2023-01-02 13:56:10 +00:00
|
|
|
|
package client
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"encoding/base64"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
"encoding/json"
|
|
|
|
|
|
"fmt"
|
|
|
|
|
|
"os"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/jaypipes/ghw/pkg/block"
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"github.com/kairos-io/kairos-challenger/pkg/constants"
|
2023-01-24 11:03:08 +00:00
|
|
|
|
"github.com/kairos-io/kairos-challenger/pkg/payload"
|
2025-05-06 09:18:50 +00:00
|
|
|
|
"github.com/kairos-io/kairos-sdk/kcrypt/bus"
|
2023-01-18 15:02:17 +00:00
|
|
|
|
"github.com/kairos-io/tpm-helpers"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
"github.com/mudler/go-pluggable"
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"github.com/mudler/yip/pkg/utils"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
2024-01-22 17:48:12 +00:00
|
|
|
|
// Because of how go-pluggable works, we can't just print to stdout
|
|
|
|
|
|
const LOGFILE = "/tmp/kcrypt-challenger-client.log"
|
|
|
|
|
|
|
2023-01-19 13:24:33 +00:00
|
|
|
|
var errPartNotFound error = fmt.Errorf("pass for partition not found")
|
2023-02-09 08:49:32 +00:00
|
|
|
|
var errBadCertificate error = fmt.Errorf("unknown certificate")
|
2023-01-02 13:56:10 +00:00
|
|
|
|
|
|
|
|
|
|
func NewClient() (*Client, error) {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
conf, err := unmarshalConfig()
|
2023-01-02 13:56:10 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return &Client{Config: conf}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ❯ echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
|
|
|
|
|
|
func (c *Client) Start() error {
|
2024-01-22 17:48:12 +00:00
|
|
|
|
if err := os.RemoveAll(LOGFILE); err != nil { // Start fresh
|
|
|
|
|
|
return fmt.Errorf("removing the logfile: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-02 13:56:10 +00:00
|
|
|
|
factory := pluggable.NewPluginFactory()
|
|
|
|
|
|
|
|
|
|
|
|
// Input: bus.EventInstallPayload
|
|
|
|
|
|
// Expected output: map[string]string{}
|
|
|
|
|
|
factory.Add(bus.EventDiscoveryPassword, func(e *pluggable.Event) pluggable.EventResponse {
|
|
|
|
|
|
|
|
|
|
|
|
b := &block.Partition{}
|
|
|
|
|
|
err := json.Unmarshal([]byte(e.Data), b)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Error: fmt.Sprintf("failed reading partitions: %s", err.Error()),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
pass, err := c.waitPass(b, 30)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Data: pass,
|
|
|
|
|
|
}
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-01-22 17:48:12 +00:00
|
|
|
|
func (c *Client) generatePass(postEndpoint string, headers map[string]string, p *block.Partition) error {
|
2023-01-24 11:03:08 +00:00
|
|
|
|
|
|
|
|
|
|
rand := utils.RandomString(32)
|
|
|
|
|
|
pass, err := tpm.EncryptBlob([]byte(rand))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
bpass := base64.RawURLEncoding.EncodeToString(pass)
|
|
|
|
|
|
|
|
|
|
|
|
opts := []tpm.Option{
|
2023-02-09 07:52:51 +00:00
|
|
|
|
tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
|
2023-02-09 09:24:10 +00:00
|
|
|
|
tpm.AppendCustomCAToSystemCA,
|
2023-05-09 22:24:58 +00:00
|
|
|
|
tpm.WithAdditionalHeader("label", p.FilesystemLabel),
|
2023-01-24 11:03:08 +00:00
|
|
|
|
tpm.WithAdditionalHeader("name", p.Name),
|
|
|
|
|
|
tpm.WithAdditionalHeader("uuid", p.UUID),
|
|
|
|
|
|
}
|
2024-01-22 17:48:12 +00:00
|
|
|
|
for k, v := range headers {
|
|
|
|
|
|
opts = append(opts, tpm.WithAdditionalHeader(k, v))
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 11:03:08 +00:00
|
|
|
|
conn, err := tpm.Connection(postEndpoint, opts...)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 16:40:00 +00:00
|
|
|
|
func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
|
2024-01-22 17:48:12 +00:00
|
|
|
|
additionalHeaders := map[string]string{}
|
|
|
|
|
|
serverURL := c.Config.Kcrypt.Challenger.Server
|
|
|
|
|
|
|
|
|
|
|
|
// If we don't have any server configured, just do local
|
|
|
|
|
|
if serverURL == "" {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
return localPass(c.Config)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-01-22 17:48:12 +00:00
|
|
|
|
if c.Config.Kcrypt.Challenger.MDNS {
|
|
|
|
|
|
serverURL, additionalHeaders, err = queryMDNS(serverURL)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
getEndpoint := fmt.Sprintf("%s/getPass", serverURL)
|
|
|
|
|
|
postEndpoint := fmt.Sprintf("%s/postPass", serverURL)
|
2023-01-18 22:32:23 +00:00
|
|
|
|
|
2023-01-02 13:56:10 +00:00
|
|
|
|
for tries := 0; tries < attempts; tries++ {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
var generated bool
|
2024-01-22 17:48:12 +00:00
|
|
|
|
pass, generated, err = getPass(getEndpoint, additionalHeaders, c.Config.Kcrypt.Challenger.Certificate, p)
|
2023-01-24 11:03:08 +00:00
|
|
|
|
if err == errPartNotFound {
|
|
|
|
|
|
// IF server doesn't have a pass for us, then we generate one and we set it
|
2024-01-22 17:48:12 +00:00
|
|
|
|
err = c.generatePass(postEndpoint, additionalHeaders, p)
|
2023-01-24 11:03:08 +00:00
|
|
|
|
if err != nil {
|
2023-01-24 16:40:00 +00:00
|
|
|
|
return
|
2023-01-24 11:03:08 +00:00
|
|
|
|
}
|
|
|
|
|
|
// Attempt to fetch again - validate that the server has it now
|
|
|
|
|
|
tries = 0
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
2023-02-09 08:49:32 +00:00
|
|
|
|
|
2023-01-19 13:46:35 +00:00
|
|
|
|
if generated { // passphrase is encrypted
|
|
|
|
|
|
return c.decryptPassphrase(pass)
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2023-02-09 08:49:32 +00:00
|
|
|
|
if err == errBadCertificate { // No need to retry, won't succeed.
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 16:53:38 +00:00
|
|
|
|
if err == nil { // passphrase available, no errors
|
2023-01-24 16:40:00 +00:00
|
|
|
|
return
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
2024-01-22 17:48:12 +00:00
|
|
|
|
logToFile("Failed with error: %s . Will retry.\n", err.Error())
|
2023-01-19 13:46:35 +00:00
|
|
|
|
time.Sleep(1 * time.Second) // network errors? retry
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
2023-01-24 16:40:00 +00:00
|
|
|
|
return
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
|
|
|
|
|
// decryptPassphrase decodes (base64) and decrypts the passphrase returned
|
|
|
|
|
|
// by the challenger server.
|
|
|
|
|
|
func (c *Client) decryptPassphrase(pass string) (string, error) {
|
|
|
|
|
|
blob, err := base64.RawURLEncoding.DecodeString(pass)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Decrypt and return it to unseal the LUKS volume
|
|
|
|
|
|
opts := []tpm.TPMOption{}
|
|
|
|
|
|
if c.Config.Kcrypt.Challenger.CIndex != "" {
|
|
|
|
|
|
opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
|
|
|
|
|
|
}
|
|
|
|
|
|
if c.Config.Kcrypt.Challenger.TPMDevice != "" {
|
|
|
|
|
|
opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
|
|
|
|
|
|
}
|
2023-01-19 14:06:53 +00:00
|
|
|
|
passBytes, err := tpm.DecryptBlob(blob, opts...)
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
|
|
|
|
|
return string(passBytes), err
|
|
|
|
|
|
}
|
2024-01-22 17:48:12 +00:00
|
|
|
|
|
|
|
|
|
|
func logToFile(format string, a ...any) {
|
|
|
|
|
|
s := fmt.Sprintf(format, a...)
|
|
|
|
|
|
file, err := os.OpenFile(LOGFILE, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
panic(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
defer file.Close()
|
|
|
|
|
|
|
|
|
|
|
|
file.WriteString(s)
|
|
|
|
|
|
}
|
