Formatting of peers and dns worked

Former-commit-id: 9281fbd222
2026-02-07 21:46:40 +00:00 · 2025-11-25 14:19:36 -05:00
parent d8ced86d19
commit 50525aaf8d
9 changed files with 674 additions and 555 deletions
--- a/peers/manager.go
+++ b/peers/manager.go
@@ -0,0 +1,401 @@
+package peers
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/olm/dns"
+	"github.com/fosrl/olm/network"
+	"github.com/fosrl/olm/peermonitor"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+type PeerManager struct {
+	mu            sync.RWMutex
+	device        *device.Device
+	peers         map[int]SiteConfig
+	peerMonitor   *peermonitor.PeerMonitor
+	dnsProxy      *dns.DNSProxy
+	interfaceName string
+	privateKey    wgtypes.Key
+}
+
+func NewPeerManager(dev *device.Device, monitor *peermonitor.PeerMonitor, dnsProxy *dns.DNSProxy, interfaceName string, privateKey wgtypes.Key) *PeerManager {
+	return &PeerManager{
+		device:        dev,
+		peers:         make(map[int]SiteConfig),
+		peerMonitor:   monitor,
+		dnsProxy:      dnsProxy,
+		interfaceName: interfaceName,
+		privateKey:    privateKey,
+	}
+}
+
+func (pm *PeerManager) GetPeer(siteId int) (SiteConfig, bool) {
+	pm.mu.RLock()
+	defer pm.mu.RUnlock()
+	peer, ok := pm.peers[siteId]
+	return peer, ok
+}
+
+func (pm *PeerManager) GetAllPeers() []SiteConfig {
+	pm.mu.RLock()
+	defer pm.mu.RUnlock()
+	peers := make([]SiteConfig, 0, len(pm.peers))
+	for _, peer := range pm.peers {
+		peers = append(peers, peer)
+	}
+	return peers
+}
+
+func (pm *PeerManager) AddPeer(siteConfig SiteConfig, endpoint string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	// build the allowed IPs list from the remote subnets and aliases and add them to the peer
+	allowedIPs := make([]string, 0, len(siteConfig.RemoteSubnets)+len(siteConfig.Aliases))
+	allowedIPs = append(allowedIPs, siteConfig.RemoteSubnets...)
+	for _, alias := range siteConfig.Aliases {
+		allowedIPs = append(allowedIPs, alias.AliasAddress+"/32")
+	}
+	siteConfig.AllowedIps = allowedIPs
+
+	if err := ConfigurePeer(pm.device, siteConfig, pm.privateKey, endpoint, pm.peerMonitor); err != nil {
+		return err
+	}
+
+	if err := network.AddRouteForServerIP(siteConfig.ServerIP, pm.interfaceName); err != nil {
+		logger.Error("Failed to add route for server IP: %v", err)
+	}
+	if err := network.AddRoutes(siteConfig.RemoteSubnets, pm.interfaceName); err != nil {
+		logger.Error("Failed to add routes for remote subnets: %v", err)
+	}
+	for _, alias := range siteConfig.Aliases {
+		address := net.ParseIP(alias.AliasAddress)
+		if address == nil {
+			continue
+		}
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
+	}
+
+	pm.peers[siteConfig.SiteId] = siteConfig
+	return nil
+}
+
+func (pm *PeerManager) RemovePeer(siteId int) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	if err := RemovePeer(pm.device, siteId, peer.PublicKey, pm.peerMonitor); err != nil {
+		return err
+	}
+
+	if err := network.RemoveRouteForServerIP(peer.ServerIP, pm.interfaceName); err != nil {
+		logger.Error("Failed to remove route for server IP: %v", err)
+	}
+
+	if err := network.RemoveRoutes(peer.RemoteSubnets); err != nil {
+		logger.Error("Failed to remove routes for remote subnets: %v", err)
+	}
+
+	// For aliases
+	for _, alias := range peer.Aliases {
+		address := net.ParseIP(alias.AliasAddress)
+		if address == nil {
+			continue
+		}
+		pm.dnsProxy.RemoveDNSRecord(alias.Alias, address)
+	}
+
+	delete(pm.peers, siteId)
+	return nil
+}
+
+func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig, endpoint string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	oldPeer, exists := pm.peers[siteConfig.SiteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteConfig.SiteId)
+	}
+
+	// If public key changed, remove old peer first
+	if siteConfig.PublicKey != oldPeer.PublicKey {
+		if err := RemovePeer(pm.device, siteConfig.SiteId, oldPeer.PublicKey, pm.peerMonitor); err != nil {
+			logger.Error("Failed to remove old peer: %v", err)
+		}
+	}
+
+	if err := ConfigurePeer(pm.device, siteConfig, pm.privateKey, endpoint, pm.peerMonitor); err != nil {
+		return err
+	}
+
+	// Handle remote subnet route changes
+	// Calculate added and removed subnets
+	oldSubnets := make(map[string]bool)
+	for _, s := range oldPeer.RemoteSubnets {
+		oldSubnets[s] = true
+	}
+	newSubnets := make(map[string]bool)
+	for _, s := range siteConfig.RemoteSubnets {
+		newSubnets[s] = true
+	}
+
+	var addedSubnets []string
+	var removedSubnets []string
+
+	for s := range newSubnets {
+		if !oldSubnets[s] {
+			addedSubnets = append(addedSubnets, s)
+		}
+	}
+	for s := range oldSubnets {
+		if !newSubnets[s] {
+			removedSubnets = append(removedSubnets, s)
+		}
+	}
+
+	// Remove routes for removed subnets
+	if len(removedSubnets) > 0 {
+		if err := network.RemoveRoutes(removedSubnets); err != nil {
+			logger.Error("Failed to remove routes: %v", err)
+		}
+	}
+
+	// Add routes for added subnets
+	if len(addedSubnets) > 0 {
+		if err := network.AddRoutes(addedSubnets, pm.interfaceName); err != nil {
+			logger.Error("Failed to add routes: %v", err)
+		}
+	}
+
+	// Update aliases
+	// Remove old aliases
+	for _, alias := range oldPeer.Aliases {
+		address := net.ParseIP(alias.AliasAddress)
+		if address == nil {
+			continue
+		}
+		pm.dnsProxy.RemoveDNSRecord(alias.Alias, address)
+	}
+	// Add new aliases
+	for _, alias := range siteConfig.Aliases {
+		address := net.ParseIP(alias.AliasAddress)
+		if address == nil {
+			continue
+		}
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
+	}
+
+	pm.peers[siteConfig.SiteId] = siteConfig
+	return nil
+}
+
+// addAllowedIp adds an IP (subnet) to the allowed IPs list of a peer
+// and updates WireGuard configuration. Must be called with lock held.
+func (pm *PeerManager) addAllowedIp(siteId int, ip string) error {
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	// Check if IP already exists in AllowedIps
+	for _, allowedIp := range peer.AllowedIps {
+		if allowedIp == ip {
+			return nil // Already exists
+		}
+	}
+
+	peer.AllowedIps = append(peer.AllowedIps, ip)
+
+	// Update WireGuard
+	if err := ConfigurePeer(pm.device, peer, pm.privateKey, peer.Endpoint, pm.peerMonitor); err != nil {
+		return err
+	}
+
+	pm.peers[siteId] = peer
+	return nil
+}
+
+// removeAllowedIp removes an IP (subnet) from the allowed IPs list of a peer
+// and updates WireGuard configuration. Must be called with lock held.
+func (pm *PeerManager) removeAllowedIp(siteId int, cidr string) error {
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	found := false
+
+	// Remove from AllowedIps
+	newAllowedIps := make([]string, 0, len(peer.AllowedIps))
+	for _, allowedIp := range peer.AllowedIps {
+		if allowedIp == cidr {
+			found = true
+			continue
+		}
+		newAllowedIps = append(newAllowedIps, allowedIp)
+	}
+
+	if !found {
+		return nil // Not found
+	}
+
+	peer.AllowedIps = newAllowedIps
+
+	// Update WireGuard
+	if err := ConfigurePeer(pm.device, peer, pm.privateKey, peer.Endpoint, pm.peerMonitor); err != nil {
+		return err
+	}
+
+	pm.peers[siteId] = peer
+	return nil
+}
+
+// AddRemoteSubnet adds an IP (subnet) to the allowed IPs list of a peer
+func (pm *PeerManager) AddRemoteSubnet(siteId int, cidr string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	// Check if IP already exists in RemoteSubnets
+	for _, subnet := range peer.RemoteSubnets {
+		if subnet == cidr {
+			return nil // Already exists
+		}
+	}
+
+	peer.RemoteSubnets = append(peer.RemoteSubnets, cidr)
+
+	// Add to allowed IPs
+	if err := pm.addAllowedIp(siteId, cidr); err != nil {
+		return err
+	}
+
+	// Add route
+	if err := network.AddRoutes([]string{cidr}, pm.interfaceName); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// RemoveRemoteSubnet removes an IP (subnet) from the allowed IPs list of a peer
+func (pm *PeerManager) RemoveRemoteSubnet(siteId int, ip string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	found := false
+
+	// Remove from RemoteSubnets
+	newSubnets := make([]string, 0, len(peer.RemoteSubnets))
+	for _, subnet := range peer.RemoteSubnets {
+		if subnet == ip {
+			found = true
+			continue
+		}
+		newSubnets = append(newSubnets, subnet)
+	}
+
+	if !found {
+		return nil // Not found
+	}
+
+	peer.RemoteSubnets = newSubnets
+
+	// Remove from allowed IPs
+	if err := pm.removeAllowedIp(siteId, ip); err != nil {
+		return err
+	}
+
+	// Remove route
+	if err := network.RemoveRoutes([]string{ip}); err != nil {
+		return err
+	}
+
+	pm.peers[siteId] = peer
+
+	return nil
+}
+
+// AddAlias adds an alias to a peer
+func (pm *PeerManager) AddAlias(siteId int, alias Alias) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	peer.Aliases = append(peer.Aliases, alias)
+	pm.peers[siteId] = peer
+
+	address := net.ParseIP(alias.AliasAddress)
+	if address != nil {
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
+	}
+
+	// Add an allowed IP for the alias
+	if err := pm.addAllowedIp(siteId, alias.AliasAddress+"/32"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// RemoveAlias removes an alias from a peer
+func (pm *PeerManager) RemoveAlias(siteId int, aliasName string) error {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	peer, exists := pm.peers[siteId]
+	if !exists {
+		return fmt.Errorf("peer with site ID %d not found", siteId)
+	}
+
+	var aliasToRemove *Alias
+	newAliases := make([]Alias, 0, len(peer.Aliases))
+	for _, a := range peer.Aliases {
+		if a.Alias == aliasName {
+			aliasToRemove = &a
+			continue
+		}
+		newAliases = append(newAliases, a)
+	}
+
+	if aliasToRemove != nil {
+		address := net.ParseIP(aliasToRemove.AliasAddress)
+		if address != nil {
+			pm.dnsProxy.RemoveDNSRecord(aliasName, address)
+		}
+	}
+
+	// remove the allowed IP for the alias
+	if err := pm.removeAllowedIp(siteId, aliasToRemove.AliasAddress+"/32"); err != nil {
+		return err
+	}
+
+	peer.Aliases = newAliases
+	pm.peers[siteId] = peer
+
+	return nil
+}
--- a/peers/peer.go
+++ b/peers/peer.go
@@ -0,0 +1,130 @@
+package peers
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/util"
+	"github.com/fosrl/olm/peermonitor"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// ConfigurePeer sets up or updates a peer within the WireGuard device
+func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, endpoint string, peerMonitor *peermonitor.PeerMonitor) error {
+	siteHost, err := util.ResolveDomain(formatEndpoint(siteConfig.Endpoint))
+	if err != nil {
+		return fmt.Errorf("failed to resolve endpoint for site %d: %v", siteConfig.SiteId, err)
+	}
+
+	// Split off the CIDR of the server IP which is just a string and add /32 for the allowed IP
+	allowedIp := strings.Split(siteConfig.ServerIP, "/")
+	if len(allowedIp) > 1 {
+		allowedIp[1] = "32"
+	} else {
+		allowedIp = append(allowedIp, "32")
+	}
+	allowedIpStr := strings.Join(allowedIp, "/")
+
+	// Collect all allowed IPs in a slice
+	var allowedIPs []string
+	allowedIPs = append(allowedIPs, allowedIpStr)
+
+	// Use AllowedIps if available, otherwise fall back to RemoteSubnets for backwards compatibility
+	subnetsToAdd := siteConfig.AllowedIps
+
+	// If we have anything to add, process them
+	if len(subnetsToAdd) > 0 {
+		// Add each subnet
+		for _, subnet := range subnetsToAdd {
+			subnet = strings.TrimSpace(subnet)
+			if subnet != "" {
+				allowedIPs = append(allowedIPs, subnet)
+			}
+		}
+	}
+
+	// Construct WireGuard config for this peer
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("private_key=%s\n", util.FixKey(privateKey.String())))
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(siteConfig.PublicKey)))
+
+	// Add each allowed IP separately
+	for _, allowedIP := range allowedIPs {
+		configBuilder.WriteString(fmt.Sprintf("allowed_ip=%s\n", allowedIP))
+	}
+
+	configBuilder.WriteString(fmt.Sprintf("endpoint=%s\n", siteHost))
+	configBuilder.WriteString("persistent_keepalive_interval=1\n")
+
+	config := configBuilder.String()
+	logger.Debug("Configuring peer with config: %s", config)
+
+	err = dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to configure WireGuard peer: %v", err)
+	}
+
+	// Set up peer monitoring
+	if peerMonitor != nil {
+		monitorAddress := strings.Split(siteConfig.ServerIP, "/")[0]
+		monitorPeer := net.JoinHostPort(monitorAddress, strconv.Itoa(int(siteConfig.ServerPort+1))) // +1 for the monitor port
+		logger.Debug("Setting up peer monitor for site %d at %s", siteConfig.SiteId, monitorPeer)
+		logger.Debug("Resolving primary relay %s for peer", endpoint)
+		primaryRelay, err := util.ResolveDomain(endpoint) // Using global endpoint variable
+		if err != nil {
+			logger.Warn("Failed to resolve primary relay endpoint for peer: %v", err)
+		}
+
+		wgConfig := &peermonitor.WireGuardConfig{
+			SiteID:       siteConfig.SiteId,
+			PublicKey:    util.FixKey(siteConfig.PublicKey),
+			ServerIP:     strings.Split(siteConfig.ServerIP, "/")[0],
+			Endpoint:     siteConfig.Endpoint,
+			PrimaryRelay: primaryRelay,
+		}
+
+		err = peerMonitor.AddPeer(siteConfig.SiteId, monitorPeer, wgConfig)
+		if err != nil {
+			logger.Warn("Failed to setup monitoring for site %d: %v", siteConfig.SiteId, err)
+		} else {
+			logger.Info("Started monitoring for site %d at %s", siteConfig.SiteId, monitorPeer)
+		}
+	}
+
+	return nil
+}
+
+// RemovePeer removes a peer from the WireGuard device
+func RemovePeer(dev *device.Device, siteId int, publicKey string, peerMonitor *peermonitor.PeerMonitor) error {
+	// Construct WireGuard config to remove the peer
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(publicKey)))
+	configBuilder.WriteString("remove=true\n")
+
+	config := configBuilder.String()
+	logger.Debug("Removing peer with config: %s", config)
+
+	err := dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to remove WireGuard peer: %v", err)
+	}
+
+	// Stop monitoring this peer
+	if peerMonitor != nil {
+		peerMonitor.RemovePeer(siteId)
+		logger.Info("Stopped monitoring for site %d", siteId)
+	}
+
+	return nil
+}
+
+func formatEndpoint(endpoint string) string {
+	if strings.Contains(endpoint, ":") {
+		return endpoint
+	}
+	return endpoint + ":51820"
+}
--- a/peers/types.go
+++ b/peers/types.go
@@ -0,0 +1,57 @@
+package peers
+
+// PeerAction represents a request to add, update, or remove a peer
+type PeerAction struct {
+	Action   string     `json:"action"`   // "add", "update", or "remove"
+	SiteInfo SiteConfig `json:"siteInfo"` // Site configuration information
+}
+
+// UpdatePeerData represents the data needed to update a peer
+type SiteConfig struct {
+	SiteId        int      `json:"siteId"`
+	Endpoint      string   `json:"endpoint,omitempty"`
+	PublicKey     string   `json:"publicKey,omitempty"`
+	ServerIP      string   `json:"serverIP,omitempty"`
+	ServerPort    uint16   `json:"serverPort,omitempty"`
+	RemoteSubnets []string `json:"remoteSubnets,omitempty"` // optional, array of subnets that this site can access
+	AllowedIps    []string `json:"allowedIps,omitempty"`    // optional, array of allowed IPs for the peer
+	Aliases       []Alias  `json:"aliases,omitempty"`       // optional, array of alias configurations
+}
+
+type Alias struct {
+	Alias        string `json:"alias"`        // the alias name
+	AliasAddress string `json:"aliasAddress"` // the alias IP address
+}
+
+// RemovePeer represents the data needed to remove a peer
+type PeerRemove struct {
+	SiteId int `json:"siteId"`
+}
+
+type RelayPeerData struct {
+	SiteId    int    `json:"siteId"`
+	Endpoint  string `json:"endpoint"`
+	PublicKey string `json:"publicKey"`
+}
+
+// PeerAdd represents the data needed to add remote subnets to a peer
+type PeerAdd struct {
+	SiteId        int      `json:"siteId"`
+	RemoteSubnets []string `json:"remoteSubnets"`     // subnets to add
+	Aliases       []Alias  `json:"aliases,omitempty"` // aliases to add
+}
+
+// RemovePeerData represents the data needed to remove remote subnets from a peer
+type RemovePeerData struct {
+	SiteId        int      `json:"siteId"`
+	RemoteSubnets []string `json:"remoteSubnets"`     // subnets to remove
+	Aliases       []Alias  `json:"aliases,omitempty"` // aliases to remove
+}
+
+type UpdatePeerData struct {
+	SiteId           int      `json:"siteId"`
+	OldRemoteSubnets []string `json:"oldRemoteSubnets"`     // old list of remote subnets
+	NewRemoteSubnets []string `json:"newRemoteSubnets"`     // new list of remote subnets
+	OldAliases       []Alias  `json:"oldAliases,omitempty"` // old list of aliases
+	NewAliases       []Alias  `json:"newAliases,omitempty"` // new list of aliases
+}