/
pc_api_server.go
106 lines (93 loc) · 3.74 KB
/
pc_api_server.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package auth
import (
"fmt"
"net/http"
"github.com/gravitational/teleport"
"github.com/gravitational/teleport/lib/httplib"
"github.com/gravitational/teleport/lib/utils"
"github.com/gravitational/trace"
"github.com/julienschmidt/httprouter"
)
const (
PocketApiVersion string = "v0"
PocketUserSignup string = "signup"
PocketSignupToken string = "token"
PocketOperation string = "operation"
PocketRequestSignedCert string = "reqsignedcert"
PocketReuqestUserIdentity string = "requserinfo"
)
type PocketRequestBase struct {
// AuthServers is a list of auth servers nodes, proxies and peer auth servers connect to
AuthServers []utils.NetAddr
// Host role
Role teleport.Role
// Hostname is a node host name
Hostname string
// HostUUID is a unique host id
HostUUID string
// AuthToken
AuthToken string
}
// Enhances API server for pocket API
func enhanceWithPocketAPI(srv *APIServer, config *APIConfig) {
// (03/11/2017)
// certSigner is added to issue various types of other certs.
// We'll later replace it with an enhanced cert manager.
// Also, it is pointless to add additional APIs without cert signer.
if config.CertSigner == nil {
return
}
srv.certSigner = config.CertSigner
srv.userKiosk = config.UserKiosk
srv.POST(fmt.Sprintf("/%s/%s/%s", PocketApiVersion, PocketUserSignup, PocketSignupToken), httplib.MakeHandler(srv.releaseSignupToken))
srv.POST(fmt.Sprintf("/%s/%s/%s", PocketApiVersion, PocketOperation, PocketRequestSignedCert), httplib.MakeHandler(srv.issueSignedCertificatewithToken))
srv.POST(fmt.Sprintf("/%s/%s/%s", PocketApiVersion, PocketOperation, PocketReuqestUserIdentity), httplib.MakeHandler(srv.deliverUserIdentityWithToken))
}
// -- create user with signup token only -- //
// TODO : apply encryption
type signupTokenReq struct {
SignupToken string `json:"signuptoken"`
}
func (s *APIServer) releaseSignupToken(w http.ResponseWriter, r *http.Request, _ httprouter.Params) (interface{}, error) {
var req *signupTokenReq
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
tokenData, err := s.a.releaseSignupToken(req.SignupToken)
if err != nil {
return nil, trace.Wrap(err)
}
return tokenData, nil
}
// -- issue signed certificate with token -- //
type requestOperationParamWithToken struct {
Token string `json:"token"`
Hostname string `json:"hostname"`
HostUUID string `json:"hostuuid"`
Role teleport.Role `json:"role"`
}
func (s *APIServer) issueSignedCertificatewithToken(w http.ResponseWriter, r *http.Request, _ httprouter.Params) (interface{}, error) {
var req *requestOperationParamWithToken
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
if s.certSigner == nil {
return nil, trace.Wrap(fmt.Errorf("Cannot issue certificates with null signer"))
}
keys, err := s.a.issueSignedCertificateWithToken(s.certSigner, req)
if err != nil {
return nil, trace.Wrap(err)
}
return keys, nil
}
// -- deliver user information -- //
func (s *APIServer) deliverUserIdentityWithToken(w http.ResponseWriter, r *http.Request, _ httprouter.Params) (interface{}, error) {
var req *requestOperationParamWithToken
if err := httplib.ReadJSON(r, &req); err != nil {
return nil, trace.Wrap(err)
}
if s.userKiosk == nil {
return nil, trace.Wrap(fmt.Errorf("Cannot deliver user identity with null kiosk"))
}
return s.a.deliverUserInformationWithToken(s.userKiosk, req)
}