1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
|
package server
import (
"os"
"time"
"github.com/eduvpn/eduvpn-common/internal/discovery"
"github.com/eduvpn/eduvpn-common/internal/oauth"
"github.com/eduvpn/eduvpn-common/internal/wireguard"
"github.com/go-errors/errors"
)
type Type int8
const (
CustomServerType Type = iota
InstituteAccessServerType
SecureInternetServerType
)
type Server interface {
OAuth() *oauth.OAuth
// TemplateAuth returns the authorization URL template function
TemplateAuth() func(string) string
// Base returns the server base
Base() (*Base, error)
// RefreshEndpoints
RefreshEndpoints(*discovery.Discovery) error
}
type EndpointList struct {
API string `json:"api_endpoint"`
Authorization string `json:"authorization_endpoint"`
Token string `json:"token_endpoint"`
}
type EndpointsVersions struct {
V2 EndpointList `json:"http://eduvpn.org/api#2"`
V3 EndpointList `json:"http://eduvpn.org/api#3"`
}
// Endpoints defines the json format for /.well-known/vpn-user-portal".
type Endpoints struct {
API EndpointsVersions `json:"api"`
V string `json:"v"`
}
// ShouldRenewButton returns whether or not the renew button should be shown for the server
// Implemented according to: https://github.com/eduvpn/documentation/blob/cdf4d054f7652d74e4192494e8bb0e21040e46ac/API.md#session-expiry
func ShouldRenewButton(srv Server) bool {
b, err := srv.Base()
if err != nil {
// FIXME: Log error here?
return false
}
// Get current time
now := time.Now()
// Session is expired
if !now.Before(b.EndTime) {
return true
}
// 30 minutes have not passed
if !now.After(b.StartTime.Add(30 * time.Minute)) {
return false
}
// Session will not expire today
if !now.Add(24 * time.Hour).After(b.EndTime) {
return false
}
return true
}
func UpdateTokens(srv Server, t oauth.Token) {
srv.OAuth().UpdateTokens(t)
}
func OAuthURL(srv Server, name string) (string, error) {
return srv.OAuth().AuthURL(name, srv.TemplateAuth())
}
func OAuthExchange(srv Server) error {
return srv.OAuth().Exchange()
}
func HeaderToken(srv Server) (string, error) {
return srv.OAuth().AccessToken()
}
func MarkTokenExpired(srv Server) {
srv.OAuth().SetTokenExpired()
}
func MarkTokensForRenew(srv Server) {
srv.OAuth().SetTokenRenew()
}
func NeedsRelogin(srv Server) bool {
_, err := HeaderToken(srv)
return err != nil
}
func CancelOAuth(srv Server) {
srv.OAuth().Cancel()
}
func CurrentProfile(srv Server) (*Profile, error) {
b, err := srv.Base()
if err != nil {
return nil, err
}
pID := b.Profiles.Current
for _, profile := range b.Profiles.Info.ProfileList {
if profile.ID == pID {
return &profile, nil
}
}
return nil, errors.Errorf("profile not found: " + pID)
}
func ValidProfiles(srv Server, wireguardSupport bool) (*ProfileInfo, error) {
// No error wrapping here otherwise we wrap it too much
b, err := srv.Base()
if err != nil {
return nil, err
}
ps := b.ValidProfiles(wireguardSupport)
if len(ps.Info.ProfileList) == 0 {
return nil, errors.Errorf("no profiles found with supported protocols")
}
return &ps, nil
}
type ConfigData struct {
// The configuration
Config string
// The type of configuration
Type string
// The tokens
Tokens oauth.Token
}
func wireguardGetConfig(srv Server, preferTCP bool, openVPNSupport bool) (*ConfigData, error) {
b, err := srv.Base()
if err != nil {
return nil, err
}
pID := b.Profiles.Current
key, err := wireguard.GenerateKey()
if err != nil {
return nil, err
}
pub := key.PublicKey().String()
cfg, proto, exp, err := APIConnectWireguard(srv, pID, pub, preferTCP, openVPNSupport)
if err != nil {
return nil, err
}
// Store start and end time
b.StartTime = time.Now()
b.EndTime = exp
if proto == "wireguard" {
// This needs the go code a way to identify a connection
// Use the uuid of the connection e.g. on Linux
// This needs the client code to call the go code
cfg = wireguard.ConfigAddKey(cfg, key)
}
t := oauth.Token{}
o := srv.OAuth()
if o != nil {
t = o.Token()
}
return &ConfigData{Config: cfg, Type: proto, Tokens: t}, nil
}
func openVPNGetConfig(srv Server, preferTCP bool) (*ConfigData, error) {
b, err := srv.Base()
if err != nil {
return nil, err
}
pid := b.Profiles.Current
cfg, exp, err := APIConnectOpenVPN(srv, pid, preferTCP)
if err != nil {
return nil, err
}
// Store start and end time
b.StartTime = time.Now()
b.EndTime = exp
t := oauth.Token{}
o := srv.OAuth()
if o != nil {
t = o.Token()
}
return &ConfigData{Config: cfg, Type: "openvpn", Tokens: t}, nil
}
func HasValidProfile(srv Server, wireguardSupport bool) (bool, error) {
// Get new profiles using the info call
// This does not override the current profile
err := APIInfo(srv)
if err != nil {
return false, err
}
b, err := srv.Base()
if err != nil {
return false, err
}
// If there was a profile chosen and it doesn't exist anymore, reset it
if b.Profiles.Current != "" {
if _, err = CurrentProfile(srv); err != nil {
b.Profiles.Current = ""
}
}
if len(b.Profiles.Info.ProfileList) != 1 && b.Profiles.Current == "" {
return false, nil
}
// Set the current profile if there is only one profile or profile is already selected
// Set the first profile if none is selected
if b.Profiles.Current == "" {
b.Profiles.Current = b.Profiles.Info.ProfileList[0].ID
}
p, err := CurrentProfile(srv)
// shouldn't happen
if err != nil {
return false, err
}
// Profile does not support OpenVPN but the client also doesn't support WireGuard
if !p.SupportsOpenVPN() && !wireguardSupport {
return false, nil
}
return true, nil
}
func Config(server Server, wireguardSupport bool, preferTCP bool) (*ConfigData, error) {
p, err := CurrentProfile(server)
if err != nil {
return nil, err
}
ovpn := p.SupportsOpenVPN()
wg := p.SupportsWireguard() && wireguardSupport
// If we don't prefer TCP and this profile and client supports wireguard,
// we disable openvpn if the EDUVPN_PREFER_WG environment variable is set
// This is useful to force WireGuard if the profile supports both OpenVPN and WireGuard but the server still prefers OpenVPN
if !preferTCP && wg {
if os.Getenv("EDUVPN_PREFER_WG") == "1" {
ovpn = false
}
}
var cfg *ConfigData
switch {
// The config supports wireguard and optionally openvpn
case wg:
// A wireguard connect call needs to generate a wireguard key and add it to the config
// Also the server could send back an OpenVPN config if it supports OpenVPN
cfg, err = wireguardGetConfig(server, preferTCP, ovpn)
// The config only supports OpenVPN
case ovpn:
cfg, err = openVPNGetConfig(server, preferTCP)
// The config supports no available protocol because the profile only supports WireGuard but the client doesn't
default:
return nil, errors.New("no supported protocol found")
}
// Add script security 0 to disable OpenVPN scripts
// The client may override this but we provide the default protection here
if err == nil && cfg.Type == "openvpn" {
cfg.Config += "\nscript-security 0"
}
return cfg, err
}
func Disconnect(server Server) error {
return APIDisconnect(server)
}
|
