Massive very unstable rewrite to event based architecture, wouldnt us…

…e this just yet
NHAS · Jan 21, 2024 · b04c087 · b04c087
1 parent 94d016b
commit b04c087
Show file tree

Hide file tree

Showing 23 changed files with 2,553 additions and 1,757 deletions.
diff --git a/commands/start.go b/commands/start.go
@@ -94,11 +94,14 @@ func (g *start) Check() error {
 }
 
 func (g *start) Run() error {
-	defer data.TearDown()
 
+	var err error
+	defer func() {
+		data.TearDown()
+	}()
 	error := make(chan error)
 
-	err := router.Setup(error, !g.noIptables)
+	err = router.Setup(error, !g.noIptables)
 	if err != nil {
 		return fmt.Errorf("unable to start router: %v", err)
 	}

diff --git a/go.mod b/go.mod
@@ -60,6 +60,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect

diff --git a/go.sum b/go.sum
@@ -210,6 +210,8 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/r3labs/diff v1.1.0 h1:V53xhrbTHrWFWq3gI4b94AjgEJOerO1+1l0xyHOBi8M=
+github.com/r3labs/diff v1.1.0/go.mod h1:7WjXasNzi0vJetRcB/RqNl5dlIsmXcTTLmF5IoH6Xig=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
@@ -229,6 +231,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

diff --git a/internal/acls/acls.go b/internal/acls/acls.go
@@ -0,0 +1,7 @@
+package acls
+
+type Acl struct {
+	Mfa   []string `json:",omitempty"`
+	Allow []string `json:",omitempty"`
+	Deny  []string `json:",omitempty"`
+}
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -96,6 +96,7 @@ type Config struct {
 		ListenAddresses  []string
 		Peers            map[string][]string
 		DatabaseLocation string
+		ETCDLogLevel     string
 	}
 
 	Authenticators struct {
@@ -152,44 +153,6 @@ func Values() Config {
 	return v
 }
 
-func GetEffectiveAcl(username string) acls.Acl {
-	valuesLock.RLock()
-	defer valuesLock.RUnlock()
-
-	var resultingACLs acls.Acl
-	//Add the server address by default
-	resultingACLs.Allow = []string{values.Wireguard.ServerAddress.String() + "/32"}
-
-	// Add dns servers if defined
-	// Make sure we resolve the dns servers in case someone added them as domains, so that clients dont get stuck trying to use the domain dns servers to look up the dns servers
-	// Restrict dns servers to only having 53/any by default as per #49
-	for _, server := range values.Wireguard.DNS {
-		resultingACLs.Allow = append(resultingACLs.Allow, fmt.Sprintf("%s 53/any", server))
-	}
-
-	if allPolicy, ok := values.Acls.Policies["*"]; ok {
-		resultingACLs.Allow = append(resultingACLs.Allow, allPolicy.Allow...)
-		resultingACLs.Mfa = append(resultingACLs.Mfa, allPolicy.Mfa...)
-	}
-
-	//If the user has any user specific rules, add those
-	if acl, ok := values.Acls.Policies[username]; ok {
-		resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
-		resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
-	}
-
-	//This may get expensive if the user belongs to a large number of
-	for group := range values.Acls.rGroupLookup[username] {
-		//If the user belongs to a series of groups, grab those, and add their rules
-		if acl, ok := values.Acls.Policies[group]; ok {
-			resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
-			resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
-		}
-	}
-
-	return resultingACLs
-}
-
 // Used in authentication methods that can specify user groups directly (for the moment just oidc)
 // Adds groups to username, even if user does not exist in the config.json file, so GetEffectiveAcls works
 func AddVirtualUser(username string, groups []string) {

diff --git a/internal/data/acls.go b/internal/data/acls.go
@@ -0,0 +1,118 @@
+package data
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/NHAS/wag/internal/acls"
+	"github.com/NHAS/wag/internal/config"
+	clientv3 "go.etcd.io/etcd/client/v3"
+)
+
+func SetAcl(effects string, policy acls.Acl, overwrite bool) error {
+
+	response, err := etcd.Get(context.Background(), "wag-acls-"+effects)
+	if err != nil {
+		return err
+	}
+
+	if len(response.Kvs) > 0 && !overwrite {
+		return errors.New("acl already exists")
+	}
+
+	policyJson, _ := json.Marshal(policy)
+
+	_, err = etcd.Put(context.Background(), "wag-acls-"+effects, string(policyJson))
+
+	return err
+}
+
+func RemoveAcl(effects string) error {
+	_, err := etcd.Delete(context.Background(), "wag-acls-"+effects)
+	return err
+}
+
+func GetEffectiveAcl(username string) acls.Acl {
+	var resultingACLs acls.Acl
+	//Add the server address by default
+	resultingACLs.Allow = []string{config.Values().Wireguard.ServerAddress.String() + "/32"}
+
+	// Add dns servers if defined
+	// Make sure we resolve the dns servers in case someone added them as domains, so that clients dont get stuck trying to use the domain dns servers to look up the dns servers
+	// Restrict dns servers to only having 53/any by default as per #49
+	for _, server := range config.Values().Wireguard.DNS {
+		resultingACLs.Allow = append(resultingACLs.Allow, fmt.Sprintf("%s 53/any", server))
+	}
+
+	txn := etcd.Txn(context.Background())
+	txn.Then(clientv3.OpGet("wag-acls-*"), clientv3.OpGet("wag-acls-"+username), clientv3.OpGet("wag-membership"))
+	resp, err := txn.Commit()
+	if err != nil {
+		return acls.Acl{}
+	}
+
+	// the default policy contents
+	if resp.Responses[0].GetResponseRange().GetCount() != 0 {
+		var acl acls.Acl
+
+		err := json.Unmarshal(resp.Responses[0].GetResponseRange().Kvs[0].Value, &acl)
+		if err == nil {
+			resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
+			resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
+		}
+	}
+
+	// User specific acls
+	if resp.Responses[1].GetResponseRange().GetCount() != 0 {
+		var acl acls.Acl
+
+		err := json.Unmarshal(resp.Responses[1].GetResponseRange().Kvs[0].Value, &acl)
+		if err == nil {
+			resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
+			resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
+		}
+	}
+
+	// Membership map for finding all the other policies
+	if resp.Responses[2].GetResponseRange().GetCount() != 0 {
+		var rGroupLookup map[string]map[string]bool
+
+		err = json.Unmarshal(resp.Responses[2].GetResponseRange().Kvs[0].Value, &rGroupLookup)
+		if err == nil {
+
+			txn := etcd.Txn(context.Background())
+
+			//If the user belongs to a series of groups, grab those, and add their rules
+			var ops []clientv3.Op
+			for group := range rGroupLookup[username] {
+				ops = append(ops, clientv3.OpGet("wag-acls-"+group))
+			}
+
+			resp, err := txn.Then(ops...).Commit()
+			if err != nil {
+				return acls.Acl{}
+			}
+
+			for m := range resp.Responses {
+				r := resp.Responses[m].GetResponseRange()
+				if r.Count > 0 {
+
+					var acl acls.Acl
+
+					err := json.Unmarshal(r.Kvs[0].Value, &acl)
+					if err != nil {
+						continue
+					}
+
+					resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
+					resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
+				}
+			}
+
+		}
+	}
+
+	return resultingACLs
+}
diff --git a/internal/data/config.go b/internal/data/config.go
@@ -0,0 +1,29 @@
+package data
+
+func SetHelpMail(helpMail string) error {
+	return nil
+}
+
+func SetExternalAddress(externalAddress string) error {
+	return nil
+}
+
+func SetDNS(dns []string) error {
+
+	return nil
+}
+
+func SetSessionLifetimeMinutes(lifetimeMinutes int) error {
+
+	return nil
+}
+
+func SetSessionInactivityTimeoutMinutes(InactivityTimeout int) error {
+
+	return nil
+}
+
+func SetLockout(accountLockout int) error {
+
+	return nil
+}