isle/go/cmd/entrypoint/admin.go

package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"isle/admin"
	"isle/bootstrap"
	"isle/nebula"
	"net/netip"
	"os"
)

func randStr(l int) string {
	b := make([]byte, l)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func readAdmin(path string) (admin.Admin, error) {

	if path == "-" {

		adm, err := admin.FromReader(os.Stdin)
		if err != nil {
			return admin.Admin{}, fmt.Errorf("parsing admin.json from stdin: %w", err)
		}

		return adm, nil
	}

	f, err := os.Open(path)
	if err != nil {
		return admin.Admin{}, fmt.Errorf("opening file: %w", err)
	}
	defer f.Close()

	return admin.FromReader(f)
}

var subCmdAdminCreateBootstrap = subCmd{
	name:  "create-bootstrap",
	descr: "Creates a new bootstrap.json file for a particular host and writes it to stdout",
	do: func(subCmdCtx subCmdCtx) error {
		var (
			flags    = subCmdCtx.flagSet(false)
			hostName nebula.HostName
			ip       netip.Addr
		)

		hostNameF := flags.VarPF(
			textUnmarshalerFlag{&hostName},
			"hostname", "h",
			"Name of the host to generate bootstrap.json for",
		)

		ipF := flags.VarPF(
			textUnmarshalerFlag{&ip}, "ip", "i", "IP of the new host",
		)

		adminPath := flags.StringP(
			"admin-path", "a", "",
			`Path to admin.json file. If the given path is "-" then stdin is used.`,
		)

		if err := flags.Parse(subCmdCtx.args); err != nil {
			return fmt.Errorf("parsing flags: %w", err)
		}

		if !hostNameF.Changed ||
			!ipF.Changed ||
			*adminPath == "" {
			return errors.New("--hostname, --ip, and --admin-path are required")
		}

		adm, err := readAdmin(*adminPath)
		if err != nil {
			return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)
		}

		garageBootstrap := bootstrap.Garage{
			RPCSecret:                    adm.Garage.RPCSecret,
			AdminToken:                   randStr(32),
			GlobalBucketS3APICredentials: adm.Garage.GlobalBucketS3APICredentials,
		}

		newHostBootstrap, err := bootstrap.New(
			adm.Nebula.CACredentials,
			adm.CreationParams,
			garageBootstrap,
			hostName,
			ip,
		)
		if err != nil {
			return fmt.Errorf("initializing bootstrap data: %w", err)
		}

		hostsRes, err := subCmdCtx.getHosts()
		if err != nil {
			return fmt.Errorf("getting hosts: %w", err)
		}

		for _, host := range hostsRes.Hosts {
			newHostBootstrap.Hosts[host.Name] = host
		}

		return newHostBootstrap.WriteTo(os.Stdout)
	},
}

var subCmdAdminCreateNebulaCert = subCmd{
	name:  "create-nebula-cert",
	descr: "Creates a signed nebula certificate file and writes it to stdout",
	do: func(subCmdCtx subCmdCtx) error {
		var (
			flags    = subCmdCtx.flagSet(false)
			hostName nebula.HostName
			ip       netip.Addr
		)

		hostNameF := flags.VarPF(
			textUnmarshalerFlag{&hostName},
			"hostname", "h",
			"Name of the host to generate a certificate for",
		)

		ipF := flags.VarPF(
			textUnmarshalerFlag{&ip}, "ip", "i", "IP of the new host",
		)

		adminPath := flags.StringP(
			"admin-path", "a", "",
			`Path to admin.json file. If the given path is "-" then stdin is used.`,
		)

		pubKeyPath := flags.StringP(
			"public-key-path", "p", "",
			`Path to PEM file containing public key which will be embedded in the cert.`,
		)

		if err := flags.Parse(subCmdCtx.args); err != nil {
			return fmt.Errorf("parsing flags: %w", err)
		}

		if !hostNameF.Changed ||
			!ipF.Changed ||
			*adminPath == "" ||
			*pubKeyPath == "" {
			return errors.New("--hostname, --ip, --admin-path, and --pub-key-path are required")
		}

		adm, err := readAdmin(*adminPath)
		if err != nil {
			return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)
		}

		hostPubPEM, err := os.ReadFile(*pubKeyPath)
		if err != nil {
			return fmt.Errorf("reading public key from %q: %w", *pubKeyPath, err)
		}

		var hostPub nebula.EncryptingPublicKey
		if err := hostPub.UnmarshalNebulaPEM(hostPubPEM); err != nil {
			return fmt.Errorf("unmarshaling public key as PEM: %w", err)
		}

		nebulaHostCert, err := nebula.NewHostCert(
			adm.Nebula.CACredentials, hostPub, hostName, ip,
		)
		if err != nil {
			return fmt.Errorf("creating cert: %w", err)
		}

		nebulaHostCertPEM, err := nebulaHostCert.Unwrap().MarshalToPEM()
		if err != nil {
			return fmt.Errorf("marshaling cert to PEM: %w", err)
		}

		if _, err := os.Stdout.Write([]byte(nebulaHostCertPEM)); err != nil {
			return fmt.Errorf("writing to stdout: %w", err)
		}

		return nil
	},
}

var subCmdAdmin = subCmd{
	name:  "admin",
	descr: "Sub-commands which only admins can run",
	do: func(subCmdCtx subCmdCtx) error {
		return subCmdCtx.doSubCmd(
			subCmdAdminCreateBootstrap,
			subCmdAdminCreateNebulaCert,
		)
	},
}
Factor out nebula-entrypoint As part of this all "wait" constraints have been migrated to pure-go implementations, taking advantage of pmux's `StartAfterFunc` argument. nebula-entrypoint was the final main process besides the entrypoint itself, allowing us to get rid of cryptic-net-main. 2022-10-20 19:59:46 +00:00			`package main`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00
			`import (`
Enable the garage admin interface 2022-10-16 19:22:58 +00:00			`"crypto/rand"`
			`"encoding/hex"`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`"errors"`
			`"fmt"`
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`"isle/admin"`
			`"isle/bootstrap"`
			`"isle/nebula"`
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`"net/netip"`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`"os"`
			`)`

Enable the garage admin interface 2022-10-16 19:22:58 +00:00			`func randStr(l int) string {`
			`b := make([]byte, l)`
			`if _, err := rand.Read(b); err != nil {`
			`panic(err)`
			`}`
			`return hex.EncodeToString(b)`
			`}`

Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`func readAdmin(path string) (admin.Admin, error) {`

			`if path == "-" {`

			`adm, err := admin.FromReader(os.Stdin)`
			`if err != nil {`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`return admin.Admin{}, fmt.Errorf("parsing admin.json from stdin: %w", err)`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`}`

			`return adm, nil`
			`}`

			`f, err := os.Open(path)`
			`if err != nil {`
			`return admin.Admin{}, fmt.Errorf("opening file: %w", err)`
			`}`
			`defer f.Close()`

			`return admin.FromReader(f)`
			`}`

Rename to make-bootstrap to create-bootstrap 2022-11-05 15:41:14 +00:00			`var subCmdAdminCreateBootstrap = subCmd{`
Remove runtime dir locking code 2024-07-12 14:13:44 +00:00			`name: "create-bootstrap",`
			`descr: "Creates a new bootstrap.json file for a particular host and writes it to stdout",`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`do: func(subCmdCtx subCmdCtx) error {`
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`var (`
			`flags = subCmdCtx.flagSet(false)`
			`hostName nebula.HostName`
			`ip netip.Addr`
			`)`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`hostNameF := flags.VarPF(`
			`textUnmarshalerFlag{&hostName},`
			`"hostname", "h",`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`"Name of the host to generate bootstrap.json for",`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`)`

Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`ipF := flags.VarPF(`
			`textUnmarshalerFlag{&ip}, "ip", "i", "IP of the new host",`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`)`

Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`adminPath := flags.StringP(`
			`"admin-path", "a", "",`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`Path to admin.json file. If the given path is "-" then stdin is used.`,
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`)`

			`if err := flags.Parse(subCmdCtx.args); err != nil {`
			`return fmt.Errorf("parsing flags: %w", err)`
			`}`

Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`if !hostNameF.Changed \|\|`
			`!ipF.Changed \|\|`
			`*adminPath == "" {`
Add Name field to admin.CreationParams 2022-11-05 11:34:49 +00:00			`return errors.New("--hostname, --ip, and --admin-path are required")`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`}`

			`adm, err := readAdmin(*adminPath)`
			`if err != nil {`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`}`

Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`garageBootstrap := bootstrap.Garage{`
			`RPCSecret: adm.Garage.RPCSecret,`
			`AdminToken: randStr(32),`
			`GlobalBucketS3APICredentials: adm.Garage.GlobalBucketS3APICredentials,`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`}`

Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`newHostBootstrap, err := bootstrap.New(`
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it. 2022-11-05 14:23:29 +00:00			`adm.Nebula.CACredentials,`
Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`adm.CreationParams,`
			`garageBootstrap,`
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`hostName,`
Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`ip,`
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it. 2022-11-05 14:23:29 +00:00			`)`
			`if err != nil {`
Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`return fmt.Errorf("initializing bootstrap data: %w", err)`
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it. 2022-11-05 14:23:29 +00:00			`}`

Use RPC for create-bootstrap 2024-07-09 13:14:29 +00:00			`hostsRes, err := subCmdCtx.getHosts()`
Refactor how host data is signed, now it's simpler and probably more secure 2024-06-10 20:31:29 +00:00			`if err != nil {`
Use RPC for create-bootstrap 2024-07-09 13:14:29 +00:00			`return fmt.Errorf("getting hosts: %w", err)`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`}`

Use RPC for create-bootstrap 2024-07-09 13:14:29 +00:00			`for _, host := range hostsRes.Hosts {`
			`newHostBootstrap.Hosts[host.Name] = host`
			`}`
Use yaml instead of tgz for bootstrap file 2022-11-02 13:34:40 +00:00
Remove Bootstrap from Env 2022-10-26 22:23:39 +00:00			`return newHostBootstrap.WriteTo(os.Stdout)`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`},`
			`}`

Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`var subCmdAdminCreateNebulaCert = subCmd{`
Remove runtime dir locking code 2024-07-12 14:13:44 +00:00			`name: "create-nebula-cert",`
			`descr: "Creates a signed nebula certificate file and writes it to stdout",`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`do: func(subCmdCtx subCmdCtx) error {`
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`var (`
			`flags = subCmdCtx.flagSet(false)`
			`hostName nebula.HostName`
			`ip netip.Addr`
			`)`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`hostNameF := flags.VarPF(`
			`textUnmarshalerFlag{&hostName},`
			`"hostname", "h",`
			`"Name of the host to generate a certificate for",`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`)`

Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`ipF := flags.VarPF(`
			`textUnmarshalerFlag{&ip}, "ip", "i", "IP of the new host",`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`)`

			`adminPath := flags.StringP(`
			`"admin-path", "a", "",`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`Path to admin.json file. If the given path is "-" then stdin is used.`,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`)`

			`pubKeyPath := flags.StringP(`
			`"public-key-path", "p", "",`
			`Path to PEM file containing public key which will be embedded in the cert.`,
			`)`

			`if err := flags.Parse(subCmdCtx.args); err != nil {`
			`return fmt.Errorf("parsing flags: %w", err)`
			`}`

Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`if !hostNameF.Changed \|\|`
			`!ipF.Changed \|\|`
			`*adminPath == "" \|\|`
			`*pubKeyPath == "" {`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`return errors.New("--hostname, --ip, --admin-path, and --pub-key-path are required")`
			`}`

			`adm, err := readAdmin(*adminPath)`
			`if err != nil {`
Use JSON instead of YAML for files which aren't intended for human editing 2024-06-10 16:56:36 +00:00			`return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`}`

			`hostPubPEM, err := os.ReadFile(*pubKeyPath)`
			`if err != nil {`
			`return fmt.Errorf("reading public key from %q: %w", *pubKeyPath, err)`
			`}`

Refactor how signing/encryption keys are typed and (un)marshaled 2024-06-15 21:02:24 +00:00			`var hostPub nebula.EncryptingPublicKey`
			`if err := hostPub.UnmarshalNebulaPEM(hostPubPEM); err != nil {`
			`return fmt.Errorf("unmarshaling public key as PEM: %w", err)`
			`}`

			`nebulaHostCert, err := nebula.NewHostCert(`
Do proper type-based validation or hostnames and ipnets 2024-07-12 13:30:21 +00:00			`adm.Nebula.CACredentials, hostPub, hostName, ip,`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`)`
			`if err != nil {`
			`return fmt.Errorf("creating cert: %w", err)`
			`}`

Implement RPC socket and use it to list hosts 2024-06-23 12:37:10 +00:00			`nebulaHostCertPEM, err := nebulaHostCert.Unwrap().MarshalToPEM()`
Refactor how signing/encryption keys are typed and (un)marshaled 2024-06-15 21:02:24 +00:00			`if err != nil {`
			`return fmt.Errorf("marshaling cert to PEM: %w", err)`
			`}`

Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`if _, err := os.Stdout.Write([]byte(nebulaHostCertPEM)); err != nil {`
			`return fmt.Errorf("writing to stdout: %w", err)`
			`}`

			`return nil`
			`},`
			`}`

Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`var subCmdAdmin = subCmd{`
			`name: "admin",`
			`descr: "Sub-commands which only admins can run",`
			`do: func(subCmdCtx subCmdCtx) error {`
			`return subCmdCtx.doSubCmd(`
Rename to make-bootstrap to create-bootstrap 2022-11-05 15:41:14 +00:00			`subCmdAdminCreateBootstrap,`
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server. 2023-08-27 14:09:03 +00:00			`subCmdAdminCreateNebulaCert,`
Re-arrange sub-commands in entrypoint somewhat 2022-10-16 15:18:50 +00:00			`)`
			`},`
			`}`