feat: Implement basic API server with mTLS for leader join endpoint
This commit is contained in:
141
internal/api/join_handler.go
Normal file
141
internal/api/join_handler.go
Normal file
@ -0,0 +1,141 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"kat-system/internal/pki"
|
||||
"kat-system/internal/store"
|
||||
)
|
||||
|
||||
// JoinRequest represents the data sent by an agent when joining
|
||||
type JoinRequest struct {
|
||||
CSR []byte `json:"csr"`
|
||||
AdvertiseAddr string `json:"advertiseAddr"`
|
||||
NodeName string `json:"nodeName,omitempty"` // Optional, leader can generate
|
||||
WireguardPubKey string `json:"wireguardPubKey"` // Placeholder for now
|
||||
}
|
||||
|
||||
// JoinResponse represents the data sent back to the agent
|
||||
type JoinResponse struct {
|
||||
NodeName string `json:"nodeName"`
|
||||
NodeUID string `json:"nodeUID"`
|
||||
SignedCert []byte `json:"signedCert"`
|
||||
CACert []byte `json:"caCert"`
|
||||
JoinTimestamp int64 `json:"joinTimestamp"`
|
||||
}
|
||||
|
||||
// NewJoinHandler creates a handler for agent join requests
|
||||
func NewJoinHandler(stateStore store.StateStore, caKeyPath, caCertPath string) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
// Read and parse the request body
|
||||
body, err := io.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to read request body: %v", err), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
defer r.Body.Close()
|
||||
|
||||
var joinReq JoinRequest
|
||||
if err := json.Unmarshal(body, &joinReq); err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to parse request: %v", err), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Validate request
|
||||
if len(joinReq.CSR) == 0 {
|
||||
http.Error(w, "Missing CSR", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if joinReq.AdvertiseAddr == "" {
|
||||
http.Error(w, "Missing advertise address", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Generate node name if not provided
|
||||
nodeName := joinReq.NodeName
|
||||
if nodeName == "" {
|
||||
nodeName = fmt.Sprintf("node-%s", uuid.New().String()[:8])
|
||||
}
|
||||
|
||||
// Generate a unique node ID
|
||||
nodeUID := uuid.New().String()
|
||||
|
||||
// Sign the CSR
|
||||
// Create a temporary file for the CSR
|
||||
tempDir := os.TempDir()
|
||||
csrPath := filepath.Join(tempDir, fmt.Sprintf("%s.csr", nodeUID))
|
||||
if err := os.WriteFile(csrPath, joinReq.CSR, 0600); err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to save CSR: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
defer os.Remove(csrPath)
|
||||
|
||||
// Sign the CSR
|
||||
certPath := filepath.Join(tempDir, fmt.Sprintf("%s.crt", nodeUID))
|
||||
if err := pki.SignCertificateRequest(caKeyPath, caCertPath, csrPath, certPath, 365*24*time.Hour); err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to sign CSR: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
defer os.Remove(certPath)
|
||||
|
||||
// Read the signed certificate
|
||||
signedCert, err := os.ReadFile(certPath)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to read signed certificate: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Read the CA certificate
|
||||
caCert, err := os.ReadFile(caCertPath)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to read CA certificate: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Store node registration in etcd
|
||||
nodeRegKey := fmt.Sprintf("/kat/nodes/registration/%s", nodeName)
|
||||
nodeReg := map[string]interface{}{
|
||||
"uid": nodeUID,
|
||||
"advertiseAddr": joinReq.AdvertiseAddr,
|
||||
"wireguardPubKey": joinReq.WireguardPubKey,
|
||||
"joinTimestamp": time.Now().Unix(),
|
||||
}
|
||||
nodeRegData, err := json.Marshal(nodeReg)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to marshal node registration: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if err := stateStore.Put(r.Context(), nodeRegKey, nodeRegData); err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to store node registration: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Prepare and send response
|
||||
joinResp := JoinResponse{
|
||||
NodeName: nodeName,
|
||||
NodeUID: nodeUID,
|
||||
SignedCert: signedCert,
|
||||
CACert: caCert,
|
||||
JoinTimestamp: time.Now().Unix(),
|
||||
}
|
||||
|
||||
respData, err := json.Marshal(joinResp)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("Failed to marshal response: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write(respData)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user