diff --git a/aggregator-server/cmd/server/main.go b/aggregator-server/cmd/server/main.go index 5236009..40e6cf3 100644 --- a/aggregator-server/cmd/server/main.go +++ b/aggregator-server/cmd/server/main.go @@ -42,6 +42,7 @@ func startWelcomeModeServer() { // Setup endpoint for web configuration router.POST("/api/setup/configure", setupHandler.ConfigureServer) + router.POST("/api/setup/generate-keys", setupHandler.GenerateSigningKeys) // Setup endpoint for web configuration router.GET("/setup", setupHandler.ShowSetupPage) @@ -171,6 +172,7 @@ func main() { rateLimitHandler := handlers.NewRateLimitHandler(rateLimiter) downloadHandler := handlers.NewDownloadHandler(filepath.Join("/app"), cfg) subsystemHandler := handlers.NewSubsystemHandler(subsystemQueries, commandQueries) + deploymentHandler := handlers.NewDeploymentHandler(registrationTokenQueries, agentQueries) // Initialize verification handler var verificationHandler *handlers.VerificationHandler @@ -318,6 +320,12 @@ func main() { admin.GET("/registration-tokens/stats", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), registrationTokenHandler.GetTokenStats) admin.GET("/registration-tokens/validate", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), registrationTokenHandler.ValidateRegistrationToken) + // Deployment routes (token management with install commands) + admin.GET("/deployment/tokens", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.ListTokens) + admin.POST("/deployment/tokens", rateLimiter.RateLimit("admin_token_gen", middleware.KeyByUserID), deploymentHandler.CreateToken) + admin.GET("/deployment/tokens/:id", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.GetToken) + admin.DELETE("/deployment/tokens/:id", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.RevokeToken) + // Rate Limit Management admin.GET("/rate-limits", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), rateLimitHandler.GetRateLimitSettings) admin.PUT("/rate-limits", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), rateLimitHandler.UpdateRateLimitSettings) diff --git a/aggregator-server/internal/api/handlers/deployment.go b/aggregator-server/internal/api/handlers/deployment.go new file mode 100644 index 0000000..feefd5c --- /dev/null +++ b/aggregator-server/internal/api/handlers/deployment.go @@ -0,0 +1,96 @@ +package handlers + +import ( + "fmt" + "net/http" + "time" + + "github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries" + "github.com/gin-gonic/gin" +) + +type DeploymentHandler struct { + registrationTokenQueries *queries.RegistrationTokenQueries + agentQueries *queries.AgentQueries +} + +func NewDeploymentHandler(regTokenQueries *queries.RegistrationTokenQueries, agentQueries *queries.AgentQueries) *DeploymentHandler { + return &DeploymentHandler{ + registrationTokenQueries: regTokenQueries, + agentQueries: agentQueries, + } +} + +// ListTokens returns all registration tokens +func (h *DeploymentHandler) ListTokens(c *gin.Context) { + tokens, err := h.registrationTokenQueries.ListAllTokens() + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list tokens"}) + return + } + c.JSON(http.StatusOK, gin.H{"tokens": tokens}) +} + +// CreateToken creates a new registration token +func (h *DeploymentHandler) CreateToken(c *gin.Context) { + var req struct { + MaxSeats int `json:"max_seats" binding:"required,min=1"` + ExpiresIn string `json:"expires_in"` // e.g., "24h", "7d" + Note string `json:"note"` // Optional note/label + } + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + // Parse expiration duration + var duration time.Duration + var err error + if req.ExpiresIn != "" { + duration, err = time.ParseDuration(req.ExpiresIn) + if err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": "invalid expires_in format - use Go duration (e.g., 24h, 168h)"}) + return + } + } else { + duration = 24 * time.Hour // Default 24 hours + } + + expiresAt := time.Now().Add(duration) + token, err := h.registrationTokenQueries.CreateToken(req.MaxSeats, expiresAt) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create token"}) + return + } + + // Build install command + serverURL := c.Request.Host + installCommand := fmt.Sprintf("curl -sSL http://%s/api/v1/install/linux | bash -s -- %s", serverURL, token.Token) + + c.JSON(http.StatusOK, gin.H{ + "token": token, + "install_command": installCommand, + "message": "registration token created", + }) +} + +// RevokeToken revokes a registration token +func (h *DeploymentHandler) RevokeToken(c *gin.Context) { + tokenID := c.Param("id") + if err := h.registrationTokenQueries.RevokeToken(tokenID); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to revoke token"}) + return + } + c.JSON(http.StatusOK, gin.H{"message": "token revoked"}) +} + +// GetToken returns details about a specific token +func (h *DeploymentHandler) GetToken(c *gin.Context) { + tokenID := c.Param("id") + token, err := h.registrationTokenQueries.GetTokenByID(tokenID) + if err != nil { + c.JSON(http.StatusNotFound, gin.H{"error": "token not found"}) + return + } + c.JSON(http.StatusOK, gin.H{"token": token}) +} diff --git a/aggregator-server/internal/api/handlers/setup.go b/aggregator-server/internal/api/handlers/setup.go index f142ec5..2982e6d 100644 --- a/aggregator-server/internal/api/handlers/setup.go +++ b/aggregator-server/internal/api/handlers/setup.go @@ -1,7 +1,10 @@ package handlers import ( + "crypto/ed25519" + "crypto/rand" "database/sql" + "encoding/hex" "fmt" "net/http" "strconv" @@ -409,3 +412,28 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) { }) } +// GenerateSigningKeys generates Ed25519 keypair for agent update signing +func (h *SetupHandler) GenerateSigningKeys(c *gin.Context) { + // Generate Ed25519 keypair + publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate keypair"}) + return + } + + // Encode to hex + publicKeyHex := hex.EncodeToString(publicKey) + privateKeyHex := hex.EncodeToString(privateKey) + + // Generate fingerprint (first 16 chars) + fingerprint := publicKeyHex[:16] + + c.JSON(http.StatusOK, gin.H{ + "public_key": publicKeyHex, + "private_key": privateKeyHex, + "fingerprint": fingerprint, + "algorithm": "ed25519", + "key_size": 32, + }) +} + diff --git a/aggregator-server/test-server b/aggregator-server/test-server index d50e74e..3b3d8dd 100755 Binary files a/aggregator-server/test-server and b/aggregator-server/test-server differ