more

4 years ago · a42d3d51c3
parent 1e8368b636
commit a42d3d51c3
8 changed files with 61 additions and 8 deletions
--- a/llarp/CMakeLists.txt
+++ b/llarp/CMakeLists.txt
@ -176,8 +176,10 @@ add_library(liblokinet
  routing/transfer_traffic_message.cpp
  rpc/lokid_rpc_client.cpp
  rpc/rpc_server.cpp
+  rpc/endpoint_rpc.cpp
  service/address.cpp
  service/async_key_exchange.cpp
+  service/auth.cpp
  service/context.cpp
  service/endpoint_state.cpp
  service/endpoint_util.cpp
--- a/llarp/config/config.cpp
+++ b/llarp/config/config.cpp
@ -165,6 +165,18 @@ namespace llarp

    conf.defineOption<std::string>("network", "keyfile", false, "", AssignmentAcceptor(m_keyfile));

+    conf.defineOption<std::string>("network", "auth-url", false, "", [this](std::string arg) {
+      if (arg.empty())
+        return;
+      m_AuthUrl = std::move(arg);
+    });
+
+    conf.defineOption<std::string>("network", "auth-method", false, "", [this](std::string arg) {
+      if (arg.empty())
+        return;
+      m_AuthMethod = std::move(arg);
+    });
+
    conf.defineOption<bool>(
        "network", "reachable", false, ReachableDefault, AssignmentAcceptor(m_reachable));

@ -191,7 +203,7 @@ namespace llarp
      m_exitNode = exit;
    });

-    conf.defineOption<std::string>("network", "mapaddr", false, "", [this](std::string arg) {
+    conf.defineOption<std::string>("network", "mapaddr", false, true, "", [this](std::string arg) {
      if (arg.empty())
        return;
      huint128_t ip;
@ -906,6 +918,20 @@ namespace llarp
            "on the server and may pose liability concerns. Enable at your own risk.",
        });

+    def.addOptionComments(
+        "network",
+        "auth-url",
+        {
+            "lmq endpoint to talk to for authenticating new sessions",
+        });
+
+    def.addOptionComments(
+        "network",
+        "auth-method",
+        {
+            "lmq function to call for authenticating new sessions",
+        });
+
    // TODO: define the order of precedence (e.g. is whitelist applied before blacklist?)
    //       additionally, what's default? What if I don't whitelist anything?
    def.addOptionComments(
--- a/llarp/config/config.hpp
+++ b/llarp/config/config.hpp
@ -82,6 +82,9 @@ namespace llarp
    std::optional<service::Address> m_exitNode;
    std::unordered_map<huint128_t, service::Address> m_mapAddrs;

+    std::optional<std::string> m_AuthUrl;
+    std::optional<std::string> m_AuthMethod;
+
    // TODO:
    // on-up
    // on-down
--- a/llarp/handlers/tun.cpp
+++ b/llarp/handlers/tun.cpp
@ -17,6 +17,7 @@
 #include <util/meta/memfn.hpp>
 #include <util/thread/logic.hpp>
 #include <nodedb.hpp>
+#include <rpc/endpoint_rpc.hpp>

 #include <util/str.hpp>

@ -114,6 +115,14 @@ namespace llarp
        LogInfo(Name(), " setting to be not reachable by default");
      }

+      if (conf.m_AuthUrl.has_value() and conf.m_AuthMethod.has_value())
+      {
+        auto auth = std::make_shared<rpc::EndpointAuthRPC>(
+            *conf.m_AuthUrl, *conf.m_AuthMethod, Router()->lmq(), shared_from_this());
+        auth->Start();
+        m_AuthPolicy = std::move(auth);
+      }
+
      /*
       * TODO: reinstate this option (it's not even clear what section this came from...)
       *
--- a/llarp/rpc/endpoint_rpc.cpp
+++ b/llarp/rpc/endpoint_rpc.cpp
@ -5,8 +5,8 @@ namespace llarp::rpc
 {
  EndpointAuthRPC::EndpointAuthRPC(
      std::string url, std::string method, LMQ_ptr lmq, Endpoint_ptr endpoint)
-      : m_URL(std::move(url))
-      , m_Method(std::move(method))
+      : m_AuthURL(std::move(url))
+      , m_AuthMethod(std::move(method))
      , m_LMQ(std::move(lmq))
      , m_Endpoint(std::move(endpoint))
  {
@ -16,7 +16,7 @@ namespace llarp::rpc
  EndpointAuthRPC::Start()
  {
    m_LMQ->connect_remote(
-        m_URL,
+        m_AuthURL,
        [self = shared_from_this()](lokimq::ConnectionID c) {
          self->m_Conn = std::move(c);
          LogInfo("connected to endpoint auth server via ", c);
@ -29,27 +29,34 @@ namespace llarp::rpc

  void
  EndpointAuthRPC::AuthenticateAsync(
-      llarp::service::Address from, std::function<void(service::AuthResult)> hook)
+      llarp::service::Address from,
+      llarp::service::ConvoTag,
+      std::function<void(service::AuthResult)> hook)
  {
    if (not m_Conn.has_value())
    {
+      LogWarn("No connection to ", m_AuthURL);
      m_Endpoint->RouterLogic()->Call([hook]() { hook(service::AuthResult::eAuthFailed); });
      return;
    }
+    LogInfo("try auth: ", m_AuthMethod);
    // call method with 1 parameter: the loki address of the remote
-    m_LMQ->send(
+    m_LMQ->request(
        *m_Conn,
        m_AuthMethod,
-        [self = shared_from_this(), hook](bool success, std::vector<std::string> data) {
+        [self = shared_from_this(), hook, from = from.ToString()](
+            bool success, std::vector<std::string> data) {
          service::AuthResult result = service::AuthResult::eAuthFailed;
          if (success and not data.empty())
          {
+            LogInfo("auth reply: ", data[0]);
            const auto maybe = service::ParseAuthResult(data[0]);
            if (maybe.has_value())
            {
              result = *maybe;
            }
          }
+          LogInfo("auth result for ", from, " ", result);
          self->m_Endpoint->RouterLogic()->Call([hook, result]() { hook(result); });
        },
        from.ToString());
--- a/llarp/rpc/endpoint_rpc.hpp
+++ b/llarp/rpc/endpoint_rpc.hpp
@ -1,6 +1,7 @@
 #pragma once

 #include <service/auth.hpp>
+#include <lokimq/lokimq.h>

 namespace llarp::service
 {
@ -19,6 +20,9 @@ namespace llarp::rpc
        std::string url, std::string method, LMQ_ptr lmq, Endpoint_ptr endpoint);
    ~EndpointAuthRPC() = default;

+    void
+    Start();
+
    void
    AuthenticateAsync(
        llarp::service::Address from,
--- a/llarp/service/endpoint.hpp
+++ b/llarp/service/endpoint.hpp
@ -441,6 +441,7 @@ namespace llarp
      hooks::Backend_ptr m_OnReady;
      bool m_PublishIntroSet = true;
      std::unique_ptr<EndpointState> m_state;
+      std::shared_ptr<IAuthPolicy> m_AuthPolicy;

     private:
      void
@ -457,7 +458,6 @@ namespace llarp
      ConvoMap&       Sessions();
      // clang-format on
      thread::Queue<RecvDataEvent> m_RecvQueue;
-      std::shared_ptr<IAuthPolicy> m_AuthPolicy;
    };

    using Endpoint_ptr = std::shared_ptr<Endpoint>;
--- a/llarp/service/protocol.cpp
+++ b/llarp/service/protocol.cpp
@ -342,6 +342,7 @@ namespace llarp
                AuthResult result) {
              if (result == AuthResult::eAuthAccepted)
              {
+                LogInfo("Accepted Convo T=", msg->tag);
                handler->PutIntroFor(msg->tag, msg->introReply);
                handler->PutReplyIntroFor(msg->tag, fromIntro);
                handler->PutSenderFor(msg->tag, msg->sender, true);
@ -350,6 +351,7 @@ namespace llarp
              }
              else
              {
+                LogInfo("Rejected Convo T=", msg->tag);
                handler->SendAuthReject(path, from, msg->tag, result);
              }
            });