mobile_nebula/nebula/api.go

package mobileNebula

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"

	"github.com/DefinedNet/dnapi"
	"github.com/DefinedNet/dnapi/keys"
	"github.com/sirupsen/logrus"
	"github.com/slackhq/nebula/cert"
)

type APIClient struct {
	c *dnapi.Client
	l *logrus.Logger
}

type EnrollResult struct {
	Site string
}

type TryUpdateResult struct {
	FetchedUpdate bool
	Site          string
}

func NewAPIClient(useragent string) *APIClient {
	// TODO Use a log file
	l := logrus.New()
	l.SetOutput(io.Discard)

	return &APIClient{
		// TODO Make the server configurable
		c: dnapi.NewClient(useragent, "https://api.defined.net"),
		l: l,
	}
}

type InvalidCredentialsError struct{}

func (e InvalidCredentialsError) Error() string {
	// XXX Type information is not available in Kotlin/Swift. Instead we make use of string matching on the error
	// message. DO NOT CHANGE THIS STRING unless you also update the Kotlin and Swift code that checks for it.
	return "invalid credentials"
}

func (c *APIClient) Enroll(code string) (*EnrollResult, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	cfg, pkey, creds, meta, err := c.c.Enroll(ctx, c.l, code)
	var apiError *dnapi.APIError
	switch {
	case errors.As(err, &apiError):
		return nil, fmt.Errorf("%s (request ID: %s)", apiError, apiError.ReqID)
	case errors.Is(err, context.DeadlineExceeded):
		return nil, fmt.Errorf("enrollment request timed out - try again?")
	case err != nil:
		return nil, fmt.Errorf("unexpected failure: %s", err)
	}

	site, err := newDNSite(meta.OrganizationName, cfg, string(pkey), *creds)
	if err != nil {
		return nil, fmt.Errorf("failure generating site: %s", err)
	}

	jsonSite, err := json.Marshal(site)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal site: %s", err)
	}

	return &EnrollResult{Site: string(jsonSite)}, nil
}

func (c *APIClient) TryUpdate(siteName string, hostID string, privateKey string, counter int, trustedKeys string) (*TryUpdateResult, error) {
	// Build dnapi.Credentials struct from inputs
	if counter < 0 {
		return nil, fmt.Errorf("invalid counter value: must be unsigned")
	}

	pk, rest, err := unmarshalHostPrivateKey([]byte(privateKey))
	switch {
	case err != nil:
		return nil, fmt.Errorf("invalid private key: %s", err)
	case len(rest) > 0:
		return nil, fmt.Errorf("invalid private key: %d trailing bytes", len(rest))
	}

	tk, err := keys.TrustedKeysFromPEM([]byte(trustedKeys))
	if err != nil {
		return nil, fmt.Errorf("invalid trusted keys: %s", err)
	}

	creds := keys.Credentials{
		HostID:      hostID,
		PrivateKey:  pk,
		Counter:     uint(counter),
		TrustedKeys: tk,
	}

	// Check for update
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	updateAvailable, err := c.c.CheckForUpdate(ctx, creds)
	switch {
	case errors.As(err, &dnapi.InvalidCredentialsError{}):
		return nil, InvalidCredentialsError{}
	case err != nil:
		return nil, fmt.Errorf("CheckForUpdate error: %s", err)
	}

	if !updateAvailable {
		return &TryUpdateResult{FetchedUpdate: false}, nil
	}

	// Perform the update and return the new site object
	updateCtx, updateCancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer updateCancel()
	cfg, pkey, newCreds, err := c.c.DoUpdate(updateCtx, creds)
	switch {
	case errors.As(err, &dnapi.InvalidCredentialsError{}):
		return nil, InvalidCredentialsError{}
	case err != nil:
		return nil, fmt.Errorf("DoUpdate error: %s", err)
	}

	site, err := newDNSite(siteName, cfg, string(pkey), *newCreds)
	if err != nil {
		return nil, fmt.Errorf("failure generating site: %s", err)
	}

	jsonSite, err := json.Marshal(site)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal site: %s", err)
	}

	return &TryUpdateResult{Site: string(jsonSite), FetchedUpdate: true}, nil
}

func unmarshalHostPrivateKey(b []byte) (keys.PrivateKey, []byte, error) {
	k, r, err := keys.UnmarshalHostPrivateKey(b)
	if err != nil {
		// We used to use a Nebula PEM header for these keys, so try that as a fallback
		k, r, err := cert.UnmarshalEd25519PrivateKey(b)
		if err != nil {
			return nil, r, fmt.Errorf("failed fallback unmarshal: %w", err)
		}

		pk, err := keys.NewPrivateKey(k)
		if err != nil {
			return nil, r, err
		}

		return pk, r, nil
	}

	return k, r, nil
}
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`package mobileNebula`

			`import (`
			`"context"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"io"`
			`"time"`

			`"github.com/DefinedNet/dnapi"`
Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`"github.com/DefinedNet/dnapi/keys"`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`"github.com/sirupsen/logrus"`
			`"github.com/slackhq/nebula/cert"`
			`)`

			`type APIClient struct {`
			`c *dnapi.Client`
			`l *logrus.Logger`
			`}`

			`type EnrollResult struct {`
			`Site string`
			`}`

			`type TryUpdateResult struct {`
			`FetchedUpdate bool`
			`Site string`
			`}`

			`func NewAPIClient(useragent string) *APIClient {`
			`// TODO Use a log file`
			`l := logrus.New()`
			`l.SetOutput(io.Discard)`

			`return &APIClient{`
			`// TODO Make the server configurable`
			`c: dnapi.NewClient(useragent, "https://api.defined.net"),`
			`l: l,`
			`}`
			`}`

			`type InvalidCredentialsError struct{}`

			`func (e InvalidCredentialsError) Error() string {`
			`// XXX Type information is not available in Kotlin/Swift. Instead we make use of string matching on the error`
			`// message. DO NOT CHANGE THIS STRING unless you also update the Kotlin and Swift code that checks for it.`
			`return "invalid credentials"`
			`}`

			`func (c APIClient) Enroll(code string) (EnrollResult, error) {`
Update Nebula and dnapi (#158) * Update Nebula and dnapi * Update Go 2024-06-20 19:24:00 +00:00			`ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`
			`defer cancel()`
			`cfg, pkey, creds, meta, err := c.c.Enroll(ctx, c.l, code)`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`var apiError *dnapi.APIError`
			`switch {`
			`case errors.As(err, &apiError):`
			`return nil, fmt.Errorf("%s (request ID: %s)", apiError, apiError.ReqID)`
			`case errors.Is(err, context.DeadlineExceeded):`
			`return nil, fmt.Errorf("enrollment request timed out - try again?")`
			`case err != nil:`
			`return nil, fmt.Errorf("unexpected failure: %s", err)`
			`}`

			`site, err := newDNSite(meta.OrganizationName, cfg, string(pkey), *creds)`
			`if err != nil {`
			`return nil, fmt.Errorf("failure generating site: %s", err)`
			`}`

			`jsonSite, err := json.Marshal(site)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to marshal site: %s", err)`
			`}`

			`return &EnrollResult{Site: string(jsonSite)}, nil`
			`}`

			`func (c APIClient) TryUpdate(siteName string, hostID string, privateKey string, counter int, trustedKeys string) (TryUpdateResult, error) {`
			`// Build dnapi.Credentials struct from inputs`
			`if counter < 0 {`
			`return nil, fmt.Errorf("invalid counter value: must be unsigned")`
			`}`

Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`pk, rest, err := unmarshalHostPrivateKey([]byte(privateKey))`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`switch {`
			`case err != nil:`
			`return nil, fmt.Errorf("invalid private key: %s", err)`
			`case len(rest) > 0:`
			`return nil, fmt.Errorf("invalid private key: %d trailing bytes", len(rest))`
			`}`

Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`tk, err := keys.TrustedKeysFromPEM([]byte(trustedKeys))`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("invalid trusted keys: %s", err)`
			`}`

Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`creds := keys.Credentials{`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`HostID: hostID,`
Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`PrivateKey: pk,`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`Counter: uint(counter),`
Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00			`TrustedKeys: tk,`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`}`

			`// Check for update`
Update Nebula and dnapi (#158) * Update Nebula and dnapi * Update Go 2024-06-20 19:24:00 +00:00			`ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`
			`defer cancel()`
			`updateAvailable, err := c.c.CheckForUpdate(ctx, creds)`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`switch {`
			`case errors.As(err, &dnapi.InvalidCredentialsError{}):`
			`return nil, InvalidCredentialsError{}`
			`case err != nil:`
			`return nil, fmt.Errorf("CheckForUpdate error: %s", err)`
			`}`

			`if !updateAvailable {`
			`return &TryUpdateResult{FetchedUpdate: false}, nil`
			`}`

			`// Perform the update and return the new site object`
Update Nebula and dnapi (#158) * Update Nebula and dnapi * Update Go 2024-06-20 19:24:00 +00:00			`updateCtx, updateCancel := context.WithTimeout(context.Background(), 30*time.Second)`
			`defer updateCancel()`
			`cfg, pkey, newCreds, err := c.c.DoUpdate(updateCtx, creds)`
Support DN host enrollment (#86) Co-authored-by: Nate Brown <nbrown.us@gmail.com> 2022-11-17 21:43:16 +00:00			`switch {`
			`case errors.As(err, &dnapi.InvalidCredentialsError{}):`
			`return nil, InvalidCredentialsError{}`
			`case err != nil:`
			`return nil, fmt.Errorf("DoUpdate error: %s", err)`
			`}`

			`site, err := newDNSite(siteName, cfg, string(pkey), *newCreds)`
			`if err != nil {`
			`return nil, fmt.Errorf("failure generating site: %s", err)`
			`}`

			`jsonSite, err := json.Marshal(site)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to marshal site: %s", err)`
			`}`

			`return &TryUpdateResult{Site: string(jsonSite), FetchedUpdate: true}, nil`
			`}`
Support P256 managed networks (#205) 2024-12-12 21:05:16 +00:00
			`func unmarshalHostPrivateKey(b []byte) (keys.PrivateKey, []byte, error) {`
			`k, r, err := keys.UnmarshalHostPrivateKey(b)`
			`if err != nil {`
			`// We used to use a Nebula PEM header for these keys, so try that as a fallback`
			`k, r, err := cert.UnmarshalEd25519PrivateKey(b)`
			`if err != nil {`
			`return nil, r, fmt.Errorf("failed fallback unmarshal: %w", err)`
			`}`

			`pk, err := keys.NewPrivateKey(k)`
			`if err != nil {`
			`return nil, r, err`
			`}`

			`return pk, r, nil`
			`}`

			`return k, r, nil`
			`}`