static endpoint auth codes

2 years ago · 9a6bfe6013
parent 1dfed9e061
commit 9a6bfe6013
5 changed files with 52 additions and 16 deletions
--- a/llarp/config/config.cpp
+++ b/llarp/config/config.cpp
@ -366,6 +366,16 @@ namespace llarp
          m_AuthWhitelist.emplace(std::move(addr));
        });

+    conf.defineOption<std::string>(
+        "network",
+        "auth-static",
+        ClientOnly,
+        MultiValue,
+        Comment{
+            "manually add a static auth code to accept for endpoint auth",
+        },
+        [this](std::string arg) { m_AuthStaticTokens.emplace(std::move(arg)); });
+
    conf.defineOption<bool>(
        "network",
        "reachable",
--- a/llarp/config/config.hpp
+++ b/llarp/config/config.hpp
@ -118,6 +118,7 @@ namespace llarp
    std::optional<std::string> m_AuthUrl;
    std::optional<std::string> m_AuthMethod;
    std::unordered_set<service::Address> m_AuthWhitelist;
+    std::unordered_set<std::string> m_AuthStaticTokens;

    std::vector<llarp::dns::SRVData> m_SRVRecords;

--- a/llarp/handlers/tun.cpp
+++ b/llarp/handlers/tun.cpp
@ -183,7 +183,12 @@ namespace llarp
          method = *conf.m_AuthMethod;
        }
        auto auth = std::make_shared<rpc::EndpointAuthRPC>(
-            url, method, conf.m_AuthWhitelist, Router()->lmq(), shared_from_this());
+            url,
+            method,
+            conf.m_AuthWhitelist,
+            conf.m_AuthStaticTokens,
+            Router()->lmq(),
+            shared_from_this());
        auth->Start();
        m_AuthPolicy = std::move(auth);
      }
--- a/llarp/rpc/endpoint_rpc.cpp
+++ b/llarp/rpc/endpoint_rpc.cpp
@ -6,14 +6,16 @@ namespace llarp::rpc
  EndpointAuthRPC::EndpointAuthRPC(
      std::string url,
      std::string method,
-      Whitelist_t whitelist,
+      Whitelist_t whitelist_addrs,
+      std::unordered_set<std::string> whitelist_tokens,
      LMQ_ptr lmq,
      Endpoint_ptr endpoint)
-      : m_AuthURL(std::move(url))
-      , m_AuthMethod(std::move(method))
-      , m_AuthWhitelist(std::move(whitelist))
-      , m_LMQ(std::move(lmq))
-      , m_Endpoint(std::move(endpoint))
+      : m_AuthURL{std::move(url)}
+      , m_AuthMethod{std::move(method)}
+      , m_AuthWhitelist{std::move(whitelist_addrs)}
+      , m_AuthStaticTokens{std::move(whitelist_tokens)}
+      , m_LMQ{std::move(lmq)}
+      , m_Endpoint{std::move(endpoint)}
  {}

  void
@ -57,13 +59,6 @@ namespace llarp::rpc
      reply(service::AuthResult{service::AuthResultCode::eAuthAccepted, "explicitly whitelisted"});
      return;
    }
-    if (not m_Conn.has_value())
-    {
-      // we don't have a connection to the backend so it's failed
-      reply(service::AuthResult{
-          service::AuthResultCode::eAuthFailed, "remote has no connection to auth backend"});
-      return;
-    }

    if (msg->proto != llarp::service::ProtocolType::Auth)
    {
@ -72,9 +67,32 @@ namespace llarp::rpc
      return;
    }

+    std::string payload{(char*)msg->payload.data(), msg->payload.size()};
+
+    if (m_AuthStaticTokens.count(payload))
+    {
+      reply(service::AuthResult{service::AuthResultCode::eAuthAccepted, "explicitly whitelisted"});
+      return;
+    }
+
+    if (not m_Conn.has_value())
+    {
+      if (m_AuthStaticTokens.empty())
+      {
+        // we don't have a connection to the backend so it's failed
+        reply(service::AuthResult{
+            service::AuthResultCode::eAuthFailed, "remote has no connection to auth backend"});
+      }
+      else
+      {
+        // static auth mode
+        reply(service::AuthResult{service::AuthResultCode::eAuthRejected, "access not permitted"});
+      }
+      return;
+    }
+
    const auto authinfo = msg->EncodeAuthInfo();
    std::string_view metainfo{authinfo.data(), authinfo.size()};
-    std::string_view payload{(char*)msg->payload.data(), msg->payload.size()};
    // call method with 2 parameters: metainfo and userdata
    m_LMQ->request(
        *m_Conn,
--- a/llarp/rpc/endpoint_rpc.hpp
+++ b/llarp/rpc/endpoint_rpc.hpp
@ -20,7 +20,8 @@ namespace llarp::rpc
    explicit EndpointAuthRPC(
        std::string url,
        std::string method,
-        Whitelist_t whitelist,
+        Whitelist_t addr_whitelist,
+        std::unordered_set<std::string> token_whitelist,
        LMQ_ptr lmq,
        Endpoint_ptr endpoint);
    virtual ~EndpointAuthRPC() = default;
@ -40,6 +41,7 @@ namespace llarp::rpc
    const std::string m_AuthURL;
    const std::string m_AuthMethod;
    const Whitelist_t m_AuthWhitelist;
+    const std::unordered_set<std::string> m_AuthStaticTokens;
    LMQ_ptr m_LMQ;
    Endpoint_ptr m_Endpoint;
    std::optional<oxenmq::ConnectionID> m_Conn;