Add peer add and delete support

api/v1/guard.proto

@@ -8,9 +8,11 @@ import "google/protobuf/empty.proto";
 option go_package = "github.com/crosbymichael/guard/api/v1;v1";
 
 service Wireguard {
-	rpc Create(CreateRequest) returns (CreateResponse);
+	rpc Create(CreateRequest) returns (TunnelResponse);
 	rpc Delete(DeleteRequest) returns (google.protobuf.Empty);
 	rpc List(google.protobuf.Empty) returns (ListResponse);
+	rpc AddPeer(AddPeerRequest) returns (TunnelResponse);
+	rpc DeletePeer(DeletePeerRequest) returns (TunnelResponse);
 }
 
 message CreateRequest {
@@ -19,10 +21,20 @@ message CreateRequest {
 	string address = 3;
 }
 
-message CreateResponse {
+message TunnelResponse {
 	Tunnel tunnel = 1;
 }
 
+message AddPeerRequest {
+	string id = 1 [(gogoproto.customname) = "ID"];
+	Peer peer = 2;
+}
+
+message DeletePeerRequest {
+	string id = 1 [(gogoproto.customname) = "ID"];
+	string peer_id = 2 [(gogoproto.customname) = "PeerID"];
+}
+
 message DeleteRequest {
 	string id = 1 [(gogoproto.customname) = "ID"];
 }
@@ -42,11 +54,11 @@ message Tunnel {
 }
 
 message Peer {
-	string public_key = 1;
+	string id = 1 [(gogoproto.customname) = "ID"];
-	repeated string allowed_ips = 2 [(gogoproto.customname) = "AllowedIPs"];
+	string public_key = 2;
-	string endpoint = 3;
+	repeated string allowed_ips = 3 [(gogoproto.customname) = "AllowedIPs"];
-	uint32 persistent_keepalive = 4;
+	string endpoint = 4;
-	string comment = 5;
+	uint32 persistent_keepalive = 5;
 }
 
 message Masquerade {

api/v1/tunnel.go

@@ -47,7 +47,7 @@ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -
 {{end}}
 
 {{range $peer := .Peers -}}
-# {{$peer.Comment}}
+# {{$peer.ID}}
 [Peer]
 PublicKey = {{$peer.PublicKey}}
 AllowedIPs = {{joinIPs $peer.AllowedIPs}}

main.go

@@ -82,6 +82,7 @@ func main() {
 		deleteCommand,
 		listCommand,
 		serverCommand,
+		peersCommand,
 	}
 	if err := app.Run(os.Args); err != nil {
 		fmt.Fprintln(os.Stderr, err)
@@ -193,6 +194,89 @@ var listCommand = cli.Command{
 	},
 }
 
+var peersCommand = cli.Command{
+	Name:        "peers",
+	Description: "manage peers",
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "tunnel,t",
+			Usage: "tunnel name",
+		},
+	},
+	Subcommands: []cli.Command{
+		{
+			Name:        "add",
+			Description: "add a peer",
+			Flags: []cli.Flag{
+				cli.StringFlag{
+					Name:  "key,k",
+					Usage: "public key",
+				},
+				cli.StringFlag{
+					Name:  "ip,i",
+					Usage: "ip cidr for the peer",
+				},
+			},
+			Action: func(clix *cli.Context) error {
+				conn, err := grpc.Dial(clix.GlobalString("address"), grpc.WithInsecure())
+				if err != nil {
+					return errors.Wrap(err, "dial server")
+				}
+				defer conn.Close()
+
+				var (
+					ctx    = cancelContext()
+					client = v1.NewWireguardClient(conn)
+				)
+
+				r, err := client.AddPeer(ctx, &v1.AddPeerRequest{
+					ID: clix.GlobalString("tunnel"),
+					Peer: &v1.Peer{
+						ID:        clix.Args().First(),
+						PublicKey: clix.String("key"),
+						AllowedIPs: []string{
+							clix.String("ip"),
+						},
+					},
+				})
+				if err != nil {
+					return err
+				}
+				enc := json.NewEncoder(os.Stdout)
+				enc.SetIndent("", " ")
+				return enc.Encode(r.Tunnel)
+			},
+		},
+		{
+			Name:        "delete",
+			Description: "delete a peer",
+			Action: func(clix *cli.Context) error {
+				conn, err := grpc.Dial(clix.GlobalString("address"), grpc.WithInsecure())
+				if err != nil {
+					return errors.Wrap(err, "dial server")
+				}
+				defer conn.Close()
+
+				var (
+					ctx    = cancelContext()
+					client = v1.NewWireguardClient(conn)
+				)
+
+				r, err := client.DeletePeer(ctx, &v1.DeletePeerRequest{
+					ID:     clix.GlobalString("tunnel"),
+					PeerID: clix.Args().First(),
+				})
+				if err != nil {
+					return err
+				}
+				enc := json.NewEncoder(os.Stdout)
+				enc.SetIndent("", " ")
+				return enc.Encode(r.Tunnel)
+			},
+		},
+	},
+}
+
 var deleteCommand = cli.Command{
 	Name:        "delete",
 	Description: "delete a tunnel",

server.go

@@ -44,7 +44,10 @@ import (
 
 var empty = &types.Empty{}
 
-const defaultWireguardDir = "/etc/wireguard"
+const (
+	defaultWireguardDir = "/etc/wireguard"
+	tunnelData          = "tunnel.json"
+)
 
 func newServer(dir string) (*server, error) {
 	if err := os.MkdirAll(defaultWireguardDir, 0700); err != nil {
@@ -59,7 +62,7 @@ type server struct {
 	dir string
 }
 
-func (s *server) Create(ctx context.Context, r *v1.CreateRequest) (*v1.CreateResponse, error) {
+func (s *server) Create(ctx context.Context, r *v1.CreateRequest) (*v1.TunnelResponse, error) {
 	if r.ID == "" {
 		return nil, errors.New("tunnel id cannot be empty")
 	}
@@ -87,8 +90,7 @@ func (s *server) Create(ctx context.Context, r *v1.CreateRequest) (*v1.CreateRes
 		PrivateKey: key,
 	}
 
-	dataPath := filepath.Join(path, "tunnel.json")
+	if err := s.saveTunnel(&t); err != nil {
-	if err := saveTunnel(dataPath, &t); err != nil {
 		return nil, err
 	}
 	if err := s.saveConf(&t); err != nil {
@@ -102,11 +104,67 @@ func (s *server) Create(ctx context.Context, r *v1.CreateRequest) (*v1.CreateRes
 	if err := wgquick(ctx, "start", t.ID); err != nil {
 		return nil, errors.Wrap(err, "start tunnel")
 	}
-	return &v1.CreateResponse{
+	return &v1.TunnelResponse{
 		Tunnel: &t,
 	}, nil
 }
 
+func (s *server) AddPeer(ctx context.Context, r *v1.AddPeerRequest) (*v1.TunnelResponse, error) {
+	if r.ID == "" {
+		return nil, errors.New("tunnel id cannot be empty")
+	}
+	t, err := s.loadTunnel(r.ID)
+	if err != nil {
+		return nil, err
+	}
+	t.Peers = append(t.Peers, r.Peer)
+
+	if err := s.saveTunnel(t); err != nil {
+		return nil, err
+	}
+	if err := s.saveConf(t); err != nil {
+		return nil, err
+	}
+	if err := wgquick(ctx, "restart", t.ID); err != nil {
+		return nil, errors.Wrap(err, "restart tunnel")
+	}
+	return &v1.TunnelResponse{
+		Tunnel: t,
+	}, nil
+}
+
+func (s *server) DeletePeer(ctx context.Context, r *v1.DeletePeerRequest) (*v1.TunnelResponse, error) {
+	if r.ID == "" {
+		return nil, errors.New("tunnel id cannot be empty")
+	}
+	if r.PeerID == "" {
+		return nil, errors.New("peer id cannot be empty")
+	}
+	t, err := s.loadTunnel(r.ID)
+	if err != nil {
+		return nil, err
+	}
+	var peers []*v1.Peer
+	for _, p := range t.Peers {
+		if p.ID != r.PeerID {
+			peers = append(peers, p)
+		}
+	}
+	t.Peers = peers
+	if err := s.saveTunnel(t); err != nil {
+		return nil, err
+	}
+	if err := s.saveConf(t); err != nil {
+		return nil, err
+	}
+	if err := wgquick(ctx, "restart", t.ID); err != nil {
+		return nil, errors.Wrap(err, "restart tunnel")
+	}
+	return &v1.TunnelResponse{
+		Tunnel: t,
+	}, nil
+}
+
 func (s *server) Delete(ctx context.Context, r *v1.DeleteRequest) (*types.Empty, error) {
 	if r.ID == "" {
 		return nil, errors.New("tunnel id cannot be empty")
@@ -137,15 +195,11 @@ func (s *server) List(ctx context.Context, _ *types.Empty) (*v1.ListResponse, er
 		if !f.IsDir() {
 			continue
 		}
-		data, err := ioutil.ReadFile(filepath.Join(s.dir, f.Name(), "tunnel.json"))
+		t, err := s.loadTunnel(f.Name())
 		if err != nil {
-			return nil, errors.Wrapf(err, "read %s", f.Name())
+			return nil, err
 		}
-		var t v1.Tunnel
+		r.Tunnels = append(r.Tunnels, t)
-		if err := json.Unmarshal(data, &t); err != nil {
-			return nil, errors.Wrap(err, "unmarshal tunnel")
-		}
-		r.Tunnels = append(r.Tunnels, &t)
 	}
 	return &r, nil
 }
@@ -163,7 +217,20 @@ func (s *server) saveConf(t *v1.Tunnel) error {
 	return nil
 }
 
-func saveTunnel(path string, t *v1.Tunnel) error {
+func (s *server) loadTunnel(id string) (*v1.Tunnel, error) {
+	data, err := ioutil.ReadFile(filepath.Join(s.dir, id, tunnelData))
+	if err != nil {
+		return nil, errors.Wrapf(err, "read %s", id)
+	}
+	var t v1.Tunnel
+	if err := json.Unmarshal(data, &t); err != nil {
+		return nil, errors.Wrap(err, "unmarshal tunnel")
+	}
+	return &t, nil
+}
+
+func (s *server) saveTunnel(t *v1.Tunnel) error {
+	path := filepath.Join(s.dir, t.ID, tunnelData)
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 	if err != nil {
 		return errors.Wrap(err, "create data.json")