1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
|
// Package discovery implements the server discovery by contacting disco.eduvpn.org and returning the data as a Go structure
package discovery
import (
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"time"
httpw "codeberg.org/eduVPN/eduvpn-common/internal/http"
"codeberg.org/eduVPN/eduvpn-common/internal/levenshtein"
"codeberg.org/eduVPN/eduvpn-common/internal/log"
"codeberg.org/eduVPN/eduvpn-common/internal/verify"
discotypes "codeberg.org/eduVPN/eduvpn-common/types/discovery"
)
// HasCache denotes whether or not we have an embedded cache available
var HasCache bool
// Organizations are the list of organizations from https://disco.eduvpn.org/v2/organization_list.json
type Organizations struct {
// Version is the version field in discovery. The Go library checks this for rollbacks
Version uint64 `json:"v"`
// List is the list of organizations, omitted if empty
List []Organization `json:"organization_list,omitempty"`
// Timestamp is the timestamp that is internally used by the Go library to keep track
// of when the organizations were last updated
Timestamp time.Time `json:"go_timestamp"`
// UpdateHeader is the result of the "Last-Modified" header
UpdateHeader time.Time `json:"go_update_header"`
}
// Organization is a single discovery Organization
type Organization struct {
// Organization is the embedded public type that is a subset of this thus common Organization
discotypes.Organization
// SecureInternetHome is the secure internet home server that belongs to this organization
// Omitted if none is defined
SecureInternetHome string `json:"secure_internet_home"`
// KeywordList is the list of keywords
// Omitted if none is defined
KeywordList discotypes.MapOrString `json:"keyword_list,omitempty"`
}
func (o *Organization) Score(search string) int {
return levenshtein.DiscoveryScore(search, o.DisplayName, o.KeywordList)
}
// Servers are the list of servers from https://disco.eduvpn.org/v2/server_list.json
type Servers struct {
// Version is the version field in discovery. The Go library checks this for rollbacks
Version uint64 `json:"v"`
// List is the list of servers, omitted if empty
List []Server `json:"server_list,omitempty"`
// Timestamp is a timestamp that is internally used by the Go library to keek track
// of when the servers were last updated
Timestamp time.Time `json:"go_timestamp"`
// UpdateHeader is the result of the "Last-Modified" header
UpdateHeader time.Time `json:"go_update_header"`
}
// Server is a single discovery server
type Server struct {
// Server is the embedded public type that is a subset of this common Server
discotypes.Server
// AuthenticationURLTemplate is the template to be used for authentication to skip WAYF
AuthenticationURLTemplate string `json:"authentication_url_template,omitempty"`
// KeywordList are the keywords of the server, omitted if empty
KeywordList discotypes.MapOrString `json:"keyword_list,omitempty"`
// PublicKeyList are the public keys of the server. Currently not used in this lib but returned by the upstream discovery server
PublicKeyList []string `json:"public_key_list,omitempty"`
// SupportContact is the list/slice of support contacts
SupportContact []string `json:"support_contact,omitempty"`
}
// Matches returns if the search query `str` matches with this server
func (s *Server) Score(search string) int {
return levenshtein.DiscoveryScore(search, s.DisplayName, s.KeywordList)
}
// Discovery is the main structure used for this package.
type Discovery struct {
// The httpClient for sending HTTP requests
httpClient *httpw.Client
// Organizations represents the organizations that are returned by the discovery server
OrganizationList Organizations `json:"organizations"`
// Servers represents the servers that are returned by the discovery server
ServerList Servers `json:"servers"`
}
// DiscoURL is the URL used for fetching the discovery files and signatures
var DiscoURL = "https://disco.eduvpn.org/v2/"
// file is a helper function that gets a disco JSON and fills the structure with it
// If it was unsuccessful it returns an error.
func (discovery *Discovery) file(ctx context.Context, jsonFile string, previousVersion uint64, last time.Time, structure interface{}) (time.Time, error) {
var newUpdate time.Time
// No HTTP client present, create one
if discovery.httpClient == nil {
discovery.httpClient = httpw.NewClient(nil)
}
// Get json data
jsonURL, err := httpw.JoinURLPath(DiscoURL, jsonFile)
if err != nil {
return newUpdate, err
}
var opts *httpw.OptionalParams
if !last.IsZero() {
header := http.Header{
"If-Modified-Since": []string{last.Format(http.TimeFormat)},
}
opts = &httpw.OptionalParams{
Headers: header,
}
}
h, body, err := discovery.httpClient.Do(ctx, "GET", jsonURL, opts)
if err != nil {
return newUpdate, err
}
lms := h.Get("Last-Modified")
if lms != "" {
lm, err := http.ParseTime(lms)
if err != nil {
log.Logger.Warningf("failed to parse 'Last-Modified' header: %v", err)
} else {
newUpdate = lm
log.Logger.Debugf("got 'Last-Modified' header: %v", lm)
}
} else {
log.Logger.Warningf("no 'Last-Modified' header found")
}
// Get signature
sigFile := jsonFile + ".minisig"
sigURL, err := httpw.JoinURLPath(DiscoURL, sigFile)
if err != nil {
return newUpdate, err
}
_, sigBody, err := discovery.httpClient.Get(ctx, sigURL)
if err != nil {
return newUpdate, err
}
// Verify signature
// Set this to true when we want to force prehash
const forcePrehash = false
ok, err := verify.Verify(
string(sigBody),
body,
jsonFile,
previousVersion,
forcePrehash,
)
if !ok || err != nil {
return newUpdate, err
}
// Parse JSON to extract version and list
if err = json.Unmarshal(body, structure); err != nil {
return newUpdate, fmt.Errorf("failed parsing discovery file: '%s' from the server with error: %w", jsonFile, err)
}
return newUpdate, nil
}
// MarkOrganizationsExpired marks the organizations as expired
func (discovery *Discovery) MarkOrganizationsExpired() {
// Re-initialize the timestamp to zero
discovery.OrganizationList.Timestamp = time.Time{}
}
// MarkServersExpired marks the servers as expired
func (discovery *Discovery) MarkServersExpired() {
// Re-initialize the timestamp to zero
discovery.ServerList.Timestamp = time.Time{}
}
// DetermineOrganizationsUpdate returns a boolean indicating whether or not the discovery organizations should be updated
// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md
// - [IMPLEMENTED] on "first launch" when offering the search for "Institute Access" and "Organizations";
// - [IMPLEMENTED in client/client.go and here] when the user tries to add new server AND the user did NOT yet choose an organization before; Implemented in Register()
// - [IMPLEMENTED in client/client.go] when the authorization for the server associated with an already chosen organization is triggered, e.g. after expiry or revocation.
// - [IMPLEMENTED here] NOTE: when the org_id that the user chose previously is no longer available in organization_list.json the application should ask the user to choose their organization (again). This can occur for example when the organization replaced their identity provider, uses a different domain after rebranding or simply ceased to exist.
func (discovery *Discovery) DetermineOrganizationsUpdate() bool {
if discovery.OrganizationList.Timestamp.IsZero() {
return true
}
if discovery.OrganizationList.UpdateHeader.IsZero() {
return true
}
return false
}
// SecureLocationList returns a slice of all the available locations.
func (discovery *Discovery) SecureLocationList() []string {
var loc []string
for _, srv := range discovery.ServerList.List {
if srv.Type == "secure_internet" {
loc = append(loc, srv.CountryCode)
}
}
return loc
}
// ServerByURL returns the discovery server by the base URL and the according type ("secure_internet", "institute_access")
// An error is returned if and only if nil is returned for the server.
func (discovery *Discovery) ServerByURL(
baseURL string,
srvType string,
) (*Server, error) {
for _, currentServer := range discovery.ServerList.List {
if currentServer.BaseURL == baseURL && currentServer.Type == srvType {
return ¤tServer, nil
}
}
return nil, fmt.Errorf("no server of type '%s' at URL '%s'", srvType, baseURL)
}
// ErrCountryNotFound is used when the secure internet country cannot be found
type ErrCountryNotFound struct {
CountryCode string
}
func (cnf *ErrCountryNotFound) Error() string {
return fmt.Sprintf("no secure internet server with country code: '%s'", cnf.CountryCode)
}
// ServerByCountryCode returns the discovery server by the country code
// An error is returned if and only if nil is returned for the server.
func (discovery *Discovery) ServerByCountryCode(countryCode string) (*Server, error) {
for _, srv := range discovery.ServerList.List {
if srv.CountryCode == countryCode && srv.Type == "secure_internet" {
return &srv, nil
}
}
return nil, &ErrCountryNotFound{CountryCode: countryCode}
}
// orgByID returns the discovery organization by the organization ID
// An error is returned if and only if nil is returned for the organization.
func (discovery *Discovery) orgByID(orgID string) (*Organization, error) {
for _, org := range discovery.OrganizationList.List {
if org.OrgID == orgID {
return &org, nil
}
}
return nil, fmt.Errorf("no secure internet home found in organization '%s'", orgID)
}
// SecureHomeArgs returns the secure internet home server arguments:
// - The organization it belongs to
// - The secure internet server itself
// An error is returned if and only if nil is returned for the organization.
func (discovery *Discovery) SecureHomeArgs(orgID string) (*Organization, *Server, error) {
org, err := discovery.orgByID(orgID)
if err != nil {
discovery.MarkOrganizationsExpired()
return nil, nil, err
}
// Get a server with the base url
srv, err := discovery.ServerByURL(org.SecureInternetHome, "secure_internet")
if err != nil {
discovery.MarkOrganizationsExpired()
return nil, nil, err
}
return org, srv, nil
}
// DetermineServersUpdate returns whether or not the discovery servers should be updated by contacting the discovery server
// https://github.com/eduvpn/documentation/blob/v3/SERVER_DISCOVERY.md
// - [Implemented] The application MUST always fetch the server_list.json at application start.
// - The application MAY refresh the server_list.json periodically, e.g. once every hour.
func (discovery *Discovery) DetermineServersUpdate() bool {
// No servers, we should update
if discovery.ServerList.Timestamp.IsZero() {
return true
}
if discovery.ServerList.UpdateHeader.IsZero() {
return true
}
// 1 hour from the last update
upd := discovery.ServerList.Timestamp.Add(1 * time.Hour)
return !time.Now().Before(upd)
}
func (discovery *Discovery) previousOrganizations() (*Organizations, error) {
// If the version field is not zero then we have a cached struct
// We also immediately return this copy if we have no embedded JSON
if discovery.OrganizationList.Version != 0 || !HasCache {
return &discovery.OrganizationList, nil
}
// We do not have a cached struct, this we need to get it using the embedded JSON
var eo Organizations
if err := json.Unmarshal(eOrganizations, &eo); err != nil {
return nil, fmt.Errorf("failed parsing discovery organizations from the embedded cache with error: %w", err)
}
discovery.OrganizationList = eo
return &eo, nil
}
func (discovery *Discovery) previousServers() (*Servers, error) {
// If the version field is not zero then we have a cached struct
// We also immediately return this copy if we have no embedded JSON
if discovery.ServerList.Version != 0 || !HasCache {
return &discovery.ServerList, nil
}
// We do not have a cached struct, this we need to get it using the embedded JSON
var es Servers
if err := json.Unmarshal(eServers, &es); err != nil {
return nil, fmt.Errorf("failed parsing discovery servers from the embedded cache with error: %w", err)
}
discovery.ServerList = es
return &es, nil
}
// Organizations returns the discovery organizations
// The second return value is a boolean that indicates whether a fresh list was updated internally
// If there was an error, a cached copy is returned if available.
func (discovery *Discovery) Organizations(ctx context.Context) (*Organizations, bool, error) {
if !discovery.DetermineOrganizationsUpdate() {
return &discovery.OrganizationList, false, nil
}
file := "organization_list.json"
var jsonDecode Organizations
update, err := discovery.file(ctx, file, discovery.OrganizationList.Version, discovery.OrganizationList.UpdateHeader, &jsonDecode)
if err != nil {
statErr := &httpw.StatusError{}
if errors.As(err, &statErr) {
if statErr.Status != 304 {
log.Logger.Warningf("failed to get fresh organizations: %v", err)
} else {
discovery.OrganizationList.Timestamp = time.Now()
log.Logger.Debugf("got 304 for discovery, organization_list.json not modified")
err = nil
}
}
// Return previous with an error
orgs, perr := discovery.previousOrganizations()
if perr != nil {
log.Logger.Warningf("failed to get previous discovery organizations: %v", perr)
}
return orgs, false, err
}
if len(jsonDecode.List) == 0 {
log.Logger.Warningf("fresh organization list is empty")
} else {
discovery.OrganizationList = jsonDecode
}
discovery.OrganizationList.Timestamp = time.Now()
if !update.IsZero() {
discovery.OrganizationList.UpdateHeader = update
}
return &discovery.OrganizationList, true, nil
}
// Servers returns the discovery servers
// The second return value is a boolean that indicates whether a fresh list was updated internally
// If there was an error, a cached copy is returned if available.
func (discovery *Discovery) Servers(ctx context.Context) (*Servers, bool, error) {
if !discovery.DetermineServersUpdate() {
return &discovery.ServerList, false, nil
}
file := "server_list.json"
var jsonDecode Servers
update, err := discovery.file(ctx, file, discovery.ServerList.Version, discovery.ServerList.UpdateHeader, &jsonDecode)
if err != nil {
statErr := &httpw.StatusError{}
if errors.As(err, &statErr) {
if statErr.Status != 304 {
log.Logger.Warningf("failed to get fresh servers: %v", err)
} else {
discovery.ServerList.Timestamp = time.Now()
log.Logger.Debugf("got 304 for discovery, server_list.json not modified")
err = nil
}
}
// Return previous with an error
srvs, perr := discovery.previousServers()
if perr != nil {
log.Logger.Warningf("failed to get previous discovery servers: %v", perr)
}
return srvs, false, err
}
if len(jsonDecode.List) == 0 {
log.Logger.Warningf("fresh server list is empty")
} else {
discovery.ServerList = jsonDecode
}
discovery.ServerList.Timestamp = time.Now()
if !update.IsZero() {
discovery.ServerList.UpdateHeader = update
}
return &discovery.ServerList, true, nil
}
func (discovery *Discovery) UpdateServers(other Discovery) {
if other.ServerList.Version >= discovery.ServerList.Version {
discovery.ServerList = other.ServerList
}
}
func (discovery *Discovery) Copy() (Discovery, error) {
var dest Discovery
b, err := json.Marshal(discovery)
if err != nil {
return dest, err
}
err = json.Unmarshal(b, &dest)
if err != nil {
return dest, err
}
return dest, nil
}
|
