groups IDs to auto-assign to peers registered with this key, and adds it to the specified account. A list of autoGroups IDs can be empty.
func (*DefaultAccountManager) DeleteGroup ¶
func (am *DefaultAccountManager) DeleteGroup(accountID, groupID string) error
DeleteGroup deletes a group of peers.
func (*DefaultAccountManager) DeletePeer ¶
func (am *DefaultAccountManager) DeletePeer(accountId string, peerKey string) (*Peer, error)
DeletePeer removes a peer from the account by its IP.
func (*DefaultAccountManager) DeleteRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) DeleteRoute(accountID, routeID string) error
DeleteRoute deletes route with routeID
func (*DefaultAccountManager) DeleteRule ¶
func (am *DefaultAccountManager) DeleteRule(accountID, ruleID string) error
DeleteRule deletes an ACL rule from the store.
func (*DefaultAccountManager) GetAccountById ¶
func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error)
GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
func (*DefaultAccountManager) GetAccountByUser ¶
func (am *DefaultAccountManager) GetAccountByUser(userId string) (*Account, error)
GetAccountByUser returns an existing account for a given user id, NotFound if account couldn't be found
func (*DefaultAccountManager) GetAccountByUserOrAccountId ¶
func (am *DefaultAccountManager) GetAccountByUserOrAccountId( userId, accountId, domain string, ) (*Account, error)
GetAccountByUserOrAccountId looks for an account by user or account ID; if no account is provided and the user ID doesn't have an account associated with it, an account is created.
func (*DefaultAccountManager) GetAccountWithAuthorizationClaims ¶
func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims( claims jwtclaims.AuthorizationClaims, ) (*Account, error)
GetAccountWithAuthorizationClaims retrieves an account using JWT claims. If the domain is of the PrivateCategory category, it will evaluate whether the account is new or existing, or whether there is another account with the same domain.
Use cases:
New user + New account + New domain -> create account, user role = admin (if private domain, index domain)
New user + New account + Existing Private Domain -> add user to the existing account, user role = regular (not admin)
New user + New account + Existing Public Domain -> create account, user role = admin
Existing user + Existing account + Existing Domain -> Nothing changes (if private, index domain)
Existing user + Existing account + Existing Indexed Domain -> Nothing changes
Existing user + Existing account + Existing domain reclassified Domain as private -> Nothing changes (index domain)
func (*DefaultAccountManager) GetGroup ¶
func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error)
GetGroup returns a group of peers.
func (*DefaultAccountManager) GetNetworkMap ¶
func (am *DefaultAccountManager) GetNetworkMap(peerKey string) (*NetworkMap, error)
GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
func (*DefaultAccountManager) GetOrCreateAccountByUser ¶
func (am *DefaultAccountManager) GetOrCreateAccountByUser(userId, domain string) (*Account, error)
GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist
func (*DefaultAccountManager) GetPeer ¶
func (am *DefaultAccountManager) GetPeer(peerKey string) (*Peer, error)
GetPeer returns a peer from a Store
func (*DefaultAccountManager) GetPeerByIP ¶
func (am *DefaultAccountManager) GetPeerByIP(accountId string, peerIP string) (*Peer, error)
GetPeerByIP returns a peer by its IP.
func (*DefaultAccountManager) GetPeerNetwork ¶ added in v0.8.0
func (am *DefaultAccountManager) GetPeerNetwork(peerKey string) (*Network, error)
GetPeerNetwork returns the Network for a given peer
func (*DefaultAccountManager) GetRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) GetRoute(accountID, routeID string) (*route.Route, error)
GetRoute gets a route object from account and route IDs
func (*DefaultAccountManager) GetRule ¶
func (am *DefaultAccountManager) GetRule(accountID, ruleID string) (*Rule, error)
GetRule returns an ACL rule from the store.
func (*DefaultAccountManager) GetSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) GetSetupKey(accountID, keyID string) (*SetupKey, error)
GetSetupKey looks up a SetupKey by KeyID, returns NotFound error if not found.
func (*DefaultAccountManager) GetUsersFromAccount ¶
func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error)
GetUsersFromAccount performs a batched request for users from IDP by account id
func (*DefaultAccountManager) GroupAddPeer ¶
func (am *DefaultAccountManager) GroupAddPeer(accountID, groupID, peerKey string) error
GroupAddPeer appends peer to the group
func (*DefaultAccountManager) GroupDeletePeer ¶
func (am *DefaultAccountManager) GroupDeletePeer(accountID, groupID, peerKey string) error
GroupDeletePeer removes peer from the group
func (*DefaultAccountManager) GroupListPeers ¶
func (am *DefaultAccountManager) GroupListPeers(accountID, groupID string) ([]*Peer, error)
GroupListPeers returns list of the peers from the group
func (*DefaultAccountManager) IsUserAdmin ¶ added in v0.6.0
func (am *DefaultAccountManager) IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
IsUserAdmin returns the admin flag of the current user authenticated by a JWT token.
func (*DefaultAccountManager) ListGroups ¶
func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)
ListGroups returns the groups of peers.
func (*DefaultAccountManager) ListRoutes ¶ added in v0.8.9
func (am *DefaultAccountManager) ListRoutes(accountID string) ([]*route.Route, error)
ListRoutes returns a list of routes from account
func (*DefaultAccountManager) ListRules ¶
func (am *DefaultAccountManager) ListRules(accountID string) ([]*Rule, error)
ListRules returns the ACL rules from the store.
func (*DefaultAccountManager) ListSetupKeys ¶ added in v0.9.2
func (am *DefaultAccountManager) ListSetupKeys(accountID string) ([]*SetupKey, error)
ListSetupKeys returns a list of all setup keys of the account
func (*DefaultAccountManager) MarkPeerConnected ¶
func (am *DefaultAccountManager) MarkPeerConnected(peerKey string, connected bool) error
MarkPeerConnected marks peer as connected (true) or disconnected (false)
func (*DefaultAccountManager) RenamePeer ¶
func (am *DefaultAccountManager) RenamePeer( accountId string, peerKey string, newName string, ) (*Peer, error)
RenamePeer changes peer's name
func (*DefaultAccountManager) SaveGroup ¶
func (am *DefaultAccountManager) SaveGroup(accountID string, group *Group) error
SaveGroup saves a group of peers.
func (*DefaultAccountManager) SaveRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) SaveRoute(accountID string, routeToSave *route.Route) error
SaveRoute saves route
func (*DefaultAccountManager) SaveRule ¶
func (am *DefaultAccountManager) SaveRule(accountID string, rule *Rule) error
SaveRule saves an ACL rule in the store.
func (*DefaultAccountManager) SaveSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey) (*SetupKey, error)
SaveSetupKey saves the provided SetupKey to the database overriding the existing one. Due to the unique nature of a SetupKey certain properties must not be overwritten (e.g. the key itself, creation date, ID, etc). These properties are overwritten: Name, AutoGroups, Revoked. The rest is copied from the existing key.
func (*DefaultAccountManager) UpdateGroup ¶ added in v0.7.0
func (am *DefaultAccountManager) UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
UpdateGroup updates a group using a list of operations
func (*DefaultAccountManager) UpdatePeer ¶ added in v0.8.0
func (am *DefaultAccountManager) UpdatePeer(accountID string, update *Peer) (*Peer, error)
UpdatePeer updates peer. Only Peer.Name and Peer.SSHEnabled can be updated.
func (*DefaultAccountManager) UpdatePeerMeta ¶
func (am *DefaultAccountManager) UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
UpdatePeerMeta updates peer's system metadata
func (*DefaultAccountManager) UpdatePeerSSHKey ¶ added in v0.8.0
func (am *DefaultAccountManager) UpdatePeerSSHKey(peerKey string, sshKey string) error
UpdatePeerSSHKey updates peer's public SSH key
func (*DefaultAccountManager) UpdateRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
UpdateRoute updates existing route with set of operations
func (*DefaultAccountManager) UpdateRule ¶ added in v0.7.0
func (am *DefaultAccountManager) UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
UpdateRule updates a rule using a list of operations
type DeviceAuthorizationFlow ¶
// DeviceAuthorizationFlow represents Device Authorization Flow information that can be used
// by the client to log in by initiating an OAuth 2.0 device authorization grant flow,
// see https://datatracker.ietf.org/doc/html/rfc8628.
type DeviceAuthorizationFlow struct {
	// Provider names the identity provider (see the Provider constants, e.g. NONE).
	Provider string
	// ProviderConfig carries the provider endpoints and client settings.
	// NOTE(review): this struct is described as information handed to clients; confirm whether
	// ProviderConfig.ClientSecret is meant to leave the server before it is returned as-is.
	ProviderConfig ProviderConfig
}
DeviceAuthorizationFlow represents Device Authorization Flow information that can be used by the client to log in by initiating an OAuth 2.0 device authorization grant flow, see https://datatracker.ietf.org/doc/html/rfc8628
type FileStore ¶
// FileStore represents an account storage backed by a file persisted to disk.
type FileStore struct {
	// Accounts is the persisted account data keyed by account ID.
	Accounts map[string]*Account
	// The lookup indexes below are excluded from the JSON file (`json:"-"`);
	// presumably they are rebuilt from Accounts when the store is loaded — confirm.
	SetupKeyId2AccountId    map[string]string `json:"-"`
	PeerKeyId2AccountId     map[string]string `json:"-"`
	UserId2AccountId        map[string]string `json:"-"`
	PrivateDomain2AccountId map[string]string `json:"-"`
	// PeerKeyId2SrcRulesId / PeerKeyId2DstRulesId map a peer key to the IDs of the rules
	// in which the peer is a source / destination.
	PeerKeyId2SrcRulesId map[string]map[string]struct{} `json:"-"`
	PeerKeyId2DstRulesId map[string]map[string]struct{} `json:"-"`
	// PeerKeyID2RouteIDs maps a peer key to the IDs of its routes.
	PeerKeyID2RouteIDs map[string]map[string]struct{} `json:"-"`
	// AccountPrefix2RouteIDs maps account ID and route prefix to route IDs (see GetRoutesByPrefix).
	AccountPrefix2RouteIDs map[string]map[string][]string `json:"-"`
	// contains filtered or unexported fields
}
FileStore represents an account storage backed by a file persisted to disk
func (*FileStore) DeletePeer ¶
DeletePeer deletes peer from the Store
func (*FileStore) GetAccount ¶
GetAccount returns an account for id
func (*FileStore) GetAccountByPrivateDomain ¶
GetAccountByPrivateDomain returns account by private domain
func (*FileStore) GetAccountBySetupKey ¶
GetAccountBySetupKey returns account by setup key id
func (*FileStore) GetAccountPeers ¶
GetAccountPeers returns account peers
func (*FileStore) GetAllAccounts ¶
GetAllAccounts returns all accounts
func (*FileStore) GetPeerAccount ¶
GetPeerAccount returns user account if exists
func (*FileStore) GetPeerDstRules ¶
GetPeerDstRules return list of destination rules for peer
func (*FileStore) GetPeerRoutes ¶ added in v0.8.9
GetPeerRoutes return list of routes for peer
func (*FileStore) GetPeerSrcRules ¶
GetPeerSrcRules return list of source rules for peer
func (*FileStore) GetRoutesByPrefix ¶ added in v0.8.9
func (s *FileStore) GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error)
GetRoutesByPrefix return list of routes by account and route prefix
func (*FileStore) GetUserAccount ¶
GetUserAccount returns a user account
func (*FileStore) SaveAccount ¶
SaveAccount updates an existing account or adds a new one
type GRPCServer ¶ added in v0.8.5
// GRPCServer is an instance of the Management gRPC API server; it is created by NewServer.
type GRPCServer struct {
	// UnimplementedManagementServiceServer provides default (Unimplemented) handlers for
	// service methods not defined on GRPCServer.
	proto.UnimplementedManagementServiceServer
	// contains filtered or unexported fields
}
GRPCServer is an instance of a Management gRPC API server
func NewServer ¶
func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*GRPCServer, error)
NewServer creates a new Management server
func (*GRPCServer) GetDeviceAuthorizationFlow ¶ added in v0.8.5
func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
GetDeviceAuthorizationFlow returns device authorization flow information. This is used for initiating an OAuth 2.0 device authorization grant flow, which will be used by our clients to log in.
func (*GRPCServer) GetServerKey ¶ added in v0.8.5
func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error)
func (*GRPCServer) Login ¶ added in v0.8.5
func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
Login endpoint first checks whether the peer is registered under any account. In case it is, the login is successful. In case it isn't, the endpoint checks whether a setup key is provided within the request and tries to register a peer. In case of a successful registration the login is also successful.
func (*GRPCServer) Sync ¶ added in v0.8.5
func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error
Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and notifies the connected peer of any updates (e.g. new peers under the same account)
type Group ¶
// Group of peers for ACL: rules reference groups by ID as their Source and Destination.
type Group struct {
	// ID of the group
	ID string
	// Name visible in the UI
	Name string
	// Peers is the list of peer keys that belong to the group
	// (presumably WireGuard public keys, as GroupAddPeer takes a peerKey — confirm).
	Peers []string
}
Group of the peers for ACL
type GroupUpdateOperation ¶ added in v0.7.0
// GroupUpdateOperation is an operation object with a type and the values to be applied by UpdateGroup.
type GroupUpdateOperation struct {
	// Type selects the operation (see the GroupUpdateOperationType constants).
	Type GroupUpdateOperationType
	// Values are the operands of the operation (e.g. the new name or the peer keys to add/remove).
	Values []string
}
GroupUpdateOperation operation object with type and values to be applied
type GroupUpdateOperationType ¶ added in v0.7.0
// GroupUpdateOperationType identifies the kind of change a GroupUpdateOperation applies
// (one of UpdateGroupName, InsertPeersToGroup, RemovePeersFromGroup, UpdateGroupPeers).
type GroupUpdateOperationType int
GroupUpdateOperationType operation type
const (
	// UpdateGroupName indicates a name update operation.
	UpdateGroupName GroupUpdateOperationType = iota
	// InsertPeersToGroup indicates an insert peers to group operation.
	InsertPeersToGroup
	// RemovePeersFromGroup indicates a remove peers from group operation.
	RemovePeersFromGroup
	// UpdateGroupPeers indicates a replacement of the whole group peers list.
	UpdateGroupPeers
)
type Host ¶
// Host represents a Wiretrustee host (e.g. STUN, TURN, Signal).
type Host struct {
	// Proto is the transport the host is reached over (see the Protocol constants).
	Proto Protocol
	// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
	URI string
	// Username and Password are the credentials for the host (e.g. TURN);
	// they are secrets and should be kept out of logs and error messages.
	Username string
	Password string
}
Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
type HttpServerConfig ¶
// HttpServerConfig is the config of the HTTP Management service server.
// AuthAudience, AuthIssuer and AuthKeysLocation together define the JWT validation policy:
// a token is expected to be accepted only when it verifies against a key from AuthKeysLocation
// and carries the configured issuer and audience.
type HttpServerConfig struct {
	// LetsEncryptDomain is the domain a Let's Encrypt certificate is requested for (presumably
	// an alternative to CertFile/CertKey — confirm).
	LetsEncryptDomain string
	// CertFile is the location of the certificate
	CertFile string
	// CertKey is the location of the certificate private key (sensitive file; restrict its permissions)
	CertKey string
	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
	AuthAudience string
	// AuthIssuer identifies the principal that issued the JWT (iss in JWT).
	AuthIssuer string
	// AuthKeysLocation is the location of the JWT key set (JWKS) containing the public keys used to verify JWTs
	AuthKeysLocation string
	// OIDCConfigEndpoint is the endpoint of an IDP manager to get the OIDC configuration
	OIDCConfigEndpoint string
}
HttpServerConfig is a config of the HTTP Management service server
type Network ¶
// Network is the IP network of an account; new peers are assigned addresses from it.
type Network struct {
	Id string
	// Net is the network range; NewNetwork picks a random /16 out of 100.64.0.0/10.
	Net net.IPNet
	Dns string
	// Serial is an ID that increments by 1 when any change to the network happened (e.g. new peer has been added).
	// Used to synchronize state to the client apps.
	Serial uint64
	// contains filtered or unexported fields
}
func NewNetwork ¶
func NewNetwork() *Network
NewNetwork creates a new Network, initializing it with Serial=0. It takes a random /16 subnet from 100.64.0.0/10 (64 different subnets).
func (*Network) CurrentSerial ¶
CurrentSerial returns the Network.Serial of the network (latest state id)
type Peer ¶
// Peer represents a machine connected to the network. The Peer is a WireGuard peer identified by a public key.
type Peer struct {
	// Key is the WireGuard public key; it is the peer's identity (GetPeer, GroupAddPeer etc. take it as peerKey).
	Key string
	// SetupKey is the setup key this peer was registered with
	SetupKey string
	// IP address of the Peer, assigned from the account's Network on registration
	IP net.IP
	// Meta is the Peer system metadata
	Meta PeerSystemMeta
	// Name is the peer's name (machine name)
	Name string
	// Status is the connection status of the peer
	Status *PeerStatus
	// UserID is the user ID that registered the peer (set when registration was authenticated by JWT rather than a setup key)
	UserID string
	// SSHKey is the public SSH key of the peer
	SSHKey string
	// SSHEnabled indicates whether the SSH server is enabled on the peer
	SSHEnabled bool
}
Peer represents a machine connected to the network. The Peer is a Wireguard peer identified by a public key
type PeerStatus ¶
type PeerSystemMeta ¶
// PeerSystemMeta is the metadata of a Peer machine system.
// It is updated through UpdatePeerMeta, so the values are presumably reported by the peer
// itself and should be treated as untrusted input when displayed or logged — confirm.
type PeerSystemMeta struct {
	Hostname string
	GoOS     string
	Kernel   string
	Core     string
	Platform string
	OS       string
	// WtVersion is the Wiretrustee client version.
	WtVersion string
	// UIVersion is the client UI version.
	UIVersion string
}
PeerSystemMeta is the metadata of a Peer machine system
type PeersUpdateManager ¶
// PeersUpdateManager keeps one update channel per peer (see CreateChannel/CloseChannel)
// and delivers UpdateMessages to peers through SendUpdate.
type PeersUpdateManager struct {
	// contains filtered or unexported fields
}
func NewPeersUpdateManager ¶
func NewPeersUpdateManager() *PeersUpdateManager
NewPeersUpdateManager returns a new instance of PeersUpdateManager
func (*PeersUpdateManager) CloseChannel ¶
func (p *PeersUpdateManager) CloseChannel(peerKey string)
CloseChannel closes updates channel of a given peer
func (*PeersUpdateManager) CreateChannel ¶
func (p *PeersUpdateManager) CreateChannel(peerKey string) chan *UpdateMessage
CreateChannel creates a go channel for a given peer used to deliver updates relevant to the peer.
func (*PeersUpdateManager) SendUpdate ¶
func (p *PeersUpdateManager) SendUpdate(peer string, update *UpdateMessage) error
SendUpdate sends update message to the peer's channel
type ProviderConfig ¶
// ProviderConfig has all attributes needed to initiate a device authorization flow.
type ProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret.
	// This is a secret: keep it out of logs, and confirm it is not included when
	// DeviceAuthorizationFlow is returned to clients.
	ClientSecret string
	// Domain An IDP API domain
	// Deprecated. Use TokenEndpoint and DeviceAuthEndpoint
	Domain string
	// Audience is the audience used for authorization validation
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
	TokenEndpoint string
	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
	DeviceAuthEndpoint string
}
ProviderConfig has all attributes needed to initiate a device authorization flow
type RouteUpdateOperation ¶ added in v0.8.9
type RouteUpdateOperation struct {
	// Type selects which route attribute the operation changes (see RouteUpdateOperationType).
	Type RouteUpdateOperationType
	// Values are the new value(s) to apply; their interpretation depends on Type.
	Values []string
}
RouteUpdateOperation is an operation object carrying the type and the values to be applied to a route.
type RouteUpdateOperationType ¶ added in v0.8.9
// RouteUpdateOperationType identifies which route attribute a RouteUpdateOperation modifies.
type RouteUpdateOperationType int
RouteUpdateOperationType is the type of a route update operation.
// Operations applicable through RouteUpdateOperation.Type. The values are
// iota-based and therefore positional: add new operations at the end of the
// block so existing values stay stable.
const (
	// UpdateRouteDescription indicates a route description update operation.
	UpdateRouteDescription RouteUpdateOperationType = iota
	// UpdateRouteNetwork indicates a route IP (network) update operation.
	UpdateRouteNetwork
	// UpdateRoutePeer indicates a route peer update operation.
	UpdateRoutePeer
	// UpdateRouteMetric indicates a route metric update operation.
	UpdateRouteMetric
	// UpdateRouteMasquerade indicates a route masquerade update operation.
	UpdateRouteMasquerade
	// UpdateRouteEnabled indicates a route enabled update operation.
	UpdateRouteEnabled
	// UpdateRouteNetworkIdentifier indicates a route net ID update operation.
	UpdateRouteNetworkIdentifier
)
func (RouteUpdateOperationType) String ¶ added in v0.8.9
func (t RouteUpdateOperationType) String() string
type Rule ¶
type Rule struct {
	// ID of the rule.
	ID string
	// Name of the rule visible in the UI.
	Name string
	// Description of the rule visible in the UI.
	Description string
	// Disabled is the status of the rule in the system; a disabled rule is presumably not enforced — verify.
	Disabled bool
	// Source is the list of group IDs of peers the traffic originates from.
	Source []string
	// Destination is the list of group IDs of peers the traffic is allowed to reach.
	Destination []string
	// Flow is the direction of the traffic allowed by the rule (see TrafficFlowType).
	Flow TrafficFlowType
}
Rule is an ACL rule between groups.
type RuleUpdateOperation ¶ added in v0.7.0
type RuleUpdateOperation struct {
	// Type selects which rule attribute the operation changes (see RuleUpdateOperationType).
	Type RuleUpdateOperationType
	// Values are the new value(s) to apply; their interpretation depends on Type.
	Values []string
}
RuleUpdateOperation is an operation object carrying the type and the values to be applied to a rule.
type RuleUpdateOperationType ¶ added in v0.7.0
// RuleUpdateOperationType identifies which rule attribute a RuleUpdateOperation modifies.
type RuleUpdateOperationType int
RuleUpdateOperationType is the type of a rule update operation.
// Operations applicable through RuleUpdateOperation.Type. The values are
// iota-based and therefore positional: add new operations at the end of the
// block so existing values stay stable.
const (
	// UpdateRuleName indicates a rule name update operation.
	UpdateRuleName RuleUpdateOperationType = iota
	// UpdateRuleDescription indicates a rule description update operation.
	UpdateRuleDescription
	// UpdateRuleStatus indicates a rule status update operation.
	UpdateRuleStatus
	// UpdateRuleFlow indicates a rule flow update operation.
	UpdateRuleFlow
	// InsertGroupsToSource indicates an insert-groups-to-source rule operation.
	InsertGroupsToSource
	// RemoveGroupsFromSource indicates a remove-groups-from-source rule operation.
	RemoveGroupsFromSource
	// UpdateSourceGroups indicates a replacement of the source group list of a rule.
	UpdateSourceGroups
	// InsertGroupsToDestination indicates an insert-groups-to-destination rule operation.
	InsertGroupsToDestination
	// RemoveGroupsFromDestination indicates a remove-groups-from-destination rule operation.
	RemoveGroupsFromDestination
	// UpdateDestinationGroups indicates a replacement of the destination group list of a rule.
	UpdateDestinationGroups
)
type SetupKey ¶
type SetupKey struct {
	// Id is the identifier of the setup key.
	Id string
	// Key is the key value a machine presents when registering as a peer
	// (presumably the setupKey argument of DefaultAccountManager.AddPeer — verify).
	// NOTE(review): this is a credential; treat it like a password and keep it out of logs.
	Key string
	// Name is the human-readable name of the key.
	Name string
	// Type is the SetupKeyType of the key.
	Type SetupKeyType
	// CreatedAt is when the key was created.
	CreatedAt time.Time
	// ExpiresAt is when the key expires (presumably CreatedAt plus the validFor passed to GenerateSetupKey — verify).
	ExpiresAt time.Time
	// UpdatedAt is when the key was last updated.
	UpdatedAt time.Time
	// Revoked indicates whether the key was revoked or not (we don't remove them for tracking purposes).
	Revoked bool
	// UsedTimes indicates how many times the key was used.
	UsedTimes int
	// LastUsed is the last time the key was used for peer registration.
	LastUsed time.Time
	// AutoGroups is a list of Group IDs that are auto assigned to a Peer when it uses this key to register.
	AutoGroups []string
}
SetupKey represents a pre-authorized key used to register machines (peers).
func GenerateDefaultSetupKey ¶
func GenerateDefaultSetupKey() *SetupKey
GenerateDefaultSetupKey generates a default setup key
func GenerateSetupKey ¶
func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration, autoGroups []string) *SetupKey
GenerateSetupKey generates a new setup key
func (*SetupKey) IncrementUsage ¶
IncrementUsage makes a copy of the key, increments UsedTimes by 1 and sets LastUsed to now.
func (*SetupKey) IsOverUsed ¶
IsOverUsed reports whether the key has been used too many times.
type SetupKeyUpdateOperation ¶ added in v0.9.2
type SetupKeyUpdateOperation struct {
	// Type selects which setup key attribute the operation changes (see SetupKeyUpdateOperationType).
	Type SetupKeyUpdateOperationType
	// Values are the new value(s) to apply; their interpretation depends on Type.
	Values []string
}
SetupKeyUpdateOperation is an operation object carrying the type and the values to be applied to a setup key.
type SetupKeyUpdateOperationType ¶ added in v0.9.2
// SetupKeyUpdateOperationType identifies which setup key attribute a SetupKeyUpdateOperation modifies.
type SetupKeyUpdateOperationType int
SetupKeyUpdateOperationType is the type of a setup key update operation.
func (SetupKeyUpdateOperationType) String ¶ added in v0.9.2
func (t SetupKeyUpdateOperationType) String() string
type Store ¶
// Store is the persistence interface used by the account manager for
// accounts, peers, rules and routes.
type Store interface {
	// GetPeer returns the peer identified by its key.
	GetPeer(peerKey string) (*Peer, error)
	// DeletePeer removes the peer with the given key from the account and returns it.
	DeletePeer(accountId string, peerKey string) (*Peer, error)
	// SavePeer stores the peer under the given account.
	SavePeer(accountId string, peer *Peer) error
	// GetAllAccounts returns every stored account.
	GetAllAccounts() []*Account
	// GetAccount returns the account with the given ID.
	GetAccount(accountId string) (*Account, error)
	// GetUserAccount returns the account the given user belongs to.
	GetUserAccount(userId string) (*Account, error)
	// GetAccountPeers returns all peers of the given account.
	GetAccountPeers(accountId string) ([]*Peer, error)
	// GetPeerAccount returns the account that owns the peer with the given key.
	GetPeerAccount(peerKey string) (*Account, error)
	// GetPeerSrcRules returns the account's rules in which the peer is a source.
	GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error)
	// GetPeerDstRules returns the account's rules in which the peer is a destination.
	GetPeerDstRules(accountId, peerKey string) ([]*Rule, error)
	// GetAccountBySetupKey returns the account that owns the given setup key.
	GetAccountBySetupKey(setupKey string) (*Account, error)
	// GetAccountByPrivateDomain returns the account associated with the given private domain.
	GetAccountByPrivateDomain(domain string) (*Account, error)
	// SaveAccount persists the account.
	SaveAccount(account *Account) error
	// GetPeerRoutes returns the routes associated with the peer with the given key.
	GetPeerRoutes(peerKey string) ([]*route.Route, error)
	// GetRoutesByPrefix returns the account's routes matching the given network prefix.
	GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error)
}
type StoredAccount ¶
// StoredAccount is an empty type; its intended use is not visible from this declaration.
type StoredAccount struct{}
type TURNConfig ¶
type TURNConfig struct {
	// TimeBasedCredentials enables time-based (TTL) TURN credentials (see TimeBasedAuthSecretsManager).
	TimeBasedCredentials bool
	// CredentialsTTL is the lifetime of generated credentials.
	CredentialsTTL util.Duration
	// Secret is the pre-shared secret known to the TURN server, used to derive credentials.
	// NOTE(review): this is a credential; keep it out of logs, error messages and API responses.
	Secret string
	// Turns is the list of TURN server hosts.
	Turns []*Host
}
TURNConfig is the configuration of the TURNCredentialsManager.
type TURNCredentials ¶
type TURNCredentialsManager ¶
// TURNCredentialsManager issues TURN credentials and manages their periodic refresh per peer.
type TURNCredentialsManager interface {
	// GenerateCredentials returns a fresh set of TURN credentials.
	GenerateCredentials() TURNCredentials
	// SetupRefresh starts periodic credential refresh for the given peer.
	SetupRefresh(peerKey string)
	// CancelRefresh stops the refresh started by SetupRefresh for the given peer.
	CancelRefresh(peerKey string)
}
TURNCredentialsManager is used to manage TURN credentials.
type TimeBasedAuthSecretsManager ¶
type TimeBasedAuthSecretsManager struct {
// contains filtered or unexported fields
}
TimeBasedAuthSecretsManager generates credentials with a TTL, using a pre-shared secret known to the TURN server.
func NewTimeBasedAuthSecretsManager ¶
func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, config *TURNConfig) *TimeBasedAuthSecretsManager
func (*TimeBasedAuthSecretsManager) CancelRefresh ¶
func (m *TimeBasedAuthSecretsManager) CancelRefresh(peerKey string)
CancelRefresh cancels scheduled peer credentials refresh
func (*TimeBasedAuthSecretsManager) GenerateCredentials ¶
func (m *TimeBasedAuthSecretsManager) GenerateCredentials() TURNCredentials
GenerateCredentials generates new time-based secret credentials: the username is a Unix timestamp and the password is an HMAC of that timestamp keyed with the pre-shared TURN secret.
func (*TimeBasedAuthSecretsManager) SetupRefresh ¶
func (m *TimeBasedAuthSecretsManager) SetupRefresh(peerKey string)
SetupRefresh starts peer credentials refresh. Since credentials expire (TTL), it is necessary to keep generating them and sending them to the peer. A goroutine is created and put into TimeBasedAuthSecretsManager.cancelMap. This routine should be cancelled when the peer is gone.
type TrafficFlowType ¶
// TrafficFlowType defines the allowed direction of the traffic in a Rule (see Rule.Flow).
type TrafficFlowType int
TrafficFlowType defines the allowed direction of the traffic in a rule.
type UpdateMessage ¶
// UpdateMessage is the message delivered to a peer over the channel created by
// PeersUpdateManager.CreateChannel (see PeersUpdateManager.SendUpdate).
type UpdateMessage struct {
	// Update is the SyncResponse to be sent to the peer.
	Update *proto.SyncResponse
}
type User ¶
User represents a user of the system
func NewAdminUser ¶
NewAdminUser creates a new user with role UserRoleAdmin
func NewRegularUser ¶
NewRegularUser creates a new regular user. (The original text says "with role UserRoleAdmin", which appears to be copied from NewAdminUser above; confirm the actual role against the source, since the distinction is security-relevant.)