Init create and delete workflow
This commit is contained in:
commit
751e312862
10 changed files with 2787 additions and 0 deletions
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
guard
|
31
Makefile
Normal file
31
Makefile
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
# Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
# Permission is hereby granted, free of charge, to any person
|
||||||
|
# obtaining a copy of this software and associated documentation
|
||||||
|
# files (the "Software"), to deal in the Software without
|
||||||
|
# restriction, including without limitation the rights to use, copy,
|
||||||
|
# modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
# of the Software, and to permit persons to whom the Software is
|
||||||
|
# furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
# The above copyright notice and this permission notice shall be
|
||||||
|
# included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
# EXPRESS OR IMPLIED,
|
||||||
|
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
# HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
# DAMAGES OR OTHER LIABILITY,
|
||||||
|
# WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
# TORT OR OTHERWISE,
|
||||||
|
# ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
# THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
|
||||||
|
PACKAGES=$(shell go list ./... | grep -v /vendor/)
|
||||||
|
REVISION=$(shell git rev-parse HEAD)
|
||||||
|
|
||||||
|
protos:
|
||||||
|
protobuild --quiet ${PACKAGES}
|
||||||
|
|
28
Protobuild.toml
Normal file
28
Protobuild.toml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
version = "unstable"
|
||||||
|
generator = "gogoctrd"
|
||||||
|
plugins = ["grpc"]
|
||||||
|
|
||||||
|
# Control protoc include paths. Below are usually some good defaults, but feel
|
||||||
|
# free to try it without them if it works for your project.
|
||||||
|
[includes]
|
||||||
|
# Paths that should be treated as include roots in relation to the vendor
|
||||||
|
# directory. These will be calculated with the vendor directory nearest the
|
||||||
|
# target package.
|
||||||
|
packages = ["github.com/gogo/protobuf", "github.com/gogo/googleapis"]
|
||||||
|
|
||||||
|
# Paths that will be added untouched to the end of the includes. We use
|
||||||
|
# `/usr/local/include` to pickup the common install location of protobuf.
|
||||||
|
# This is the default.
|
||||||
|
after = ["/usr/local/include"]
|
||||||
|
|
||||||
|
# This section maps protobuf imports to Go packages. These will become
|
||||||
|
# `-M` directives in the call to the go protobuf generator.
|
||||||
|
[packages]
|
||||||
|
"gogoproto/gogo.proto" = "github.com/gogo/protobuf/gogoproto"
|
||||||
|
"google/protobuf/any.proto" = "github.com/gogo/protobuf/types"
|
||||||
|
"google/protobuf/empty.proto" = "github.com/gogo/protobuf/types"
|
||||||
|
"google/protobuf/descriptor.proto" = "github.com/gogo/protobuf/protoc-gen-gogo/descriptor"
|
||||||
|
"google/protobuf/field_mask.proto" = "github.com/gogo/protobuf/types"
|
||||||
|
"google/protobuf/timestamp.proto" = "github.com/gogo/protobuf/types"
|
||||||
|
"google/protobuf/duration.proto" = "github.com/gogo/protobuf/types"
|
||||||
|
"google/rpc/status.proto" = "github.com/gogo/googleapis/google/rpc"
|
28
api/v1/doc.go
Normal file
28
api/v1/doc.go
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
/*
|
||||||
|
Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person
|
||||||
|
obtaining a copy of this software and associated documentation
|
||||||
|
files (the "Software"), to deal in the Software without
|
||||||
|
restriction, including without limitation the rights to use, copy,
|
||||||
|
modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be
|
||||||
|
included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
EXPRESS OR IMPLIED,
|
||||||
|
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
TORT OR OTHERWISE,
|
||||||
|
ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package v1
|
2145
api/v1/guard.pb.go
Normal file
2145
api/v1/guard.pb.go
Normal file
File diff suppressed because it is too large
Load diff
54
api/v1/guard.proto
Normal file
54
api/v1/guard.proto
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
syntax = "proto3";
|
||||||
|
|
||||||
|
package com.crosbymichael.guard.v1;
|
||||||
|
|
||||||
|
import weak "gogoproto/gogo.proto";
|
||||||
|
import "google/protobuf/empty.proto";
|
||||||
|
|
||||||
|
option go_package = "github.com/crosbymichael/guard/api/v1;v1";
|
||||||
|
|
||||||
|
service Wireguard {
|
||||||
|
rpc Create(CreateRequest) returns (CreateResponse);
|
||||||
|
rpc Delete(DeleteRequest) returns (google.protobuf.Empty);
|
||||||
|
rpc List(google.protobuf.Empty) returns (ListResponse);
|
||||||
|
}
|
||||||
|
|
||||||
|
message CreateRequest {
|
||||||
|
string id = 1 [(gogoproto.customname) = "ID"];
|
||||||
|
uint32 listen_port = 2;
|
||||||
|
string address = 3;
|
||||||
|
}
|
||||||
|
|
||||||
|
message CreateResponse {
|
||||||
|
Tunnel tunnel = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
message DeleteRequest {
|
||||||
|
string id = 1 [(gogoproto.customname) = "ID"];
|
||||||
|
}
|
||||||
|
|
||||||
|
message ListResponse {
|
||||||
|
repeated Tunnel tunnels = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
message Tunnel {
|
||||||
|
string id = 1 [(gogoproto.customname) = "ID"];
|
||||||
|
string private_key = 2;
|
||||||
|
uint32 listen_port = 3;
|
||||||
|
string address = 4;
|
||||||
|
string dns = 5 [(gogoproto.customname) = "DNS"];
|
||||||
|
repeated Peer peers = 6;
|
||||||
|
Masquerade masquerade = 7;
|
||||||
|
}
|
||||||
|
|
||||||
|
message Peer {
|
||||||
|
string public_key = 1;
|
||||||
|
repeated string allowed_ips = 2 [(gogoproto.customname) = "AllowedIPs"];
|
||||||
|
string endpoint = 3;
|
||||||
|
uint32 persistent_keepalive = 4;
|
||||||
|
string comment = 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
message Masquerade {
|
||||||
|
string interface = 1;
|
||||||
|
}
|
74
api/v1/tunnel.go
Normal file
74
api/v1/tunnel.go
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
/*
|
||||||
|
Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person
|
||||||
|
obtaining a copy of this software and associated documentation
|
||||||
|
files (the "Software"), to deal in the Software without
|
||||||
|
restriction, including without limitation the rights to use, copy,
|
||||||
|
modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be
|
||||||
|
included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
EXPRESS OR IMPLIED,
|
||||||
|
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
TORT OR OTHERWISE,
|
||||||
|
ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package v1
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"text/template"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
const confFmt = `[Interface]
|
||||||
|
PrivateKey = {{.PrivateKey}}
|
||||||
|
{{if gt .ListenPort 0}}ListenPort = {{.ListenPort}}{{end}}
|
||||||
|
Address = {{.Address}}
|
||||||
|
{{if .DNS }}DNS = {{.DNS}}{{end}}
|
||||||
|
|
||||||
|
{{if .Masquerade}}
|
||||||
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{.Masquerade.Interface}} -j MASQUERADE
|
||||||
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{.Masquerade.Interface}} -j MASQUERADE
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{range $peer := .Peers -}}
|
||||||
|
# {{$peer.Comment}}
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{$peer.PublicKey}}
|
||||||
|
AllowedIPs = {{joinIPs $peer.AllowedIPs}}
|
||||||
|
{{if .Endpoint}}Endpoint = {{.Endpoint}}{{end}}
|
||||||
|
{{if .PersistentKeepalive}}PersistentKeepalive = {{.PersistentKeepalive}}{{end}}
|
||||||
|
{{end}}
|
||||||
|
`
|
||||||
|
|
||||||
|
func (t *Tunnel) Render(w io.Writer) error {
|
||||||
|
tmp, err := template.New("wireguard").Funcs(template.FuncMap{
|
||||||
|
"joinIPs": joinIPs,
|
||||||
|
}).Parse(confFmt)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "parse template")
|
||||||
|
}
|
||||||
|
if err := tmp.Execute(w, t); err != nil {
|
||||||
|
return errors.Wrap(err, "execute template")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func joinIPs(ips []string) string {
|
||||||
|
return strings.Join(ips, ", ")
|
||||||
|
}
|
221
main.go
Normal file
221
main.go
Normal file
|
@ -0,0 +1,221 @@
|
||||||
|
/*
|
||||||
|
Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person
|
||||||
|
obtaining a copy of this software and associated documentation
|
||||||
|
files (the "Software"), to deal in the Software without
|
||||||
|
restriction, including without limitation the rights to use, copy,
|
||||||
|
modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be
|
||||||
|
included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
EXPRESS OR IMPLIED,
|
||||||
|
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
TORT OR OTHERWISE,
|
||||||
|
ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"os/signal"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
|
v1 "github.com/crosbymichael/guard/api/v1"
|
||||||
|
"github.com/getsentry/raven-go"
|
||||||
|
grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/sirupsen/logrus"
|
||||||
|
"github.com/urfave/cli"
|
||||||
|
"google.golang.org/grpc"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
app := cli.NewApp()
|
||||||
|
app.Name = "guard"
|
||||||
|
app.Version = "1"
|
||||||
|
app.Usage = "Wireguard grpc server"
|
||||||
|
app.Flags = []cli.Flag{
|
||||||
|
cli.BoolFlag{
|
||||||
|
Name: "debug",
|
||||||
|
Usage: "enable debug output in the logs",
|
||||||
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "address,a",
|
||||||
|
Usage: "grpc address",
|
||||||
|
Value: "127.0.0.1:10100",
|
||||||
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "sentry-dsn",
|
||||||
|
Usage: "sentry DSN",
|
||||||
|
EnvVar: "SENTRY_DSN",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
app.Before = func(clix *cli.Context) error {
|
||||||
|
if clix.GlobalBool("debug") {
|
||||||
|
logrus.SetLevel(logrus.DebugLevel)
|
||||||
|
}
|
||||||
|
if dsn := clix.GlobalString("sentry-dsn"); dsn != "" {
|
||||||
|
raven.SetDSN(dsn)
|
||||||
|
raven.DefaultClient.SetRelease(app.Version)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
app.Commands = []cli.Command{
|
||||||
|
createCommand,
|
||||||
|
deleteCommand,
|
||||||
|
serverCommand,
|
||||||
|
}
|
||||||
|
if err := app.Run(os.Args); err != nil {
|
||||||
|
fmt.Fprintln(os.Stderr, err)
|
||||||
|
raven.CaptureErrorAndWait(err, nil)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var serverCommand = cli.Command{
|
||||||
|
Name: "server",
|
||||||
|
Description: "run the wireguard grpc server",
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "dir",
|
||||||
|
Usage: "wireguard configuration directory",
|
||||||
|
Value: defaultWireguardDir,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Action: func(clix *cli.Context) error {
|
||||||
|
if os.Geteuid() != 0 {
|
||||||
|
return errors.New("grpc server must run as root")
|
||||||
|
}
|
||||||
|
wg, err := newServer(clix.String("dir"))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
server := newGRPC()
|
||||||
|
|
||||||
|
v1.RegisterWireguardServer(server, wg)
|
||||||
|
|
||||||
|
signals := make(chan os.Signal, 32)
|
||||||
|
signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
|
||||||
|
go func() {
|
||||||
|
<-signals
|
||||||
|
server.Stop()
|
||||||
|
}()
|
||||||
|
l, err := net.Listen("tcp", clix.GlobalString("address"))
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "listen tcp")
|
||||||
|
}
|
||||||
|
defer l.Close()
|
||||||
|
return server.Serve(l)
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
var createCommand = cli.Command{
|
||||||
|
Name: "create",
|
||||||
|
Description: "create a new tunnel",
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "address,a",
|
||||||
|
Usage: "cidr for the tunnel address",
|
||||||
|
},
|
||||||
|
cli.UintFlag{
|
||||||
|
Name: "port,p",
|
||||||
|
Usage: "listen port for the tunnel",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Action: func(clix *cli.Context) error {
|
||||||
|
conn, err := grpc.Dial(clix.GlobalString("address"), grpc.WithInsecure())
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "dial server")
|
||||||
|
}
|
||||||
|
defer conn.Close()
|
||||||
|
|
||||||
|
var (
|
||||||
|
ctx = cancelContext()
|
||||||
|
client = v1.NewWireguardClient(conn)
|
||||||
|
)
|
||||||
|
|
||||||
|
r, err := client.Create(ctx, &v1.CreateRequest{
|
||||||
|
ID: clix.Args().First(),
|
||||||
|
Address: clix.String("address"),
|
||||||
|
ListenPort: uint32(clix.Uint("port")),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return json.NewEncoder(os.Stdout).Encode(r.Tunnel)
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
var deleteCommand = cli.Command{
|
||||||
|
Name: "delete",
|
||||||
|
Description: "delete a tunnel",
|
||||||
|
Action: func(clix *cli.Context) error {
|
||||||
|
conn, err := grpc.Dial(clix.GlobalString("address"), grpc.WithInsecure())
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "dial server")
|
||||||
|
}
|
||||||
|
defer conn.Close()
|
||||||
|
|
||||||
|
var (
|
||||||
|
ctx = cancelContext()
|
||||||
|
client = v1.NewWireguardClient(conn)
|
||||||
|
)
|
||||||
|
if _, err := client.Delete(ctx, &v1.DeleteRequest{
|
||||||
|
ID: clix.Args().First(),
|
||||||
|
}); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
func newGRPC() *grpc.Server {
|
||||||
|
s := grpc.NewServer(
|
||||||
|
grpc.UnaryInterceptor(unary),
|
||||||
|
grpc.StreamInterceptor(stream),
|
||||||
|
)
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
func unary(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
|
||||||
|
r, err := grpc_prometheus.UnaryServerInterceptor(ctx, req, info, handler)
|
||||||
|
if err != nil {
|
||||||
|
raven.CaptureError(err, nil)
|
||||||
|
}
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func stream(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
||||||
|
err := grpc_prometheus.StreamServerInterceptor(srv, ss, info, handler)
|
||||||
|
if err != nil {
|
||||||
|
raven.CaptureError(err, nil)
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func cancelContext() context.Context {
|
||||||
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
|
s := make(chan os.Signal)
|
||||||
|
signal.Notify(s, syscall.SIGTERM, syscall.SIGINT)
|
||||||
|
go func() {
|
||||||
|
<-s
|
||||||
|
cancel()
|
||||||
|
}()
|
||||||
|
return ctx
|
||||||
|
}
|
177
server.go
Normal file
177
server.go
Normal file
|
@ -0,0 +1,177 @@
|
||||||
|
/*
|
||||||
|
Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person
|
||||||
|
obtaining a copy of this software and associated documentation
|
||||||
|
files (the "Software"), to deal in the Software without
|
||||||
|
restriction, including without limitation the rights to use, copy,
|
||||||
|
modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be
|
||||||
|
included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
EXPRESS OR IMPLIED,
|
||||||
|
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
TORT OR OTHERWISE,
|
||||||
|
ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"os/exec"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
|
v1 "github.com/crosbymichael/guard/api/v1"
|
||||||
|
"github.com/gogo/protobuf/types"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
var empty = &types.Empty{}
|
||||||
|
|
||||||
|
const defaultWireguardDir = "/etc/wireguard"
|
||||||
|
|
||||||
|
func newServer(dir string) (*server, error) {
|
||||||
|
if err := os.MkdirAll(defaultWireguardDir, 0700); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "create wireguard dir")
|
||||||
|
}
|
||||||
|
return &server{
|
||||||
|
dir: dir,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type server struct {
|
||||||
|
dir string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *server) Create(ctx context.Context, r *v1.CreateRequest) (*v1.CreateResponse, error) {
|
||||||
|
if r.ID == "" {
|
||||||
|
return nil, errors.New("tunnel id cannot be empty")
|
||||||
|
}
|
||||||
|
if r.Address == "" {
|
||||||
|
return nil, errors.New("address cannot be empty")
|
||||||
|
}
|
||||||
|
if r.ListenPort == 0 {
|
||||||
|
return nil, errors.New("listen port cannot be 0")
|
||||||
|
}
|
||||||
|
path := filepath.Join(s.dir, r.ID)
|
||||||
|
if err := os.Mkdir(path, 0700); err != nil {
|
||||||
|
if os.IsExist(err) {
|
||||||
|
return nil, errors.New("tunnel already exists")
|
||||||
|
}
|
||||||
|
return nil, errors.Wrap(err, "create tunnel directory")
|
||||||
|
}
|
||||||
|
key, err := newPrivateKey(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
t := v1.Tunnel{
|
||||||
|
ID: r.ID,
|
||||||
|
ListenPort: r.ListenPort,
|
||||||
|
Address: r.Address,
|
||||||
|
PrivateKey: key,
|
||||||
|
}
|
||||||
|
|
||||||
|
dataPath := filepath.Join(path, "tunnel.json")
|
||||||
|
if err := saveTunnel(dataPath, &t); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := s.saveConf(&t); err != nil {
|
||||||
|
os.RemoveAll(path)
|
||||||
|
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := wgquick(ctx, "enable", t.ID); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "enable tunnel")
|
||||||
|
}
|
||||||
|
if err := wgquick(ctx, "start", t.ID); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "start tunnel")
|
||||||
|
}
|
||||||
|
return &v1.CreateResponse{
|
||||||
|
Tunnel: &t,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *server) Delete(ctx context.Context, r *v1.DeleteRequest) (*types.Empty, error) {
|
||||||
|
if r.ID == "" {
|
||||||
|
return nil, errors.New("tunnel id cannot be empty")
|
||||||
|
}
|
||||||
|
path := filepath.Join(s.dir, r.ID)
|
||||||
|
if err := wgquick(ctx, "disable", r.ID); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "disable tunnel")
|
||||||
|
}
|
||||||
|
if err := wgquick(ctx, "stop", r.ID); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "stop tunnel")
|
||||||
|
}
|
||||||
|
if err := os.RemoveAll(path); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "remove data path")
|
||||||
|
}
|
||||||
|
if err := os.Remove(filepath.Join(s.dir, fmt.Sprintf("%s.conf", r.ID))); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "remove configuration")
|
||||||
|
}
|
||||||
|
return empty, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *server) List(ctx context.Context, _ *types.Empty) (*v1.ListResponse, error) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *server) saveConf(t *v1.Tunnel) error {
|
||||||
|
path := filepath.Join(s.dir, fmt.Sprintf("%s.conf", t.ID))
|
||||||
|
f, err := os.OpenFile(path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "create tunnel conf %s", path)
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
if err := t.Render(f); err != nil {
|
||||||
|
return errors.Wrap(err, "render tunnel to config")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func saveTunnel(path string, t *v1.Tunnel) error {
|
||||||
|
f, err := os.OpenFile(path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "create data.json")
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
if err := json.NewEncoder(f).Encode(t); err != nil {
|
||||||
|
return errors.Wrap(err, "encode tunnel")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func newPrivateKey(ctx context.Context) (string, error) {
|
||||||
|
data, err := wireguard(ctx, "genkey")
|
||||||
|
if err != nil {
|
||||||
|
return "", errors.Wrapf(err, "%s", data)
|
||||||
|
}
|
||||||
|
return string(data), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func wireguard(ctx context.Context, args ...string) ([]byte, error) {
|
||||||
|
cmd := exec.CommandContext(ctx, "wg", args...)
|
||||||
|
return cmd.CombinedOutput()
|
||||||
|
}
|
||||||
|
|
||||||
|
func wgquick(ctx context.Context, action, name string) error {
|
||||||
|
cmd := exec.CommandContext(ctx, "systemctl", action, fmt.Sprintf("wg-quick@%s", name))
|
||||||
|
out, err := cmd.CombinedOutput()
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "%s", out)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
28
template.go
Normal file
28
template.go
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
/*
|
||||||
|
Copyright (c) 2019 @crosbymichael
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person
|
||||||
|
obtaining a copy of this software and associated documentation
|
||||||
|
files (the "Software"), to deal in the Software without
|
||||||
|
restriction, including without limitation the rights to use, copy,
|
||||||
|
modify, merge, publish, distribute, sublicense, and/or sell copies
|
||||||
|
of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be
|
||||||
|
included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
EXPRESS OR IMPLIED,
|
||||||
|
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
||||||
|
HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
DAMAGES OR OTHER LIABILITY,
|
||||||
|
WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
TORT OR OTHERWISE,
|
||||||
|
ARISING FROM, OUT OF OR IN CONNECTION WITH
|
||||||
|
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package main
|
Loading…
Reference in a new issue