2023-01-02 13:56:10 +00:00
|
|
|
|
package client
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"encoding/base64"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
"encoding/json"
|
|
|
|
|
|
"fmt"
|
|
|
|
|
|
"os"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/jaypipes/ghw/pkg/block"
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"github.com/kairos-io/kairos-challenger/pkg/constants"
|
2023-01-24 11:03:08 +00:00
|
|
|
|
"github.com/kairos-io/kairos-challenger/pkg/payload"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
"github.com/kairos-io/kcrypt/pkg/bus"
|
2023-01-18 15:02:17 +00:00
|
|
|
|
"github.com/kairos-io/tpm-helpers"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
"github.com/mudler/go-pluggable"
|
2023-01-18 22:32:23 +00:00
|
|
|
|
"github.com/mudler/yip/pkg/utils"
|
2023-01-02 13:56:10 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
2023-01-19 13:24:33 +00:00
|
|
|
|
var errPartNotFound error = fmt.Errorf("pass for partition not found")
|
2023-01-02 13:56:10 +00:00
|
|
|
|
|
|
|
|
|
|
func NewClient() (*Client, error) {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
conf, err := unmarshalConfig()
|
2023-01-02 13:56:10 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return &Client{Config: conf}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ❯ echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
|
|
|
|
|
|
func (c *Client) Start() error {
|
|
|
|
|
|
factory := pluggable.NewPluginFactory()
|
|
|
|
|
|
|
|
|
|
|
|
// Input: bus.EventInstallPayload
|
|
|
|
|
|
// Expected output: map[string]string{}
|
|
|
|
|
|
factory.Add(bus.EventDiscoveryPassword, func(e *pluggable.Event) pluggable.EventResponse {
|
|
|
|
|
|
|
|
|
|
|
|
b := &block.Partition{}
|
|
|
|
|
|
err := json.Unmarshal([]byte(e.Data), b)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Error: fmt.Sprintf("failed reading partitions: %s", err.Error()),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
pass, err := c.waitPass(b, 30)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return pluggable.EventResponse{
|
|
|
|
|
|
Data: pass,
|
|
|
|
|
|
}
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 11:03:08 +00:00
|
|
|
|
func (c *Client) generatePass(postEndpoint string, p *block.Partition) error {
|
|
|
|
|
|
|
|
|
|
|
|
rand := utils.RandomString(32)
|
|
|
|
|
|
pass, err := tpm.EncryptBlob([]byte(rand))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
bpass := base64.RawURLEncoding.EncodeToString(pass)
|
|
|
|
|
|
|
|
|
|
|
|
opts := []tpm.Option{
|
|
|
|
|
|
tpm.WithAdditionalHeader("label", p.Label),
|
|
|
|
|
|
tpm.WithAdditionalHeader("name", p.Name),
|
|
|
|
|
|
tpm.WithAdditionalHeader("uuid", p.UUID),
|
|
|
|
|
|
}
|
|
|
|
|
|
conn, err := tpm.Connection(postEndpoint, opts...)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 15:19:33 +00:00
|
|
|
|
func (c *Client) waitPass(p *block.Partition, attempts int) (string, error) {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
// IF we don't have any server configured, just do local
|
2023-01-19 13:24:33 +00:00
|
|
|
|
if c.Config.Kcrypt.Challenger.Server == "" {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
return localPass(c.Config)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-19 13:24:33 +00:00
|
|
|
|
challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
|
|
|
|
|
|
postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
|
2023-01-18 22:32:23 +00:00
|
|
|
|
|
2023-01-02 13:56:10 +00:00
|
|
|
|
for tries := 0; tries < attempts; tries++ {
|
2023-01-18 22:32:23 +00:00
|
|
|
|
var generated bool
|
2023-01-24 15:19:33 +00:00
|
|
|
|
pass, generated, err := getPass(challengeEndpoint, p)
|
2023-01-24 11:03:08 +00:00
|
|
|
|
if err == errPartNotFound {
|
|
|
|
|
|
// IF server doesn't have a pass for us, then we generate one and we set it
|
|
|
|
|
|
err = c.generatePass(postEndpoint, p)
|
|
|
|
|
|
if err != nil {
|
2023-01-24 15:19:33 +00:00
|
|
|
|
return "", err
|
2023-01-24 11:03:08 +00:00
|
|
|
|
}
|
|
|
|
|
|
// Attempt to fetch again - validate that the server has it now
|
|
|
|
|
|
tries = 0
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
if generated { // passphrase is encrypted
|
|
|
|
|
|
return c.decryptPassphrase(pass)
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-24 15:19:33 +00:00
|
|
|
|
if err == nil { // passphrase avilable, no errors
|
|
|
|
|
|
return "", err
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
|
|
|
|
|
time.Sleep(1 * time.Second) // network errors? retry
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
2023-01-24 15:19:33 +00:00
|
|
|
|
return "", fmt.Errorf("could not get passphrase from remote endpoint")
|
2023-01-02 13:56:10 +00:00
|
|
|
|
}
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
|
|
|
|
|
// decryptPassphrase decodes (base64) and decrypts the passphrase returned
|
|
|
|
|
|
// by the challenger server.
|
|
|
|
|
|
func (c *Client) decryptPassphrase(pass string) (string, error) {
|
|
|
|
|
|
blob, err := base64.RawURLEncoding.DecodeString(pass)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Decrypt and return it to unseal the LUKS volume
|
|
|
|
|
|
opts := []tpm.TPMOption{}
|
|
|
|
|
|
if c.Config.Kcrypt.Challenger.CIndex != "" {
|
|
|
|
|
|
opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
|
|
|
|
|
|
}
|
|
|
|
|
|
if c.Config.Kcrypt.Challenger.TPMDevice != "" {
|
|
|
|
|
|
opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
|
|
|
|
|
|
}
|
2023-01-19 14:06:53 +00:00
|
|
|
|
passBytes, err := tpm.DecryptBlob(blob, opts...)
|
2023-01-19 13:46:35 +00:00
|
|
|
|
|
|
|
|
|
|
return string(passBytes), err
|
|
|
|
|
|
}
|
