clients now generate keys

api/resource_wireguard.go

@@ -26,21 +26,21 @@ query($slug: String!) {
 	return *data.Organization.WireGuardPeers.Nodes, nil
 }
 
-func (c *Client) CreateWireGuardPeer(org *Organization, region, name string) (*CreatedWireGuardPeer, error) {
+func (c *Client) CreateWireGuardPeer(org *Organization, region, name, pubkey string) (*CreatedWireGuardPeer, error) {
 	req := c.NewRequest(`
 mutation($input: AddWireGuardPeerInput!) { 
   addWireGuardPeer(input: $input) { 
-    pubkey
-    privkey
     peerip
     endpointip
+    pubkey
   } 
 }
 `)
 	req.Var("input", map[string]interface{}{
 		"organizationId": org.ID,
 		"region":         region,
 		"name":           name,
+		"pubkey":         pubkey,
 	})
 
 	data, err := c.Run(req)

api/types.go

@@ -150,10 +150,9 @@ type Query struct {
 
 // carries the privkey; this is the only time it can be retrieved
 type CreatedWireGuardPeer struct {
-	Pubkey     string
-	Privkey    string
 	Peerip     string
 	Endpointip string
+	Pubkey     string
 }
 
 type Definition map[string]interface{}

cmd/wireguard.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net"
@@ -13,6 +15,7 @@ import (
 	"github.com/superfly/flyctl/api"
 	"github.com/superfly/flyctl/cmdctx"
 	"github.com/superfly/flyctl/docstrings"
+	"golang.org/x/crypto/curve25519"
 )
 
 func newWireGuardCommand() *Command {
@@ -93,10 +96,10 @@ func runWireGuardList(ctx *cmdctx.CmdContext) error {
 	return nil
 }
 
-func generateWgConf(peer *api.CreatedWireGuardPeer, w io.Writer) {
+func generateWgConf(peer *api.CreatedWireGuardPeer, privkey string, w io.Writer) {
 	templateStr := `
 [Interface]
-PrivateKey = {{.Peer.Privkey}}
+PrivateKey = {{.Meta.Privkey}}
 Address = {{.Peer.Peerip}}/24
 DNS = {{.Meta.DNS}}
 
@@ -109,6 +112,7 @@ Endpoint = {{.Peer.Endpointip}}:51820
 	data := struct {
 		Peer *api.CreatedWireGuardPeer
 		Meta struct {
+			Privkey    string
 			AllowedIPs string
 			DNS        string
 		}
@@ -127,12 +131,29 @@ Endpoint = {{.Peer.Endpointip}}:51820
 	addr[15] = 3
 
 	data.Meta.DNS = fmt.Sprintf("%s", addr)
+	data.Meta.Privkey = privkey
 
 	tmpl := template.Must(template.New("name").Parse(templateStr))
 
 	tmpl.Execute(w, &data)
 }
 
+func c25519pair() (string, string) {
+	var private [32]byte
+	_, err := rand.Read(private[:])
+	if err != nil {
+		panic(fmt.Sprintf("reading from random: %s", err))
+	}
+
+	public, err := curve25519.X25519(private[:], curve25519.Basepoint)
+	if err != nil {
+		panic(fmt.Sprintf("can't mult: %s", err))
+	}
+
+	return base64.StdEncoding.EncodeToString(public[:]),
+		base64.StdEncoding.EncodeToString(private[:])
+}
+
 func runWireGuardCreate(ctx *cmdctx.CmdContext) error {
 	client := ctx.Client.API()
 
@@ -153,7 +174,9 @@ func runWireGuardCreate(ctx *cmdctx.CmdContext) error {
 
 	fmt.Printf("Creating WireGuard peer \"%s\" in region \"%s\" for organization %s\n", name, region, org.Slug)
 
-	data, err := client.CreateWireGuardPeer(org, region, name)
+	pubkey, privatekey := c25519pair()
+
+	data, err := client.CreateWireGuardPeer(org, region, name, pubkey)
 	if err != nil {
 		return err
 	}
@@ -191,7 +214,7 @@ func runWireGuardCreate(ctx *cmdctx.CmdContext) error {
 		}
 	}
 
-	generateWgConf(data, w)
+	generateWgConf(data, privatekey, w)
 
 	if f != nil {
 		fmt.Printf("Wrote WireGuard configuration to '%s'; load in your WireGuard client\n", filename)

go.mod

@@ -50,6 +50,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.7.0
 	github.com/stretchr/testify v1.6.1
+	golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392
 	golang.org/x/net v0.0.0-20200822124328-c89045814202
 	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 // indirect
 	golang.org/x/sys v0.0.0-20200523222454-059865788121 // indirect

go.sum

@@ -860,6 +860,8 @@ golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -983,6 +985,8 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20u
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zrpzXdb/voyeOuVKS46o=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=