wip(api,agent,ssh): devices

Author: heiytor

api/routes/sshkeys.go

@@ -160,7 +160,7 @@ func (h *Handler) EvaluateKey(c gateway.Context) error {
 		return c.JSON(http.StatusForbidden, err)
 	}
 
-	pubKey, err := h.service.GetPublicKey(c.Ctx(), c.Param(ParamPublicKeyFingerprint), device.TenantID)
+	pubKey, err := h.service.GetPublicKey(c.Ctx(), c.Param(ParamPublicKeyFingerprint), device.NamespaceID)
 	if err != nil {
 		return c.JSON(http.StatusForbidden, err)
 	}

api/services/auth.go

@@ -68,119 +68,75 @@ type AuthService interface {
 }
 
 func (s *service) AuthDevice(ctx context.Context, req requests.DeviceAuth, remoteAddr string) (*models.DeviceAuthResponse, error) {
-	var identity *models.DeviceIdentity
-	if req.Identity != nil {
-		identity = &models.DeviceIdentity{
-			MAC: req.Identity.MAC,
-		}
+	if _, err := s.store.NamespaceGet(ctx, store.NamespaceIdentID, req.TenantID); err != nil {
+		return nil, NewErrNamespaceNotFound(req.TenantID, err)
 	}
 
-	var hostname string
-	if req.Hostname != "" {
-		hostname = req.Hostname
-	}
+	if req.Hostname == "" {
+		if req.Identity == nil || req.Identity.MAC == "" {
+			return nil, NewErrAuthDeviceNoIdentityAndHostname()
+		}
 
-	if hostname == "" && (identity == nil || identity.MAC == "") {
-		return nil, NewErrAuthDeviceNoIdentityAndHostname()
+		req.Hostname = req.Identity.MAC
 	}
 
 	auth := models.DeviceAuth{
-		Hostname:  hostname,
-		Identity:  identity,
+		Hostname:  req.Hostname,
+		Identity:  &models.DeviceIdentity{MAC: req.Identity.MAC},
 		PublicKey: req.PublicKey,
 		TenantID:  req.TenantID,
 	}
 
-	uid := sha256.Sum256(structhash.Dump(auth, 1))
-	key := hex.EncodeToString(uid[:])
-
-	claims := authorizer.DeviceClaims{
-		UID:      key,
-		TenantID: req.TenantID,
-	}
-
-	token, err := jwttoken.EncodeDeviceClaims(claims, s.privKey)
+	uidSHA := sha256.Sum256(structhash.Dump(auth, 1))
+	device, err := s.store.DeviceGet(ctx, models.UID(hex.EncodeToString(uidSHA[:])))
 	if err != nil {
-		return nil, NewErrTokenSigned(err)
-	}
-
-	type Device struct {
-		Name      string
-		Namespace string
-	}
-
-	var value *Device
-
-	if err := s.cache.Get(ctx, strings.Join([]string{"auth_device", key}, "/"), &value); err == nil && value != nil {
-		return &models.DeviceAuthResponse{
-			UID:       key,
-			Token:     token,
-			Name:      value.Name,
-			Namespace: value.Namespace,
-		}, nil
-	}
-	var info *models.DeviceInfo
-	if req.Info != nil {
-		info = &models.DeviceInfo{
-			ID:         req.Info.ID,
-			PrettyName: req.Info.PrettyName,
-			Version:    req.Info.Version,
-			Arch:       req.Info.Arch,
-			Platform:   req.Info.Platform,
+		if err != store.ErrNoDocuments {
+			return nil, err
 		}
-	}
 
-	position, err := s.locator.GetPosition(net.ParseIP(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-
-	device := models.Device{
-		UID:        key,
-		Identity:   identity,
-		Info:       info,
-		PublicKey:  req.PublicKey,
-		TenantID:   req.TenantID,
-		LastSeen:   clock.Now(),
-		RemoteAddr: remoteAddr,
-		Position: &models.DevicePosition{
-			Longitude: position.Longitude,
-			Latitude:  position.Latitude,
-		},
-	}
-
-	// The order here is critical as we don't want to register devices if the tenant id is invalid
-	namespace, err := s.store.NamespaceGet(ctx, store.NamespaceIdentID, device.TenantID)
-	if err != nil {
-		return nil, NewErrNamespaceNotFound(device.TenantID, err)
-	}
+		position, err := s.locator.GetPosition(net.ParseIP(remoteAddr))
+		if err != nil {
+			return nil, err
+		}
 
-	hostname = strings.ToLower(hostname)
+		device = &models.Device{
+			ID:             hex.EncodeToString(uidSHA[:]),
+			NamespaceID:    req.TenantID,
+			SeenAt:         clock.Now(),
+			DisconnectedAt: time.Time{},
+			Status:         models.DeviceStatusPending,
+			Name:           req.Hostname,
+			MAC:            req.Identity.MAC,
+			PublicKey:      req.PublicKey,
+			Position: &models.DevicePosition{
+				Longitude: position.Longitude,
+				Latitude:  position.Latitude,
+			},
+			Info: nil,
+		}
 
-	if err := s.store.DeviceCreate(ctx, device, hostname); err != nil {
-		return nil, NewErrDeviceCreate(device, err)
-	}
+		if req.Info != nil {
+			device.Info = &models.DeviceInfo{
+				ID:         req.Info.ID,
+				PrettyName: req.Info.PrettyName,
+				Version:    req.Info.Version,
+				Arch:       req.Info.Arch,
+				Platform:   req.Info.Platform,
+			}
+		}
 
-	for _, uid := range req.Sessions {
-		if err := s.store.SessionSetLastSeen(ctx, models.UID(uid)); err != nil {
-			continue
+		if _, err := s.store.DeviceCreate(ctx, device); err != nil {
+			return nil, NewErrDeviceCreate(*device, err)
 		}
 	}
 
-	dev, err := s.store.DeviceGetByUID(ctx, models.UID(device.UID), device.TenantID)
+	claims := authorizer.DeviceClaims{UID: device.ID, TenantID: device.NamespaceID}
+	token, err := jwttoken.EncodeDeviceClaims(claims, s.privKey)
 	if err != nil {
-		return nil, NewErrDeviceNotFound(models.UID(device.UID), err)
-	}
-	if err := s.cache.Set(ctx, strings.Join([]string{"auth_device", key}, "/"), &Device{Name: dev.Name, Namespace: namespace.Name}, time.Second*30); err != nil {
-		return nil, err
+		return nil, NewErrTokenSigned(err)
 	}
 
-	return &models.DeviceAuthResponse{
-		UID:       key,
-		Token:     token,
-		Name:      dev.Name,
-		Namespace: namespace.Name,
-	}, nil
+	return &models.DeviceAuthResponse{UID: device.ID, Token: token, Name: device.Name, Namespace: "dev"}, nil
 }
 
 func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser, sourceIP string) (*models.UserAuthResponse, int64, string, error) {