fix: create-certs.sh

gjmzj · gjmzj · commit 8e98356789ff · 2023-07-30T13:05:50.000+08:00
diff --git a/deploy/certs-utils/create-certs.sh b/deploy/certs-utils/create-certs.sh
@@ -35,7 +35,6 @@ function create_certs() {
   docker load -i "$BASE/down/cfssl-utils-$CFSSL_VER.tar" > /dev/null
 
   # clean
-  docker ps -a --format="{{ .Names }}"|grep cfssl-utils > /dev/null && \
   logger info "save current certs in backup" && \
   cp -r "$BASE/certs" "$BASE/backup/certs.$(date +'%Y%m%d%H%M%S')" && \
   logger info "stop&remove container: cfssl-utils" && \
@@ -58,11 +57,14 @@ function create_certs() {
   logger info "create agent.pem/agent-key.pem..."
   docker exec -it cfssl-utils sh -c 'cd /certs && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=mtls agent-csr.json | cfssljson -bare agent'
 
+  logger info "stop&remove container: cfssl-utils" && \
+  docker rm -f cfssl-utils > /dev/null
 }
 
 
 BASE=$(cd "$(dirname "$0")"; pwd)
 cd "$BASE"
 mkdir -p "$BASE/down" "$BASE/certs" "$BASE/backup"
+cp -f "$BASE"/*.json "$BASE/certs/"
 
 create_certs
diff --git a/deploy/server/config/allowed-agents.yml b/deploy/server/config/allowed-agents.yml
@@ -3,7 +3,9 @@ agents:
     auth_key: NiIsInR5cCI6IkpXVCJ9
     approved_cns:
       - mtls-client
+      - ezvpn-agent
   - name: test-002
     auth_key: Yk0sInR5cCxMIkp19CoK
     approved_cns:
       - mtls-client
+      - ezvpn-agent
diff --git a/server/responder.go b/server/responder.go
@@ -91,7 +91,7 @@ func GetRegister(c echo.Context) error {
 			}
 		}
 	}
-	err := fmt.Errorf("failed to register: invalid auth key: %s", key)
+	err := fmt.Errorf("failed to register: invalid auth key(%s) or cert CN", key)
 	return Error(c, http.StatusUnauthorized, err)
 }
 
@@ -101,18 +101,10 @@ func GetSession(c echo.Context) error {
 		for _, agent := range config.AGENTS.Agents {
 			// check if the key is valid
 			if key == agent.AuthKey {
-				// check CN if mTLS is enabled
-				if c.Request().TLS != nil && len(c.Request().TLS.PeerCertificates) > 0 {
-					cn := c.Request().TLS.PeerCertificates[0].Subject.CommonName
-					for _, approved_cn := range agent.ApprovedCNs {
-						if cn == approved_cn {
-							log.Printf("agent %s@%s registered", agent.Name, c.RealIP())
-							return WebSocket(c, func(ws *websocket.Conn) error {
-								return tunnel(ws)
-							})
-						}
-					}
-				}
+				log.Printf("agent %s@%s session established", agent.Name, c.RealIP())
+				return WebSocket(c, func(ws *websocket.Conn) error {
+					return tunnel(ws)
+				})
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ func GetRegister(c echo.Context) error {`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`	`}`
`94`		`- err := fmt.Errorf("failed to register: invalid auth key: %s", key)`
	`94`	`+ err := fmt.Errorf("failed to register: invalid auth key(%s) or cert CN", key)`
`95`	`95`	`return Error(c, http.StatusUnauthorized, err)`
`96`	`96`	`}`
`97`	`97`
`@@ -101,18 +101,10 @@ func GetSession(c echo.Context) error {`
`101`	`101`	`for _, agent := range config.AGENTS.Agents {`
`102`	`102`	`// check if the key is valid`
`103`	`103`	`if key == agent.AuthKey {`
`104`		`- // check CN if mTLS is enabled`
`105`		`- if c.Request().TLS != nil && len(c.Request().TLS.PeerCertificates) > 0 {`
`106`		`- cn := c.Request().TLS.PeerCertificates[0].Subject.CommonName`
`107`		`- for _, approved_cn := range agent.ApprovedCNs {`
`108`		`- if cn == approved_cn {`
`109`		`- log.Printf("agent %s@%s registered", agent.Name, c.RealIP())`
`110`		`- return WebSocket(c, func(ws *websocket.Conn) error {`
`111`		`- return tunnel(ws)`
`112`		`- })`
`113`		`- }`
`114`		`- }`
`115`		`- }`
	`104`	`+ log.Printf("agent %s@%s session established", agent.Name, c.RealIP())`
	`105`	`+ return WebSocket(c, func(ws *websocket.Conn) error {`
	`106`	`+ return tunnel(ws)`
	`107`	`+ })`
`116`	`108`	`}`
`117`	`109`	`}`
`118`	`110`	`}`