mirror of
https://github.com/fosrl/newt.git
synced 2026-02-20 11:56:39 +00:00
93 lines
2.9 KiB
Go
93 lines
2.9 KiB
Go
package authdaemon
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"github.com/fosrl/newt/logger"
|
|
)
|
|
|
|
// registerRoutes registers all API routes. Add new endpoints here.
|
|
func (s *Server) registerRoutes() {
|
|
s.mux.HandleFunc("/health", s.handleHealth)
|
|
s.mux.HandleFunc("/connection", s.handleConnection)
|
|
}
|
|
|
|
// ConnectionMetadata is the metadata object in POST /connection.
|
|
type ConnectionMetadata struct {
|
|
Sudo bool `json:"sudo"`
|
|
Homedir bool `json:"homedir"`
|
|
}
|
|
|
|
// ConnectionRequest is the JSON body for POST /connection.
|
|
type ConnectionRequest struct {
|
|
CaCert string `json:"caCert"`
|
|
NiceId string `json:"niceId"`
|
|
Username string `json:"username"`
|
|
Metadata ConnectionMetadata `json:"metadata"`
|
|
}
|
|
|
|
// healthResponse is the JSON body for GET /health.
|
|
type healthResponse struct {
|
|
Status string `json:"status"`
|
|
}
|
|
|
|
// handleHealth responds with 200 and {"status":"ok"}.
|
|
func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"})
|
|
}
|
|
|
|
// ProcessConnection runs the same logic as POST /connection: CA cert, sshd config, user create/reconcile, principals.
|
|
// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
|
|
func (s *Server) ProcessConnection(req ConnectionRequest) {
|
|
logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v",
|
|
req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir)
|
|
|
|
cfg := &s.cfg
|
|
if cfg.CACertPath != "" {
|
|
if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert); err != nil {
|
|
logger.Warn("auth-daemon: write CA cert: %v", err)
|
|
}
|
|
sshdConfig := cfg.SSHDConfigPath
|
|
if sshdConfig == "" {
|
|
sshdConfig = "/etc/ssh/sshd_config"
|
|
}
|
|
if err := ensureSSHDTrustedUserCAKeys(sshdConfig, cfg.CACertPath); err != nil {
|
|
logger.Warn("auth-daemon: sshd_config: %v", err)
|
|
}
|
|
if cfg.ReloadSSHCommand != "" {
|
|
if err := reloadSSHD(cfg.ReloadSSHCommand); err != nil {
|
|
logger.Warn("auth-daemon: reload sshd: %v", err)
|
|
}
|
|
}
|
|
}
|
|
if err := ensureUser(req.Username, req.Metadata); err != nil {
|
|
logger.Warn("auth-daemon: ensure user: %v", err)
|
|
}
|
|
if cfg.PrincipalsFilePath != "" {
|
|
if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil {
|
|
logger.Warn("auth-daemon: write principals: %v", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
// handleConnection accepts POST with connection payload and delegates to ProcessConnection.
|
|
func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
var req ConnectionRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
|
return
|
|
}
|
|
s.ProcessConnection(req)
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|