trifid/dnapi-rs/src/client_blocking.rs

203 lines
8.4 KiB
Rust
Raw Normal View History

2023-03-29 18:31:07 +00:00
//! Client structs to handle communication with the Defined Networking API. This is the blocking client API - if you want async instead, set no-default-features and enable the async feature instead.
use std::error::Error;
use chrono::Local;
use log::{debug, error};
2023-03-29 20:55:51 +00:00
use reqwest::StatusCode;
2023-03-29 18:31:07 +00:00
use url::Url;
use trifid_pki::cert::serialize_ed25519_public;
2023-03-29 21:42:16 +00:00
use trifid_pki::ed25519_dalek::{Signature, Signer, SigningKey, Verifier};
2023-03-29 18:31:07 +00:00
use crate::credentials::{Credentials, ed25519_public_keys_from_pem};
2023-03-29 21:42:16 +00:00
use crate::crypto::{new_keys, nonce};
use crate::message::{CHECK_FOR_UPDATE, CheckForUpdateResponseWrapper, DO_UPDATE, DoUpdateRequest, DoUpdateResponse, ENDPOINT_V1, ENROLL_ENDPOINT, EnrollRequest, EnrollResponse, RequestV1, RequestWrapper, SignedResponseWrapper};
2023-03-29 18:31:07 +00:00
/// A type alias to abstract return types
pub type NebulaConfig = Vec<u8>;
/// A type alias to abstract DH private keys
pub type DHPrivateKeyPEM = Vec<u8>;
/// A combination of persistent data and HTTP client used for communicating with the API.
pub struct Client {
http_client: reqwest::blocking::Client,
server_url: Url
}
/// A struct containing organization metadata returned as a result of enrollment
pub struct EnrollMeta {
/// The server organization ID this node is now a member of
pub organization_id: String,
/// The server organization name this node is now a member of
pub organization_name: String
}
impl Client {
/// Create a new `Client` configured with the given User-Agent and API base.
/// # Errors
/// This function will return an error if the reqwest Client could not be created.
pub fn new(user_agent: String, api_base: Url) -> Result<Self, Box<dyn Error>> {
let client = reqwest::blocking::Client::builder().user_agent(user_agent).build()?;
Ok(Self {
http_client: client,
server_url: api_base
})
}
/// Issues an enrollment request against the REST API using the given enrollment code, passing along a
/// locally generated DH X25519 Nebula key to be signed by the CA, and an Ed25519 key for future API
/// authentication. On success it returns the Nebula config generated by the server, a Nebula private key PEM,
/// credentials to be used for future DN API requests, and an object containing organization information.
/// # Errors
/// This function will return an error in any of the following situations:
/// - the server_url is invalid
/// - the HTTP request fails
/// - the HTTP response is missing X-Request-ID
/// - X-Request-ID isn't valid UTF-8
/// - the server returns an error
/// - the server returns invalid JSON
/// - the `trusted_keys` field is invalid
pub fn enroll(&self, code: &str) -> Result<(NebulaConfig, DHPrivateKeyPEM, Credentials, EnrollMeta), Box<dyn Error>> {
debug!("making enrollment request to API {{server: {}, code: {}}}", self.server_url, code);
let (dh_pubkey_pem, dh_privkey_pem, ed_pubkey, ed_privkey) = new_keys();
let req_json = serde_json::to_string(&EnrollRequest {
code: code.to_string(),
dh_pubkey: dh_pubkey_pem,
ed_pubkey: serialize_ed25519_public(ed_pubkey.as_bytes()),
timestamp: Local::now().format("%Y-%m-%dT%H:%M:%S.%f%:z").to_string(),
})?;
let resp = self.http_client.post(self.server_url.join(ENROLL_ENDPOINT)?).body(req_json).send()?;
let req_id = resp.headers().get("X-Request-ID").ok_or("Response missing X-Request-ID")?.to_str()?;
debug!("enrollment request complete {{req_id: {}}}", req_id);
let resp: EnrollResponse = resp.json()?;
let r = match resp {
EnrollResponse::Success { data } => data,
EnrollResponse::Error { errors } => {
error!("unexpected error during enrollment: {}", errors[0].message);
return Err(errors[0].message.clone().into());
}
};
let meta = EnrollMeta {
organization_id: r.organization.id,
organization_name: r.organization.name,
};
let trusted_keys = ed25519_public_keys_from_pem(&r.trusted_keys)?;
let creds = Credentials {
host_id: r.host_id,
ed_privkey,
counter: r.counter,
trusted_keys,
};
Ok((r.config, dh_privkey_pem, creds, meta))
}
2023-03-29 21:42:16 +00:00
/// Send a signed message to the DNClient API to learn if there is a new configuration available.
pub fn check_for_update(&self, creds: &Credentials) -> Result<bool, Box<dyn Error>> {
let body = self.post_dnclient(CHECK_FOR_UPDATE, &[], &creds.host_id, creds.counter, &creds.ed_privkey)?;
let result: CheckForUpdateResponseWrapper = serde_json::from_slice(&body)?;
Ok(result.data.update_available)
}
/// Send a signed message to the DNClient API to fetch the new configuration update. During this call a new
/// DH X25519 keypair is generated for the new Nebula certificate as well as a new Ed25519 keypair for DNClient API
/// communication. On success it returns the new config, a Nebula private key PEM to be inserted into the config
/// and new DNClient API credentials
pub fn do_update(&self, creds: &Credentials) -> Result<(NebulaConfig, DHPrivateKeyPEM, Credentials), Box<dyn Error>> {
let (dh_pubkey_pem, dh_privkey_pem, ed_pubkey, ed_privkey) = new_keys();
let update_keys = DoUpdateRequest {
ed_pubkey_pem: serialize_ed25519_public(ed_pubkey.as_bytes()),
dh_pubkey_pem,
nonce: nonce().to_vec(),
};
let update_keys_blob = serde_json::to_vec(&update_keys)?;
let resp = self.post_dnclient(DO_UPDATE, &update_keys_blob, &creds.host_id, creds.counter, &creds.ed_privkey)?;
let result_wrapper: SignedResponseWrapper = serde_json::from_slice(&resp)?;
let mut valid = false;
for ca_pubkey in creds.trusted_keys {
if ca_pubkey.verify(&result_wrapper.data.message, &Signature::from_slice(&result_wrapper.data.signature)?).is_ok() {
valid = true;
break;
}
}
if !valid {
return Err("Failed to verify signed API result".into())
}
let result: DoUpdateResponse = serde_json::from_slice(&result_wrapper.data.message)?;
if result.nonce != update_keys.nonce {
error!("nonce mismatch between request {:x?} and response {:x?}", result.nonce, update_keys.nonce);
return Err(format!("nonce mismatch between request and response").into())
}
let trusted_keys = ed25519_public_keys_from_pem(&result.trusted_keys)?;
let new_creds = Credentials {
host_id: creds.host_id.clone(),
ed_privkey,
counter: result.counter,
trusted_keys,
};
Ok((result.config, dh_privkey_pem, new_creds))
}
2023-03-29 20:55:51 +00:00
/// Wraps and signs the given req_type and value, and then makes the API call.
/// On success, returns the response body.
/// # Errors
/// This function will return an error if:
/// - serialization in any step fails
/// - if the server_url is invalid
/// - if the request could not be sent
2023-03-29 21:42:16 +00:00
pub fn post_dnclient(&self, req_type: &str, value: &[u8], host_id: &str, counter: u32, ed_privkey: &SigningKey) -> Result<Vec<u8>, Box<dyn Error>> {
2023-03-29 20:55:51 +00:00
let encoded_msg = serde_json::to_string(&RequestWrapper {
message_type: req_type.to_string(),
value: value.to_vec(),
timestamp: Local::now().format("%Y-%m-%dT%H:%M:%S.%f%:z").to_string(),
})?;
let encoded_msg_bytes = encoded_msg.into_bytes();
let signature = ed_privkey.sign(&encoded_msg_bytes).to_vec();
let body = RequestV1 {
version: 1,
host_id: host_id.to_string(),
counter,
message: encoded_msg_bytes,
signature,
};
2023-03-29 18:31:07 +00:00
2023-03-29 20:55:51 +00:00
let post_body = serde_json::to_string(&body)?;
let resp = self.http_client.post(self.server_url.join(ENDPOINT_V1)?).body(post_body).send()?;
match resp.status() {
StatusCode::OK => {
Ok(resp.bytes()?.to_vec())
},
StatusCode::FORBIDDEN => {
Err("Forbidden".into())
},
_ => {
error!("dnclient endpoint returned bad status code {}", resp.status());
Err("dnclient endpoint returned error".into())
}
}
}
2023-03-29 18:31:07 +00:00
}