170 lines
5.7 KiB
Go
170 lines
5.7 KiB
Go
package api
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"git.dws.rip/dubey/kat/internal/pki"
|
|
"git.dws.rip/dubey/kat/internal/store"
|
|
)
|
|
|
|
// JoinRequest represents the data sent by an agent when joining
|
|
type JoinRequest struct {
|
|
CSRData string `json:"csrData"` // base64 encoded CSR
|
|
AdvertiseAddr string `json:"advertiseAddr"`
|
|
NodeName string `json:"nodeName,omitempty"` // Optional, leader can generate
|
|
WireGuardPubKey string `json:"wireguardPubKey"` // Placeholder for now
|
|
}
|
|
|
|
// JoinResponse represents the data sent back to the agent
|
|
type JoinResponse struct {
|
|
NodeName string `json:"nodeName"`
|
|
NodeUID string `json:"nodeUID"`
|
|
SignedCertificate string `json:"signedCertificate"` // base64 encoded certificate
|
|
CACertificate string `json:"caCertificate"` // base64 encoded CA certificate
|
|
AssignedSubnet string `json:"assignedSubnet"` // Placeholder for now
|
|
EtcdJoinInstructions string `json:"etcdJoinInstructions,omitempty"`
|
|
}
|
|
|
|
// NewJoinHandler creates a handler for agent join requests
|
|
func NewJoinHandler(stateStore store.StateStore, caKeyPath, caCertPath string) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
log.Printf("Received join request from %s", r.RemoteAddr)
|
|
|
|
// Read and parse the request body
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
log.Printf("Failed to read request body: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to read request body: %v", err), http.StatusBadRequest)
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var joinReq JoinRequest
|
|
if err := json.Unmarshal(body, &joinReq); err != nil {
|
|
log.Printf("Failed to parse request: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to parse request: %v", err), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Validate request
|
|
if joinReq.CSRData == "" {
|
|
log.Printf("Missing CSR data")
|
|
http.Error(w, "Missing CSR data", http.StatusBadRequest)
|
|
return
|
|
}
|
|
if joinReq.AdvertiseAddr == "" {
|
|
log.Printf("Missing advertise address")
|
|
http.Error(w, "Missing advertise address", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Generate node name if not provided
|
|
nodeName := joinReq.NodeName
|
|
if nodeName == "" {
|
|
nodeName = fmt.Sprintf("node-%s", uuid.New().String()[:8])
|
|
log.Printf("Generated node name: %s", nodeName)
|
|
}
|
|
|
|
// Generate a unique node ID
|
|
nodeUID := uuid.New().String()
|
|
log.Printf("Generated node UID: %s", nodeUID)
|
|
|
|
// Decode CSR data
|
|
csrData, err := base64.StdEncoding.DecodeString(joinReq.CSRData)
|
|
if err != nil {
|
|
log.Printf("Failed to decode CSR data: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to decode CSR data: %v", err), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Create a temporary file for the CSR
|
|
tempDir := os.TempDir()
|
|
csrPath := filepath.Join(tempDir, fmt.Sprintf("%s.csr", nodeUID))
|
|
if err := os.WriteFile(csrPath, csrData, 0600); err != nil {
|
|
log.Printf("Failed to save CSR: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to save CSR: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
defer os.Remove(csrPath)
|
|
|
|
// Sign the CSR
|
|
certPath := filepath.Join(tempDir, fmt.Sprintf("%s.crt", nodeUID))
|
|
if err := pki.SignCertificateRequest(caKeyPath, caCertPath, csrPath, certPath, 365*24*time.Hour); err != nil {
|
|
log.Printf("Failed to sign CSR: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to sign CSR: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
defer os.Remove(certPath)
|
|
|
|
// Read the signed certificate
|
|
signedCert, err := os.ReadFile(certPath)
|
|
if err != nil {
|
|
log.Printf("Failed to read signed certificate: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to read signed certificate: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Read the CA certificate
|
|
caCert, err := os.ReadFile(caCertPath)
|
|
if err != nil {
|
|
log.Printf("Failed to read CA certificate: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to read CA certificate: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Store node registration in etcd
|
|
nodeRegKey := fmt.Sprintf("/kat/nodes/registration/%s", nodeName)
|
|
nodeReg := map[string]interface{}{
|
|
"uid": nodeUID,
|
|
"advertiseAddr": joinReq.AdvertiseAddr,
|
|
"wireguardPubKey": joinReq.WireGuardPubKey,
|
|
"joinTimestamp": time.Now().Unix(),
|
|
}
|
|
nodeRegData, err := json.Marshal(nodeReg)
|
|
if err != nil {
|
|
log.Printf("Failed to marshal node registration: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to marshal node registration: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
log.Printf("Storing node registration in etcd at key: %s", nodeRegKey)
|
|
if err := stateStore.Put(r.Context(), nodeRegKey, nodeRegData); err != nil {
|
|
log.Printf("Failed to store node registration: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to store node registration: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
log.Printf("Successfully stored node registration in etcd")
|
|
|
|
// Prepare and send response
|
|
joinResp := JoinResponse{
|
|
NodeName: nodeName,
|
|
NodeUID: nodeUID,
|
|
SignedCertificate: base64.StdEncoding.EncodeToString(signedCert),
|
|
CACertificate: base64.StdEncoding.EncodeToString(caCert),
|
|
AssignedSubnet: "10.100.0.0/24", // Placeholder for now, will be implemented in network phase
|
|
}
|
|
|
|
respData, err := json.Marshal(joinResp)
|
|
if err != nil {
|
|
log.Printf("Failed to marshal response: %v", err)
|
|
http.Error(w, fmt.Sprintf("Failed to marshal response: %v", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write(respData)
|
|
log.Printf("Successfully processed join request for node: %s", nodeName)
|
|
}
|
|
}
|