From b1d92b395322f2164ccfb44b0f7caebbaece6b62 Mon Sep 17 00:00:00 2001 From: jwijenbergh Date: Fri, 22 Apr 2022 16:29:59 +0200 Subject: Refactor: Restructure project - Add an internal folder where all the internal code lives - Make a state.go and state_test.go for the public interface This gives a more clear separation between functions and modules. It also makes this a more typical Go project setup. --- Makefile | 2 +- ci/docker/go-test.docker | 5 +- cli/go.mod | 7 - cli/go.sum | 45 --- cli/main.go | 84 ----- cmd/cli/main.go | 55 +++ exports/Makefile | 2 +- exports/exports.go | 22 +- go.mod | 4 +- go.sum | 32 +- internal/api.go | 110 ++++++ internal/config.go | 43 +++ internal/discovery.go | 172 +++++++++ internal/fsm.go | 187 ++++++++++ internal/http.go | 172 +++++++++ internal/log.go | 65 ++++ internal/oauth.go | 379 ++++++++++++++++++++ internal/openvpn.go | 12 + internal/server.go | 196 ++++++++++ internal/test_data/empty | 0 internal/test_data/generate.sh | 58 +++ internal/test_data/generate_forged.py | 37 ++ internal/test_data/organization_list.json | 1 + internal/test_data/organization_list.json.minisig | 4 + .../organization_list.json.tc_servlist.minisig | 4 + internal/test_data/other_list.json | 1 + internal/test_data/other_list.json.minisig | 4 + internal/test_data/public.key | 2 + internal/test_data/random.txt | 1 + internal/test_data/secret.key | 2 + internal/test_data/server_list.json | 3 + internal/test_data/server_list.json.blake2b | Bin 0 -> 64 bytes .../server_list.json.forged_keyid.minisig | 4 + .../test_data/server_list.json.forged_pure.minisig | 4 + .../test_data/server_list.json.large_time.minisig | 4 + internal/test_data/server_list.json.minisig | 4 + internal/test_data/server_list.json.pure.minisig | 4 + .../server_list.json.tc_earliertime.minisig | 4 + .../server_list.json.tc_emptyfile.minisig | 4 + .../server_list.json.tc_emptytime.minisig | 4 + .../server_list.json.tc_latertime.minisig | 4 + .../test_data/server_list.json.tc_nofile.minisig | 4 + .../test_data/server_list.json.tc_nohashed.minisig | 4 + .../test_data/server_list.json.tc_notime.minisig | 4 + .../test_data/server_list.json.tc_orglist.minisig | 4 + .../server_list.json.tc_otherfile.minisig | 4 + .../test_data/server_list.json.tc_random.minisig | 4 + .../test_data/server_list.json.wrong_key.minisig | 4 + internal/test_data/wrong_public.key | 2 + internal/test_data/wrong_secret.key | 2 + internal/util.go | 30 ++ internal/verify.go | 205 +++++++++++ internal/verify_test.go | 140 ++++++++ internal/wireguard.go | 52 +++ src/api.go | 110 ------ src/config.go | 42 --- src/discovery.go | 165 --------- src/fsm.go | 197 ----------- src/http.go | 172 --------- src/log.go | 66 ---- src/oauth.go | 393 --------------------- src/openvpn.go | 12 - src/server.go | 178 ---------- src/server_test.go | 214 ----------- src/state.go | 108 ------ src/test_data/empty | 0 src/test_data/generate.sh | 58 --- src/test_data/generate_forged.py | 37 -- src/test_data/organization_list.json | 1 - src/test_data/organization_list.json.minisig | 4 - .../organization_list.json.tc_servlist.minisig | 4 - src/test_data/other_list.json | 1 - src/test_data/other_list.json.minisig | 4 - src/test_data/public.key | 2 - src/test_data/random.txt | 1 - src/test_data/secret.key | 2 - src/test_data/server_list.json | 3 - src/test_data/server_list.json.blake2b | Bin 64 -> 0 bytes .../server_list.json.forged_keyid.minisig | 4 - src/test_data/server_list.json.forged_pure.minisig | 4 - src/test_data/server_list.json.large_time.minisig | 4 - src/test_data/server_list.json.minisig | 4 - src/test_data/server_list.json.pure.minisig | 4 - .../server_list.json.tc_earliertime.minisig | 4 - .../server_list.json.tc_emptyfile.minisig | 4 - .../server_list.json.tc_emptytime.minisig | 4 - .../server_list.json.tc_latertime.minisig | 4 - src/test_data/server_list.json.tc_nofile.minisig | 4 - src/test_data/server_list.json.tc_nohashed.minisig | 4 - src/test_data/server_list.json.tc_notime.minisig | 4 - src/test_data/server_list.json.tc_orglist.minisig | 4 - .../server_list.json.tc_otherfile.minisig | 4 - src/test_data/server_list.json.tc_random.minisig | 4 - src/test_data/server_list.json.wrong_key.minisig | 4 - src/test_data/wrong_public.key | 2 - src/test_data/wrong_secret.key | 2 - src/util.go | 21 -- src/verify.go | 205 ----------- src/verify_test.go | 140 -------- src/wireguard.go | 52 --- state.go | 143 ++++++++ state_test.go | 212 +++++++++++ 102 files changed, 2389 insertions(+), 2432 deletions(-) delete mode 100644 cli/go.mod delete mode 100644 cli/go.sum delete mode 100644 cli/main.go create mode 100644 cmd/cli/main.go create mode 100644 internal/api.go create mode 100644 internal/config.go create mode 100644 internal/discovery.go create mode 100644 internal/fsm.go create mode 100644 internal/http.go create mode 100644 internal/log.go create mode 100644 internal/oauth.go create mode 100644 internal/openvpn.go create mode 100644 internal/server.go create mode 100644 internal/test_data/empty create mode 100644 internal/test_data/generate.sh create mode 100644 internal/test_data/generate_forged.py create mode 100644 internal/test_data/organization_list.json create mode 100644 internal/test_data/organization_list.json.minisig create mode 100644 internal/test_data/organization_list.json.tc_servlist.minisig create mode 100644 internal/test_data/other_list.json create mode 100644 internal/test_data/other_list.json.minisig create mode 100644 internal/test_data/public.key create mode 100644 internal/test_data/random.txt create mode 100644 internal/test_data/secret.key create mode 100644 internal/test_data/server_list.json create mode 100644 internal/test_data/server_list.json.blake2b create mode 100644 internal/test_data/server_list.json.forged_keyid.minisig create mode 100644 internal/test_data/server_list.json.forged_pure.minisig create mode 100644 internal/test_data/server_list.json.large_time.minisig create mode 100644 internal/test_data/server_list.json.minisig create mode 100644 internal/test_data/server_list.json.pure.minisig create mode 100644 internal/test_data/server_list.json.tc_earliertime.minisig create mode 100644 internal/test_data/server_list.json.tc_emptyfile.minisig create mode 100644 internal/test_data/server_list.json.tc_emptytime.minisig create mode 100644 internal/test_data/server_list.json.tc_latertime.minisig create mode 100644 internal/test_data/server_list.json.tc_nofile.minisig create mode 100644 internal/test_data/server_list.json.tc_nohashed.minisig create mode 100644 internal/test_data/server_list.json.tc_notime.minisig create mode 100644 internal/test_data/server_list.json.tc_orglist.minisig create mode 100644 internal/test_data/server_list.json.tc_otherfile.minisig create mode 100644 internal/test_data/server_list.json.tc_random.minisig create mode 100644 internal/test_data/server_list.json.wrong_key.minisig create mode 100644 internal/test_data/wrong_public.key create mode 100644 internal/test_data/wrong_secret.key create mode 100644 internal/util.go create mode 100644 internal/verify.go create mode 100644 internal/verify_test.go create mode 100644 internal/wireguard.go delete mode 100644 src/api.go delete mode 100644 src/config.go delete mode 100644 src/discovery.go delete mode 100644 src/fsm.go delete mode 100644 src/http.go delete mode 100644 src/log.go delete mode 100644 src/oauth.go delete mode 100644 src/openvpn.go delete mode 100644 src/server.go delete mode 100644 src/server_test.go delete mode 100644 src/state.go delete mode 100644 src/test_data/empty delete mode 100644 src/test_data/generate.sh delete mode 100644 src/test_data/generate_forged.py delete mode 100644 src/test_data/organization_list.json delete mode 100644 src/test_data/organization_list.json.minisig delete mode 100644 src/test_data/organization_list.json.tc_servlist.minisig delete mode 100644 src/test_data/other_list.json delete mode 100644 src/test_data/other_list.json.minisig delete mode 100644 src/test_data/public.key delete mode 100644 src/test_data/random.txt delete mode 100644 src/test_data/secret.key delete mode 100644 src/test_data/server_list.json delete mode 100644 src/test_data/server_list.json.blake2b delete mode 100644 src/test_data/server_list.json.forged_keyid.minisig delete mode 100644 src/test_data/server_list.json.forged_pure.minisig delete mode 100644 src/test_data/server_list.json.large_time.minisig delete mode 100644 src/test_data/server_list.json.minisig delete mode 100644 src/test_data/server_list.json.pure.minisig delete mode 100644 src/test_data/server_list.json.tc_earliertime.minisig delete mode 100644 src/test_data/server_list.json.tc_emptyfile.minisig delete mode 100644 src/test_data/server_list.json.tc_emptytime.minisig delete mode 100644 src/test_data/server_list.json.tc_latertime.minisig delete mode 100644 src/test_data/server_list.json.tc_nofile.minisig delete mode 100644 src/test_data/server_list.json.tc_nohashed.minisig delete mode 100644 src/test_data/server_list.json.tc_notime.minisig delete mode 100644 src/test_data/server_list.json.tc_orglist.minisig delete mode 100644 src/test_data/server_list.json.tc_otherfile.minisig delete mode 100644 src/test_data/server_list.json.tc_random.minisig delete mode 100644 src/test_data/server_list.json.wrong_key.minisig delete mode 100644 src/test_data/wrong_public.key delete mode 100644 src/test_data/wrong_secret.key delete mode 100644 src/util.go delete mode 100644 src/verify.go delete mode 100644 src/verify_test.go delete mode 100644 src/wireguard.go create mode 100644 state.go create mode 100644 state_test.go diff --git a/Makefile b/Makefile index 36a19da..938e891 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ build: test: test-go test-wrappers test-go: - go test github.com/jwijenbergh/eduvpn-common/src + go test ./... WRAPPERS ?= $(notdir $(patsubst %/,%,$(wildcard wrappers/*/))) diff --git a/ci/docker/go-test.docker b/ci/docker/go-test.docker index 3e56f67..2e6bcd5 100644 --- a/ci/docker/go-test.docker +++ b/ci/docker/go-test.docker @@ -28,10 +28,11 @@ RUN go mod download && go mod verify WORKDIR /eduvpn/go # Copy go source -COPY ./src ./src +COPY *.go ./ +COPY ./internal ./internal # Copy selenium scripts COPY ./selenium_eduvpn.py ./selenium_eduvpn.py # Run the tests -CMD ["go", "test", "-mod=readonly", "github.com/jwijenbergh/eduvpn-common/src", "-v"] +CMD ["go", "test", "-mod=readonly", "./...", "-v"] diff --git a/cli/go.mod b/cli/go.mod deleted file mode 100644 index 0bf9161..0000000 --- a/cli/go.mod +++ /dev/null @@ -1,7 +0,0 @@ -module github.com/jwijenbergh/eduvpn-common/cli - -replace github.com/jwijenbergh/eduvpn-common => ../ - -go 1.16 - -require github.com/jwijenbergh/eduvpn-common v0.0.0-00010101000000-000000000000 diff --git a/cli/go.sum b/cli/go.sum deleted file mode 100644 index 3e1adbc..0000000 --- a/cli/go.sum +++ /dev/null @@ -1,45 +0,0 @@ -github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8= -github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= -github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= -github.com/mdlayher/genetlink v1.2.0/go.mod h1:ra5LDov2KrUCZJiAtEvXXZBxGMInICMXIwshlJ+qRxQ= -github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA= -github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs= -github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220208050332-20e1d8d225ab/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 h1:BkypuErRT9A9I/iljuaG3/zdMjd/J6m8tKKJQtGfSdA= -golang.org/x/crypto v0.0.0-20220208233918-bba287dce954/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220207234003-57398862261d h1:Bm7BNOQt2Qv7ZqysjeLjgCBanX+88Z/OtdvsrEv1Djc= -golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg= -golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= -golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178 h1:Nrf94TOjrvW8nm6N3u2xtbnMZaZudNI9b8nIJH8p8qY= -golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220208144051-fde48d68ee68 h1:9c4/JVIQUc2qCJEEIiGIs3HmmnFjhPj4qHW4+Uj+u3U= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220208144051-fde48d68ee68/go.mod h1:8P32Ilp1kCpwB4ItaHyvSk4xAtnpQ+8gQVfg5WaO1TU= diff --git a/cli/main.go b/cli/main.go deleted file mode 100644 index d5c3aa8..0000000 --- a/cli/main.go +++ /dev/null @@ -1,84 +0,0 @@ -package main - -import ( - "errors" - "flag" - "fmt" - "os" - "os/exec" - "strings" - - eduvpn "github.com/jwijenbergh/eduvpn-common/src" -) - -func openBrowser(urlString string) { - fmt.Printf("OAuth: Initialized with AuthURL %s\n", urlString) - fmt.Println("OAuth: Opening browser with xdg-open...") - exec.Command("xdg-open", urlString).Start() -} - -func logState(oldState string, newState string, data string) { - fmt.Printf("State: %s -> State: %s with data %s\n", oldState, newState, data) - - if newState == "OAuth_Started" { - openBrowser(data) - } -} - -func writeGraph(filename string) error { - state := eduvpn.GetVPNState() - - state.InitializeFSM() - - graph := state.GenerateGraph() - - f, err := os.Create(filename) - if err != nil { - return errors.New(fmt.Sprintf("Failed to create file %s with error %v", filename, err)) - } - - defer f.Close() - - f.WriteString(graph) - - fmt.Printf("Graph written to file: %s, use 'fdp %s -Tsvg > graph.svg' from graphviz to save to a svg file called graph.svg\n", filename, filename) - - return nil -} - -func main() { - fileGraph := flag.String("dumpgraph", "", "Dump the FSM to a graphviz fdp file") - urlArg := flag.String("url", "", "The url of the vpn") - flag.Parse() - - fileGraphString := *fileGraph - if fileGraphString != "" { - writeGraph(fileGraphString) - return - } - urlString := *urlArg - - if urlString != "" { - if !strings.HasPrefix(urlString, "https://") { - urlString = "https://" + urlString - } - - state := eduvpn.GetVPNState() - - state.Register("org.eduvpn.app.linux", "configs", logState, true) - config, configErr := state.Connect(urlString) - - if configErr != nil { - fmt.Printf("Config error %v", configErr) - return - } - - fmt.Println(config) - - state.Deregister() - - return - } - - flag.PrintDefaults() -} diff --git a/cmd/cli/main.go b/cmd/cli/main.go new file mode 100644 index 0000000..1406175 --- /dev/null +++ b/cmd/cli/main.go @@ -0,0 +1,55 @@ +package main + +import ( + "flag" + "fmt" + "os/exec" + "strings" + + eduvpn "github.com/jwijenbergh/eduvpn-common" +) + +func openBrowser(urlString string) { + fmt.Printf("OAuth: Initialized with AuthURL %s\n", urlString) + fmt.Println("OAuth: Opening browser with xdg-open...") + exec.Command("xdg-open", urlString).Start() +} + +func logState(oldState string, newState string, data string) { + fmt.Printf("State: %s -> State: %s with data %s\n", oldState, newState, data) + + if newState == "OAuth_Started" { + openBrowser(data) + } +} + +func main() { + urlArg := flag.String("url", "", "The url of the vpn") + flag.Parse() + + urlString := *urlArg + + if urlString != "" { + if !strings.HasPrefix(urlString, "https://") { + urlString = "https://" + urlString + } + + state := eduvpn.GetVPNState() + + state.Register("org.eduvpn.app.linux", "configs", logState, true) + config, configErr := state.Connect(urlString) + + if configErr != nil { + fmt.Printf("Config error %v", configErr) + return + } + + fmt.Println(config) + + state.Deregister() + + return + } + + flag.PrintDefaults() +} diff --git a/exports/Makefile b/exports/Makefile index 86dbec2..b833228 100644 --- a/exports/Makefile +++ b/exports/Makefile @@ -16,7 +16,7 @@ endif # Build shared library and remove lib prefix (if any) from header name # GOOS and GOARCH envvars are set by common.mk # This extra target prevents unnecessary rebuild -lib/$(GOOS)/$(GOARCH)/$(LIB_FILE): exports.go ../src/*.go +lib/$(GOOS)/$(GOARCH)/$(LIB_FILE): exports.go .. CGO_ENABLED=1 go build -o $@ -buildmode=c-shared $< mv lib/$(GOOS)/$(GOARCH)/$(LIB_PREFIX)$(LIB_NAME).h lib/$(GOOS)/$(GOARCH)/$(LIB_NAME).h || true # Normalize header name diff --git a/exports/exports.go b/exports/exports.go index 84cd571..aa6f5b6 100644 --- a/exports/exports.go +++ b/exports/exports.go @@ -14,7 +14,7 @@ void call_callback(PythonCB callback, const char* oldstate, const char* newstate */ import "C" import "unsafe" -import "github.com/jwijenbergh/eduvpn-common/src" +import "github.com/jwijenbergh/eduvpn-common" var P_StateCallback C.PythonCB @@ -63,7 +63,7 @@ func Connect(url *C.char) (*C.char, *C.char) { //export GetOrganizationsList func GetOrganizationsList() (*C.char, *C.char) { state := eduvpn.GetVPNState() - organizations, organizationsErr := state.GetOrganizationsList() + organizations, organizationsErr := state.GetDiscoOrganizations() return C.CString(organizations), C.CString(ErrorToString(organizationsErr)) } @@ -71,27 +71,15 @@ func GetOrganizationsList() (*C.char, *C.char) { //export GetServersList func GetServersList() (*C.char, *C.char) { state := eduvpn.GetVPNState() - servers, serversErr := state.GetServersList() + servers, serversErr := state.GetDiscoServers() return C.CString(servers), C.CString(ErrorToString(serversErr)) } //export SetProfileID func SetProfileID(data *C.char) *C.char { state := eduvpn.GetVPNState() - - if !state.InState(eduvpn.ASK_PROFILE) { - return C.CString("Invalid state for setting a profile") - } - - // Set current profile to id - profile_id := C.GoString(data) - - server, serverErr := state.Servers.GetCurrentServer() - if serverErr != nil { - return C.CString("No server found for setting a profile ID") - } - server.Profiles.Current = profile_id - return C.CString("") + profileErr := state.SetProfileID(C.GoString(data)) + return C.CString(ErrorToString(profileErr)) } //export FreeString diff --git a/go.mod b/go.mod index 2c73c42..88bb6f1 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,6 @@ go 1.15 require ( github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b - golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 // indirect - golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220208144051-fde48d68ee68 + golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect + golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220420130459-88a4932fb60b ) diff --git a/go.sum b/go.sum index 1a3d3c8..d536cee 100644 --- a/go.sum +++ b/go.sum @@ -7,30 +7,37 @@ github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2C github.com/mdlayher/genetlink v1.2.0/go.mod h1:ra5LDov2KrUCZJiAtEvXXZBxGMInICMXIwshlJ+qRxQ= github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA= github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs= +github.com/mdlayher/socket v0.2.3/go.mod h1:bz12/FozYNH/VbvC3q7TRIK/Y6dH1kCKsXaUeXi/FmY= github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220208050332-20e1d8d225ab/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 h1:BkypuErRT9A9I/iljuaG3/zdMjd/J6m8tKKJQtGfSdA= -golang.org/x/crypto v0.0.0-20220208233918-bba287dce954/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220418201149-a630d4f3e7a2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220207234003-57398862261d h1:Bm7BNOQt2Qv7ZqysjeLjgCBanX+88Z/OtdvsrEv1Djc= -golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= @@ -38,9 +45,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg= golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= -golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178 h1:Nrf94TOjrvW8nm6N3u2xtbnMZaZudNI9b8nIJH8p8qY= -golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220208144051-fde48d68ee68 h1:9c4/JVIQUc2qCJEEIiGIs3HmmnFjhPj4qHW4+Uj+u3U= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220208144051-fde48d68ee68/go.mod h1:8P32Ilp1kCpwB4ItaHyvSk4xAtnpQ+8gQVfg5WaO1TU= +golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d h1:q4JksJ2n0fmbXC0Aj0eOs6E0AcPqnKglxWXWFqGD6x0= +golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220420130459-88a4932fb60b h1:8Uvay8veN0RwnZlR6eCnLb0dJbMutFFAdKrXa4TAIk8= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220420130459-88a4932fb60b/go.mod h1:yp4gl6zOlnDGOZeWeDfMwQcsdOIQnMdhuPx9mwwWBL4= diff --git a/internal/api.go b/internal/api.go new file mode 100644 index 0000000..718702b --- /dev/null +++ b/internal/api.go @@ -0,0 +1,110 @@ +package internal + +import ( + "encoding/json" + "errors" + "fmt" + "net/http" + "net/url" +) + +// Authenticated wrappers on top of HTTP +func (server *Server) apiAuthenticated(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) { + // Ensure optional is not nil as we will fill it with headers + if opts == nil { + opts = &HTTPOptionalParams{} + } + url := server.Endpoints.API.V3.API + endpoint + + // Ensure we have valid tokens + oauthErr := server.EnsureTokens() + + if oauthErr != nil { + return nil, nil, oauthErr + } + + headerKey := "Authorization" + headerValue := fmt.Sprintf("Bearer %s", server.OAuth.Token.Access) + if opts.Headers != nil { + opts.Headers.Add(headerKey, headerValue) + } else { + opts.Headers = http.Header{headerKey: {headerValue}} + } + return HTTPMethodWithOpts(method, url, opts) +} + +func (server *Server) apiAuthenticatedRetry(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) { + header, body, bodyErr := server.apiAuthenticated(method, endpoint, opts) + if bodyErr != nil { + var error *HTTPStatusError + + // Only retry authenticated if we get a HTTP 401 + if errors.As(bodyErr, &error) && error.Status == 401 { + server.Logger.Log(LOG_INFO, fmt.Sprintf("API: Got HTTP error %v, retrying authenticated", error)) + // Tell the method that the token is expired + server.OAuth.Token.ExpiredTimestamp = GenerateTimeSeconds() + return server.apiAuthenticated(method, endpoint, opts) + } + return header, nil, bodyErr + } + return header, body, bodyErr +} + +func (server *Server) APIInfo() error { + _, body, bodyErr := server.apiAuthenticatedRetry(http.MethodGet, "/info", nil) + if bodyErr != nil { + return bodyErr + } + structure := ServerProfileInfo{} + jsonErr := json.Unmarshal(body, &structure) + + if jsonErr != nil { + return jsonErr + } + + server.Profiles = structure + server.ProfilesRaw = string(body) + return nil +} + +func (server *Server) APIConnectWireguard(profile_id string, pubkey string) (string, string, error) { + headers := http.Header{ + "content-type": {"application/x-www-form-urlencoded"}, + "accept": {"application/x-wireguard-profile"}, + } + + urlForm := url.Values{ + "profile_id": {profile_id}, + "public_key": {pubkey}, + } + header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm}) + if connectErr != nil { + return "", "", connectErr + } + + expires := header.Get("expires") + return string(connectBody), expires, nil +} + +func (server *Server) APIConnectOpenVPN(profile_id string) (string, string, error) { + headers := http.Header{ + "content-type": {"application/x-www-form-urlencoded"}, + "accept": {"application/x-openvpn-profile"}, + } + + urlForm := url.Values{ + "profile_id": {profile_id}, + } + header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm}) + if connectErr != nil { + return "", "", connectErr + } + + expires := header.Get("expires") + return string(connectBody), expires, nil +} + +// This needs no further return value as it's best effort +func (server *Server) APIDisconnect() { + server.apiAuthenticatedRetry(http.MethodPost, "/disconnect", nil) +} diff --git a/internal/config.go b/internal/config.go new file mode 100644 index 0000000..47f773e --- /dev/null +++ b/internal/config.go @@ -0,0 +1,43 @@ +package internal + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "path" +) + +type Config struct { + Name string + Directory string +} + +func (config *Config) Init(name string, directory string) { + config.Name = name + config.Directory = directory +} + +func (config *Config) GetFilename() string { + pathString := path.Join(config.Directory, config.Name) + return fmt.Sprintf("%s.json", pathString) +} + +func (config *Config) Save(readStruct interface{}) error { + configDirErr := EnsureDirectory(config.Directory) + if configDirErr != nil { + return configDirErr + } + jsonString, marshalErr := json.Marshal(readStruct) + if marshalErr != nil { + return marshalErr + } + return ioutil.WriteFile(config.GetFilename(), jsonString, 0o644) +} + +func (config *Config) Load(writeStruct interface{}) error { + bytes, readErr := ioutil.ReadFile(config.GetFilename()) + if readErr != nil { + return readErr + } + return json.Unmarshal(bytes, writeStruct) +} diff --git a/internal/discovery.go b/internal/discovery.go new file mode 100644 index 0000000..8c0acc7 --- /dev/null +++ b/internal/discovery.go @@ -0,0 +1,172 @@ +package internal + +import ( + "encoding/json" + "fmt" +) + +type DiscoFileError struct { + URL string + Err error +} + +func (e *DiscoFileError) Error() string { + return fmt.Sprintf("failed obtaining disco file %s with error %v", e.URL, e.Err) +} + +type DiscoSigFileError struct { + URL string + Err error +} + +func (e *DiscoSigFileError) Error() string { + return fmt.Sprintf("failed obtaining disco signature file %s with error %v", e.URL, e.Err) +} + +type DiscoVerifyError struct { + File string + Sigfile string + Err error +} + +func (e *DiscoVerifyError) Error() string { + return fmt.Sprintf("failed verifying file %s with signature %s due to error %v", e.File, e.Sigfile, e.Err) +} + +type DiscoJSONError struct { + Body string + Err error +} + +func (e *DiscoJSONError) Error() string { + return fmt.Sprintf("failed parsing JSON for contents %s with error %v", e.Body, e.Err) +} + +type OrganizationList struct { + JSON json.RawMessage `json:"organization_list"` + Version uint64 `json:"v"` + Timestamp int64 `json:"-"` +} + +type ServersList struct { + JSON json.RawMessage `json:"server_list"` + Version uint64 `json:"v"` + Timestamp int64 `json:"-"` +} + +type Discovery struct { + Organizations OrganizationList + Servers ServersList + FSM *FSM + Logger *FileLogger +} + +// Helper function that gets a disco json +func getDiscoFile(jsonFile string, previousVersion uint64, structure interface{}) error { + // Get json data + discoURL := "https://disco.eduvpn.org/v2/" + fileURL := discoURL + jsonFile + _, fileBody, fileErr := HTTPGet(fileURL) + + if fileErr != nil { + return &DiscoFileError{fileURL, fileErr} + } + + // Get signature + sigFile := jsonFile + ".minisig" + sigURL := discoURL + sigFile + _, sigBody, sigFileErr := HTTPGet(sigURL) + + if sigFileErr != nil { + return &DiscoSigFileError{URL: sigURL, Err: sigFileErr} + } + + // Verify signature + // Set this to true when we want to force prehash + forcePrehash := false + verifySuccess, verifyErr := Verify(string(sigBody), fileBody, jsonFile, previousVersion, forcePrehash) + + if !verifySuccess || verifyErr != nil { + return &DiscoVerifyError{File: jsonFile, Sigfile: sigFile, Err: verifyErr} + } + + // Parse JSON to extract version and list + jsonErr := json.Unmarshal(fileBody, structure) + + if jsonErr != nil { + return &DiscoJSONError{Body: string(fileBody), Err: jsonErr} + } + + return nil +} + +type GetListError struct { + File string + Err error +} + +func (e *GetListError) Error() string { + return fmt.Sprintf("failed getting disco list file %s with error %v", e.File, e.Err) +} + +func (discovery *Discovery) Init(fsm *FSM, logger *FileLogger) { + discovery.FSM = fsm + discovery.Logger = logger +} + +// FIXME: Implement based on +// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md +// - [IMPLEMENTED] on "first launch" when offering the search for "Institute Access" and "Organizations"; +// - [TODO] when the user tries to add new server AND the user did NOT yet choose an organization before; +// - [TODO] when the authorization for the server associated with an already chosen organization is triggered, e.g. after expiry or revocation. +func (discovery *Discovery) DetermineOrganizationsUpdate() bool { + return string(discovery.Organizations.JSON) == "" +} + +// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md +// - [Implemented] The application MUST always fetch the server_list.json at application start. +// - The application MAY refresh the server_list.json periodically, e.g. once every hour. +func (discovery *Discovery) DetermineServersUpdate() bool { + // No servers, we should update + if string(discovery.Servers.JSON) == "" { + return true + } + // 1 hour from the last update + should_update_time := discovery.Servers.Timestamp + 3600 + now := GenerateTimeSeconds() + if now >= should_update_time { + return true + } + discovery.Logger.Log(LOG_INFO, "No update needed for servers, 1h is not passed yet") + return false +} + +// Get the organization list +func (discovery *Discovery) GetOrganizationsList() (string, error) { + if !discovery.DetermineOrganizationsUpdate() { + return string(discovery.Organizations.JSON), nil + } + file := "organization_list.json" + err := getDiscoFile(file, discovery.Organizations.Version, &discovery.Organizations) + if err != nil { + // Return previous with an error + return string(discovery.Organizations.JSON), &GetListError{File: file, Err: err} + } + return string(discovery.Organizations.JSON), nil +} + +// Get the server list +func (discovery *Discovery) GetServersList() (string, error) { + if !discovery.DetermineServersUpdate() { + return string(discovery.Servers.JSON), nil + } + file := "server_list.json" + err := getDiscoFile(file, discovery.Servers.Version, &discovery.Servers) + if err != nil { + // Return previous with an error + return string(discovery.Servers.JSON), &GetListError{File: file, Err: err} + } + // Update servers timestamp + discovery.Servers.Timestamp = GenerateTimeSeconds() + return string(discovery.Servers.JSON), nil +} diff --git a/internal/fsm.go b/internal/fsm.go new file mode 100644 index 0000000..fadc7c9 --- /dev/null +++ b/internal/fsm.go @@ -0,0 +1,187 @@ +package internal + +import ( + "fmt" + "os" + "sort" +) + +type ( + FSMStateID int8 + FSMStateIDSlice []FSMStateID +) + +func (v FSMStateIDSlice) Len() int { + return len(v) +} + +func (v FSMStateIDSlice) Less(i, j int) bool { + return v[i] < v[j] +} + +func (v FSMStateIDSlice) Swap(i, j int) { + v[i], v[j] = v[j], v[i] +} + +const ( + // Deregistered means the app is not registered with the wrapper + DEREGISTERED FSMStateID = iota + + // No Server means the user has not chosen a server yet + NO_SERVER + + // Chosen Server means the user has chosen a server to connect to + CHOSEN_SERVER + + // OAuth Started means the OAuth process has started + OAUTH_STARTED + + // Authenticated means the OAuth process has finished and the user is now authenticated with the server + AUTHENTICATED + + // Requested config means the user has requested a config for connecting + REQUEST_CONFIG + + // Has config means the user has gotten a config + HAS_CONFIG + + // Ask profile means the go code is asking for a profile selection from the ui + ASK_PROFILE + + // Connected means the user has been connected to the server + CONNECTED +) + +func (s FSMStateID) String() string { + switch s { + case DEREGISTERED: + return "Deregistered" + case NO_SERVER: + return "No_Server" + case CHOSEN_SERVER: + return "Chosen_Server" + case OAUTH_STARTED: + return "OAuth_Started" + case HAS_CONFIG: + return "Has_Config" + case REQUEST_CONFIG: + return "Request_Config" + case ASK_PROFILE: + return "Ask_Profile" + case AUTHENTICATED: + return "Authenticated" + case CONNECTED: + return "Connected" + default: + panic("unknown conversion of state to string") + } +} + +type FSMTransition struct { + To FSMStateID + Description string +} + +type ( + FSMTransitions []FSMTransition + FSMStates map[FSMStateID]FSMTransitions +) + +type FSM struct { + States FSMStates + Current FSMStateID + + // Info to be passed from the parent state + StateCallback func(string, string, string) + Logger *FileLogger + Debug bool +} + +func (fsm *FSM) Init(callback func(string, string, string), logger *FileLogger, debug bool) { + fsm.States = FSMStates{ + DEREGISTERED: {{NO_SERVER, "Client registers"}}, + NO_SERVER: {{CHOSEN_SERVER, "User chooses a server"}}, + CHOSEN_SERVER: {{AUTHENTICATED, "Found tokens in config"}, {OAUTH_STARTED, "No tokens found in config"}}, + OAUTH_STARTED: {{AUTHENTICATED, "User authorizes with browser"}}, + AUTHENTICATED: {{OAUTH_STARTED, "Re-authenticate with OAuth"}, {REQUEST_CONFIG, "Client requests a config"}}, + REQUEST_CONFIG: {{ASK_PROFILE, "Multiple profiles found"}, {HAS_CONFIG, "Success, only one profile"}}, + ASK_PROFILE: {{HAS_CONFIG, "User chooses profile and success"}}, + HAS_CONFIG: {{CONNECTED, "OS reports connected"}}, + CONNECTED: {{AUTHENTICATED, "OS reports disconnected"}}, + } + fsm.Current = DEREGISTERED + fsm.StateCallback = callback + fsm.Logger = logger + fsm.Debug = debug +} + +func (fsm *FSM) InState(check FSMStateID) bool { + return check == fsm.Current +} + +func (fsm *FSM) HasTransition(check FSMStateID) bool { + for _, transition_state := range fsm.States[fsm.Current] { + if transition_state.To == check { + return true + } + } + + return false +} + +func (fsm *FSM) writeGraph() { + graph := fsm.GenerateGraph() + + f, err := os.Create("debug.graph") + if err != nil { + fsm.Logger.Log(LOG_INFO, fmt.Sprintf("Failed to write debug fsm graph with error %v", err)) + } + + defer f.Close() + + f.WriteString(graph) +} + +func (fsm *FSM) GoTransitionWithData(newState FSMStateID, data string) bool { + ok := fsm.HasTransition(newState) + + if ok { + oldState := fsm.Current + fsm.Current = newState + if fsm.Debug { + fsm.writeGraph() + } + fsm.StateCallback(oldState.String(), newState.String(), data) + } + + return ok +} + +func (fsm *FSM) GoTransition(newState FSMStateID) bool { + return fsm.GoTransitionWithData(newState, "") +} + +func (fsm *FSM) generateMermaidGraph() string { + graph := "graph TD\n" + sorted_fsm := make(FSMStateIDSlice, 0, len(fsm.States)) + for state_id := range fsm.States { + sorted_fsm = append(sorted_fsm, state_id) + } + sort.Sort(sorted_fsm) + for _, state := range sorted_fsm { + transitions := fsm.States[state] + for _, transition := range transitions { + if state == fsm.Current { + graph += "\nstyle " + state.String() + " fill:cyan\n" + } else { + graph += "\nstyle " + state.String() + " fill:white\n" + } + graph += state.String() + "(" + state.String() + ") " + "-->|" + transition.Description + "| " + transition.To.String() + "\n" + } + } + return graph +} + +func (fsm *FSM) GenerateGraph() string { + return fsm.generateMermaidGraph() +} diff --git a/internal/http.go b/internal/http.go new file mode 100644 index 0000000..8ca8cb9 --- /dev/null +++ b/internal/http.go @@ -0,0 +1,172 @@ +package internal + +import ( + "fmt" + "io" + "io/ioutil" + "net/http" + "net/url" + "strings" +) + +type HTTPResourceError struct { + URL string + Err error +} + +func (e *HTTPResourceError) Error() string { + return fmt.Sprintf("failed obtaining HTTP resource %s with error %v", e.URL, e.Err) +} + +type HTTPStatusError struct { + URL string + Status int +} + +func (e *HTTPStatusError) Error() string { + return fmt.Sprintf("failed obtaining HTTP resource %s as it gave an unsuccesful status code %d", e.URL, e.Status) +} + +type HTTPReadError struct { + URL string + Err error +} + +func (e *HTTPReadError) Error() string { + return fmt.Sprintf("failed reading HTTP resource %s with error %v", e.URL, e.Err) +} + +type HTTPParseJsonError struct { + URL string + Body string + Err error +} + +func (e *HTTPParseJsonError) Error() string { + return fmt.Sprintf("failed parsing json %s for HTTP resource %s with error %v", e.Body, e.URL, e.Err) +} + +type HTTPRequestCreateError struct { + URL string + Err error +} + +func (e *HTTPRequestCreateError) Error() string { + return fmt.Sprintf("failed to create HTTP request with url %s and error %v", e.URL, e.Err) +} + +type URLParameters map[string]string + +type HTTPOptionalParams struct { + Headers http.Header + URLParameters URLParameters + Body url.Values +} + +// Construct an URL including on parameters +func HTTPConstructURL(baseURL string, parameters URLParameters) (string, error) { + url, err := url.Parse(baseURL) + if err != nil { + return "", err + } + + q := url.Query() + + for parameter, value := range parameters { + q.Set(parameter, value) + } + url.RawQuery = q.Encode() + return url.String(), nil +} + +// Convenience functions +func HTTPGet(url string) (http.Header, []byte, error) { + return HTTPMethodWithOpts(http.MethodGet, url, nil) +} + +func HTTPPost(url string, body url.Values) (http.Header, []byte, error) { + return HTTPMethodWithOpts(http.MethodGet, url, &HTTPOptionalParams{Body: body}) +} + +func HTTPGetWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { + return HTTPMethodWithOpts(http.MethodGet, url, opts) +} + +func HTTPPostWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { + return HTTPMethodWithOpts(http.MethodPost, url, opts) +} + +func httpOptionalURL(url string, opts *HTTPOptionalParams) (string, error) { + if opts != nil { + url, urlErr := HTTPConstructURL(url, opts.URLParameters) + + if urlErr != nil { + return url, &HTTPRequestCreateError{URL: url, Err: urlErr} + } + return url, nil + } + return url, nil +} + +func httpOptionalHeaders(req *http.Request, opts *HTTPOptionalParams) { + // Add headers + if opts != nil && req != nil { + for k, v := range opts.Headers { + req.Header.Add(k, v[0]) + } + } +} + +func httpOptionalBodyReader(opts *HTTPOptionalParams) io.Reader { + if opts != nil && opts.Body != nil { + return strings.NewReader(opts.Body.Encode()) + } + return nil +} + +func HTTPMethodWithOpts(method string, url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { + // Make sure the url contains all the parameters + // This can return an error, + // it already has the right error so so we don't wrap it further + url, urlErr := httpOptionalURL(url, opts) + if urlErr != nil { + return nil, nil, urlErr + } + + // Create a client + client := &http.Client{} + + // Create request object with the body reader generated from the optional arguments + req, reqErr := http.NewRequest(method, url, httpOptionalBodyReader(opts)) + if reqErr != nil { + return nil, nil, &HTTPRequestCreateError{URL: url, Err: reqErr} + } + + // See https://stackoverflow.com/questions/17714494/golang-http-request-results-in-eof-errors-when-making-multiple-requests-successi + req.Close = true + + // Make sure the headers contain all the parameters + httpOptionalHeaders(req, opts) + + // Do request + resp, respErr := client.Do(req) + if respErr != nil { + return nil, nil, &HTTPResourceError{URL: url, Err: respErr} + } + + // Request successful, make sure body is closed at the end + defer resp.Body.Close() + + // Return a string + body, readErr := ioutil.ReadAll(resp.Body) + if readErr != nil { + return resp.Header, nil, &HTTPReadError{URL: url, Err: readErr} + } + + if resp.StatusCode < 200 || resp.StatusCode > 299 { + return resp.Header, body, &HTTPStatusError{URL: url, Status: resp.StatusCode} + } + + // Return the body in bytes and signal the status error if there was one + return resp.Header, body, nil +} diff --git a/internal/log.go b/internal/log.go new file mode 100644 index 0000000..52c0f3d --- /dev/null +++ b/internal/log.go @@ -0,0 +1,65 @@ +package internal + +import ( + "fmt" + "log" + "os" + "path" +) + +type FileLogger struct { + Level LogLevel + File *os.File +} + +type LogLevel int8 + +const ( + LOG_NOTSET LogLevel = iota + LOG_INFO + LOG_WARNING + LOG_ERROR +) + +func (e LogLevel) String() string { + switch e { + case LOG_NOTSET: + return "NOTSET" + case LOG_INFO: + return "INFO" + case LOG_WARNING: + return "WARNING" + case LOG_ERROR: + return "ERROR" + default: + return "UNKNOWN" + } +} + +func (logger *FileLogger) Init(level LogLevel, name string, directory string) error { + configDirErr := EnsureDirectory(directory) + if configDirErr != nil { + return configDirErr + } + logFile, logOpenErr := os.OpenFile(logger.getFilename(directory, name), os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666) + if logOpenErr != nil { + return logOpenErr + } + log.SetOutput(logFile) + return nil +} + +func (logger *FileLogger) getFilename(directory string, name string) string { + pathString := path.Join(directory, name) + return fmt.Sprintf("%s.log", pathString) +} + +func (logger *FileLogger) Log(level LogLevel, str string) { + if level >= logger.Level && logger.Level != LOG_NOTSET { + log.Printf("[%s]: %s", level.String(), str) + } +} + +func (logger *FileLogger) Close() { + logger.File.Close() +} diff --git a/internal/oauth.go b/internal/oauth.go new file mode 100644 index 0000000..1e728ca --- /dev/null +++ b/internal/oauth.go @@ -0,0 +1,379 @@ +package internal + +import ( + "context" + "crypto/sha256" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "net/http" + "net/url" +) + +// Generates a random base64 string to be used for state +// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1 +// "state": OPTIONAL. An opaque value used by the client to maintain +// state between the request and callback. The authorization server +// includes this value when redirecting the user agent back to the +// client. +func genState() (string, error) { + randomBytes, err := MakeRandomByteSlice(32) + if err != nil { + return "", &OAuthGenStateUnableError{Err: err} + } + + // For consistency we also use raw url encoding here + return base64.RawURLEncoding.EncodeToString(randomBytes), nil +} + +// Generates a sha256 base64 challenge from a verifier +// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.8 +func genChallengeS256(verifier string) string { + hash := sha256.Sum256([]byte(verifier)) + + // We use raw url encoding as the challenge does not accept padding + return base64.RawURLEncoding.EncodeToString(hash[:]) +} + +// Generates a verifier +// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1 +// The code_verifier is a unique high-entropy cryptographically random +// string generated for each authorization request, using the unreserved +// characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", with a +// minimum length of 43 characters and a maximum length of 128 +// characters. +func genVerifier() (string, error) { + randomBytes, err := MakeRandomByteSlice(32) + if err != nil { + return "", &OAuthGenVerifierUnableError{Err: err} + } + + return base64.RawURLEncoding.EncodeToString(randomBytes), nil +} + +type OAuth struct { + Session OAuthExchangeSession `json:"-"` + Token OAuthToken `json:"token"` + TokenURL string `json:"token_url"` + Logger *FileLogger `json:"-"` + FSM *FSM `json:"-"` +} + +// This structure gets passed to the callback for easy access to the current state +type OAuthExchangeSession struct { + // returned from the callback + CallbackError error + + // filled in in initialize + ClientID string + State string + Verifier string + + // filled in when constructing the callback + Context context.Context + Server http.Server +} + +// Struct that defines the json format for /.well-known/vpn-user-portal" +type OAuthToken struct { + Access string `json:"access_token"` + Refresh string `json:"refresh_token"` + Type string `json:"token_type"` + Expires int64 `json:"expires_in"` + ExpiredTimestamp int64 `json:"expires_in_timestamp"` +} + +// Gets an authenticated HTTP client by obtaining refresh and access tokens +func (oauth *OAuth) getTokensWithCallback() error { + oauth.Session.Context = context.Background() + mux := http.NewServeMux() + addr := "127.0.0.1:8000" + oauth.Session.Server = http.Server{ + Addr: addr, + Handler: mux, + } + mux.HandleFunc("/callback", oauth.Callback) + if err := oauth.Session.Server.ListenAndServe(); err != http.ErrServerClosed { + return &OAuthFailedCallbackError{Addr: addr, Err: err} + } + return oauth.Session.CallbackError +} + +// Get the access and refresh tokens +// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4 +// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2 +func (oauth *OAuth) getTokensWithAuthCode(authCode string) error { + // Make sure the verifier is set as the parameter + // so that the server can verify that we are the actual owner of the authorization code + + reqURL := oauth.TokenURL + data := url.Values{ + "client_id": {oauth.Session.ClientID}, + "code": {authCode}, + "code_verifier": {oauth.Session.Verifier}, + "grant_type": {"authorization_code"}, + "redirect_uri": {"http://127.0.0.1:8000/callback"}, + } + headers := http.Header{ + "content-type": {"application/x-www-form-urlencoded"}, + } + opts := &HTTPOptionalParams{Headers: headers, Body: data} + current_time := GenerateTimeSeconds() + _, body, bodyErr := HTTPPostWithOpts(reqURL, opts) + if bodyErr != nil { + return bodyErr + } + + tokenStructure := OAuthToken{} + + jsonErr := json.Unmarshal(body, &tokenStructure) + + if jsonErr != nil { + return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr} + } + + tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires + oauth.Token = tokenStructure + return nil +} + +func (oauth *OAuth) isTokensExpired() bool { + expired_time := oauth.Token.ExpiredTimestamp + current_time := GenerateTimeSeconds() + return current_time >= expired_time +} + +// Get the access and refresh tokens with a previously received refresh token +// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4 +// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2 +func (oauth *OAuth) getTokensWithRefresh() error { + reqURL := oauth.TokenURL + data := url.Values{ + "refresh_token": {oauth.Token.Refresh}, + "grant_type": {"refresh_token"}, + } + headers := http.Header{ + "content-type": {"application/x-www-form-urlencoded"}, + } + opts := &HTTPOptionalParams{Headers: headers, Body: data} + current_time := GenerateTimeSeconds() + _, body, bodyErr := HTTPPostWithOpts(reqURL, opts) + if bodyErr != nil { + return bodyErr + } + + tokenStructure := OAuthToken{} + jsonErr := json.Unmarshal(body, &tokenStructure) + + if jsonErr != nil { + return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr} + } + + tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires + oauth.Token = tokenStructure + return nil +} + +// +//// The callback to retrieve the authorization code: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.1 +func (oauth *OAuth) Callback(w http.ResponseWriter, req *http.Request) { + // Extract the authorization code + code, success := req.URL.Query()["code"] + if !success { + oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "code", URL: req.URL.String()} + go oauth.Session.Server.Shutdown(oauth.Session.Context) + return + } + // The code is the first entry + extractedCode := code[0] + + // Make sure the state is present and matches to protect against cross-site request forgeries + // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15 + state, success := req.URL.Query()["state"] + if !success { + oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "state", URL: req.URL.String()} + go oauth.Session.Server.Shutdown(oauth.Session.Context) + return + } + // The state is the first entry + extractedState := state[0] + if extractedState != oauth.Session.State { + oauth.Session.CallbackError = &OAuthFailedCallbackStateMatchError{State: extractedState, ExpectedState: oauth.Session.State} + go oauth.Session.Server.Shutdown(oauth.Session.Context) + return + } + + // Now that we have obtained the authorization code, we can move to the next step: + // Obtaining the access and refresh tokens + err := oauth.getTokensWithAuthCode(extractedCode) + if err != nil { + oauth.Session.CallbackError = &OAuthFailedCallbackGetTokensError{Err: err} + go oauth.Session.Server.Shutdown(oauth.Session.Context) + return + } + + // Shutdown the server as we're done listening + go oauth.Session.Server.Shutdown(oauth.Session.Context) +} + +func (oauth *OAuth) Init(fsm *FSM, logger *FileLogger) { + oauth.FSM = fsm + oauth.Logger = logger +} + +// Starts the OAuth exchange for eduvpn. +func (oauth *OAuth) start(name string, authorizationURL string, tokenURL string) error { + if !oauth.FSM.HasTransition(OAUTH_STARTED) { + return errors.New(fmt.Sprintf("Failed starting oauth, invalid state %s", oauth.FSM.Current.String())) + } + // Generate the state + state, stateErr := genState() + if stateErr != nil { + return &OAuthFailedInitializeError{Err: stateErr} + } + + // Generate the verifier and challenge + verifier, verifierErr := genVerifier() + if verifierErr != nil { + return &OAuthFailedInitializeError{Err: verifierErr} + } + challenge := genChallengeS256(verifier) + + parameters := map[string]string{ + "client_id": name, + "code_challenge_method": "S256", + "code_challenge": challenge, + "response_type": "code", + "scope": "config", + "state": state, + "redirect_uri": "http://127.0.0.1:8000/callback", + } + + authURL, urlErr := HTTPConstructURL(authorizationURL, parameters) + + if urlErr != nil { // shouldn't happen + panic(urlErr) + } + + // Fill the struct with the necessary fields filled for the next call to getting the HTTP client + oauthSession := OAuthExchangeSession{ClientID: name, State: state, Verifier: verifier} + oauth.TokenURL = tokenURL + oauth.Session = oauthSession + oauth.FSM.GoTransitionWithData(OAUTH_STARTED, authURL) + return nil +} + +// Error definitions +func (oauth *OAuth) Finish() error { + if !oauth.FSM.HasTransition(AUTHENTICATED) { + return errors.New("invalid state to finish oauth") + } + tokenErr := oauth.getTokensWithCallback() + if tokenErr != nil { + return tokenErr + } + oauth.FSM.GoTransition(AUTHENTICATED) + return nil +} + +func (oauth *OAuth) Login(name string, authorizationURL string, tokenURL string) error { + authInitializeErr := oauth.start(name, authorizationURL, tokenURL) + + if authInitializeErr != nil { + return authInitializeErr + } + + oauthErr := oauth.Finish() + + if oauthErr != nil { + return oauthErr + } + return nil +} + +func (oauth *OAuth) NeedsRelogin() bool { + // Access Token or Refresh Tokens empty, definitely needs a relogin + if oauth.Token.Access == "" || oauth.Token.Refresh == "" { + oauth.Logger.Log(LOG_INFO, "OAuth: Tokens are empty") + return true + } + + // We have tokens... + + // The tokens are not expired yet + // No relogin is needed + if !oauth.isTokensExpired() { + oauth.Logger.Log(LOG_INFO, "OAuth: Tokens are not expired, re-login not needed") + return false + } + + refreshErr := oauth.getTokensWithRefresh() + // We have obtained new tokens with refresh + if refreshErr == nil { + oauth.Logger.Log(LOG_INFO, "OAuth: Tokens could be re-acquired using the refresh token, re-login not needed") + return false + } + + // Otherwise relogin is really needed + return true +} + +type OAuthGenStateUnableError struct { + Err error +} + +func (e *OAuthGenStateUnableError) Error() string { + return fmt.Sprintf("failed generating state with error %v", e.Err) +} + +type OAuthGenVerifierUnableError struct { + Err error +} + +func (e *OAuthGenVerifierUnableError) Error() string { + return fmt.Sprintf("failed generating verifier with error %v", e.Err) +} + +type OAuthFailedCallbackError struct { + Addr string + Err error +} + +func (e *OAuthFailedCallbackError) Error() string { + return fmt.Sprintf("failed callback %s with error %v", e.Addr, e.Err) +} + +type OAuthFailedCallbackParameterError struct { + Parameter string + URL string +} + +func (e *OAuthFailedCallbackParameterError) Error() string { + return fmt.Sprintf("failed retrieving parameter %s in url %s", e.Parameter, e.URL) +} + +type OAuthFailedCallbackStateMatchError struct { + State string + ExpectedState string +} + +func (e *OAuthFailedCallbackStateMatchError) Error() string { + return fmt.Sprintf("failed matching state, got %s, want %s", e.State, e.ExpectedState) +} + +type OAuthFailedCallbackGetTokensError struct { + Err error +} + +func (e *OAuthFailedCallbackGetTokensError) Error() string { + return fmt.Sprintf("failed getting tokens with error %v", e.Err) +} + +type OAuthFailedInitializeError struct { + Err error +} + +func (e *OAuthFailedInitializeError) Error() string { + return fmt.Sprintf("failed initializing OAuth with error %v", e.Err) +} diff --git a/internal/openvpn.go b/internal/openvpn.go new file mode 100644 index 0000000..1b2e626 --- /dev/null +++ b/internal/openvpn.go @@ -0,0 +1,12 @@ +package internal + +func (server *Server) OpenVPNGetConfig() (string, error) { + profile_id := server.Profiles.Current + configOpenVPN, _, configErr := server.APIConnectOpenVPN(profile_id) + + if configErr != nil { + return "", configErr + } + + return configOpenVPN, nil +} diff --git a/internal/server.go b/internal/server.go new file mode 100644 index 0000000..eb7f8fe --- /dev/null +++ b/internal/server.go @@ -0,0 +1,196 @@ +package internal + +import ( + "encoding/json" + "errors" + "fmt" +) + +type Server struct { + BaseURL string `json:"base_url"` + Endpoints ServerEndpoints `json:"endpoints"` + OAuth OAuth `json:"oauth"` + Profiles ServerProfileInfo `json:"profiles"` + ProfilesRaw string `json:"profiles_raw"` + Logger *FileLogger `json:"-"` + FSM *FSM `json:"-"` +} + +type Servers struct { + List map[string]*Server `json:"list"` + Current string `json:"current"` +} + +func (servers *Servers) GetCurrentServer() (*Server, error) { + if servers.List == nil { + return nil, errors.New("No map found to get Current Server") + } + server, exists := servers.List[servers.Current] + + if !exists || server == nil { + return nil, errors.New("Current Server not found") + } + return server, nil +} + +func (server *Server) Init(url string, fsm *FSM, logger *FileLogger) error { + server.BaseURL = url + server.FSM = fsm + server.Logger = logger + server.OAuth.Init(fsm, logger) + endpointsErr := server.GetEndpoints() + if endpointsErr != nil { + return endpointsErr + } + return nil +} + +func (server *Server) EnsureTokens() error { + if server.OAuth.NeedsRelogin() { + server.Logger.Log(LOG_INFO, "OAuth: Tokens are invalid, relogging in") + return server.Login() + } + return nil +} + +func (servers *Servers) EnsureServer(url string, fsm *FSM, logger *FileLogger) *Server { + if servers.List == nil { + servers.List = make(map[string]*Server) + } + + server, exists := servers.List[url] + + if !exists || server == nil { + server = &Server{} + } + server.Init(url, fsm, logger) + servers.List[url] = server + servers.Current = url + return server +} + +type ServerProfile struct { + ID string `json:"profile_id"` + DisplayName string `json:"display_name"` + VPNProtoList []string `json:"vpn_proto_list"` + DefaultGateway bool `json:"default_gateway"` +} + +type ServerProfileInfo struct { + Current string `json:"current_profile"` + Info struct { + ProfileList []ServerProfile `json:"profile_list"` + } `json:"info"` +} + +type ServerEndpointList struct { + API string `json:"api_endpoint"` + Authorization string `json:"authorization_endpoint"` + Token string `json:"token_endpoint"` +} + +// Struct that defines the json format for /.well-known/vpn-user-portal" +type ServerEndpoints struct { + API struct { + V2 ServerEndpointList `json:"http://eduvpn.org/api#2"` + V3 ServerEndpointList `json:"http://eduvpn.org/api#3"` + } `json:"api"` + V string `json:"v"` +} + +func (server *Server) Login() error { + return server.OAuth.Login("org.eduvpn.app.linux", server.Endpoints.API.V3.Authorization, server.Endpoints.API.V3.Token) +} + +func (server *Server) NeedsRelogin() bool { + // Check if OAuth needs relogin + return server.OAuth.NeedsRelogin() +} + +func (server *Server) GetEndpoints() error { + url := server.BaseURL + "/.well-known/vpn-user-portal" + _, body, bodyErr := HTTPGet(url) + + if bodyErr != nil { + return bodyErr + } + + endpoints := ServerEndpoints{} + jsonErr := json.Unmarshal(body, &endpoints) + + if jsonErr != nil { + return jsonErr + } + + server.Endpoints = endpoints + + return nil +} + +func (profile *ServerProfile) supportsWireguard() bool { + for _, proto := range profile.VPNProtoList { + if proto == "wireguard" { + return true + } + } + return false +} + +func (server *Server) getCurrentProfile() (*ServerProfile, error) { + profile_id := server.Profiles.Current + for _, profile := range server.Profiles.Info.ProfileList { + if profile.ID == profile_id { + return &profile, nil + } + } + return nil, errors.New("no profile found for id") +} + +func (server *Server) getConfigWithProfile() (string, error) { + if !server.FSM.HasTransition(HAS_CONFIG) { + return "", errors.New("cannot get a config with a profile, invalid state") + } + profile, profileErr := server.getCurrentProfile() + + if profileErr != nil { + return "", profileErr + } + + if profile.supportsWireguard() { + return server.WireguardGetConfig() + } + return server.OpenVPNGetConfig() +} + +func (server *Server) askForProfileID() error { + if !server.FSM.HasTransition(ASK_PROFILE) { + return errors.New("cannot ask for a profile id, invalid state") + } + server.FSM.GoTransitionWithData(ASK_PROFILE, server.ProfilesRaw) + return nil +} + +func (server *Server) GetConfig() (string, error) { + if !server.FSM.InState(REQUEST_CONFIG) { + return "", errors.New(fmt.Sprintf("cannot get a config, invalid state %s", server.FSM.Current.String())) + } + infoErr := server.APIInfo() + + if infoErr != nil { + return "", infoErr + } + + // Set the current profile if there is only one profile + if len(server.Profiles.Info.ProfileList) == 1 { + server.Profiles.Current = server.Profiles.Info.ProfileList[0].ID + return server.getConfigWithProfile() + } + + profileErr := server.askForProfileID() + + if profileErr != nil { + return "", nil + } + + return server.getConfigWithProfile() +} diff --git a/internal/test_data/empty b/internal/test_data/empty new file mode 100644 index 0000000..e69de29 diff --git a/internal/test_data/generate.sh b/internal/test_data/generate.sh new file mode 100644 index 0000000..b1b4545 --- /dev/null +++ b/internal/test_data/generate.sh @@ -0,0 +1,58 @@ +#!/bin/bash +# Generate testcases with fake keys + +# Make sure we do not delete *.minisigs etc. in the wrong directory +if [ ${PWD##*/} != "test_data" ] +then + >&2 echo "Wrong directory, should be run in test_data/" + exit 1 +fi + +rm -f *.minisig *.blake2b + +# Uncomment to regenerate keys +#rm -f *.key +#echo -en "\n\n" | minisign -Gf -p public.key -s secret.key & +#echo -en "\n\n" | minisign -Gf -p wrong_public.key -s wrong_secret.key & +#wait + +# Try to create pure signature with default Minisign (works with version < 0.10) +echo | minisign -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key +# Check if it is actually a prehashed signature +if echo | minisign -VHm server_list.json -x server_list.json.pure.minisig -p public.key +then + echo "minisign version is >0.9, trying minisign-0.9" + # If it is, try to sign with some minisign-0.9 program + if ! echo | minisign-0.9 -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key + then + >&2 echo -e "\n\nTo produce a non-prehashed signature we need Minisign 0.9\n\n" + fi +fi + +# Rest works with Minisign 0.9 and 0.10 (and up, probably) + +echo | minisign -SHm server_list.json -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_nohashed.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_latertime.minisig -t $'timestamp:20\tfile:server_list.json\t hashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_orglist.minisig -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key & +wait +echo | minisign -SHm server_list.json -x server_list.json.tc_otherfile.minisig -t $'timestamp:10\tfile:otherfile\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_nofile.minisig -t $'timestamp:10\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_notime.minisig -t $'file:server_list.json\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_emptytime.minisig -t $'timestamp:\tfile:server_list.json\thashed' -s secret.key & +wait +echo | minisign -SHm server_list.json -x server_list.json.tc_emptyfile.minisig -t $'timestamp:10\tfile:\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_earliertime.minisig -t $'timestamp:9\tfile:server_list.json\thashed' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.tc_random.minisig -t 'random stuff' -s secret.key & +echo | minisign -SHm server_list.json -x server_list.json.large_time.minisig -t $'timestamp:4300000000\tfile:server_list.json' -s secret.key & +wait + +echo | minisign -SHm organization_list.json -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key & +echo | minisign -SHm organization_list.json -x organization_list.json.tc_servlist.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key & + +echo | minisign -SHm other_list.json -t $'timestamp:10\tfile:other_list.json\thashed' -s secret.key & + +echo | minisign -SHm server_list.json -x server_list.json.wrong_key.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s wrong_secret.key & +wait + +./generate_forged.py diff --git a/internal/test_data/generate_forged.py b/internal/test_data/generate_forged.py new file mode 100644 index 0000000..843b32d --- /dev/null +++ b/internal/test_data/generate_forged.py @@ -0,0 +1,37 @@ +#!/usr/bin/env python3 + +import hashlib +import base64 + +# Hash server_list.json + +with open("server_list.json", "rb") as f: + b = f.read() + +with open("server_list.json.blake2b", "wb") as f: + f.write(hashlib.blake2b(b).digest()) + +# Forge pure signature on hash, see https://github.com/jedisct1/minisign/issues/104 + +with open("server_list.json.minisig", "rb") as f: + siglines = f.readlines() + +siglines[0] = b"untrusted comment: this signature has ED changed to Ed\n" +sig = base64.b64decode(siglines[1]) +siglines[1] = base64.b64encode(b"Ed" + sig[2:]) + b"\n" + +with open("server_list.json.forged_pure.minisig", "wb") as f: + f.writelines(siglines) + # Should now work: minisign -Vm server_list.json.blake2b -x server_list.json.forged_pure.minisig -p public-key + +# Try to forge key ID + +with open("server_list.json.wrong_key.minisig", "rb") as f: + siglines = f.readlines() + +siglines[0] = b"untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key\n" +sig_wrong = base64.b64decode(siglines[1]) +siglines[1] = base64.b64encode(sig_wrong[:2] + sig[2:2+8] + sig_wrong[2+8:]) + b"\n" + +with open("server_list.json.forged_keyid.minisig", "wb") as f: + f.writelines(siglines) diff --git a/internal/test_data/organization_list.json b/internal/test_data/organization_list.json new file mode 100644 index 0000000..8c53044 --- /dev/null +++ b/internal/test_data/organization_list.json @@ -0,0 +1 @@ +{"organization_list": [{}]} \ No newline at end of file diff --git a/internal/test_data/organization_list.json.minisig b/internal/test_data/organization_list.json.minisig new file mode 100644 index 0000000..1fa546e --- /dev/null +++ b/internal/test_data/organization_list.json.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0= +trusted comment: timestamp:10 file:organization_list.json hashed +21zZv1DviMpLCdv1NgzLBl6d+F1ZllSNyjAquYxhTHGcs2F64bDFpqY0I0xjCHIoXly6HKqJKIBXNgud12ijCQ== diff --git a/internal/test_data/organization_list.json.tc_servlist.minisig b/internal/test_data/organization_list.json.tc_servlist.minisig new file mode 100644 index 0000000..a7fe41f --- /dev/null +++ b/internal/test_data/organization_list.json.tc_servlist.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0= +trusted comment: timestamp:10 file:server_list.json hashed +R6hjM/oMS5LAvpYM4F6E7iUpnlPxqiY0QfuOnpum31CW0sUy/Ypy2PiomSwvZXKVR7keEZS/+lZjyra9TkrLDQ== diff --git a/internal/test_data/other_list.json b/internal/test_data/other_list.json new file mode 100644 index 0000000..25ba1a8 --- /dev/null +++ b/internal/test_data/other_list.json @@ -0,0 +1 @@ +{"other_list": [{}]} \ No newline at end of file diff --git a/internal/test_data/other_list.json.minisig b/internal/test_data/other_list.json.minisig new file mode 100644 index 0000000..eaa2248 --- /dev/null +++ b/internal/test_data/other_list.json.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH366C1RnYeUAgEeX/S5A1Z9qmkV2+GJaVj06FWGd4aMLc+HS7iFMhG69u3TVD4YmzMH12rk7hQrnyCC6ex8ypIQA= +trusted comment: timestamp:10 file:other_list.json hashed +26+608n+bjQF9lwNdXbIK6t5bP8dzhjNQ9hACeYJLiB2tr437Aec2GkmJh0jSiRv1QV4RYBcKJeHQBUcV2grCQ== diff --git a/internal/test_data/public.key b/internal/test_data/public.key new file mode 100644 index 0000000..72676d3 --- /dev/null +++ b/internal/test_data/public.key @@ -0,0 +1,2 @@ +untrusted comment: minisign public key DF07F868DFAB9B4C +RWRMm6vfaPgH39iT++NBiUKZim2nDWnalgkNROovPbZdSwVFgUdKU4ac diff --git a/internal/test_data/random.txt b/internal/test_data/random.txt new file mode 100644 index 0000000..b6fc4c6 --- /dev/null +++ b/internal/test_data/random.txt @@ -0,0 +1 @@ +hello \ No newline at end of file diff --git a/internal/test_data/secret.key b/internal/test_data/secret.key new file mode 100644 index 0000000..6e4af37 --- /dev/null +++ b/internal/test_data/secret.key @@ -0,0 +1,2 @@ +untrusted comment: minisign encrypted secret key +RWRTY0IyobkTOt4ugAHNTPB6zOxHgX8spW6HQWddB5IrdCPDAgsAAAACAAAAAAAAAEAAAAAAvK1S1gsOgozZHuIdLWXq1IwxnWVr+dlySiykTbO6F85HvzPtgxZ7oLcGkT/vPdskAh0SV9H2ylHlt9oarXcWNDKs2r6EcZw/qy5FsD+5uhPfxwWV4qDF+1G456tYDYID63d50CgzdO0= diff --git a/internal/test_data/server_list.json b/internal/test_data/server_list.json new file mode 100644 index 0000000..67c4c8d --- /dev/null +++ b/internal/test_data/server_list.json @@ -0,0 +1,3 @@ +{ +"server_list": [{}] +} \ No newline at end of file diff --git a/internal/test_data/server_list.json.blake2b b/internal/test_data/server_list.json.blake2b new file mode 100644 index 0000000..5d2ca5a Binary files /dev/null and b/internal/test_data/server_list.json.blake2b differ diff --git a/internal/test_data/server_list.json.forged_keyid.minisig b/internal/test_data/server_list.json.forged_keyid.minisig new file mode 100644 index 0000000..efa349d --- /dev/null +++ b/internal/test_data/server_list.json.forged_keyid.minisig @@ -0,0 +1,4 @@ +untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key +RURMm6vfaPgH35aarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE= +trusted comment: timestamp:10 file:server_list.json hashed +3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA== diff --git a/internal/test_data/server_list.json.forged_pure.minisig b/internal/test_data/server_list.json.forged_pure.minisig new file mode 100644 index 0000000..a362504 --- /dev/null +++ b/internal/test_data/server_list.json.forged_pure.minisig @@ -0,0 +1,4 @@ +untrusted comment: this signature has ED changed to Ed +RWRMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file:server_list.json hashed +oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw== diff --git a/internal/test_data/server_list.json.large_time.minisig b/internal/test_data/server_list.json.large_time.minisig new file mode 100644 index 0000000..79a2a52 --- /dev/null +++ b/internal/test_data/server_list.json.large_time.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:4300000000 file:server_list.json +L9C58LIq7bTLf4otqW4Eb+ASL0+FM7nRRjstCBuCPtuUerFIsOqNUpDp2AQJJ4pZJKE7SkgIq2tV8/IaVpzxBQ== diff --git a/internal/test_data/server_list.json.minisig b/internal/test_data/server_list.json.minisig new file mode 100644 index 0000000..143585b --- /dev/null +++ b/internal/test_data/server_list.json.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file:server_list.json hashed +oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw== diff --git a/internal/test_data/server_list.json.pure.minisig b/internal/test_data/server_list.json.pure.minisig new file mode 100644 index 0000000..57dccfc --- /dev/null +++ b/internal/test_data/server_list.json.pure.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RWRMm6vfaPgH3zQ/rcq2GMsNz1SYySz+olupm0I+nzNpOkPyUHTBwig3Pep4biOk/bH73bH+0sLNoZPcDk1f2Acn8JINc9MWMw4= +trusted comment: timestamp:10 file:server_list.json +FZ0eA96SlADsMrSOUgStQJpmUnBGpPbRvNI/oaYhKrylu6jUcXOgsRu6571mmDxYdlruSuUSlQbdmG81Qbl4AA== diff --git a/internal/test_data/server_list.json.tc_earliertime.minisig b/internal/test_data/server_list.json.tc_earliertime.minisig new file mode 100644 index 0000000..03da710 --- /dev/null +++ b/internal/test_data/server_list.json.tc_earliertime.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:9 file:server_list.json hashed +vw3wjLDNZWoV98/GnFv38REiaeh+wUPEZgmBUvY35CEq00jDdHiJcYRV/7zBoKv+n9TAYxZ8WKUOGWNOPonTBg== diff --git a/internal/test_data/server_list.json.tc_emptyfile.minisig b/internal/test_data/server_list.json.tc_emptyfile.minisig new file mode 100644 index 0000000..a7aa3ed --- /dev/null +++ b/internal/test_data/server_list.json.tc_emptyfile.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file: hashed +g4drZ91TcYXNLnIGbeH5ZIFzrs2wWB9JTXjV3Jwg9ehSC2D8lCTqw3u2Rg+PvLPRvYmXTHyuJoKNWelsSh64CA== diff --git a/internal/test_data/server_list.json.tc_emptytime.minisig b/internal/test_data/server_list.json.tc_emptytime.minisig new file mode 100644 index 0000000..d3ef01e --- /dev/null +++ b/internal/test_data/server_list.json.tc_emptytime.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp: file:server_list.json hashed +lw5rnZsPi+TkZ4lOCy7bjsUgTXxG+jaGOGdHuNL95FSD2mmP9ZzEJPrJ2jnH7iYfkF3zDm0QvEUDxhEirlHBDA== diff --git a/internal/test_data/server_list.json.tc_latertime.minisig b/internal/test_data/server_list.json.tc_latertime.minisig new file mode 100644 index 0000000..8237123 --- /dev/null +++ b/internal/test_data/server_list.json.tc_latertime.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:20 file:server_list.json hashed +rHcsHF2mmcZvDLreeuljVauuFULWiY8luCsxyBxxobcJkCedEDW3/RX5KeT+2NjHSFuQxkmrYOBWTY9+ECuUDQ== diff --git a/internal/test_data/server_list.json.tc_nofile.minisig b/internal/test_data/server_list.json.tc_nofile.minisig new file mode 100644 index 0000000..3c1dcbe --- /dev/null +++ b/internal/test_data/server_list.json.tc_nofile.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 hashed +NonaTZH7RDbsHXv85M7sL43YE7CTzs5qDRRoFYjajeqzHa+hdIuMGyemK85rAJ3prLGnMdWHkZhD4hsr3cZoDA== diff --git a/internal/test_data/server_list.json.tc_nohashed.minisig b/internal/test_data/server_list.json.tc_nohashed.minisig new file mode 100644 index 0000000..1d140c1 --- /dev/null +++ b/internal/test_data/server_list.json.tc_nohashed.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file:server_list.json +HaPGKT+Jqxjyw2Nt1GEKaPIZsAmVl/RI6p1mQ+S1LqzYicVgT5GxPs9NR6khdGGIFvo/xhVkXFceAWTRUCVQAg== diff --git a/internal/test_data/server_list.json.tc_notime.minisig b/internal/test_data/server_list.json.tc_notime.minisig new file mode 100644 index 0000000..39625c3 --- /dev/null +++ b/internal/test_data/server_list.json.tc_notime.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: file:server_list.json hashed +dMhb+0Y0KAO2tzI4g0ukL/VdMiLVopmXa9BS1RQBY8bYwzmebdIM4DAIZrhtO1avkpdy0prZehuhA1No6cOSAw== diff --git a/internal/test_data/server_list.json.tc_orglist.minisig b/internal/test_data/server_list.json.tc_orglist.minisig new file mode 100644 index 0000000..7c2a3a8 --- /dev/null +++ b/internal/test_data/server_list.json.tc_orglist.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file:organization_list.json hashed +NreDM4iGEjMWs5sfaJCGZBZ7D9QLqxBKJ/fVW2lvIDr249DSUNR4ZRca8UL73e3c9eTXgHnY/ojsjDtzxDScDw== diff --git a/internal/test_data/server_list.json.tc_otherfile.minisig b/internal/test_data/server_list.json.tc_otherfile.minisig new file mode 100644 index 0000000..58a29b2 --- /dev/null +++ b/internal/test_data/server_list.json.tc_otherfile.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: timestamp:10 file:otherfile hashed +PfDEIMlt2aNFyOnqHb45S7xm4fIg0vfUUbqXENPxry9GEZFX14c5BGtgcL/krDg8WFJHcIA5bzYcX58kgBiZCA== diff --git a/internal/test_data/server_list.json.tc_random.minisig b/internal/test_data/server_list.json.tc_random.minisig new file mode 100644 index 0000000..7240980 --- /dev/null +++ b/internal/test_data/server_list.json.tc_random.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= +trusted comment: random stuff +szGsyESH0EizTXH6n0yuQg6sHTKXr+TJW/Er9ZNJYgQV+1hVM+fc5q1EmVsJlA3kW4Rt/d1p9F0ShLIIgW2vAA== diff --git a/internal/test_data/server_list.json.wrong_key.minisig b/internal/test_data/server_list.json.wrong_key.minisig new file mode 100644 index 0000000..5a83c0e --- /dev/null +++ b/internal/test_data/server_list.json.wrong_key.minisig @@ -0,0 +1,4 @@ +untrusted comment: signature from minisign secret key +RUTQvDHvQuYCCJaarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE= +trusted comment: timestamp:10 file:server_list.json hashed +3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA== diff --git a/internal/test_data/wrong_public.key b/internal/test_data/wrong_public.key new file mode 100644 index 0000000..aa794d4 --- /dev/null +++ b/internal/test_data/wrong_public.key @@ -0,0 +1,2 @@ +untrusted comment: minisign public key 802E642EF31BCD0 +RWTQvDHvQuYCCPDLi3UCXzj3BbzFM5QxUFfrp174iaqYo8lT0VaAkhOt diff --git a/internal/test_data/wrong_secret.key b/internal/test_data/wrong_secret.key new file mode 100644 index 0000000..68e9092 --- /dev/null +++ b/internal/test_data/wrong_secret.key @@ -0,0 +1,2 @@ +untrusted comment: minisign encrypted secret key +RWRTY0Iyrc2CTG2W1ZqEq9tb94oQWTnYUy4k8boMf13478FwlDYAAAACAAAAAAAAAEAAAAAA2gFhwOtjETu5WN1LpgtJHV1dk/7466LBJ8dgO/pZoQ3LLAYxlswJHVR/N/Q1HmmKvlxWo2jNTJcARXuHHlMTEgg1MERTldE88CqETrVbvq1JaqJlAY/HMkiqNEUR3L6+5VHbYPKXlVQ= diff --git a/internal/util.go b/internal/util.go new file mode 100644 index 0000000..02855c2 --- /dev/null +++ b/internal/util.go @@ -0,0 +1,30 @@ +package internal + +import ( + "crypto/rand" + "os" + "time" +) + +// Creates a random byteslice of `size` +func MakeRandomByteSlice(size int) ([]byte, error) { + byteSlice := make([]byte, size) + _, err := rand.Read(byteSlice) + if err != nil { + return nil, err + } + return byteSlice, nil +} + +func GenerateTimeSeconds() int64 { + current := time.Now() + return current.Unix() +} + +func EnsureDirectory(directory string) error { + mkdirErr := os.MkdirAll(directory, os.ModePerm) + if mkdirErr != nil { + return mkdirErr + } + return nil +} diff --git a/internal/verify.go b/internal/verify.go new file mode 100644 index 0000000..9128777 --- /dev/null +++ b/internal/verify.go @@ -0,0 +1,205 @@ +package internal + +import ( + "errors" + "fmt" + "os" + + "github.com/jedisct1/go-minisign" +) + +// getKeys returns keys taken from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys. +func getKeys() []string { + return []string{ + "RWRtBSX1alxyGX+Xn3LuZnWUT0w//B6EmTJvgaAxBMYzlQeI+jdrO6KF", // fkooman@tuxed.net, kolla@uninett.no + "RWQKqtqvd0R7rUDp0rWzbtYPA3towPWcLDCl7eY9pBMMI/ohCmrS0WiM", // RoSp + } +} + +// Verify verifies the signature (.minisig file format) on signedJson. +// +// expectedFileName must be set to the file type to be verified, either "server_list.json" or "organization_list.json". +// minSign must be set to the minimum UNIX timestamp (without milliseconds) for the file version. +// This value should not be smaller than the time on the previous document verified. +// forcePrehash indicates whether or not we want to force the use of prehashed signatures +// In the future we want to remove this parameter and only allow prehashed signatures +// +// The return value will either be (true, nil) for a valid signature or (false, VerifyError) otherwise. +// +// Verify is a wrapper around verifyWithKeys where allowedPublicKeys is set to the list from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys. +func Verify(signatureFileContent string, signedJson []byte, expectedFileName string, minSignTime uint64, forcePrehash bool) (bool, error) { + keyStrs := getKeys() + if extraKey != "" { + keyStrs = append(keyStrs, extraKey) + _, err := fmt.Fprintf(os.Stderr, "INSECURE TEST MODE ENABLED WITH KEY %q\n", extraKey) + if err != nil { + panic(err) + } + } + valid, err := verifyWithKeys(signatureFileContent, signedJson, expectedFileName, minSignTime, keyStrs, forcePrehash) + if err != nil { + var verifyCreatePublickeyError *VerifyCreatePublicKeyError + if errors.As(err, &verifyCreatePublickeyError) { + panic(err) // This should not happen unless keyStrs has an invalid key + } + return valid, err + } + return valid, nil +} + +// extraKey is an extra allowed key for testing. +var extraKey = "" + +// InsecureTestingSetExtraKey adds an extra allowed key for verification with Verify. +// ONLY USE FOR TESTING. Applies to all threads. Probably not thread-safe. Do not call in parallel to Verify. +// +// keyString must be a Base64-encoded Minisign key, or empty to reset. +func InsecureTestingSetExtraKey(keyString string) { + extraKey = keyString +} + +type VerifyUnknownExpectedFilenameError struct { + Filename string + Expected string +} + +func (e *VerifyUnknownExpectedFilenameError) Error() string { + return fmt.Sprintf("invalid filename %s, expected %s", e.Filename, e.Expected) +} + +type VerifyInvalidSignatureFormatError struct { + Err error +} + +func (e *VerifyInvalidSignatureFormatError) Error() string { + return fmt.Sprintf("invalid signature format, error %v", e.Err) +} + +type VerifyInvalidSignatureAlgorithmError struct { + Algorithm string + WantedAlgorithm string +} + +func (e *VerifyInvalidSignatureAlgorithmError) Error() string { + return fmt.Sprintf("invalid signature algorithm %s, wanted %s", e.Algorithm, e.WantedAlgorithm) +} + +type VerifyCreatePublicKeyError struct { + PublicKey string + Err error +} + +func (e *VerifyCreatePublicKeyError) Error() string { + return fmt.Sprintf("failed to create public key %s with error %v", e.PublicKey, e.Err) +} + +type VerifyInvalidSignatureError struct { + Err error +} + +func (e *VerifyInvalidSignatureError) Error() string { + return fmt.Sprintf("invalid signature with error %v", e.Err) +} + +type VerifyInvalidTrustedCommentError struct { + TrustedComment string + Err error +} + +func (e *VerifyInvalidTrustedCommentError) Error() string { + return fmt.Sprintf("invalid trusted comment %s with error %v", e.TrustedComment, e.Err) +} + +type VerifyWrongSigFilenameError struct { + Filename string + SigFilename string +} + +func (e *VerifyWrongSigFilenameError) Error() string { + return fmt.Sprintf("wrong filename %s, expected filename %s for signature", e.Filename, e.SigFilename) +} + +type VerifySigTimeEarlierError struct { + SigTime uint64 + MinSigTime uint64 +} + +func (e *VerifySigTimeEarlierError) Error() string { + return fmt.Sprintf("Sign time %d is earlier than sign time %d", e.SigTime, e.MinSigTime) +} + +type VerifyUnknownKeyError struct { + Filename string +} + +func (e *VerifyUnknownKeyError) Error() string { + return fmt.Sprintf("signature for filename %s was created with an unknown key", e.Filename) +} + +// verifyWithKeys verifies the Minisign signature in signatureFileContent (minisig file format) over the server_list/organization_list JSON in signedJson. +// +// Verification is performed using a matching key in allowedPublicKeys. +// The signature is checked to be a Ed25519 Minisign (optionally Ed25519 Blake2b-512 prehashed, see forcePrehash) signature with a valid trusted comment. +// The file type that is verified is indicated by expectedFileName, which must be one of "server_list.json"/"organization_list.json". +// The trusted comment is checked to be of the form "timestamp:\tfile:", optionally suffixed by something, e.g. "\thashed". +// The signature is checked to have a timestamp with a value of at least minSignTime, which is a UNIX timestamp without milliseconds. +// +// The return value will either be (true, nil) on success or (false, detailedVerifyError) on failure. +func verifyWithKeys(signatureFileContent string, signedJson []byte, filename string, minSignTime uint64, allowedPublicKeys []string, forcePrehash bool) (bool, error) { + switch filename { + case "server_list.json", "organization_list.json": + break + default: + return false, &VerifyUnknownExpectedFilenameError{Filename: filename, Expected: "server_list.json or organization_list.json"} + } + + sig, err := minisign.DecodeSignature(signatureFileContent) + if err != nil { + return false, &VerifyInvalidSignatureFormatError{Err: err} + } + + // Check if signature is prehashed, see https://jedisct1.github.io/minisign/#signature-format + if forcePrehash && sig.SignatureAlgorithm != [2]byte{'E', 'D'} { + return false, &VerifyInvalidSignatureAlgorithmError{Algorithm: string(sig.SignatureAlgorithm[:]), WantedAlgorithm: "ED (BLAKE2b-prehashed EdDSA)"} + } + + // Find allowed key used for signature + for _, keyStr := range allowedPublicKeys { + key, err := minisign.NewPublicKey(keyStr) + if err != nil { + // Should only happen if Verify is wrong or extraKey is invalid + return false, &VerifyCreatePublicKeyError{PublicKey: keyStr, Err: err} + } + + if sig.KeyId != key.KeyId { + continue // Wrong key + } + + valid, err := key.Verify(signedJson, sig) + if !valid { + return false, &VerifyInvalidSignatureError{Err: err} + } + + // Parse trusted comment + var signTime uint64 + var sigFileName string + // sigFileName cannot have spaces + _, err = fmt.Sscanf(sig.TrustedComment, "trusted comment: timestamp:%d\tfile:%s", &signTime, &sigFileName) + if err != nil { + return false, &VerifyInvalidTrustedCommentError{TrustedComment: sig.TrustedComment, Err: err} + } + + if sigFileName != filename { + return false, &VerifyWrongSigFilenameError{Filename: filename, SigFilename: sigFileName} + } + + if signTime < minSignTime { + return false, &VerifySigTimeEarlierError{SigTime: signTime, MinSigTime: minSignTime} + } + + return true, nil + } + + // No matching allowed key found + return false, &VerifyUnknownKeyError{Filename: filename} +} diff --git a/internal/verify_test.go b/internal/verify_test.go new file mode 100644 index 0000000..f980dc2 --- /dev/null +++ b/internal/verify_test.go @@ -0,0 +1,140 @@ +package internal + +import ( + "bufio" + "errors" + "fmt" + "io/ioutil" + "os" + "testing" +) + +func Test_verifyWithKeys(t *testing.T) { + var err error + + var pk []string + { + file, err := os.Open("test_data/public.key") + if err != nil { + panic(err) + } + defer file.Close() + + // Get last line (key string) from file + scanner := bufio.NewScanner(file) + for i := 0; i < 2; i++ { + if !scanner.Scan() { + panic(scanner.Err()) + } + } + pk = []string{scanner.Text()} + } + + var ( + verifyCreatePublicKeyError *VerifyCreatePublicKeyError + verifyInvalidSignatureAlgorithmError *VerifyInvalidSignatureAlgorithmError + verifyWrongSigFilenameError *VerifyWrongSigFilenameError + verifyInvalidTrustedCommentError *VerifyInvalidTrustedCommentError + verifyInvalidSignatureFormatError *VerifyInvalidSignatureFormatError + verifyInvalidSignatureError *VerifyInvalidSignatureError + verifySigTimeEarlierError *VerifySigTimeEarlierError + verifyUnknownExpectedFilenameError *VerifyUnknownExpectedFilenameError + verifyUnknownKeyError *VerifyUnknownKeyError + ) + + tests := []struct { + expectedErr interface{} + testName string + signatureFile string + jsonFile string + expectedFileName string + minSignTime uint64 + allowedPks []string + }{ + {&verifyInvalidSignatureAlgorithmError, "pure", "server_list.json.pure.minisig", "server_list.json", "server_list.json", 10, pk}, + + {nil, "valid server_list", "server_list.json.minisig", "server_list.json", "server_list.json", 10, pk}, + {nil, "TC no hashed", "server_list.json.tc_nohashed.minisig", "server_list.json", "server_list.json", 10, pk}, + {nil, "TC later time", "server_list.json.tc_latertime.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "server_list TC file:organization_list", "server_list.json.tc_orglist.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "organization_list as server_list", "organization_list.json.minisig", "organization_list.json", "server_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "TC file:otherfile", "server_list.json.tc_otherfile.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifySigTimeEarlierError, "TC no file", "server_list.json.tc_nofile.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifySigTimeEarlierError, "TC no time", "server_list.json.tc_notime.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifySigTimeEarlierError, "TC empty time", "server_list.json.tc_emptytime.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifyInvalidSignatureFormatError, "TC empty file", "server_list.json.tc_emptyfile.minisig", "server_list.json", "server_list.json", 10, pk}, + {&verifyInvalidTrustedCommentError, "TC random", "server_list.json.tc_random.minisig", "server_list.json", "server_list.json", 10, pk}, + {nil, "large time", "server_list.json.large_time.minisig", "server_list.json", "server_list.json", 43e8, pk}, + {nil, "lower min time", "server_list.json.minisig", "server_list.json", "server_list.json", 5, pk}, + {&verifySigTimeEarlierError, "higher min time", "server_list.json.minisig", "server_list.json", "server_list.json", 11, pk}, + + {nil, "valid organization_list", "organization_list.json.minisig", "organization_list.json", "organization_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "organization_list TC file:server_list", "organization_list.json.tc_servlist.minisig", "organization_list.json", "organization_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "server_list as organization_list", "server_list.json.minisig", "server_list.json", "organization_list.json", 10, pk}, + + {&verifyUnknownExpectedFilenameError, "valid other_list", "other_list.json.minisig", "other_list.json", "other_list.json", 10, pk}, + {&verifyWrongSigFilenameError, "other_list as server_list", "other_list.json.minisig", "other_list.json", "server_list.json", 10, pk}, + + {&verifyInvalidSignatureFormatError, "invalid signature file", "random.txt", "server_list.json", "server_list.json", 10, pk}, + {&verifyInvalidSignatureFormatError, "empty signature file", "empty", "server_list.json", "server_list.json", 10, pk}, + + {&verifyUnknownKeyError, "wrong key", "server_list.json.wrong_key.minisig", "server_list.json", "server_list.json", 10, pk}, + + {&verifyInvalidSignatureAlgorithmError, "forged pure signature", "server_list.json.forged_pure.minisig", "server_list.json.blake2b", "server_list.json", 10, pk}, + {&verifyInvalidSignatureError, "forged key ID", "server_list.json.forged_keyid.minisig", "server_list.json", "server_list.json", 10, pk}, + + {&verifyUnknownKeyError, "no allowed keys", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{}}, + {nil, "multiple allowed keys 1", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{ + pk[0], "RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ", + }}, + {nil, "multiple allowed keys 2", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{ + "RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ", pk[0], + }}, + {&verifyCreatePublicKeyError, "invalid allowed key", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{"AAA"}}, + } + + // Cache file contents in map, mapping file names to contents + files := map[string][]byte{} + loadFile := func(name string) { + content, loaded := files[name] + if !loaded { + content, err = ioutil.ReadFile("test_data/" + name) + if err != nil { + panic(err) + } + files[name] = content + } + } + for _, test := range tests { + loadFile(test.signatureFile) + loadFile(test.jsonFile) + } + + forcePrehash := true + for _, tt := range tests { + t.Run(tt.testName, func(t *testing.T) { + t.Parallel() + valid, err := verifyWithKeys(string(files[tt.signatureFile]), files[tt.jsonFile], + tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash) + compareResults(t, valid, err, tt.expectedErr, func() string { + return fmt.Sprintf("verifyWithKeys(%q, %q, %q, %v, %v, %t)", + tt.signatureFile, tt.jsonFile, tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash) + }) + }) + } +} + +// compareResults compares returned ret, err from a verify function with expected error code expected. +// callStr is called to get the formatted parameters passed to the function. +func compareResults(t *testing.T, ret bool, err error, expectedErr interface{}, callStr func() string) { + // different error returned + if expectedErr != nil && !errors.As(err, expectedErr) { + t.Errorf("%v\nerror %T = %v, wantErr %T", callStr(), err, err, expectedErr) + return + } + // different boolean returned + expectedBool := expectedErr == nil + if ret != expectedBool { + t.Errorf("%v\n= %v, want %v", callStr(), ret, expectedBool) + } +} diff --git a/internal/wireguard.go b/internal/wireguard.go new file mode 100644 index 0000000..4ec12bd --- /dev/null +++ b/internal/wireguard.go @@ -0,0 +1,52 @@ +package internal + +import ( + "fmt" + "regexp" + + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" +) + +func wireguardGenerateKey() (wgtypes.Key, error) { + key, error := wgtypes.GeneratePrivateKey() + return key, error +} + +// FIXME: Instead of doing a regex replace, decide if we should use a parser +func wireguardConfigAddKey(config string, key wgtypes.Key) string { + interface_section := "[Interface]" + interface_section_escaped := regexp.QuoteMeta(interface_section) + + // (?m) enables multi line mode + // ^ match from beginning of line + // $ match till end of line + // So it matches [Interface] section exactly + interface_re := regexp.MustCompile(fmt.Sprintf("(?m)^%s$", interface_section_escaped)) + to_replace := fmt.Sprintf("%s\nPrivateKey = %s", interface_section, key.String()) + return interface_re.ReplaceAllString(config, to_replace) +} + +func (server *Server) WireguardGetConfig() (string, error) { + profile_id := server.Profiles.Current + wireguardKey, wireguardErr := wireguardGenerateKey() + + if wireguardErr != nil { + return "", wireguardErr + } + + wireguardPublicKey := wireguardKey.PublicKey().String() + configWireguard, _, configErr := server.APIConnectWireguard(profile_id, wireguardPublicKey) + + if configErr != nil { + return "", configErr + } + + // FIXME: Store expiry + // This needs the go code a way to identify a connection + // Use the uuid of the connection e.g. on Linux + // This needs the client code to call the go code + + configWireguardKey := wireguardConfigAddKey(configWireguard, wireguardKey) + + return configWireguardKey, nil +} diff --git a/src/api.go b/src/api.go deleted file mode 100644 index 93c1c42..0000000 --- a/src/api.go +++ /dev/null @@ -1,110 +0,0 @@ -package eduvpn - -import ( - "encoding/json" - "errors" - "fmt" - "net/http" - "net/url" -) - -// Authenticated wrappers on top of HTTP -func (server *Server) apiAuthenticated(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) { - // Ensure optional is not nil as we will fill it with headers - if opts == nil { - opts = &HTTPOptionalParams{} - } - url := server.Endpoints.API.V3.API + endpoint - - // Ensure we have valid tokens - oauthErr := server.OAuth.EnsureTokens() - - if oauthErr != nil { - return nil, nil, oauthErr - } - - headerKey := "Authorization" - headerValue := fmt.Sprintf("Bearer %s", server.OAuth.Token.Access) - if opts.Headers != nil { - opts.Headers.Add(headerKey, headerValue) - } else { - opts.Headers = http.Header{headerKey: {headerValue}} - } - return HTTPMethodWithOpts(method, url, opts) -} - -func (server *Server) apiAuthenticatedRetry(method string, endpoint string, opts *HTTPOptionalParams) (http.Header, []byte, error) { - header, body, bodyErr := server.apiAuthenticated(method, endpoint, opts) - if bodyErr != nil { - var error *HTTPStatusError - - // Only retry authenticated if we get a HTTP 401 - if errors.As(bodyErr, &error) && error.Status == 401 { - GetVPNState().Log(LOG_INFO, fmt.Sprintf("API: Got HTTP error %v, retrying authenticated", error)) - // Tell the method that the token is expired - server.OAuth.Token.ExpiredTimestamp = GenerateTimeSeconds() - return server.apiAuthenticated(method, endpoint, opts) - } - return header, nil, bodyErr - } - return header, body, bodyErr -} - -func (server *Server) APIInfo() error { - _, body, bodyErr := server.apiAuthenticatedRetry(http.MethodGet, "/info", nil) - if bodyErr != nil { - return bodyErr - } - structure := ServerProfileInfo{} - jsonErr := json.Unmarshal(body, &structure) - - if jsonErr != nil { - return jsonErr - } - - server.Profiles = structure - server.ProfilesRaw = string(body) - return nil -} - -func (server *Server) APIConnectWireguard(profile_id string, pubkey string) (string, string, error) { - headers := http.Header{ - "content-type": {"application/x-www-form-urlencoded"}, - "accept": {"application/x-wireguard-profile"}, - } - - urlForm := url.Values{ - "profile_id": {profile_id}, - "public_key": {pubkey}, - } - header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm}) - if connectErr != nil { - return "", "", connectErr - } - - expires := header.Get("expires") - return string(connectBody), expires, nil -} - -func (server *Server) APIConnectOpenVPN(profile_id string) (string, string, error) { - headers := http.Header{ - "content-type": {"application/x-www-form-urlencoded"}, - "accept": {"application/x-openvpn-profile"}, - } - - urlForm := url.Values{ - "profile_id": {profile_id}, - } - header, connectBody, connectErr := server.apiAuthenticatedRetry(http.MethodPost, "/connect", &HTTPOptionalParams{Headers: headers, Body: urlForm}) - if connectErr != nil { - return "", "", connectErr - } - - expires := header.Get("expires") - return string(connectBody), expires, nil -} - -// This needs no further return value as it's best effort -func (server *Server) APIDisconnect() { - server.apiAuthenticatedRetry(http.MethodPost, "/disconnect", nil) -} diff --git a/src/config.go b/src/config.go deleted file mode 100644 index 6db3cb2..0000000 --- a/src/config.go +++ /dev/null @@ -1,42 +0,0 @@ -package eduvpn - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "path" -) - -func (eduvpn *VPNState) EnsureConfigDir() error { - mkdirErr := os.MkdirAll(eduvpn.ConfigDirectory, os.ModePerm) - if mkdirErr != nil { - return mkdirErr - } - return nil -} - -func (eduvpn *VPNState) GetConfigName() string { - pathString := path.Join(eduvpn.ConfigDirectory, eduvpn.Name) - return fmt.Sprintf("%s.json", pathString) -} - -func (eduvpn *VPNState) WriteConfig() error { - configDirErr := eduvpn.EnsureConfigDir() - if configDirErr != nil { - return configDirErr - } - jsonString, marshalErr := json.Marshal(eduvpn) - if marshalErr != nil { - return marshalErr - } - return ioutil.WriteFile(eduvpn.GetConfigName(), jsonString, 0o644) -} - -func (eduvpn *VPNState) LoadConfig() error { - bytes, readErr := ioutil.ReadFile(eduvpn.GetConfigName()) - if readErr != nil { - return readErr - } - return json.Unmarshal(bytes, eduvpn) -} diff --git a/src/discovery.go b/src/discovery.go deleted file mode 100644 index fa3cac6..0000000 --- a/src/discovery.go +++ /dev/null @@ -1,165 +0,0 @@ -package eduvpn - -import ( - "encoding/json" - "fmt" -) - -type DiscoFileError struct { - URL string - Err error -} - -func (e *DiscoFileError) Error() string { - return fmt.Sprintf("failed obtaining disco file %s with error %v", e.URL, e.Err) -} - -type DiscoSigFileError struct { - URL string - Err error -} - -func (e *DiscoSigFileError) Error() string { - return fmt.Sprintf("failed obtaining disco signature file %s with error %v", e.URL, e.Err) -} - -type DiscoVerifyError struct { - File string - Sigfile string - Err error -} - -func (e *DiscoVerifyError) Error() string { - return fmt.Sprintf("failed verifying file %s with signature %s due to error %v", e.File, e.Sigfile, e.Err) -} - -type DiscoJSONError struct { - Body string - Err error -} - -func (e *DiscoJSONError) Error() string { - return fmt.Sprintf("failed parsing JSON for contents %s with error %v", e.Body, e.Err) -} - -type OrganizationList struct { - JSON json.RawMessage `json:"organization_list"` - Version uint64 `json:"v"` - Timestamp int64 `json:"-"` -} - -type ServersList struct { - JSON json.RawMessage `json:"server_list"` - Version uint64 `json:"v"` - Timestamp int64 `json:"-"` -} - -type DiscoLists struct { - Organizations OrganizationList - Servers ServersList -} - -// Helper function that gets a disco json -func getDiscoFile(jsonFile string, previousVersion uint64, structure interface{}) error { - // Get json data - discoURL := "https://disco.eduvpn.org/v2/" - fileURL := discoURL + jsonFile - _, fileBody, fileErr := HTTPGet(fileURL) - - if fileErr != nil { - return &DiscoFileError{fileURL, fileErr} - } - - // Get signature - sigFile := jsonFile + ".minisig" - sigURL := discoURL + sigFile - _, sigBody, sigFileErr := HTTPGet(sigURL) - - if sigFileErr != nil { - return &DiscoSigFileError{URL: sigURL, Err: sigFileErr} - } - - // Verify signature - // Set this to true when we want to force prehash - forcePrehash := false - verifySuccess, verifyErr := Verify(string(sigBody), fileBody, jsonFile, previousVersion, forcePrehash) - - if !verifySuccess || verifyErr != nil { - return &DiscoVerifyError{File: jsonFile, Sigfile: sigFile, Err: verifyErr} - } - - // Parse JSON to extract version and list - jsonErr := json.Unmarshal(fileBody, structure) - - if jsonErr != nil { - return &DiscoJSONError{Body: string(fileBody), Err: jsonErr} - } - - return nil -} - -type GetListError struct { - File string - Err error -} - -func (e *GetListError) Error() string { - return fmt.Sprintf("failed getting disco list file %s with error %v", e.File, e.Err) -} - -// FIXME: Implement based on -// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md -// - [IMPLEMENTED] on "first launch" when offering the search for "Institute Access" and "Organizations"; -// - [TODO] when the user tries to add new server AND the user did NOT yet choose an organization before; -// - [TODO] when the authorization for the server associated with an already chosen organization is triggered, e.g. after expiry or revocation. -func (eduvpn *VPNState) DetermineOrganizationsUpdate() bool { - return string(eduvpn.DiscoList.Organizations.JSON) == "" -} - -// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md -// - [Implemented] The application MUST always fetch the server_list.json at application start. -// - The application MAY refresh the server_list.json periodically, e.g. once every hour. -func (eduvpn *VPNState) DetermineServersUpdate() bool { - // No servers, we should update - if string(eduvpn.DiscoList.Servers.JSON) == "" { - return true - } - // 1 hour from the last update - should_update_time := eduvpn.DiscoList.Servers.Timestamp + 3600 - now := GenerateTimeSeconds() - if now >= should_update_time { - return true - } - GetVPNState().Log(LOG_INFO, "No update needed for servers, 1h is not passed yet") - return false -} - -// Get the organization list -func (eduvpn *VPNState) GetOrganizationsList() (string, error) { - if !eduvpn.DetermineOrganizationsUpdate() { - return string(eduvpn.DiscoList.Organizations.JSON), nil - } - file := "organization_list.json" - err := getDiscoFile(file, eduvpn.DiscoList.Organizations.Version, &eduvpn.DiscoList.Organizations) - if err != nil { - // Return previous with an error - return string(eduvpn.DiscoList.Organizations.JSON), &GetListError{File: file, Err: err} - } - return string(eduvpn.DiscoList.Organizations.JSON), nil -} - -// Get the server list -func (eduvpn *VPNState) GetServersList() (string, error) { - if !eduvpn.DetermineServersUpdate() { - return string(eduvpn.DiscoList.Servers.JSON), nil - } - file := "server_list.json" - err := getDiscoFile(file, eduvpn.DiscoList.Servers.Version, &eduvpn.DiscoList.Servers) - if err != nil { - // Return previous with an error - return string(eduvpn.DiscoList.Servers.JSON), &GetListError{File: file, Err: err} - } - // Update servers timestamp - eduvpn.DiscoList.Servers.Timestamp = GenerateTimeSeconds() - return string(eduvpn.DiscoList.Servers.JSON), nil -} diff --git a/src/fsm.go b/src/fsm.go deleted file mode 100644 index 223b42f..0000000 --- a/src/fsm.go +++ /dev/null @@ -1,197 +0,0 @@ -package eduvpn - -import ( - "fmt" - "os" - "sort" -) - -type ( - FSMStateID int8 - FSMStateIDSlice []FSMStateID -) - -func (v FSMStateIDSlice) Len() int { - return len(v) -} - -func (v FSMStateIDSlice) Less(i, j int) bool { - return v[i] < v[j] -} - -func (v FSMStateIDSlice) Swap(i, j int) { - v[i], v[j] = v[j], v[i] -} - -const ( - // Deregistered means the app is not registered with the wrapper - DEREGISTERED FSMStateID = iota - - // No Server means the user has not chosen a server yet - NO_SERVER - - // Chosen Server means the user has chosen a server to connect to - CHOSEN_SERVER - - // OAuth Started means the OAuth process has started - OAUTH_STARTED - - // Authenticated means the OAuth process has finished and the user is now authenticated with the server - AUTHENTICATED - - // Requested config means the user has requested a config for connecting - REQUEST_CONFIG - - // Has config means the user has gotten a config - HAS_CONFIG - - // Ask profile means the go code is asking for a profile selection from the ui - ASK_PROFILE - - // Connected means the user has been connected to the server - CONNECTED -) - -func (s FSMStateID) String() string { - switch s { - case DEREGISTERED: - return "Deregistered" - case NO_SERVER: - return "No_Server" - case CHOSEN_SERVER: - return "Chosen_Server" - case OAUTH_STARTED: - return "OAuth_Started" - case HAS_CONFIG: - return "Has_Config" - case REQUEST_CONFIG: - return "Request_Config" - case ASK_PROFILE: - return "Ask_Profile" - case AUTHENTICATED: - return "Authenticated" - case CONNECTED: - return "Connected" - default: - panic("unknown conversion of state to string") - } -} - -type FSMTransition struct { - To FSMStateID - Description string -} - -type ( - FSMTransitions []FSMTransition - FSMStates map[FSMStateID]FSMTransitions -) - -type FSM struct { - States FSMStates - Current FSMStateID -} - -func (eduvpn *VPNState) HasTransition(check FSMStateID) bool { - for _, transition_state := range eduvpn.FSM.States[eduvpn.FSM.Current] { - if transition_state.To == check { - return true - } - } - - return false -} - -func (eduvpn *VPNState) InState(check FSMStateID) bool { - return check == eduvpn.FSM.Current -} - -func (eduvpn *VPNState) writeGraph() { - graph := eduvpn.GenerateGraph() - - f, err := os.Create("debug.graph") - if err != nil { - eduvpn.Log(LOG_INFO, fmt.Sprintf("Failed to write debug fsm graph with error %v", err)) - } - - defer f.Close() - - f.WriteString(graph) -} - -func (eduvpn *VPNState) GoTransitionWithData(newState FSMStateID, data string) bool { - ok := eduvpn.HasTransition(newState) - - if ok { - oldState := eduvpn.FSM.Current - eduvpn.FSM.Current = newState - if eduvpn.Debug { - eduvpn.writeGraph() - } - eduvpn.StateCallback(oldState.String(), newState.String(), data) - } - - return ok -} - -func (eduvpn *VPNState) GoTransition(newState FSMStateID) bool { - return eduvpn.GoTransitionWithData(newState, "") -} - -func (eduvpn *VPNState) generateDotGraph() string { - graph := `digraph eduvpn_fsm { -nodesep = 2; -remincross = false; -` - graph += "node[color=blue]; " + eduvpn.FSM.Current.String() + ";\n" - graph += "node [color=black];\n" - for state, transitions := range eduvpn.FSM.States { - for _, transition := range transitions { - graph += state.String() + " -> " + transition.To.String() + " [label=\"" + transition.Description + "\"]\n" - } - } - graph += "}" - return graph -} - -func (eduvpn *VPNState) generateMermaidGraph() string { - graph := "graph TD\n" - sorted_fsm := make(FSMStateIDSlice, 0, len(eduvpn.FSM.States)) - for state_id := range eduvpn.FSM.States { - sorted_fsm = append(sorted_fsm, state_id) - } - sort.Sort(sorted_fsm) - for _, state := range sorted_fsm { - transitions := eduvpn.FSM.States[state] - for _, transition := range transitions { - if state == eduvpn.FSM.Current { - graph += "\nstyle " + state.String() + " fill:cyan\n" - } else { - graph += "\nstyle " + state.String() + " fill:white\n" - } - graph += state.String() + "(" + state.String() + ") " + "-->|" + transition.Description + "| " + transition.To.String() + "\n" - } - } - return graph -} - -func (eduvpn *VPNState) GenerateGraph() string { - return eduvpn.generateMermaidGraph() -} - -func (eduvpn *VPNState) InitializeFSM() { - eduvpn.FSM = FSM{ - States: FSMStates{ - DEREGISTERED: {{NO_SERVER, "Client registers"}}, - NO_SERVER: {{CHOSEN_SERVER, "User chooses a server"}}, - CHOSEN_SERVER: {{AUTHENTICATED, "Found tokens in config"}, {OAUTH_STARTED, "No tokens found in config"}}, - OAUTH_STARTED: {{AUTHENTICATED, "User authorizes with browser"}}, - AUTHENTICATED: {{OAUTH_STARTED, "Re-authenticate with OAuth"}, {REQUEST_CONFIG, "Client requests a config"}}, - REQUEST_CONFIG: {{ASK_PROFILE, "Multiple profiles found"}, {HAS_CONFIG, "Success, only one profile"}}, - ASK_PROFILE: {{HAS_CONFIG, "User chooses profile and success"}}, - HAS_CONFIG: {{CONNECTED, "OS reports connected"}}, - CONNECTED: {{AUTHENTICATED, "OS reports disconnected"}}, - }, - Current: DEREGISTERED, - } -} diff --git a/src/http.go b/src/http.go deleted file mode 100644 index bbc866b..0000000 --- a/src/http.go +++ /dev/null @@ -1,172 +0,0 @@ -package eduvpn - -import ( - "fmt" - "io" - "io/ioutil" - "net/http" - "net/url" - "strings" -) - -type HTTPResourceError struct { - URL string - Err error -} - -func (e *HTTPResourceError) Error() string { - return fmt.Sprintf("failed obtaining HTTP resource %s with error %v", e.URL, e.Err) -} - -type HTTPStatusError struct { - URL string - Status int -} - -func (e *HTTPStatusError) Error() string { - return fmt.Sprintf("failed obtaining HTTP resource %s as it gave an unsuccesful status code %d", e.URL, e.Status) -} - -type HTTPReadError struct { - URL string - Err error -} - -func (e *HTTPReadError) Error() string { - return fmt.Sprintf("failed reading HTTP resource %s with error %v", e.URL, e.Err) -} - -type HTTPParseJsonError struct { - URL string - Body string - Err error -} - -func (e *HTTPParseJsonError) Error() string { - return fmt.Sprintf("failed parsing json %s for HTTP resource %s with error %v", e.Body, e.URL, e.Err) -} - -type HTTPRequestCreateError struct { - URL string - Err error -} - -func (e *HTTPRequestCreateError) Error() string { - return fmt.Sprintf("failed to create HTTP request with url %s and error %v", e.URL, e.Err) -} - -type URLParameters map[string]string - -type HTTPOptionalParams struct { - Headers http.Header - URLParameters URLParameters - Body url.Values -} - -// Construct an URL including on parameters -func HTTPConstructURL(baseURL string, parameters URLParameters) (string, error) { - url, err := url.Parse(baseURL) - if err != nil { - return "", err - } - - q := url.Query() - - for parameter, value := range parameters { - q.Set(parameter, value) - } - url.RawQuery = q.Encode() - return url.String(), nil -} - -// Convenience functions -func HTTPGet(url string) (http.Header, []byte, error) { - return HTTPMethodWithOpts(http.MethodGet, url, nil) -} - -func HTTPPost(url string, body url.Values) (http.Header, []byte, error) { - return HTTPMethodWithOpts(http.MethodGet, url, &HTTPOptionalParams{Body: body}) -} - -func HTTPGetWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { - return HTTPMethodWithOpts(http.MethodGet, url, opts) -} - -func HTTPPostWithOpts(url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { - return HTTPMethodWithOpts(http.MethodPost, url, opts) -} - -func httpOptionalURL(url string, opts *HTTPOptionalParams) (string, error) { - if opts != nil { - url, urlErr := HTTPConstructURL(url, opts.URLParameters) - - if urlErr != nil { - return url, &HTTPRequestCreateError{URL: url, Err: urlErr} - } - return url, nil - } - return url, nil -} - -func httpOptionalHeaders(req *http.Request, opts *HTTPOptionalParams) { - // Add headers - if opts != nil && req != nil { - for k, v := range opts.Headers { - req.Header.Add(k, v[0]) - } - } -} - -func httpOptionalBodyReader(opts *HTTPOptionalParams) io.Reader { - if opts != nil && opts.Body != nil { - return strings.NewReader(opts.Body.Encode()) - } - return nil -} - -func HTTPMethodWithOpts(method string, url string, opts *HTTPOptionalParams) (http.Header, []byte, error) { - // Make sure the url contains all the parameters - // This can return an error, - // it already has the right error so so we don't wrap it further - url, urlErr := httpOptionalURL(url, opts) - if urlErr != nil { - return nil, nil, urlErr - } - - // Create a client - client := &http.Client{} - - // Create request object with the body reader generated from the optional arguments - req, reqErr := http.NewRequest(method, url, httpOptionalBodyReader(opts)) - if reqErr != nil { - return nil, nil, &HTTPRequestCreateError{URL: url, Err: reqErr} - } - - // See https://stackoverflow.com/questions/17714494/golang-http-request-results-in-eof-errors-when-making-multiple-requests-successi - req.Close = true - - // Make sure the headers contain all the parameters - httpOptionalHeaders(req, opts) - - // Do request - resp, respErr := client.Do(req) - if respErr != nil { - return nil, nil, &HTTPResourceError{URL: url, Err: respErr} - } - - // Request successful, make sure body is closed at the end - defer resp.Body.Close() - - // Return a string - body, readErr := ioutil.ReadAll(resp.Body) - if readErr != nil { - return resp.Header, nil, &HTTPReadError{URL: url, Err: readErr} - } - - if resp.StatusCode < 200 || resp.StatusCode > 299 { - return resp.Header, body, &HTTPStatusError{URL: url, Status: resp.StatusCode} - } - - // Return the body in bytes and signal the status error if there was one - return resp.Header, body, nil -} diff --git a/src/log.go b/src/log.go deleted file mode 100644 index 7402e31..0000000 --- a/src/log.go +++ /dev/null @@ -1,66 +0,0 @@ -package eduvpn - -import ( - "fmt" - "log" - "os" - "path" -) - -type FileLogger struct { - Level LogLevel - File *os.File -} - -type LogLevel int8 - -const ( - LOG_NOTSET LogLevel = iota - LOG_INFO - LOG_WARNING - LOG_ERROR -) - -func (e LogLevel) String() string { - switch e { - case LOG_NOTSET: - return "NOTSET" - case LOG_INFO: - return "INFO" - case LOG_WARNING: - return "WARNING" - case LOG_ERROR: - return "ERROR" - default: - return "UNKNOWN" - } -} - -func (eduvpn *VPNState) getLogFilename() string { - pathString := path.Join(eduvpn.ConfigDirectory, eduvpn.Name) - return fmt.Sprintf("%s.log", pathString) -} - -func (eduvpn *VPNState) InitLog(level LogLevel) error { - configDirErr := eduvpn.EnsureConfigDir() - if configDirErr != nil { - return configDirErr - } - logFile, logOpenErr := os.OpenFile(eduvpn.getLogFilename(), os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666) - if logOpenErr != nil { - return logOpenErr - } - log.SetOutput(logFile) - eduvpn.LogFile = FileLogger{Level: level, File: logFile} - return nil -} - -func (eduvpn *VPNState) Log(level LogLevel, str string) { - if level >= eduvpn.LogFile.Level && eduvpn.LogFile.Level != LOG_NOTSET { - log.Printf("[%s]: %s", level.String(), str) - } -} - -func (eduvpn *VPNState) CloseLog() { - eduvpn.LogFile.File.Close() -} diff --git a/src/oauth.go b/src/oauth.go deleted file mode 100644 index 263690e..0000000 --- a/src/oauth.go +++ /dev/null @@ -1,393 +0,0 @@ -package eduvpn - -import ( - "context" - "crypto/sha256" - "encoding/base64" - "encoding/json" - "errors" - "fmt" - "net/http" - "net/url" -) - -// Generates a random base64 string to be used for state -// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1 -// "state": OPTIONAL. An opaque value used by the client to maintain -// state between the request and callback. The authorization server -// includes this value when redirecting the user agent back to the -// client. -func genState() (string, error) { - randomBytes, err := MakeRandomByteSlice(32) - if err != nil { - return "", &OAuthGenStateUnableError{Err: err} - } - - // For consistency we also use raw url encoding here - return base64.RawURLEncoding.EncodeToString(randomBytes), nil -} - -// Generates a sha256 base64 challenge from a verifier -// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.8 -func genChallengeS256(verifier string) string { - hash := sha256.Sum256([]byte(verifier)) - - // We use raw url encoding as the challenge does not accept padding - return base64.RawURLEncoding.EncodeToString(hash[:]) -} - -// Generates a verifier -// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.1 -// The code_verifier is a unique high-entropy cryptographically random -// string generated for each authorization request, using the unreserved -// characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", with a -// minimum length of 43 characters and a maximum length of 128 -// characters. -func genVerifier() (string, error) { - randomBytes, err := MakeRandomByteSlice(32) - if err != nil { - return "", &OAuthGenVerifierUnableError{Err: err} - } - - return base64.RawURLEncoding.EncodeToString(randomBytes), nil -} - -type OAuth struct { - Session OAuthExchangeSession `json:"-"` - Token OAuthToken `json:"token"` - TokenURL string `json:"token_url"` -} - -// This structure gets passed to the callback for easy access to the current state -type OAuthExchangeSession struct { - // returned from the callback - CallbackError error - - // filled in in initialize - ClientID string - State string - Verifier string - - // filled in when constructing the callback - Context context.Context - Server http.Server -} - -// Struct that defines the json format for /.well-known/vpn-user-portal" -type OAuthToken struct { - Access string `json:"access_token"` - Refresh string `json:"refresh_token"` - Type string `json:"token_type"` - Expires int64 `json:"expires_in"` - ExpiredTimestamp int64 `json:"expires_in_timestamp"` -} - -// Gets an authenticated HTTP client by obtaining refresh and access tokens -func (oauth *OAuth) getTokensWithCallback() error { - oauth.Session.Context = context.Background() - mux := http.NewServeMux() - addr := "127.0.0.1:8000" - oauth.Session.Server = http.Server{ - Addr: addr, - Handler: mux, - } - mux.HandleFunc("/callback", oauth.Callback) - if err := oauth.Session.Server.ListenAndServe(); err != http.ErrServerClosed { - return &OAuthFailedCallbackError{Addr: addr, Err: err} - } - return oauth.Session.CallbackError -} - -// Get the access and refresh tokens -// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4 -// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2 -func (oauth *OAuth) getTokensWithAuthCode(authCode string) error { - // Make sure the verifier is set as the parameter - // so that the server can verify that we are the actual owner of the authorization code - - reqURL := oauth.TokenURL - data := url.Values{ - "client_id": {oauth.Session.ClientID}, - "code": {authCode}, - "code_verifier": {oauth.Session.Verifier}, - "grant_type": {"authorization_code"}, - "redirect_uri": {"http://127.0.0.1:8000/callback"}, - } - headers := http.Header{ - "content-type": {"application/x-www-form-urlencoded"}, - } - opts := &HTTPOptionalParams{Headers: headers, Body: data} - current_time := GenerateTimeSeconds() - _, body, bodyErr := HTTPPostWithOpts(reqURL, opts) - if bodyErr != nil { - return bodyErr - } - - tokenStructure := OAuthToken{} - - jsonErr := json.Unmarshal(body, &tokenStructure) - - if jsonErr != nil { - return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr} - } - - tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires - oauth.Token = tokenStructure - return nil -} - -func (oauth *OAuth) isTokensExpired() bool { - expired_time := oauth.Token.ExpiredTimestamp - current_time := GenerateTimeSeconds() - return current_time >= expired_time -} - -// Get the access and refresh tokens with a previously received refresh token -// Access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.4 -// Refresh tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.2 -func (oauth *OAuth) getTokensWithRefresh() error { - reqURL := oauth.TokenURL - data := url.Values{ - "refresh_token": {oauth.Token.Refresh}, - "grant_type": {"refresh_token"}, - } - headers := http.Header{ - "content-type": {"application/x-www-form-urlencoded"}, - } - opts := &HTTPOptionalParams{Headers: headers, Body: data} - current_time := GenerateTimeSeconds() - _, body, bodyErr := HTTPPostWithOpts(reqURL, opts) - if bodyErr != nil { - return bodyErr - } - - tokenStructure := OAuthToken{} - jsonErr := json.Unmarshal(body, &tokenStructure) - - if jsonErr != nil { - return &HTTPParseJsonError{URL: reqURL, Body: string(body), Err: jsonErr} - } - - tokenStructure.ExpiredTimestamp = current_time + tokenStructure.Expires - oauth.Token = tokenStructure - return nil -} - -// -//// The callback to retrieve the authorization code: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-1.3.1 -func (oauth *OAuth) Callback(w http.ResponseWriter, req *http.Request) { - // Extract the authorization code - code, success := req.URL.Query()["code"] - if !success { - oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "code", URL: req.URL.String()} - go oauth.Session.Server.Shutdown(oauth.Session.Context) - return - } - // The code is the first entry - extractedCode := code[0] - - // Make sure the state is present and matches to protect against cross-site request forgeries - // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15 - state, success := req.URL.Query()["state"] - if !success { - oauth.Session.CallbackError = &OAuthFailedCallbackParameterError{Parameter: "state", URL: req.URL.String()} - go oauth.Session.Server.Shutdown(oauth.Session.Context) - return - } - // The state is the first entry - extractedState := state[0] - if extractedState != oauth.Session.State { - oauth.Session.CallbackError = &OAuthFailedCallbackStateMatchError{State: extractedState, ExpectedState: oauth.Session.State} - go oauth.Session.Server.Shutdown(oauth.Session.Context) - return - } - - // Now that we have obtained the authorization code, we can move to the next step: - // Obtaining the access and refresh tokens - err := oauth.getTokensWithAuthCode(extractedCode) - if err != nil { - oauth.Session.CallbackError = &OAuthFailedCallbackGetTokensError{Err: err} - go oauth.Session.Server.Shutdown(oauth.Session.Context) - return - } - - // Shutdown the server as we're done listening - go oauth.Session.Server.Shutdown(oauth.Session.Context) -} - -// Initializes the OAuth for eduvpn. -// It needs a vpn state that was gotten from `Register` -// It returns the authurl for the browser and an error if present -func (eduvpn *VPNState) InitializeOAuth() error { - if !eduvpn.HasTransition(OAUTH_STARTED) { - return errors.New(fmt.Sprintf("Failed starting oauth, invalid state %s", eduvpn.FSM.Current.String())) - } - // Generate the state - state, stateErr := genState() - if stateErr != nil { - return &OAuthFailedInitializeError{Err: stateErr} - } - - // Generate the verifier and challenge - verifier, verifierErr := genVerifier() - if verifierErr != nil { - return &OAuthFailedInitializeError{Err: verifierErr} - } - challenge := genChallengeS256(verifier) - - parameters := map[string]string{ - "client_id": eduvpn.Name, - "code_challenge_method": "S256", - "code_challenge": challenge, - "response_type": "code", - "scope": "config", - "state": state, - "redirect_uri": "http://127.0.0.1:8000/callback", - } - - server, serverErr := eduvpn.Servers.GetCurrentServer() - if serverErr != nil { - return errors.New("OAuth Initialize no server found") - } - authURL, urlErr := HTTPConstructURL(server.Endpoints.API.V3.Authorization, parameters) - - if urlErr != nil { // shouldn't happen - panic(urlErr) - } - - // Fill the struct with the necessary fields filled for the next call to getting the HTTP client - oauthSession := OAuthExchangeSession{ClientID: eduvpn.Name, State: state, Verifier: verifier} - server.OAuth = OAuth{TokenURL: server.Endpoints.API.V3.Token, Session: oauthSession} - eduvpn.GoTransitionWithData(OAUTH_STARTED, authURL) - return nil -} - -// Error definitions -func (eduvpn *VPNState) FinishOAuth() error { - if !eduvpn.HasTransition(AUTHENTICATED) { - return errors.New("invalid state to finish oauth") - } - server, serverErr := eduvpn.Servers.GetCurrentServer() - if serverErr != nil { - return errors.New("OAuth Initialize No server found") - } - tokenErr := server.OAuth.getTokensWithCallback() - if tokenErr != nil { - return tokenErr - } - eduvpn.GoTransition(AUTHENTICATED) - return nil -} - -func (state *VPNState) LoginOAuth() error { - authInitializeErr := state.InitializeOAuth() - - if authInitializeErr != nil { - return authInitializeErr - } - - oauthErr := state.FinishOAuth() - - if oauthErr != nil { - return oauthErr - } - return nil -} - -func (oauth *OAuth) Login() error { - return GetVPNState().LoginOAuth() -} - -func (oauth *OAuth) NeedsRelogin() bool { - // Access Token or Refresh Tokens empty, definitely needs a relogin - if oauth.Token.Access == "" || oauth.Token.Refresh == "" { - GetVPNState().Log(LOG_INFO, "OAuth: Tokens are empty") - return true - } - - // We have tokens... - - // The tokens are not expired yet - // No relogin is needed - if !oauth.isTokensExpired() { - GetVPNState().Log(LOG_INFO, "OAuth: Tokens are not expired, re-login not needed") - return false - } - - refreshErr := oauth.getTokensWithRefresh() - // We have obtained new tokens with refresh - if refreshErr == nil { - GetVPNState().Log(LOG_INFO, "OAuth: Tokens could be re-acquired using the refresh token, re-login not needed") - return false - } - - // Otherwise relogin is really needed - return true -} - -func (oauth *OAuth) EnsureTokens() error { - if oauth.NeedsRelogin() { - GetVPNState().Log(LOG_INFO, "OAuth: Tokens are invalid, relogging in") - return oauth.Login() - } - return nil -} - -type OAuthGenStateUnableError struct { - Err error -} - -func (e *OAuthGenStateUnableError) Error() string { - return fmt.Sprintf("failed generating state with error %v", e.Err) -} - -type OAuthGenVerifierUnableError struct { - Err error -} - -func (e *OAuthGenVerifierUnableError) Error() string { - return fmt.Sprintf("failed generating verifier with error %v", e.Err) -} - -type OAuthFailedCallbackError struct { - Addr string - Err error -} - -func (e *OAuthFailedCallbackError) Error() string { - return fmt.Sprintf("failed callback %s with error %v", e.Addr, e.Err) -} - -type OAuthFailedCallbackParameterError struct { - Parameter string - URL string -} - -func (e *OAuthFailedCallbackParameterError) Error() string { - return fmt.Sprintf("failed retrieving parameter %s in url %s", e.Parameter, e.URL) -} - -type OAuthFailedCallbackStateMatchError struct { - State string - ExpectedState string -} - -func (e *OAuthFailedCallbackStateMatchError) Error() string { - return fmt.Sprintf("failed matching state, got %s, want %s", e.State, e.ExpectedState) -} - -type OAuthFailedCallbackGetTokensError struct { - Err error -} - -func (e *OAuthFailedCallbackGetTokensError) Error() string { - return fmt.Sprintf("failed getting tokens with error %v", e.Err) -} - -type OAuthFailedInitializeError struct { - Err error -} - -func (e *OAuthFailedInitializeError) Error() string { - return fmt.Sprintf("failed initializing OAuth with error %v", e.Err) -} diff --git a/src/openvpn.go b/src/openvpn.go deleted file mode 100644 index 95e1328..0000000 --- a/src/openvpn.go +++ /dev/null @@ -1,12 +0,0 @@ -package eduvpn - -func (server *Server) OpenVPNGetConfig() (string, error) { - profile_id := server.Profiles.Current - configOpenVPN, _, configErr := server.APIConnectOpenVPN(profile_id) - - if configErr != nil { - return "", configErr - } - - return configOpenVPN, nil -} diff --git a/src/server.go b/src/server.go deleted file mode 100644 index 3dca26b..0000000 --- a/src/server.go +++ /dev/null @@ -1,178 +0,0 @@ -package eduvpn - -import ( - "encoding/json" - "errors" -) - -type Server struct { - BaseURL string `json:"base_url"` - Endpoints ServerEndpoints `json:"endpoints"` - OAuth OAuth `json:"oauth"` - Profiles ServerProfileInfo `json:"profiles"` - ProfilesRaw string `json:"profiles_raw"` -} - -type Servers struct { - List map[string]*Server `json:"list"` - Current string `json:"current"` -} - -func (servers *Servers) GetCurrentServer() (*Server, error) { - if servers.List == nil { - return nil, errors.New("No map found to get Current Server") - } - server, exists := servers.List[servers.Current] - - if !exists || server == nil { - return nil, errors.New("Current Server not found") - } - return server, nil -} - -func (servers *Servers) EnsureServer(url string) *Server { - if servers.List == nil { - servers.List = make(map[string]*Server) - } - - server, exists := servers.List[url] - - if !exists || server == nil { - server = &Server{} - server.Initialize(url) - servers.List[url] = server - } - servers.Current = url - return server -} - -type ServerProfile struct { - ID string `json:"profile_id"` - DisplayName string `json:"display_name"` - VPNProtoList []string `json:"vpn_proto_list"` - DefaultGateway bool `json:"default_gateway"` -} - -type ServerProfileInfo struct { - Current string `json:"current_profile"` - Info struct { - ProfileList []ServerProfile `json:"profile_list"` - } `json:"info"` -} - -type ServerEndpointList struct { - API string `json:"api_endpoint"` - Authorization string `json:"authorization_endpoint"` - Token string `json:"token_endpoint"` -} - -// Struct that defines the json format for /.well-known/vpn-user-portal" -type ServerEndpoints struct { - API struct { - V2 ServerEndpointList `json:"http://eduvpn.org/api#2"` - V3 ServerEndpointList `json:"http://eduvpn.org/api#3"` - } `json:"api"` - V string `json:"v"` -} - -func (server *Server) Initialize(url string) error { - server.BaseURL = url - endpointsErr := server.GetEndpoints() - if endpointsErr != nil { - return endpointsErr - } - return nil -} - -func (server *Server) NeedsRelogin() bool { - // Check if OAuth needs relogin - return server.OAuth.NeedsRelogin() -} - -func (server *Server) GetEndpoints() error { - url := server.BaseURL + "/.well-known/vpn-user-portal" - _, body, bodyErr := HTTPGet(url) - - if bodyErr != nil { - return bodyErr - } - - endpoints := ServerEndpoints{} - jsonErr := json.Unmarshal(body, &endpoints) - - if jsonErr != nil { - return jsonErr - } - - server.Endpoints = endpoints - - return nil -} - -func (profile *ServerProfile) supportsWireguard() bool { - for _, proto := range profile.VPNProtoList { - if proto == "wireguard" { - return true - } - } - return false -} - -func (server *Server) getCurrentProfile() (*ServerProfile, error) { - profile_id := server.Profiles.Current - for _, profile := range server.Profiles.Info.ProfileList { - if profile.ID == profile_id { - return &profile, nil - } - } - return nil, errors.New("no profile found for id") -} - -func (server *Server) getConfigWithProfile() (string, error) { - if !GetVPNState().HasTransition(HAS_CONFIG) { - return "", errors.New("cannot get a config with a profile, invalid state") - } - profile, profileErr := server.getCurrentProfile() - - if profileErr != nil { - return "", profileErr - } - - if profile.supportsWireguard() { - return server.WireguardGetConfig() - } - return server.OpenVPNGetConfig() -} - -func (server *Server) askForProfileID() error { - if !GetVPNState().HasTransition(ASK_PROFILE) { - return errors.New("cannot ask for a profile id, invalid state") - } - GetVPNState().GoTransitionWithData(ASK_PROFILE, server.ProfilesRaw) - return nil -} - -func (server *Server) GetConfig() (string, error) { - if !GetVPNState().InState(REQUEST_CONFIG) { - return "", errors.New("cannot get a config, invalid state") - } - infoErr := server.APIInfo() - - if infoErr != nil { - return "", infoErr - } - - // Set the current profile if there is only one profile - if len(server.Profiles.Info.ProfileList) == 1 { - server.Profiles.Current = server.Profiles.Info.ProfileList[0].ID - return server.getConfigWithProfile() - } - - profileErr := server.askForProfileID() - - if profileErr != nil { - return "", nil - } - - return server.getConfigWithProfile() -} diff --git a/src/server_test.go b/src/server_test.go deleted file mode 100644 index ccf58f6..0000000 --- a/src/server_test.go +++ /dev/null @@ -1,214 +0,0 @@ -package eduvpn - -import ( - "crypto/tls" - "errors" - "fmt" - "net/http" - "os" - "os/exec" - "strconv" - "strings" - "testing" - "time" -) - -func runCommand(t *testing.T, errBuffer *strings.Builder, name string, args ...string) error { - cmd := exec.Command(name, args...) - - cmd.Stderr = errBuffer - err := cmd.Start() - if err != nil { - return err - } - - return cmd.Wait() -} - -func LoginOAuthSelenium(t *testing.T, url string) { - // We could use the go selenium library - // But it does not support the latest selenium v4 just yet - var errBuffer strings.Builder - err := runCommand(t, &errBuffer, "python3", "../selenium_eduvpn.py", url) - if err != nil { - t.Errorf("Login OAuth with selenium script failed with error %v and stderr %s", err, errBuffer.String()) - } -} - -func StateCallback(t *testing.T, oldState string, newState string, data string) { - if newState == "OAuth_Started" { - go LoginOAuthSelenium(t, data) - } -} - -func Test_server(t *testing.T) { - state := GetVPNState() - - // Do not verify because during testing, the cert is self-signed - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - - state.Register("org.eduvpn.app.linux", "configstest", func(old string, new string, data string) { - StateCallback(t, old, new, data) - }, false) - - _, configErr := state.Connect("https://eduvpnserver") - - if configErr != nil { - t.Errorf("Connect error: %v", configErr) - } -} - -func test_connect_oauth_parameter(t *testing.T, parameters URLParameters, expectedErr interface{}) { - state := GetVPNState() - state.Deregister() - - // Do not verify because during testing, the cert is self-signed - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - - state.Register("org.eduvpn.app.linux", "configsnologin", func(oldState string, newState string, data string) { - if newState == "OAuth_Started" { - baseURL := "http://127.0.0.1:8000/callback" - url, err := HTTPConstructURL(baseURL, parameters) - if err != nil { - t.Errorf("Error: Constructing url %s with parameters %s", baseURL, fmt.Sprint(parameters)) - } - go http.Get(url) - - } - }, false) - _, configErr := state.Connect("https://eduvpnserver") - - if !errors.As(configErr, expectedErr) { - t.Errorf("error %T = %v, wantErr %T", configErr, configErr, expectedErr) - } -} - -func Test_connect_oauth_parameters(t *testing.T) { - var ( - failedCallbackParameterError *OAuthFailedCallbackParameterError - failedCallbackStateMatchError *OAuthFailedCallbackStateMatchError - ) - - tests := []struct { - expectedErr interface{} - parameters URLParameters - }{ - {&failedCallbackParameterError, URLParameters{}}, - {&failedCallbackParameterError, URLParameters{"code": "42"}}, - {&failedCallbackStateMatchError, URLParameters{"code": "42", "state": "21"}}, - } - - for _, test := range tests { - test_connect_oauth_parameter(t, test.parameters, test.expectedErr) - } -} - -func Test_token_expired(t *testing.T) { - expiredTTL := os.Getenv("OAUTH_EXPIRED_TTL") - if expiredTTL == "" { - t.Log("No expired TTL present, skipping this test. Set EXPIRED_TTL env variable to run it") - return - } - - // Convert the env variable to an int and signal error if it is not possible - expiredInt, expiredErr := strconv.Atoi(expiredTTL) - if expiredErr != nil { - t.Errorf("Cannot convert EXPIRED_TTL env variable to an int with error %v", expiredErr) - } - - // Get a vpn state - state := GetVPNState() - - state.Deregister() - - // Do not verify because during testing, the cert is self-signed - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - - state.Register("org.eduvpn.app.linux", "configsexpired", func(old string, new string, data string) { - StateCallback(t, old, new, data) - }, false) - - _, configErr := state.Connect("https://eduvpnserver") - - if configErr != nil { - t.Errorf("Connect error before expired: %v", configErr) - } - - server, serverErr := state.Servers.GetCurrentServer() - if serverErr != nil { - t.Errorf("No server found") - } - - accessToken := server.OAuth.Token.Access - refreshToken := server.OAuth.Token.Refresh - - // Wait for TTL so that the tokens expire - time.Sleep(time.Duration(expiredInt) * time.Second) - - infoErr := server.APIInfo() - - if infoErr != nil { - t.Errorf("Info error after expired: %v", infoErr) - } - - // Check if tokens have changed - accessTokenAfter := server.OAuth.Token.Access - refreshTokenAfter := server.OAuth.Token.Refresh - - if accessToken == accessTokenAfter { - t.Errorf("Access token is the same after refresh") - } - - if refreshToken == refreshTokenAfter { - t.Errorf("Refresh token is the same after refresh") - } -} - -func Test_token_invalid(t *testing.T) { - state := GetVPNState() - - // Do not verify because during testing, the cert is self-signed - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - - state.Deregister() - - state.Register("org.eduvpn.app.linux", "configsinvalid", func(old string, new string, data string) { - StateCallback(t, old, new, data) - }, false) - - _, configErr := state.Connect("https://eduvpnserver") - - if configErr != nil { - t.Errorf("Connect error before invalid: %v", configErr) - } - - // Fake connect and then back to authenticated so that we can re-authenticate - // Going to authenticated fakes a disconnect - state.GoTransition(CONNECTED) - state.GoTransition(AUTHENTICATED) - - dummy_value := "37" - - server, serverErr := state.Servers.GetCurrentServer() - if serverErr != nil { - t.Errorf("No server found") - } - - // Override tokens with invalid values - server.OAuth.Token.Access = dummy_value - server.OAuth.Token.Refresh = dummy_value - - infoErr := server.APIInfo() - - if infoErr != nil { - t.Errorf("Info error after invalid: %v", infoErr) - } - - if server.OAuth.Token.Access == dummy_value { - t.Errorf("Access token is equal to dummy value: %s", dummy_value) - } - - if server.OAuth.Token.Refresh == dummy_value { - t.Errorf("Refresh token is equal to dummy value: %s", dummy_value) - } -} diff --git a/src/state.go b/src/state.go deleted file mode 100644 index c0e512f..0000000 --- a/src/state.go +++ /dev/null @@ -1,108 +0,0 @@ -package eduvpn - -import ( - "errors" -) - -type VPNState struct { - // Info passed by the client - ConfigDirectory string `json:"-"` - Name string `json:"-"` - StateCallback func(string, string, string) `json:"-"` - StateCallbackData string `json:"-"` - - // The chosen server - Servers Servers `json:"servers"` - - // The list of servers and organizations from disco - DiscoList DiscoLists `json:"-"` - - // The file we keep open for logging - LogFile FileLogger `json:"-"` - - // The fsm - FSM FSM `json:"-"` - - // Whether to enable debugging - Debug bool `json:"-"` -} - -func (state *VPNState) Register(name string, directory string, stateCallback func(string, string, string), debug bool) error { - if !state.InState(DEREGISTERED) { - return errors.New("app already registered") - } - state.InitializeFSM() - state.Name = name - state.ConfigDirectory = directory - state.StateCallback = stateCallback - state.Debug = debug - - LogLevel := LOG_WARNING - - if debug { - LogLevel = LOG_INFO - } - - // Initialize the logger - state.InitLog(LogLevel) - - // Try to load the previous configuration - if state.LoadConfig() != nil { - // This error can be safely ignored, as when the config does not load, the struct will not be filled - state.Log(LOG_INFO, "Previous configuration not found") - } - state.GoTransition(NO_SERVER) - return nil -} - -func (state *VPNState) Deregister() error { - // Close the log file - state.CloseLog() - - // Write the config - state.WriteConfig() - - // Re-initialize the servers and FSM - state.Servers = Servers{} - state.InitializeFSM() - return nil -} - -func (state *VPNState) Connect(url string) (string, error) { - // New server chosen, ensure the server is fresh - server := state.Servers.EnsureServer(url) - // Make sure we are in the chosen state if available - state.GoTransition(CHOSEN_SERVER) - // Relogin with oauth - // This moves the state to authenticated - if server.NeedsRelogin() { - loginErr := state.LoginOAuth() - - if loginErr != nil { - return "", loginErr - } - } else { // OAuth was valid, ensure we are in the authenticated state - state.GoTransition(AUTHENTICATED) - } - - state.GoTransition(REQUEST_CONFIG) - - config, configErr := server.GetConfig() - - if configErr != nil { - return "", configErr - } else { - state.GoTransition(HAS_CONFIG) - } - - return config, nil -} - -var VPNStateInstance *VPNState - -func GetVPNState() *VPNState { - if VPNStateInstance == nil { - VPNStateInstance = &VPNState{} - } - return VPNStateInstance -} diff --git a/src/test_data/empty b/src/test_data/empty deleted file mode 100644 index e69de29..0000000 diff --git a/src/test_data/generate.sh b/src/test_data/generate.sh deleted file mode 100644 index b1b4545..0000000 --- a/src/test_data/generate.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/bash -# Generate testcases with fake keys - -# Make sure we do not delete *.minisigs etc. in the wrong directory -if [ ${PWD##*/} != "test_data" ] -then - >&2 echo "Wrong directory, should be run in test_data/" - exit 1 -fi - -rm -f *.minisig *.blake2b - -# Uncomment to regenerate keys -#rm -f *.key -#echo -en "\n\n" | minisign -Gf -p public.key -s secret.key & -#echo -en "\n\n" | minisign -Gf -p wrong_public.key -s wrong_secret.key & -#wait - -# Try to create pure signature with default Minisign (works with version < 0.10) -echo | minisign -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key -# Check if it is actually a prehashed signature -if echo | minisign -VHm server_list.json -x server_list.json.pure.minisig -p public.key -then - echo "minisign version is >0.9, trying minisign-0.9" - # If it is, try to sign with some minisign-0.9 program - if ! echo | minisign-0.9 -Sm server_list.json -x server_list.json.pure.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key - then - >&2 echo -e "\n\nTo produce a non-prehashed signature we need Minisign 0.9\n\n" - fi -fi - -# Rest works with Minisign 0.9 and 0.10 (and up, probably) - -echo | minisign -SHm server_list.json -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_nohashed.minisig -t $'timestamp:10\tfile:server_list.json' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_latertime.minisig -t $'timestamp:20\tfile:server_list.json\t hashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_orglist.minisig -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key & -wait -echo | minisign -SHm server_list.json -x server_list.json.tc_otherfile.minisig -t $'timestamp:10\tfile:otherfile\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_nofile.minisig -t $'timestamp:10\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_notime.minisig -t $'file:server_list.json\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_emptytime.minisig -t $'timestamp:\tfile:server_list.json\thashed' -s secret.key & -wait -echo | minisign -SHm server_list.json -x server_list.json.tc_emptyfile.minisig -t $'timestamp:10\tfile:\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_earliertime.minisig -t $'timestamp:9\tfile:server_list.json\thashed' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.tc_random.minisig -t 'random stuff' -s secret.key & -echo | minisign -SHm server_list.json -x server_list.json.large_time.minisig -t $'timestamp:4300000000\tfile:server_list.json' -s secret.key & -wait - -echo | minisign -SHm organization_list.json -t $'timestamp:10\tfile:organization_list.json\thashed' -s secret.key & -echo | minisign -SHm organization_list.json -x organization_list.json.tc_servlist.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s secret.key & - -echo | minisign -SHm other_list.json -t $'timestamp:10\tfile:other_list.json\thashed' -s secret.key & - -echo | minisign -SHm server_list.json -x server_list.json.wrong_key.minisig -t $'timestamp:10\tfile:server_list.json\thashed' -s wrong_secret.key & -wait - -./generate_forged.py diff --git a/src/test_data/generate_forged.py b/src/test_data/generate_forged.py deleted file mode 100644 index 843b32d..0000000 --- a/src/test_data/generate_forged.py +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env python3 - -import hashlib -import base64 - -# Hash server_list.json - -with open("server_list.json", "rb") as f: - b = f.read() - -with open("server_list.json.blake2b", "wb") as f: - f.write(hashlib.blake2b(b).digest()) - -# Forge pure signature on hash, see https://github.com/jedisct1/minisign/issues/104 - -with open("server_list.json.minisig", "rb") as f: - siglines = f.readlines() - -siglines[0] = b"untrusted comment: this signature has ED changed to Ed\n" -sig = base64.b64decode(siglines[1]) -siglines[1] = base64.b64encode(b"Ed" + sig[2:]) + b"\n" - -with open("server_list.json.forged_pure.minisig", "wb") as f: - f.writelines(siglines) - # Should now work: minisign -Vm server_list.json.blake2b -x server_list.json.forged_pure.minisig -p public-key - -# Try to forge key ID - -with open("server_list.json.wrong_key.minisig", "rb") as f: - siglines = f.readlines() - -siglines[0] = b"untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key\n" -sig_wrong = base64.b64decode(siglines[1]) -siglines[1] = base64.b64encode(sig_wrong[:2] + sig[2:2+8] + sig_wrong[2+8:]) + b"\n" - -with open("server_list.json.forged_keyid.minisig", "wb") as f: - f.writelines(siglines) diff --git a/src/test_data/organization_list.json b/src/test_data/organization_list.json deleted file mode 100644 index 8c53044..0000000 --- a/src/test_data/organization_list.json +++ /dev/null @@ -1 +0,0 @@ -{"organization_list": [{}]} \ No newline at end of file diff --git a/src/test_data/organization_list.json.minisig b/src/test_data/organization_list.json.minisig deleted file mode 100644 index 1fa546e..0000000 --- a/src/test_data/organization_list.json.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0= -trusted comment: timestamp:10 file:organization_list.json hashed -21zZv1DviMpLCdv1NgzLBl6d+F1ZllSNyjAquYxhTHGcs2F64bDFpqY0I0xjCHIoXly6HKqJKIBXNgud12ijCQ== diff --git a/src/test_data/organization_list.json.tc_servlist.minisig b/src/test_data/organization_list.json.tc_servlist.minisig deleted file mode 100644 index a7fe41f..0000000 --- a/src/test_data/organization_list.json.tc_servlist.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH31cHjNvTEh+TCqDVCwUgFVZoRdgWYAaQDxH3L3UIsRi9Qb1O4vLI4V1CYPatKzXZnSodSJM/AZgl9v7l/5bfPQ0= -trusted comment: timestamp:10 file:server_list.json hashed -R6hjM/oMS5LAvpYM4F6E7iUpnlPxqiY0QfuOnpum31CW0sUy/Ypy2PiomSwvZXKVR7keEZS/+lZjyra9TkrLDQ== diff --git a/src/test_data/other_list.json b/src/test_data/other_list.json deleted file mode 100644 index 25ba1a8..0000000 --- a/src/test_data/other_list.json +++ /dev/null @@ -1 +0,0 @@ -{"other_list": [{}]} \ No newline at end of file diff --git a/src/test_data/other_list.json.minisig b/src/test_data/other_list.json.minisig deleted file mode 100644 index eaa2248..0000000 --- a/src/test_data/other_list.json.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH366C1RnYeUAgEeX/S5A1Z9qmkV2+GJaVj06FWGd4aMLc+HS7iFMhG69u3TVD4YmzMH12rk7hQrnyCC6ex8ypIQA= -trusted comment: timestamp:10 file:other_list.json hashed -26+608n+bjQF9lwNdXbIK6t5bP8dzhjNQ9hACeYJLiB2tr437Aec2GkmJh0jSiRv1QV4RYBcKJeHQBUcV2grCQ== diff --git a/src/test_data/public.key b/src/test_data/public.key deleted file mode 100644 index 72676d3..0000000 --- a/src/test_data/public.key +++ /dev/null @@ -1,2 +0,0 @@ -untrusted comment: minisign public key DF07F868DFAB9B4C -RWRMm6vfaPgH39iT++NBiUKZim2nDWnalgkNROovPbZdSwVFgUdKU4ac diff --git a/src/test_data/random.txt b/src/test_data/random.txt deleted file mode 100644 index b6fc4c6..0000000 --- a/src/test_data/random.txt +++ /dev/null @@ -1 +0,0 @@ -hello \ No newline at end of file diff --git a/src/test_data/secret.key b/src/test_data/secret.key deleted file mode 100644 index 6e4af37..0000000 --- a/src/test_data/secret.key +++ /dev/null @@ -1,2 +0,0 @@ -untrusted comment: minisign encrypted secret key -RWRTY0IyobkTOt4ugAHNTPB6zOxHgX8spW6HQWddB5IrdCPDAgsAAAACAAAAAAAAAEAAAAAAvK1S1gsOgozZHuIdLWXq1IwxnWVr+dlySiykTbO6F85HvzPtgxZ7oLcGkT/vPdskAh0SV9H2ylHlt9oarXcWNDKs2r6EcZw/qy5FsD+5uhPfxwWV4qDF+1G456tYDYID63d50CgzdO0= diff --git a/src/test_data/server_list.json b/src/test_data/server_list.json deleted file mode 100644 index 67c4c8d..0000000 --- a/src/test_data/server_list.json +++ /dev/null @@ -1,3 +0,0 @@ -{ -"server_list": [{}] -} \ No newline at end of file diff --git a/src/test_data/server_list.json.blake2b b/src/test_data/server_list.json.blake2b deleted file mode 100644 index 5d2ca5a..0000000 Binary files a/src/test_data/server_list.json.blake2b and /dev/null differ diff --git a/src/test_data/server_list.json.forged_keyid.minisig b/src/test_data/server_list.json.forged_keyid.minisig deleted file mode 100644 index efa349d..0000000 --- a/src/test_data/server_list.json.forged_keyid.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: this signature was created with wrong_secret.key but has key ID changed to that of public.key -RURMm6vfaPgH35aarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE= -trusted comment: timestamp:10 file:server_list.json hashed -3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA== diff --git a/src/test_data/server_list.json.forged_pure.minisig b/src/test_data/server_list.json.forged_pure.minisig deleted file mode 100644 index a362504..0000000 --- a/src/test_data/server_list.json.forged_pure.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: this signature has ED changed to Ed -RWRMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file:server_list.json hashed -oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw== diff --git a/src/test_data/server_list.json.large_time.minisig b/src/test_data/server_list.json.large_time.minisig deleted file mode 100644 index 79a2a52..0000000 --- a/src/test_data/server_list.json.large_time.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:4300000000 file:server_list.json -L9C58LIq7bTLf4otqW4Eb+ASL0+FM7nRRjstCBuCPtuUerFIsOqNUpDp2AQJJ4pZJKE7SkgIq2tV8/IaVpzxBQ== diff --git a/src/test_data/server_list.json.minisig b/src/test_data/server_list.json.minisig deleted file mode 100644 index 143585b..0000000 --- a/src/test_data/server_list.json.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file:server_list.json hashed -oK41aX7rmpbO2ohF3v3+JGgSexQaVlfWvYPzaKEkDlJm8mVZtuK/h26SCRuL6PbTR92DLZU59rw8ckICUH/ADw== diff --git a/src/test_data/server_list.json.pure.minisig b/src/test_data/server_list.json.pure.minisig deleted file mode 100644 index 57dccfc..0000000 --- a/src/test_data/server_list.json.pure.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RWRMm6vfaPgH3zQ/rcq2GMsNz1SYySz+olupm0I+nzNpOkPyUHTBwig3Pep4biOk/bH73bH+0sLNoZPcDk1f2Acn8JINc9MWMw4= -trusted comment: timestamp:10 file:server_list.json -FZ0eA96SlADsMrSOUgStQJpmUnBGpPbRvNI/oaYhKrylu6jUcXOgsRu6571mmDxYdlruSuUSlQbdmG81Qbl4AA== diff --git a/src/test_data/server_list.json.tc_earliertime.minisig b/src/test_data/server_list.json.tc_earliertime.minisig deleted file mode 100644 index 03da710..0000000 --- a/src/test_data/server_list.json.tc_earliertime.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:9 file:server_list.json hashed -vw3wjLDNZWoV98/GnFv38REiaeh+wUPEZgmBUvY35CEq00jDdHiJcYRV/7zBoKv+n9TAYxZ8WKUOGWNOPonTBg== diff --git a/src/test_data/server_list.json.tc_emptyfile.minisig b/src/test_data/server_list.json.tc_emptyfile.minisig deleted file mode 100644 index a7aa3ed..0000000 --- a/src/test_data/server_list.json.tc_emptyfile.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file: hashed -g4drZ91TcYXNLnIGbeH5ZIFzrs2wWB9JTXjV3Jwg9ehSC2D8lCTqw3u2Rg+PvLPRvYmXTHyuJoKNWelsSh64CA== diff --git a/src/test_data/server_list.json.tc_emptytime.minisig b/src/test_data/server_list.json.tc_emptytime.minisig deleted file mode 100644 index d3ef01e..0000000 --- a/src/test_data/server_list.json.tc_emptytime.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp: file:server_list.json hashed -lw5rnZsPi+TkZ4lOCy7bjsUgTXxG+jaGOGdHuNL95FSD2mmP9ZzEJPrJ2jnH7iYfkF3zDm0QvEUDxhEirlHBDA== diff --git a/src/test_data/server_list.json.tc_latertime.minisig b/src/test_data/server_list.json.tc_latertime.minisig deleted file mode 100644 index 8237123..0000000 --- a/src/test_data/server_list.json.tc_latertime.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:20 file:server_list.json hashed -rHcsHF2mmcZvDLreeuljVauuFULWiY8luCsxyBxxobcJkCedEDW3/RX5KeT+2NjHSFuQxkmrYOBWTY9+ECuUDQ== diff --git a/src/test_data/server_list.json.tc_nofile.minisig b/src/test_data/server_list.json.tc_nofile.minisig deleted file mode 100644 index 3c1dcbe..0000000 --- a/src/test_data/server_list.json.tc_nofile.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 hashed -NonaTZH7RDbsHXv85M7sL43YE7CTzs5qDRRoFYjajeqzHa+hdIuMGyemK85rAJ3prLGnMdWHkZhD4hsr3cZoDA== diff --git a/src/test_data/server_list.json.tc_nohashed.minisig b/src/test_data/server_list.json.tc_nohashed.minisig deleted file mode 100644 index 1d140c1..0000000 --- a/src/test_data/server_list.json.tc_nohashed.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file:server_list.json -HaPGKT+Jqxjyw2Nt1GEKaPIZsAmVl/RI6p1mQ+S1LqzYicVgT5GxPs9NR6khdGGIFvo/xhVkXFceAWTRUCVQAg== diff --git a/src/test_data/server_list.json.tc_notime.minisig b/src/test_data/server_list.json.tc_notime.minisig deleted file mode 100644 index 39625c3..0000000 --- a/src/test_data/server_list.json.tc_notime.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: file:server_list.json hashed -dMhb+0Y0KAO2tzI4g0ukL/VdMiLVopmXa9BS1RQBY8bYwzmebdIM4DAIZrhtO1avkpdy0prZehuhA1No6cOSAw== diff --git a/src/test_data/server_list.json.tc_orglist.minisig b/src/test_data/server_list.json.tc_orglist.minisig deleted file mode 100644 index 7c2a3a8..0000000 --- a/src/test_data/server_list.json.tc_orglist.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file:organization_list.json hashed -NreDM4iGEjMWs5sfaJCGZBZ7D9QLqxBKJ/fVW2lvIDr249DSUNR4ZRca8UL73e3c9eTXgHnY/ojsjDtzxDScDw== diff --git a/src/test_data/server_list.json.tc_otherfile.minisig b/src/test_data/server_list.json.tc_otherfile.minisig deleted file mode 100644 index 58a29b2..0000000 --- a/src/test_data/server_list.json.tc_otherfile.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: timestamp:10 file:otherfile hashed -PfDEIMlt2aNFyOnqHb45S7xm4fIg0vfUUbqXENPxry9GEZFX14c5BGtgcL/krDg8WFJHcIA5bzYcX58kgBiZCA== diff --git a/src/test_data/server_list.json.tc_random.minisig b/src/test_data/server_list.json.tc_random.minisig deleted file mode 100644 index 7240980..0000000 --- a/src/test_data/server_list.json.tc_random.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RURMm6vfaPgH3997FX/cHwhXJpcluwbNiznrfYV83WS/Gsd3BeO/g10Mo7Z9N5rMSXcpGrmT2CagiEEm5zSw/MEnTqs4YWICdQs= -trusted comment: random stuff -szGsyESH0EizTXH6n0yuQg6sHTKXr+TJW/Er9ZNJYgQV+1hVM+fc5q1EmVsJlA3kW4Rt/d1p9F0ShLIIgW2vAA== diff --git a/src/test_data/server_list.json.wrong_key.minisig b/src/test_data/server_list.json.wrong_key.minisig deleted file mode 100644 index 5a83c0e..0000000 --- a/src/test_data/server_list.json.wrong_key.minisig +++ /dev/null @@ -1,4 +0,0 @@ -untrusted comment: signature from minisign secret key -RUTQvDHvQuYCCJaarz3NMq4gbv6JvzOnjG003bDe6USu+HT/JzuxHjQcQGE/KBPdyCF6BDDwwFu+NVmi5jotYCJHWOEqSBU70gE= -trusted comment: timestamp:10 file:server_list.json hashed -3BWYJamM3t6ImuXQufTeO81UMZNyM7TujMu7SCmR+oapsSEBpmkazGOgzlJYR53HP9K9zrEA+4lV8gFFngooBA== diff --git a/src/test_data/wrong_public.key b/src/test_data/wrong_public.key deleted file mode 100644 index aa794d4..0000000 --- a/src/test_data/wrong_public.key +++ /dev/null @@ -1,2 +0,0 @@ -untrusted comment: minisign public key 802E642EF31BCD0 -RWTQvDHvQuYCCPDLi3UCXzj3BbzFM5QxUFfrp174iaqYo8lT0VaAkhOt diff --git a/src/test_data/wrong_secret.key b/src/test_data/wrong_secret.key deleted file mode 100644 index 68e9092..0000000 --- a/src/test_data/wrong_secret.key +++ /dev/null @@ -1,2 +0,0 @@ -untrusted comment: minisign encrypted secret key -RWRTY0Iyrc2CTG2W1ZqEq9tb94oQWTnYUy4k8boMf13478FwlDYAAAACAAAAAAAAAEAAAAAA2gFhwOtjETu5WN1LpgtJHV1dk/7466LBJ8dgO/pZoQ3LLAYxlswJHVR/N/Q1HmmKvlxWo2jNTJcARXuHHlMTEgg1MERTldE88CqETrVbvq1JaqJlAY/HMkiqNEUR3L6+5VHbYPKXlVQ= diff --git a/src/util.go b/src/util.go deleted file mode 100644 index 87340f9..0000000 --- a/src/util.go +++ /dev/null @@ -1,21 +0,0 @@ -package eduvpn - -import ( - "crypto/rand" - "time" -) - -// Creates a random byteslice of `size` -func MakeRandomByteSlice(size int) ([]byte, error) { - byteSlice := make([]byte, size) - _, err := rand.Read(byteSlice) - if err != nil { - return nil, err - } - return byteSlice, nil -} - -func GenerateTimeSeconds() int64 { - current := time.Now() - return current.Unix() -} diff --git a/src/verify.go b/src/verify.go deleted file mode 100644 index 3c87fe1..0000000 --- a/src/verify.go +++ /dev/null @@ -1,205 +0,0 @@ -package eduvpn - -import ( - "errors" - "fmt" - "os" - - "github.com/jedisct1/go-minisign" -) - -// getKeys returns keys taken from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys. -func getKeys() []string { - return []string{ - "RWRtBSX1alxyGX+Xn3LuZnWUT0w//B6EmTJvgaAxBMYzlQeI+jdrO6KF", // fkooman@tuxed.net, kolla@uninett.no - "RWQKqtqvd0R7rUDp0rWzbtYPA3towPWcLDCl7eY9pBMMI/ohCmrS0WiM", // RoSp - } -} - -// Verify verifies the signature (.minisig file format) on signedJson. -// -// expectedFileName must be set to the file type to be verified, either "server_list.json" or "organization_list.json". -// minSign must be set to the minimum UNIX timestamp (without milliseconds) for the file version. -// This value should not be smaller than the time on the previous document verified. -// forcePrehash indicates whether or not we want to force the use of prehashed signatures -// In the future we want to remove this parameter and only allow prehashed signatures -// -// The return value will either be (true, nil) for a valid signature or (false, VerifyError) otherwise. -// -// Verify is a wrapper around verifyWithKeys where allowedPublicKeys is set to the list from https://git.sr.ht/~eduvpn/disco.eduvpn.org#public-keys. -func Verify(signatureFileContent string, signedJson []byte, expectedFileName string, minSignTime uint64, forcePrehash bool) (bool, error) { - keyStrs := getKeys() - if extraKey != "" { - keyStrs = append(keyStrs, extraKey) - _, err := fmt.Fprintf(os.Stderr, "INSECURE TEST MODE ENABLED WITH KEY %q\n", extraKey) - if err != nil { - panic(err) - } - } - valid, err := verifyWithKeys(signatureFileContent, signedJson, expectedFileName, minSignTime, keyStrs, forcePrehash) - if err != nil { - var verifyCreatePublickeyError *VerifyCreatePublicKeyError - if errors.As(err, &verifyCreatePublickeyError) { - panic(err) // This should not happen unless keyStrs has an invalid key - } - return valid, err - } - return valid, nil -} - -// extraKey is an extra allowed key for testing. -var extraKey = "" - -// InsecureTestingSetExtraKey adds an extra allowed key for verification with Verify. -// ONLY USE FOR TESTING. Applies to all threads. Probably not thread-safe. Do not call in parallel to Verify. -// -// keyString must be a Base64-encoded Minisign key, or empty to reset. -func InsecureTestingSetExtraKey(keyString string) { - extraKey = keyString -} - -type VerifyUnknownExpectedFilenameError struct { - Filename string - Expected string -} - -func (e *VerifyUnknownExpectedFilenameError) Error() string { - return fmt.Sprintf("invalid filename %s, expected %s", e.Filename, e.Expected) -} - -type VerifyInvalidSignatureFormatError struct { - Err error -} - -func (e *VerifyInvalidSignatureFormatError) Error() string { - return fmt.Sprintf("invalid signature format, error %v", e.Err) -} - -type VerifyInvalidSignatureAlgorithmError struct { - Algorithm string - WantedAlgorithm string -} - -func (e *VerifyInvalidSignatureAlgorithmError) Error() string { - return fmt.Sprintf("invalid signature algorithm %s, wanted %s", e.Algorithm, e.WantedAlgorithm) -} - -type VerifyCreatePublicKeyError struct { - PublicKey string - Err error -} - -func (e *VerifyCreatePublicKeyError) Error() string { - return fmt.Sprintf("failed to create public key %s with error %v", e.PublicKey, e.Err) -} - -type VerifyInvalidSignatureError struct { - Err error -} - -func (e *VerifyInvalidSignatureError) Error() string { - return fmt.Sprintf("invalid signature with error %v", e.Err) -} - -type VerifyInvalidTrustedCommentError struct { - TrustedComment string - Err error -} - -func (e *VerifyInvalidTrustedCommentError) Error() string { - return fmt.Sprintf("invalid trusted comment %s with error %v", e.TrustedComment, e.Err) -} - -type VerifyWrongSigFilenameError struct { - Filename string - SigFilename string -} - -func (e *VerifyWrongSigFilenameError) Error() string { - return fmt.Sprintf("wrong filename %s, expected filename %s for signature", e.Filename, e.SigFilename) -} - -type VerifySigTimeEarlierError struct { - SigTime uint64 - MinSigTime uint64 -} - -func (e *VerifySigTimeEarlierError) Error() string { - return fmt.Sprintf("Sign time %d is earlier than sign time %d", e.SigTime, e.MinSigTime) -} - -type VerifyUnknownKeyError struct { - Filename string -} - -func (e *VerifyUnknownKeyError) Error() string { - return fmt.Sprintf("signature for filename %s was created with an unknown key", e.Filename) -} - -// verifyWithKeys verifies the Minisign signature in signatureFileContent (minisig file format) over the server_list/organization_list JSON in signedJson. -// -// Verification is performed using a matching key in allowedPublicKeys. -// The signature is checked to be a Ed25519 Minisign (optionally Ed25519 Blake2b-512 prehashed, see forcePrehash) signature with a valid trusted comment. -// The file type that is verified is indicated by expectedFileName, which must be one of "server_list.json"/"organization_list.json". -// The trusted comment is checked to be of the form "timestamp:\tfile:", optionally suffixed by something, e.g. "\thashed". -// The signature is checked to have a timestamp with a value of at least minSignTime, which is a UNIX timestamp without milliseconds. -// -// The return value will either be (true, nil) on success or (false, detailedVerifyError) on failure. -func verifyWithKeys(signatureFileContent string, signedJson []byte, filename string, minSignTime uint64, allowedPublicKeys []string, forcePrehash bool) (bool, error) { - switch filename { - case "server_list.json", "organization_list.json": - break - default: - return false, &VerifyUnknownExpectedFilenameError{Filename: filename, Expected: "server_list.json or organization_list.json"} - } - - sig, err := minisign.DecodeSignature(signatureFileContent) - if err != nil { - return false, &VerifyInvalidSignatureFormatError{Err: err} - } - - // Check if signature is prehashed, see https://jedisct1.github.io/minisign/#signature-format - if forcePrehash && sig.SignatureAlgorithm != [2]byte{'E', 'D'} { - return false, &VerifyInvalidSignatureAlgorithmError{Algorithm: string(sig.SignatureAlgorithm[:]), WantedAlgorithm: "ED (BLAKE2b-prehashed EdDSA)"} - } - - // Find allowed key used for signature - for _, keyStr := range allowedPublicKeys { - key, err := minisign.NewPublicKey(keyStr) - if err != nil { - // Should only happen if Verify is wrong or extraKey is invalid - return false, &VerifyCreatePublicKeyError{PublicKey: keyStr, Err: err} - } - - if sig.KeyId != key.KeyId { - continue // Wrong key - } - - valid, err := key.Verify(signedJson, sig) - if !valid { - return false, &VerifyInvalidSignatureError{Err: err} - } - - // Parse trusted comment - var signTime uint64 - var sigFileName string - // sigFileName cannot have spaces - _, err = fmt.Sscanf(sig.TrustedComment, "trusted comment: timestamp:%d\tfile:%s", &signTime, &sigFileName) - if err != nil { - return false, &VerifyInvalidTrustedCommentError{TrustedComment: sig.TrustedComment, Err: err} - } - - if sigFileName != filename { - return false, &VerifyWrongSigFilenameError{Filename: filename, SigFilename: sigFileName} - } - - if signTime < minSignTime { - return false, &VerifySigTimeEarlierError{SigTime: signTime, MinSigTime: minSignTime} - } - - return true, nil - } - - // No matching allowed key found - return false, &VerifyUnknownKeyError{Filename: filename} -} diff --git a/src/verify_test.go b/src/verify_test.go deleted file mode 100644 index fc78ec3..0000000 --- a/src/verify_test.go +++ /dev/null @@ -1,140 +0,0 @@ -package eduvpn - -import ( - "bufio" - "errors" - "fmt" - "io/ioutil" - "os" - "testing" -) - -func Test_verifyWithKeys(t *testing.T) { - var err error - - var pk []string - { - file, err := os.Open("test_data/public.key") - if err != nil { - panic(err) - } - defer file.Close() - - // Get last line (key string) from file - scanner := bufio.NewScanner(file) - for i := 0; i < 2; i++ { - if !scanner.Scan() { - panic(scanner.Err()) - } - } - pk = []string{scanner.Text()} - } - - var ( - verifyCreatePublicKeyError *VerifyCreatePublicKeyError - verifyInvalidSignatureAlgorithmError *VerifyInvalidSignatureAlgorithmError - verifyWrongSigFilenameError *VerifyWrongSigFilenameError - verifyInvalidTrustedCommentError *VerifyInvalidTrustedCommentError - verifyInvalidSignatureFormatError *VerifyInvalidSignatureFormatError - verifyInvalidSignatureError *VerifyInvalidSignatureError - verifySigTimeEarlierError *VerifySigTimeEarlierError - verifyUnknownExpectedFilenameError *VerifyUnknownExpectedFilenameError - verifyUnknownKeyError *VerifyUnknownKeyError - ) - - tests := []struct { - expectedErr interface{} - testName string - signatureFile string - jsonFile string - expectedFileName string - minSignTime uint64 - allowedPks []string - }{ - {&verifyInvalidSignatureAlgorithmError, "pure", "server_list.json.pure.minisig", "server_list.json", "server_list.json", 10, pk}, - - {nil, "valid server_list", "server_list.json.minisig", "server_list.json", "server_list.json", 10, pk}, - {nil, "TC no hashed", "server_list.json.tc_nohashed.minisig", "server_list.json", "server_list.json", 10, pk}, - {nil, "TC later time", "server_list.json.tc_latertime.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "server_list TC file:organization_list", "server_list.json.tc_orglist.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "organization_list as server_list", "organization_list.json.minisig", "organization_list.json", "server_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "TC file:otherfile", "server_list.json.tc_otherfile.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifySigTimeEarlierError, "TC no file", "server_list.json.tc_nofile.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifySigTimeEarlierError, "TC no time", "server_list.json.tc_notime.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifySigTimeEarlierError, "TC empty time", "server_list.json.tc_emptytime.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifyInvalidSignatureFormatError, "TC empty file", "server_list.json.tc_emptyfile.minisig", "server_list.json", "server_list.json", 10, pk}, - {&verifyInvalidTrustedCommentError, "TC random", "server_list.json.tc_random.minisig", "server_list.json", "server_list.json", 10, pk}, - {nil, "large time", "server_list.json.large_time.minisig", "server_list.json", "server_list.json", 43e8, pk}, - {nil, "lower min time", "server_list.json.minisig", "server_list.json", "server_list.json", 5, pk}, - {&verifySigTimeEarlierError, "higher min time", "server_list.json.minisig", "server_list.json", "server_list.json", 11, pk}, - - {nil, "valid organization_list", "organization_list.json.minisig", "organization_list.json", "organization_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "organization_list TC file:server_list", "organization_list.json.tc_servlist.minisig", "organization_list.json", "organization_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "server_list as organization_list", "server_list.json.minisig", "server_list.json", "organization_list.json", 10, pk}, - - {&verifyUnknownExpectedFilenameError, "valid other_list", "other_list.json.minisig", "other_list.json", "other_list.json", 10, pk}, - {&verifyWrongSigFilenameError, "other_list as server_list", "other_list.json.minisig", "other_list.json", "server_list.json", 10, pk}, - - {&verifyInvalidSignatureFormatError, "invalid signature file", "random.txt", "server_list.json", "server_list.json", 10, pk}, - {&verifyInvalidSignatureFormatError, "empty signature file", "empty", "server_list.json", "server_list.json", 10, pk}, - - {&verifyUnknownKeyError, "wrong key", "server_list.json.wrong_key.minisig", "server_list.json", "server_list.json", 10, pk}, - - {&verifyInvalidSignatureAlgorithmError, "forged pure signature", "server_list.json.forged_pure.minisig", "server_list.json.blake2b", "server_list.json", 10, pk}, - {&verifyInvalidSignatureError, "forged key ID", "server_list.json.forged_keyid.minisig", "server_list.json", "server_list.json", 10, pk}, - - {&verifyUnknownKeyError, "no allowed keys", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{}}, - {nil, "multiple allowed keys 1", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{ - pk[0], "RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ", - }}, - {nil, "multiple allowed keys 2", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{ - "RWSf0PYToIUJmDlsz21YOXvgQzHj9NSdyJUqEY5ZdfS9GepeXt3+JJRZ", pk[0], - }}, - {&verifyCreatePublicKeyError, "invalid allowed key", "server_list.json.minisig", "server_list.json", "server_list.json", 10, []string{"AAA"}}, - } - - // Cache file contents in map, mapping file names to contents - files := map[string][]byte{} - loadFile := func(name string) { - content, loaded := files[name] - if !loaded { - content, err = ioutil.ReadFile("test_data/" + name) - if err != nil { - panic(err) - } - files[name] = content - } - } - for _, test := range tests { - loadFile(test.signatureFile) - loadFile(test.jsonFile) - } - - forcePrehash := true - for _, tt := range tests { - t.Run(tt.testName, func(t *testing.T) { - t.Parallel() - valid, err := verifyWithKeys(string(files[tt.signatureFile]), files[tt.jsonFile], - tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash) - compareResults(t, valid, err, tt.expectedErr, func() string { - return fmt.Sprintf("verifyWithKeys(%q, %q, %q, %v, %v, %t)", - tt.signatureFile, tt.jsonFile, tt.expectedFileName, tt.minSignTime, tt.allowedPks, forcePrehash) - }) - }) - } -} - -// compareResults compares returned ret, err from a verify function with expected error code expected. -// callStr is called to get the formatted parameters passed to the function. -func compareResults(t *testing.T, ret bool, err error, expectedErr interface{}, callStr func() string) { - // different error returned - if expectedErr != nil && !errors.As(err, expectedErr) { - t.Errorf("%v\nerror %T = %v, wantErr %T", callStr(), err, err, expectedErr) - return - } - // different boolean returned - expectedBool := expectedErr == nil - if ret != expectedBool { - t.Errorf("%v\n= %v, want %v", callStr(), ret, expectedBool) - } -} diff --git a/src/wireguard.go b/src/wireguard.go deleted file mode 100644 index 2f1c41c..0000000 --- a/src/wireguard.go +++ /dev/null @@ -1,52 +0,0 @@ -package eduvpn - -import ( - "fmt" - "regexp" - - "golang.zx2c4.com/wireguard/wgctrl/wgtypes" -) - -func wireguardGenerateKey() (wgtypes.Key, error) { - key, error := wgtypes.GeneratePrivateKey() - return key, error -} - -// FIXME: Instead of doing a regex replace, decide if we should use a parser -func wireguardConfigAddKey(config string, key wgtypes.Key) string { - interface_section := "[Interface]" - interface_section_escaped := regexp.QuoteMeta(interface_section) - - // (?m) enables multi line mode - // ^ match from beginning of line - // $ match till end of line - // So it matches [Interface] section exactly - interface_re := regexp.MustCompile(fmt.Sprintf("(?m)^%s$", interface_section_escaped)) - to_replace := fmt.Sprintf("%s\nPrivateKey = %s", interface_section, key.String()) - return interface_re.ReplaceAllString(config, to_replace) -} - -func (server *Server) WireguardGetConfig() (string, error) { - profile_id := server.Profiles.Current - wireguardKey, wireguardErr := wireguardGenerateKey() - - if wireguardErr != nil { - return "", wireguardErr - } - - wireguardPublicKey := wireguardKey.PublicKey().String() - configWireguard, _, configErr := server.APIConnectWireguard(profile_id, wireguardPublicKey) - - if configErr != nil { - return "", configErr - } - - // FIXME: Store expiry - // This needs the go code a way to identify a connection - // Use the uuid of the connection e.g. on Linux - // This needs the client code to call the go code - - configWireguardKey := wireguardConfigAddKey(configWireguard, wireguardKey) - - return configWireguardKey, nil -} diff --git a/state.go b/state.go new file mode 100644 index 0000000..bafdfb9 --- /dev/null +++ b/state.go @@ -0,0 +1,143 @@ +package eduvpn + +import ( + "errors" + "github.com/jwijenbergh/eduvpn-common/internal" +) + +type VPNState struct { + // The chosen server + Servers internal.Servers `json:"servers"` + + // The list of servers and organizations from disco + Discovery internal.Discovery `json:"-"` + + // The fsm + FSM internal.FSM `json:"-"` + + // The logger + Logger internal.FileLogger `json:"-"` + + // The config + Config internal.Config `json:"-"` + + // Whether to enable debugging + Debug bool `json:"-"` +} + +var VPNStateInstance *VPNState + +func GetVPNState() *VPNState { + if VPNStateInstance == nil { + VPNStateInstance = &VPNState{} + } + return VPNStateInstance +} + +func (state *VPNState) Register(name string, directory string, stateCallback func(string, string, string), debug bool) error { + if !state.FSM.InState(internal.DEREGISTERED) { + return errors.New("app already registered") + } + // Initialize the logger + logLevel := internal.LOG_WARNING + + if debug { + logLevel = internal.LOG_INFO + } + + loggerErr := state.Logger.Init(logLevel, name, directory) + if loggerErr != nil { + return errors.New("Failed to create a logger") + } + + // Initialize the FSM + state.FSM.Init(stateCallback, &state.Logger, debug) + state.Debug = debug + + // Initialize the Config + state.Config.Init(name, directory) + + // Initialize Discovery + state.Discovery.Init(&state.FSM, &state.Logger) + + // Try to load the previous configuration + if state.Config.Load(&state) != nil { + // This error can be safely ignored, as when the config does not load, the struct will not be filled + state.Logger.Log(internal.LOG_INFO, "Previous configuration not found") + } + state.FSM.GoTransition(internal.NO_SERVER) + return nil +} + +func (state *VPNState) Deregister() error { + // Close the log file + state.Logger.Close() + + // Save the config + state.Config.Save(&state) + + // Empty out fsm + state.FSM = internal.FSM{} + return nil +} + +func (state *VPNState) Connect(url string) (string, error) { + if state.FSM.InState(internal.DEREGISTERED) { + return "", errors.New("app not registered") + } + // New server chosen, ensure the server is fresh + server := state.Servers.EnsureServer(url, &state.FSM, &state.Logger) + // Make sure we are in the chosen state if available + state.FSM.GoTransition(internal.CHOSEN_SERVER) + // Relogin with oauth + // This moves the state to authenticated + if server.NeedsRelogin() { + loginErr := server.Login() + + if loginErr != nil { + return "", loginErr + } + } else { // OAuth was valid, ensure we are in the authenticated state + state.FSM.GoTransition(internal.AUTHENTICATED) + } + + state.FSM.GoTransition(internal.REQUEST_CONFIG) + + config, configErr := server.GetConfig() + + if configErr != nil { + return "", configErr + } else { + state.FSM.GoTransition(internal.HAS_CONFIG) + } + + return config, nil +} + +func (state *VPNState) GetDiscoOrganizations() (string, error) { + if state.FSM.InState(internal.DEREGISTERED) { + return "", errors.New("app not registered") + } + return state.Discovery.GetOrganizationsList() +} + + +func (state *VPNState) GetDiscoServers() (string, error) { + if state.FSM.InState(internal.DEREGISTERED) { + return "", errors.New("app not registered") + } + return state.Discovery.GetServersList() +} + +func (state *VPNState) SetProfileID(profileID string) error { + if !state.FSM.InState(internal.ASK_PROFILE) { + return errors.New("Invalid state for setting a profile") + } + + server, serverErr := state.Servers.GetCurrentServer() + if serverErr != nil { + return errors.New("No server found for setting a profile ID") + } + server.Profiles.Current = profileID + return nil +} diff --git a/state_test.go b/state_test.go new file mode 100644 index 0000000..d5d0b11 --- /dev/null +++ b/state_test.go @@ -0,0 +1,212 @@ +package eduvpn + +import ( + "crypto/tls" + "errors" + "fmt" + "net/http" + "os" + "os/exec" + "strconv" + "strings" + "testing" + "time" + + "github.com/jwijenbergh/eduvpn-common/internal" +) + +func runCommand(t *testing.T, errBuffer *strings.Builder, name string, args ...string) error { + cmd := exec.Command(name, args...) + + cmd.Stderr = errBuffer + err := cmd.Start() + if err != nil { + return err + } + + return cmd.Wait() +} + +func LoginOAuthSelenium(t *testing.T, url string) { + // We could use the go selenium library + // But it does not support the latest selenium v4 just yet + var errBuffer strings.Builder + err := runCommand(t, &errBuffer, "python3", "selenium_eduvpn.py", url) + if err != nil { + t.Errorf("Login OAuth with selenium script failed with error %v and stderr %s", err, errBuffer.String()) + } +} + +func StateCallback(t *testing.T, oldState string, newState string, data string) { + if newState == "OAuth_Started" { + go LoginOAuthSelenium(t, data) + } +} + +func Test_server(t *testing.T) { + state := &VPNState{} + + // Do not verify because during testing, the cert is self-signed + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + + state.Register("org.eduvpn.app.linux", "configstest", func(old string, new string, data string) { + StateCallback(t, old, new, data) + }, false) + + _, configErr := state.Connect("https://eduvpnserver") + + if configErr != nil { + t.Errorf("Connect error: %v", configErr) + } +} + +func test_connect_oauth_parameter(t *testing.T, parameters internal.URLParameters, expectedErr interface{}) { + state := &VPNState{} + configDirectory := "test_oauth_parameters" + + // Do not verify because during testing, the cert is self-signed + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + + state.Register("org.eduvpn.app.linux", configDirectory, func(oldState string, newState string, data string) { + if newState == "OAuth_Started" { + baseURL := "http://127.0.0.1:8000/callback" + url, err := internal.HTTPConstructURL(baseURL, parameters) + if err != nil { + t.Errorf("Error: Constructing url %s with parameters %s", baseURL, fmt.Sprint(parameters)) + } + go http.Get(url) + + } + }, false) + _, configErr := state.Connect("https://eduvpnserver") + + if !errors.As(configErr, expectedErr) { + t.Errorf("error %T = %v, wantErr %T", configErr, configErr, expectedErr) + } +} + +func Test_connect_oauth_parameters(t *testing.T) { + var ( + failedCallbackParameterError *internal.OAuthFailedCallbackParameterError + failedCallbackStateMatchError *internal.OAuthFailedCallbackStateMatchError + ) + + tests := []struct { + expectedErr interface{} + parameters internal.URLParameters + }{ + {&failedCallbackParameterError, internal.URLParameters{}}, + {&failedCallbackParameterError, internal.URLParameters{"code": "42"}}, + {&failedCallbackStateMatchError, internal.URLParameters{"code": "42", "state": "21"}}, + } + + for _, test := range tests { + test_connect_oauth_parameter(t, test.parameters, test.expectedErr) + } +} + +func Test_token_expired(t *testing.T) { + expiredTTL := os.Getenv("OAUTH_EXPIRED_TTL") + if expiredTTL == "" { + t.Log("No expired TTL present, skipping this test. Set EXPIRED_TTL env variable to run it") + return + } + + // Convert the env variable to an int and signal error if it is not possible + expiredInt, expiredErr := strconv.Atoi(expiredTTL) + if expiredErr != nil { + t.Errorf("Cannot convert EXPIRED_TTL env variable to an int with error %v", expiredErr) + } + + // Get a vpn state + state := &VPNState{} + + // Do not verify because during testing, the cert is self-signed + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + + state.Register("org.eduvpn.app.linux", "configsexpired", func(old string, new string, data string) { + StateCallback(t, old, new, data) + }, false) + + _, configErr := state.Connect("https://eduvpnserver") + + if configErr != nil { + t.Errorf("Connect error before expired: %v", configErr) + } + + server, serverErr := state.Servers.GetCurrentServer() + if serverErr != nil { + t.Errorf("No server found") + } + + accessToken := server.OAuth.Token.Access + refreshToken := server.OAuth.Token.Refresh + + // Wait for TTL so that the tokens expire + time.Sleep(time.Duration(expiredInt) * time.Second) + + infoErr := server.APIInfo() + + if infoErr != nil { + t.Errorf("Info error after expired: %v", infoErr) + } + + // Check if tokens have changed + accessTokenAfter := server.OAuth.Token.Access + refreshTokenAfter := server.OAuth.Token.Refresh + + if accessToken == accessTokenAfter { + t.Errorf("Access token is the same after refresh") + } + + if refreshToken == refreshTokenAfter { + t.Errorf("Refresh token is the same after refresh") + } +} + +func Test_token_invalid(t *testing.T) { + state := &VPNState{} + + // Do not verify because during testing, the cert is self-signed + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + + state.Register("org.eduvpn.app.linux", "configsinvalid", func(old string, new string, data string) { + StateCallback(t, old, new, data) + }, false) + + _, configErr := state.Connect("https://eduvpnserver") + + if configErr != nil { + t.Errorf("Connect error before invalid: %v", configErr) + } + + // Fake connect and then back to authenticated so that we can re-authenticate + // Going to authenticated fakes a disconnect + state.FSM.GoTransition(internal.CONNECTED) + state.FSM.GoTransition(internal.AUTHENTICATED) + + dummy_value := "37" + + server, serverErr := state.Servers.GetCurrentServer() + if serverErr != nil { + t.Errorf("No server found") + } + + // Override tokens with invalid values + server.OAuth.Token.Access = dummy_value + server.OAuth.Token.Refresh = dummy_value + + infoErr := server.APIInfo() + + if infoErr != nil { + t.Errorf("Info error after invalid: %v", infoErr) + } + + if server.OAuth.Token.Access == dummy_value { + t.Errorf("Access token is equal to dummy value: %s", dummy_value) + } + + if server.OAuth.Token.Refresh == dummy_value { + t.Errorf("Refresh token is equal to dummy value: %s", dummy_value) + } +} -- cgit v1.2.3