Merge pull request #1642 from chirino/create-admin-reg-key

precursor for #1628: auto create a reg-key for the admin user ...
nexodus-io · Nov 14, 2023 · 06b115d · 06b115d
2 parents f59c0e3 + d9e225e
commit 06b115d
Show file tree

Hide file tree

Showing 5 changed files with 176 additions and 8 deletions.
diff --git a/hack/update-ca.sh b/hack/update-ca.sh
@@ -21,16 +21,16 @@ fi
 if [ "$1" = "prod" ]; then
   cat << EOF > ~/.bash_history
 NEXD_LOGLEVEL=debug nexd --service-url https://qa.nexodus.io
-NEXD_LOGLEVEL=debug nexd --service-url https://try.nexodus.io
+NEXD_LOGLEVEL=debug nexd
 nexd --service-url https://qa.nexodus.io
-nexd --service-url https://try.nexodus.io
+nexd
 EOF
 
   cat << EOF > ~/.motd
 
 To connect this container to the nexodus network, try running:
 
-    nexd --service-url https://try.nexodus.io
+    nexd
 
 Press the up arrow to get this command from bash history.
 
@@ -40,17 +40,18 @@ else
   cat << EOF > ~/.bash_history
 NEXD_LOGLEVEL=debug nexd --service-url https://try.nexodus.io
 NEXD_LOGLEVEL=debug nexd --service-url https://qa.nexodus.io
-NEXD_LOGLEVEL=debug nexd --service-url https://try.nexodus.127.0.0.1.nip.io --username admin --password floofykittens
+NEXD_LOGLEVEL=debug nexd --service-url https://try.nexodus.127.0.0.1.nip.io --reg-key RK:dev-admin-reg-key
 nexd --service-url https://try.nexodus.io
 nexd --service-url https://qa.nexodus.io
-nexd --service-url https://try.nexodus.127.0.0.1.nip.io --username admin --password floofykittens
+nexctl --service-url https://try.nexodus.127.0.0.1.nip.io --username admin --password floofykittens
+nexd --service-url https://try.nexodus.127.0.0.1.nip.io --reg-key RK:dev-admin-reg-key
 EOF
 
   cat << EOF > ~/.motd
 
 To connect this container to the nexodus network, try running:
 
-    nexd --service-url https://try.nexodus.127.0.0.1.nip.io --username admin --password floofykittens
+    nexd --service-url https://try.nexodus.127.0.0.1.nip.io --reg-key RK:dev-admin-reg-key
 
 Commands for using a dev service, qa.nexodus.io, or try.nexodus.io are in bash history.
 

diff --git a/internal/database/database.go b/internal/database/database.go
@@ -6,6 +6,7 @@ import (
 	"github.com/nexodus-io/nexodus/internal/database/migration_20231108_0000"
 	"github.com/nexodus-io/nexodus/internal/database/migration_20231112_0000"
 	"github.com/nexodus-io/nexodus/internal/database/migration_20231113_0000"
+	"github.com/nexodus-io/nexodus/internal/database/migration_20231114_0000"
 
 	"github.com/nexodus-io/nexodus/internal/database/migration_20231031_0000"
 	"github.com/nexodus-io/nexodus/internal/database/migration_20231106_0000"
@@ -101,6 +102,7 @@ func Migrations() *migrations.Migrations {
 			migration_20231108_0000.New(),
 			migration_20231112_0000.New(),
 			migration_20231113_0000.New(),
+			migration_20231114_0000.New(),
 		},
 	}
 }
diff --git a/internal/database/migration_20231114_0000/migration.go b/internal/database/migration_20231114_0000/migration.go
@@ -0,0 +1,165 @@
+package migration_20231114_0000
+
+import (
+	"fmt"
+	"github.com/go-gormigrate/gormigrate/v2"
+	"github.com/google/uuid"
+	. "github.com/nexodus-io/nexodus/internal/database/migrations"
+	"gorm.io/gorm"
+	"os"
+	"time"
+)
+
+type Base struct {
+	ID        uuid.UUID `gorm:"type:uuid;primary_key;"`
+	CreatedAt time.Time
+	UpdatedAt time.Time
+	DeletedAt gorm.DeletedAt
+}
+
+type User struct {
+	Base
+	IdpID         string
+	UserName      string
+	Organizations []*Organization `gorm:"many2many:user_organizations"`
+}
+
+type Organization struct {
+	Base
+	OwnerID     uuid.UUID
+	Name        string
+	Description string
+
+	Users []*User `gorm:"many2many:user_organizations;"`
+}
+
+type VPC struct {
+	Base
+	OrganizationID uuid.UUID `json:"organization_id"`
+	Description    string    `json:"description"`
+	PrivateCidr    bool      `json:"private_cidr"`
+	Ipv4Cidr       string    `json:"ipv4_cidr"`
+	Ipv6Cidr       string    `json:"ipv6_cidr"`
+
+	Organization *Organization `json:"-"`
+}
+
+type SecurityGroup struct {
+	Base
+	Description    string         `json:"description"`
+	VpcId          uuid.UUID      `json:"vpc_id"`
+	OrganizationID uuid.UUID      `json:"-"` // Denormalized from the VPC record for performance
+	InboundRules   []SecurityRule `json:"inbound_rules,omitempty" gorm:"type:JSONB; serializer:json"`
+	OutboundRules  []SecurityRule `json:"outbound_rules,omitempty" gorm:"type:JSONB; serializer:json"`
+	Revision       uint64         `json:"revision"  gorm:"type:bigserial;index:"`
+}
+type SecurityRule struct {
+	IpProtocol string   `json:"ip_protocol"`
+	FromPort   int64    `json:"from_port"`
+	ToPort     int64    `json:"to_port"`
+	IpRanges   []string `json:"ip_ranges,omitempty"`
+}
+
+type RegKey struct {
+	Base
+	OwnerID        uuid.UUID  `json:"owner_id,omitempty"`
+	VpcID          uuid.UUID  `json:"vpc_id,omitempty"`
+	OrganizationID uuid.UUID  `json:"-"`                      // OrganizationID is denormalized from the VPC record for performance
+	BearerToken    string     `json:"bearer_token,omitempty"` // BearerToken is the bearer token the client should use to authenticate the device registration request.
+	Description    string     `json:"description,omitempty"`
+	DeviceId       *uuid.UUID `json:"device_id,omitempty"`  // DeviceId is set if the RegKey was created for single use
+	ExpiresAt      *time.Time `json:"expires_at,omitempty"` // ExpiresAt is optional, if set the registration key is only valid until the ExpiresAt time.
+}
+
+const (
+	defaultIPAMv4Cidr = "100.64.0.0/10"
+	defaultIPAMv6Cidr = "200::/64"
+)
+
+func New() *gormigrate.Migration {
+	migrationId := "20231114-0000"
+	return CreateMigrationFromActions(migrationId,
+		func(tx *gorm.DB, apply bool) error {
+			if !(apply && os.Getenv("NEXAPI_ENVIRONMENT") == "development") {
+				return nil
+			}
+			return tx.Transaction(func(tx *gorm.DB) error {
+
+				// do we need to create the admin user?
+				var count int64
+				adminIdpId := "01578c9e-8e76-46a4-b2b2-50788cec2ccd"
+				if res := tx.Model(&User{}).Where("idp_id = ?", adminIdpId).Count(&count); res.Error != nil {
+					return res.Error
+				}
+				if count != 0 {
+					return nil
+				}
+
+				user := &User{
+					Base: Base{
+						ID: uuid.New(),
+					},
+					IdpID:    adminIdpId,
+					UserName: "admin",
+				}
+				if res := tx.Create(user); res.Error != nil {
+					return res.Error
+				}
+				if res := tx.Create(&Organization{
+					Base: Base{
+						ID: user.ID,
+					},
+					OwnerID:     user.ID,
+					Name:        user.UserName,
+					Description: fmt.Sprintf("%s's organization", user.UserName),
+					Users: []*User{{
+						Base: Base{
+							ID: user.ID,
+						},
+					}},
+				}); res.Error != nil {
+					return res.Error
+				}
+				if res := tx.Create(&VPC{
+					Base: Base{
+						ID: user.ID,
+					},
+					OrganizationID: user.ID,
+					Description:    "default vpc",
+					PrivateCidr:    false,
+					Ipv4Cidr:       defaultIPAMv4Cidr,
+					Ipv6Cidr:       defaultIPAMv6Cidr,
+				}); res.Error != nil {
+					return res.Error
+				}
+
+				if res := tx.Create(&SecurityGroup{
+					Base: Base{
+						ID: user.ID,
+					},
+					VpcId:          user.ID,
+					OrganizationID: user.ID,
+					Description:    "default vpc security group",
+					InboundRules:   []SecurityRule{},
+					OutboundRules:  []SecurityRule{},
+				}); res.Error != nil {
+					return res.Error
+				}
+				if res := tx.Create(&RegKey{
+					Base: Base{
+						ID: user.ID,
+					},
+					OwnerID:        user.ID,
+					VpcID:          user.ID,
+					OrganizationID: user.ID,
+					Description:    "well known development reg key",
+					BearerToken:    "RK:dev-admin-reg-key",
+				}); res.Error != nil {
+					return res.Error
+				}
+
+				return nil
+			})
+		},
+	)
+}
diff --git a/internal/handlers/envoy_authz.go b/internal/handlers/envoy_authz.go
@@ -40,7 +40,7 @@ func (api *API) Check(ctx context.Context, checkReq *auth.CheckRequest) (*auth.C
 	if authorizationHeader != "" {
 
 		// Does it look like a reg key?
-		if strings.HasPrefix(authorizationHeader, "Bearer RT:") {
+		if strings.HasPrefix(authorizationHeader, "Bearer RK:") {
 			token := strings.TrimPrefix(authorizationHeader, "Bearer ")
 			return checkRegistrationToken(ctx, api, token)
 		} else if strings.HasPrefix(authorizationHeader, "Bearer DT:") {

diff --git a/internal/handlers/reg_key.go b/internal/handlers/reg_key.go
@@ -76,7 +76,7 @@ func (api *API) CreateRegKey(c *gin.Context) {
 			OwnerID:        userId,
 			VpcID:          vpc.ID,
 			OrganizationID: vpc.OrganizationID,
-			BearerToken:    "RT:" + token.String(),
+			BearerToken:    "RK:" + token.String(),
 			Description:    request.Description,
 			ExpiresAt:      request.ExpiresAt,
 		}