backend work for improved setup flow (#19)

* backend work for improved setup flow
in4it · Sep 11, 2024 · 280a892 · 280a892
1 parent 106de15
commit 280a892
Show file tree

Hide file tree

Showing 21 changed files with 599 additions and 81 deletions.
diff --git a/cmd/reset-admin-password/main.go b/cmd/reset-admin-password/main.go
@@ -29,7 +29,7 @@ func main() {
 		os.Exit(1)
 	}
 	if !newAdminUserCreated {
-		resetMFA, err := getLine("Also remove MFA if present? [Y/n] ")
+		resetMFA, err := getLine("\nAlso remove MFA if present? [Y/n] ")
 		if err != nil {
 			fmt.Printf("Failed to changed admin password: %s", err)
 			os.Exit(1)

diff --git a/docs/release-notes.md b/docs/release-notes.md
@@ -1,5 +1,14 @@
 # Release Notes
 
+## Version v1.1.4
+* Improved setup flow for AWS & DigitalOcean
+
+## Version v1.1.3
+* New Feature: Log packets traversing the VPN Server. This release supports logging TCP / DNS / HTTP / HTTPS packets and inspecting the destination of http/https packets.
+
+## Version v1.1.2
+* UI: fixes in user creation
+
 ## Version v1.1.0
 * UI: change VPN configuration within the admin UI
 * UI: ability to reload WireGuard® configuration 

diff --git a/latest b/latest
@@ -1 +1 @@
-v1.1.3
+v1.1.4
diff --git a/pkg/commands/resetpassword.go b/pkg/commands/resetpassword.go
@@ -20,6 +20,9 @@ func ResetPassword(appDir, password string) (bool, error) {
 	if err != nil {
 		return adminCreated, fmt.Errorf("config retrieval error: %s", err)
 	}
+	c.Storage = &rest.Storage{
+		Client: localstorage,
+	}
 	c.UserStore, err = users.NewUserStore(localstorage, -1)
 	if err != nil {
 		return adminCreated, fmt.Errorf("userstore initialization error: %s", err)

diff --git a/pkg/license/aws.go b/pkg/license/aws.go
@@ -13,7 +13,7 @@ import (
 const AWS_PRODUCT_CODE = "7h7h3bnutjn0ziamv7npi8a69"
 
 func getMetadataToken(client http.Client) string {
-	metadataEndpoint := "http://" + metadataIP + "/latest/api/token"
+	metadataEndpoint := "http://" + MetadataIP + "/latest/api/token"
 
 	req, err := http.NewRequest("PUT", metadataEndpoint, nil)
 	if err != nil {
@@ -62,7 +62,7 @@ func isOnAWS(client http.Client) bool {
 func getInstanceIdentityDocument(client http.Client, token string) (InstanceIdentityDocument, error) {
 	var instanceIdentityDocument InstanceIdentityDocument
 
-	endpoint := "http://" + metadataIP + "/2022-09-24/dynamic/instance-identity/document"
+	endpoint := "http://" + MetadataIP + "/2022-09-24/dynamic/instance-identity/document"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return instanceIdentityDocument, err
@@ -145,7 +145,7 @@ func getLicense(client http.Client, key string) (License, error) {
 }
 
 func getLicenseFromMetaData(token string, client http.Client) (string, error) {
-	endpoint := "http://" + metadataIP + "/2022-09-24/meta-data/tags/instance/license"
+	endpoint := "http://" + MetadataIP + "/2022-09-24/meta-data/tags/instance/license"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return "", err
@@ -173,7 +173,7 @@ func getLicenseFromMetaData(token string, client http.Client) (string, error) {
 func getAWSInstanceType(client http.Client) string {
 	token := getMetadataToken(client)
 
-	endpoint := "http://" + metadataIP + "/latest/meta-data/instance-type"
+	endpoint := "http://" + MetadataIP + "/latest/meta-data/instance-type"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return ""
@@ -194,6 +194,30 @@ func getAWSInstanceType(client http.Client) string {
 	return ""
 }
 
+func GetAWSInstanceID(client http.Client) (string, error) {
+	token := getMetadataToken(client)
+
+	endpoint := "http://" + MetadataIP + "/latest/meta-data/instance-id"
+	req, err := http.NewRequest("GET", endpoint, nil)
+	if err != nil {
+		return "", err
+	}
+	if token != "" {
+		req.Header.Add("X-aws-ec2-metadata-token", token)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode == 200 {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return string(bodyBytes), err
+	}
+	return "", fmt.Errorf("received statuscode %d from aws metadata api", resp.StatusCode)
+}
+
 func GetMaxUsersAWS(instanceType string) int {
 	if instanceType == "" {
 		return 3

diff --git a/pkg/license/azure.go b/pkg/license/azure.go
@@ -9,7 +9,7 @@ import (
 )
 
 func isOnAzure(client http.Client) bool {
-	req, err := http.NewRequest("GET", "http://"+metadataIP+"/metadata/versions", nil)
+	req, err := http.NewRequest("GET", "http://"+MetadataIP+"/metadata/versions", nil)
 	if err != nil {
 		return false
 	}
@@ -51,7 +51,7 @@ func GetMaxUsersAzure(instanceType string) int {
 	return 3
 }
 func getAzureInstanceType(client http.Client) string {
-	metadataEndpoint := "http://" + metadataIP + "/metadata/instance?api-version=2021-02-01"
+	metadataEndpoint := "http://" + MetadataIP + "/metadata/instance?api-version=2021-02-01"
 	req, err := http.NewRequest("GET", metadataEndpoint, nil)
 	if err != nil {
 		return ""

diff --git a/pkg/license/digitalocean.go b/pkg/license/digitalocean.go
@@ -1,6 +1,7 @@
 package license
 
 import (
+	"bufio"
 	"fmt"
 	"io"
 	"net/http"
@@ -11,7 +12,7 @@ import (
 )
 
 func isOnDigitalOcean(client http.Client) bool {
-	endpoint := "http://" + metadataIP + "/metadata/v1/interfaces/private/0/type"
+	endpoint := "http://" + MetadataIP + "/metadata/v1/interfaces/private/0/type"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return false
@@ -60,7 +61,7 @@ func getDigitalOceanLicenseKey(storage storage.ReadWriter, client http.Client) (
 
 func getDigitalOceanIdentifier(client http.Client) (string, error) {
 	id := ""
-	endpoint := "http://" + metadataIP + "/metadata/v1/id"
+	endpoint := "http://" + MetadataIP + "/metadata/v1/id"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return id, err
@@ -82,3 +83,39 @@ func getDigitalOceanIdentifier(client http.Client) (string, error) {
 	return strings.TrimSpace(string(body)), nil
 
 }
+
+func HasDigitalOceanTagSet(client http.Client, tag string) (bool, error) {
+	endpoint := "http://" + MetadataIP + "/metadata/v1/tags"
+	req, err := http.NewRequest("GET", endpoint, nil)
+	if err != nil {
+		return false, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return false, err
+		}
+		return false, fmt.Errorf("wrong statuscode returned: %d; body: %s", resp.StatusCode, body)
+	}
+
+	scanner := bufio.NewScanner(resp.Body)
+	for scanner.Scan() {
+		if tag == strings.TrimSpace(scanner.Text()) {
+			return true, nil
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return false, err
+	}
+
+	return false, nil
+
+}
diff --git a/pkg/license/gcp.go b/pkg/license/gcp.go
@@ -11,7 +11,7 @@ import (
 )
 
 func isOnGCP(client http.Client) bool {
-	endpoint := "http://" + metadataIP + "/computeMetadata/v1/"
+	endpoint := "http://" + MetadataIP + "/computeMetadata/v1/"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return false
@@ -62,7 +62,7 @@ func getGCPLicenseKey(storage storage.ReadWriter, client http.Client) (string, e
 
 func getGCPIdentifier(client http.Client) (string, error) {
 	id := ""
-	endpoint := "http://" + metadataIP + "/computeMetadata/v1/project/project-id"
+	endpoint := "http://" + MetadataIP + "/computeMetadata/v1/project/project-id"
 	req, err := http.NewRequest("GET", endpoint, nil)
 	if err != nil {
 		return id, err

diff --git a/pkg/license/gcp_test.go b/pkg/license/gcp_test.go
@@ -22,7 +22,7 @@ func TestGuessInfrastructureGCP(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -50,7 +50,7 @@ func TestGetMaxUsersGCPBYOL(t *testing.T) {
 	defer ts.Close()
 
 	licenseURL = ts.URL
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	mockStorage := &memorystorage.MockMemoryStorage{}
 	err := mockStorage.WriteFile("config/license.key", []byte("license-1234556-license"))

diff --git a/pkg/license/license.go b/pkg/license/license.go
@@ -11,7 +11,7 @@ import (
 	randomutils "github.com/in4it/wireguard-server/pkg/utils/random"
 )
 
-var metadataIP = "169.254.169.254"
+var MetadataIP = "169.254.169.254"
 var licenseURL = "https://in4it-vpn-server.s3.amazonaws.com/licenses"
 
 func guessInfrastructure() string {

diff --git a/pkg/license/license_test.go b/pkg/license/license_test.go
@@ -96,7 +96,7 @@ func TestGetMaxUsersAWSBYOL(t *testing.T) {
 		"t3.xlarge": 50,
 	}
 	licenseURL = ts.URL
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 	for _, v := range testCases {
 		if v2 := GetMaxUsersAWSBYOL(http.Client{Timeout: 5 * time.Second}, &memorystorage.MockMemoryStorage{}); v2 != v {
 			t.Fatalf("Wrong output: %d vs %d", v2, v)
@@ -127,7 +127,7 @@ func TestGuessInfrastructureAzure(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -170,7 +170,7 @@ func TestGuessInfrastructureAWSMarketplace(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -204,7 +204,7 @@ func TestGuessInfrastructureAWS(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -223,7 +223,7 @@ func TestGuessInfrastructureOther(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -248,7 +248,7 @@ func TestGetAzureInstanceType(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	usersPerVCPU := 25
 
@@ -275,7 +275,7 @@ func TestGetAWSInstanceType(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	users := GetMaxUsersAWS(getAWSInstanceType(http.Client{Timeout: 5 * time.Second}))
 
@@ -294,7 +294,7 @@ func TestGuessInfrastructureDigitalOcean(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	infra := guessInfrastructure()
 
@@ -330,7 +330,7 @@ func TestGetMaxUsersDigitalOceanBYOL(t *testing.T) {
 	defer ts.Close()
 
 	licenseURL = ts.URL
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	mockStorage := &memorystorage.MockMemoryStorage{}
 	err := mockStorage.WriteFile("config/license.key", []byte("license-1234556-license"))
@@ -383,7 +383,7 @@ func TestGetLicenseKey(t *testing.T) {
 		w.WriteHeader(http.StatusNotFound)
 	}))
 
-	metadataIP = strings.Replace(ts.URL, "http://", "", -1)
+	MetadataIP = strings.Replace(ts.URL, "http://", "", -1)
 
 	logging.Loglevel = logging.LOG_DEBUG + logging.LOG_ERROR
 	key := GetLicenseKey(&memorystorage.MockMemoryStorage{}, "")

diff --git a/pkg/rest/context.go b/pkg/rest/context.go
@@ -110,6 +110,7 @@ func getEmptyContext(appDir string) (*Context, error) {
 		TokenRenewalTimeMinutes: oidcrenewal.DEFAULT_RENEWAL_TIME_MINUTES,
 		LogLevel:                logging.LOG_ERROR,
 		SCIM:                    &SCIM{EnableSCIM: false},
+		SAML:                    &SAML{Providers: &[]saml.Provider{}},
 	}
 	return c, nil
 }