mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2024-12-20 21:43:08 +00:00
1789 lines
60 KiB
C++
1789 lines
60 KiB
C++
/*
|
|
* ZeroTier One - Network Virtualization Everywhere
|
|
* Copyright (C) 2011-2015 ZeroTier, Inc.
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <time.h>
|
|
|
|
#ifndef _WIN32
|
|
#include <sys/time.h>
|
|
#endif
|
|
#include <sys/types.h>
|
|
|
|
#include <algorithm>
|
|
#include <utility>
|
|
#include <stdexcept>
|
|
#include <set>
|
|
#include <map>
|
|
|
|
#include "../include/ZeroTierOne.h"
|
|
#include "../node/Constants.hpp"
|
|
|
|
#include "EmbeddedNetworkController.hpp"
|
|
|
|
#include "../node/Node.hpp"
|
|
#include "../node/Utils.hpp"
|
|
#include "../node/CertificateOfMembership.hpp"
|
|
#include "../node/NetworkConfig.hpp"
|
|
#include "../node/Dictionary.hpp"
|
|
#include "../node/InetAddress.hpp"
|
|
#include "../node/MAC.hpp"
|
|
#include "../node/Address.hpp"
|
|
|
|
using json = nlohmann::json;
|
|
|
|
// API version reported via JSON control plane
|
|
#define ZT_NETCONF_CONTROLLER_API_VERSION 3
|
|
|
|
// Number of requests to remember in member history
|
|
#define ZT_NETCONF_DB_MEMBER_HISTORY_LENGTH 24
|
|
|
|
// Min duration between requests for an address/nwid combo to prevent floods
|
|
#define ZT_NETCONF_MIN_REQUEST_PERIOD 1000
|
|
|
|
// Nodes are considered active if they've queried in less than this long
|
|
#define ZT_NETCONF_NODE_ACTIVE_THRESHOLD (ZT_NETWORK_AUTOCONF_DELAY * 2)
|
|
|
|
namespace ZeroTier {
|
|
|
|
// Get JSON values as unsigned integers, strings, or booleans, doing type conversion if possible
|
|
static uint64_t _jI(const json &jv,const uint64_t dfl)
|
|
{
|
|
if (jv.is_number()) {
|
|
return (uint64_t)jv;
|
|
} else if (jv.is_string()) {
|
|
std::string s = jv;
|
|
return Utils::strToU64(s.c_str());
|
|
} else if (jv.is_boolean()) {
|
|
return ((bool)jv ? 1ULL : 0ULL);
|
|
}
|
|
return dfl;
|
|
}
|
|
static bool _jB(const json &jv,const bool dfl)
|
|
{
|
|
if (jv.is_boolean()) {
|
|
return (bool)jv;
|
|
} else if (jv.is_number()) {
|
|
return ((uint64_t)jv > 0ULL);
|
|
} else if (jv.is_string()) {
|
|
std::string s = jv;
|
|
if (s.length() > 0) {
|
|
switch(s[0]) {
|
|
case 't':
|
|
case 'T':
|
|
case '1':
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
return dfl;
|
|
}
|
|
static std::string _jS(const json &jv,const char *dfl)
|
|
{
|
|
if (jv.is_string()) {
|
|
return jv;
|
|
} else if (jv.is_number()) {
|
|
char tmp[64];
|
|
Utils::snprintf(tmp,sizeof(tmp),"%llu",(uint64_t)jv);
|
|
return tmp;
|
|
} else if (jv.is_boolean()) {
|
|
return ((bool)jv ? std::string("1") : std::string("0"));
|
|
}
|
|
return std::string((dfl) ? dfl : "");
|
|
}
|
|
|
|
static json _renderRule(ZT_VirtualNetworkRule &rule)
|
|
{
|
|
char tmp[128];
|
|
json r = json::object();
|
|
const ZT_VirtualNetworkRuleType rt = (ZT_VirtualNetworkRuleType)(rule.t & 0x3f);
|
|
|
|
switch(rt) {
|
|
case ZT_NETWORK_RULE_ACTION_DROP:
|
|
r["type"] = "ACTION_DROP";
|
|
break;
|
|
case ZT_NETWORK_RULE_ACTION_ACCEPT:
|
|
r["type"] = "ACTION_ACCEPT";
|
|
break;
|
|
case ZT_NETWORK_RULE_ACTION_TEE:
|
|
r["type"] = "ACTION_TEE";
|
|
r["address"] = Address(rule.v.fwd.address).toString();
|
|
r["flags"] = (unsigned int)rule.v.fwd.flags;
|
|
r["length"] = (unsigned int)rule.v.fwd.length;
|
|
break;
|
|
case ZT_NETWORK_RULE_ACTION_WATCH:
|
|
r["type"] = "ACTION_WATCH";
|
|
r["address"] = Address(rule.v.fwd.address).toString();
|
|
r["flags"] = (unsigned int)rule.v.fwd.flags;
|
|
r["length"] = (unsigned int)rule.v.fwd.length;
|
|
break;
|
|
case ZT_NETWORK_RULE_ACTION_REDIRECT:
|
|
r["type"] = "ACTION_REDIRECT";
|
|
r["address"] = Address(rule.v.fwd.address).toString();
|
|
r["flags"] = (unsigned int)rule.v.fwd.flags;
|
|
break;
|
|
case ZT_NETWORK_RULE_ACTION_DEBUG_LOG:
|
|
r["type"] = "ACTION_DEBUG_LOG";
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (r.size() == 0) {
|
|
switch(rt) {
|
|
case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS:
|
|
r["type"] = "MATCH_SOURCE_ZEROTIER_ADDRESS";
|
|
r["zt"] = Address(rule.v.zt).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS:
|
|
r["type"] = "MATCH_DEST_ZEROTIER_ADDRESS";
|
|
r["zt"] = Address(rule.v.zt).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_VLAN_ID:
|
|
r["type"] = "MATCH_VLAN_ID";
|
|
r["vlanId"] = (unsigned int)rule.v.vlanId;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_VLAN_PCP:
|
|
r["type"] = "MATCH_VLAN_PCP";
|
|
r["vlanPcp"] = (unsigned int)rule.v.vlanPcp;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_VLAN_DEI:
|
|
r["type"] = "MATCH_VLAN_DEI";
|
|
r["vlanDei"] = (unsigned int)rule.v.vlanDei;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
|
|
r["type"] = "MATCH_MAC_SOURCE";
|
|
Utils::snprintf(tmp,sizeof(tmp),"%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",(unsigned int)rule.v.mac[0],(unsigned int)rule.v.mac[1],(unsigned int)rule.v.mac[2],(unsigned int)rule.v.mac[3],(unsigned int)rule.v.mac[4],(unsigned int)rule.v.mac[5]);
|
|
r["mac"] = tmp;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_MAC_DEST:
|
|
r["type"] = "MATCH_MAC_DEST";
|
|
Utils::snprintf(tmp,sizeof(tmp),"%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",(unsigned int)rule.v.mac[0],(unsigned int)rule.v.mac[1],(unsigned int)rule.v.mac[2],(unsigned int)rule.v.mac[3],(unsigned int)rule.v.mac[4],(unsigned int)rule.v.mac[5]);
|
|
r["mac"] = tmp;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE:
|
|
r["type"] = "MATCH_IPV4_SOURCE";
|
|
r["ip"] = InetAddress(&(rule.v.ipv4.ip),4,(unsigned int)rule.v.ipv4.mask).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IPV4_DEST:
|
|
r["type"] = "MATCH_IPV4_DEST";
|
|
r["ip"] = InetAddress(&(rule.v.ipv4.ip),4,(unsigned int)rule.v.ipv4.mask).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE:
|
|
r["type"] = "MATCH_IPV6_SOURCE";
|
|
r["ip"] = InetAddress(rule.v.ipv6.ip,16,(unsigned int)rule.v.ipv6.mask).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IPV6_DEST:
|
|
r["type"] = "MATCH_IPV6_DEST";
|
|
r["ip"] = InetAddress(rule.v.ipv6.ip,16,(unsigned int)rule.v.ipv6.mask).toString();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IP_TOS:
|
|
r["type"] = "MATCH_IP_TOS";
|
|
r["ipTos"] = (unsigned int)rule.v.ipTos;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL:
|
|
r["type"] = "MATCH_IP_PROTOCOL";
|
|
r["ipProtocol"] = (unsigned int)rule.v.ipProtocol;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
|
|
r["type"] = "MATCH_ETHERTYPE";
|
|
r["etherType"] = (unsigned int)rule.v.etherType;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_ICMP:
|
|
r["type"] = "MATCH_ICMP";
|
|
r["icmpType"] = (unsigned int)rule.v.icmp.type;
|
|
if ((rule.v.icmp.flags & 0x01) != 0)
|
|
r["icmpCode"] = (unsigned int)rule.v.icmp.code;
|
|
else r["icmpCode"] = json();
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE:
|
|
r["type"] = "MATCH_IP_SOURCE_PORT_RANGE";
|
|
r["start"] = (unsigned int)rule.v.port[0];
|
|
r["end"] = (unsigned int)rule.v.port[1];
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE:
|
|
r["type"] = "MATCH_IP_DEST_PORT_RANGE";
|
|
r["start"] = (unsigned int)rule.v.port[0];
|
|
r["end"] = (unsigned int)rule.v.port[1];
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
|
|
r["type"] = "MATCH_CHARACTERISTICS";
|
|
Utils::snprintf(tmp,sizeof(tmp),"%.16llx",rule.v.characteristics);
|
|
r["mask"] = tmp;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
|
|
r["type"] = "MATCH_FRAME_SIZE_RANGE";
|
|
r["start"] = (unsigned int)rule.v.frameSize[0];
|
|
r["end"] = (unsigned int)rule.v.frameSize[1];
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_RANDOM:
|
|
r["type"] = "MATCH_RANDOM";
|
|
r["probability"] = (unsigned long)rule.v.randomProbability;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE:
|
|
r["type"] = "MATCH_TAGS_DIFFERENCE";
|
|
r["id"] = rule.v.tag.id;
|
|
r["value"] = rule.v.tag.value;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND:
|
|
r["type"] = "MATCH_TAGS_BITWISE_AND";
|
|
r["id"] = rule.v.tag.id;
|
|
r["value"] = rule.v.tag.value;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR:
|
|
r["type"] = "MATCH_TAGS_BITWISE_OR";
|
|
r["id"] = rule.v.tag.id;
|
|
r["value"] = rule.v.tag.value;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR:
|
|
r["type"] = "MATCH_TAGS_BITWISE_XOR";
|
|
r["id"] = rule.v.tag.id;
|
|
r["value"] = rule.v.tag.value;
|
|
break;
|
|
case ZT_NETWORK_RULE_MATCH_TAGS_EQUAL:
|
|
r["type"] = "MATCH_TAGS_EQUAL";
|
|
r["id"] = rule.v.tag.id;
|
|
r["value"] = rule.v.tag.value;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (r.size() > 0) {
|
|
r["not"] = ((rule.t & 0x80) != 0);
|
|
r["or"] = ((rule.t & 0x40) != 0);
|
|
}
|
|
}
|
|
|
|
return r;
|
|
}
|
|
|
|
static bool _parseRule(json &r,ZT_VirtualNetworkRule &rule)
|
|
{
|
|
if (!r.is_object())
|
|
return false;
|
|
|
|
const std::string t(_jS(r["type"],""));
|
|
memset(&rule,0,sizeof(ZT_VirtualNetworkRule));
|
|
|
|
if (_jB(r["not"],false))
|
|
rule.t = 0x80;
|
|
else rule.t = 0x00;
|
|
if (_jB(r["or"],false))
|
|
rule.t |= 0x40;
|
|
|
|
if (t == "ACTION_DROP") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_DROP;
|
|
return true;
|
|
} else if (t == "ACTION_ACCEPT") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_ACCEPT;
|
|
return true;
|
|
} else if (t == "ACTION_TEE") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_TEE;
|
|
rule.v.fwd.address = Utils::hexStrToU64(_jS(r["address"],"0").c_str()) & 0xffffffffffULL;
|
|
rule.v.fwd.flags = (uint32_t)(_jI(r["flags"],0ULL) & 0xffffffffULL);
|
|
rule.v.fwd.length = (uint16_t)(_jI(r["length"],0ULL) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "ACTION_WATCH") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_WATCH;
|
|
rule.v.fwd.address = Utils::hexStrToU64(_jS(r["address"],"0").c_str()) & 0xffffffffffULL;
|
|
rule.v.fwd.flags = (uint32_t)(_jI(r["flags"],0ULL) & 0xffffffffULL);
|
|
rule.v.fwd.length = (uint16_t)(_jI(r["length"],0ULL) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "ACTION_REDIRECT") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_REDIRECT;
|
|
rule.v.fwd.address = Utils::hexStrToU64(_jS(r["zt"],"0").c_str()) & 0xffffffffffULL;
|
|
rule.v.fwd.flags = (uint32_t)(_jI(r["flags"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
} else if (t == "ACTION_DEBUG_LOG") {
|
|
rule.t |= ZT_NETWORK_RULE_ACTION_DEBUG_LOG;
|
|
return true;
|
|
} else if (t == "MATCH_SOURCE_ZEROTIER_ADDRESS") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS;
|
|
rule.v.zt = Utils::hexStrToU64(_jS(r["zt"],"0").c_str()) & 0xffffffffffULL;
|
|
return true;
|
|
} else if (t == "MATCH_DEST_ZEROTIER_ADDRESS") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS;
|
|
rule.v.zt = Utils::hexStrToU64(_jS(r["zt"],"0").c_str()) & 0xffffffffffULL;
|
|
return true;
|
|
} else if (t == "MATCH_VLAN_ID") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_VLAN_ID;
|
|
rule.v.vlanId = (uint16_t)(_jI(r["vlanId"],0ULL) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_VLAN_PCP") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_VLAN_PCP;
|
|
rule.v.vlanPcp = (uint8_t)(_jI(r["vlanPcp"],0ULL) & 0xffULL);
|
|
return true;
|
|
} else if (t == "MATCH_VLAN_DEI") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_VLAN_DEI;
|
|
rule.v.vlanDei = (uint8_t)(_jI(r["vlanDei"],0ULL) & 0xffULL);
|
|
return true;
|
|
} else if (t == "MATCH_MAC_SOURCE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_MAC_SOURCE;
|
|
const std::string mac(_jS(r["mac"],"0"));
|
|
Utils::unhex(mac.c_str(),(unsigned int)mac.length(),rule.v.mac,6);
|
|
return true;
|
|
} else if (t == "MATCH_MAC_DEST") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_MAC_DEST;
|
|
const std::string mac(_jS(r["mac"],"0"));
|
|
Utils::unhex(mac.c_str(),(unsigned int)mac.length(),rule.v.mac,6);
|
|
return true;
|
|
} else if (t == "MATCH_IPV4_SOURCE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IPV4_SOURCE;
|
|
InetAddress ip(_jS(r["ip"],"0.0.0.0"));
|
|
rule.v.ipv4.ip = reinterpret_cast<struct sockaddr_in *>(&ip)->sin_addr.s_addr;
|
|
rule.v.ipv4.mask = Utils::ntoh(reinterpret_cast<struct sockaddr_in *>(&ip)->sin_port) & 0xff;
|
|
if (rule.v.ipv4.mask > 32) rule.v.ipv4.mask = 32;
|
|
return true;
|
|
} else if (t == "MATCH_IPV4_DEST") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IPV4_DEST;
|
|
InetAddress ip(_jS(r["ip"],"0.0.0.0"));
|
|
rule.v.ipv4.ip = reinterpret_cast<struct sockaddr_in *>(&ip)->sin_addr.s_addr;
|
|
rule.v.ipv4.mask = Utils::ntoh(reinterpret_cast<struct sockaddr_in *>(&ip)->sin_port) & 0xff;
|
|
if (rule.v.ipv4.mask > 32) rule.v.ipv4.mask = 32;
|
|
return true;
|
|
} else if (t == "MATCH_IPV6_SOURCE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IPV6_SOURCE;
|
|
InetAddress ip(_jS(r["ip"],"::0"));
|
|
memcpy(rule.v.ipv6.ip,reinterpret_cast<struct sockaddr_in6 *>(&ip)->sin6_addr.s6_addr,16);
|
|
rule.v.ipv6.mask = Utils::ntoh(reinterpret_cast<struct sockaddr_in6 *>(&ip)->sin6_port) & 0xff;
|
|
if (rule.v.ipv6.mask > 128) rule.v.ipv6.mask = 128;
|
|
return true;
|
|
} else if (t == "MATCH_IPV6_DEST") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IPV6_DEST;
|
|
InetAddress ip(_jS(r["ip"],"::0"));
|
|
memcpy(rule.v.ipv6.ip,reinterpret_cast<struct sockaddr_in6 *>(&ip)->sin6_addr.s6_addr,16);
|
|
rule.v.ipv6.mask = Utils::ntoh(reinterpret_cast<struct sockaddr_in6 *>(&ip)->sin6_port) & 0xff;
|
|
if (rule.v.ipv6.mask > 128) rule.v.ipv6.mask = 128;
|
|
return true;
|
|
} else if (t == "MATCH_IP_TOS") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IP_TOS;
|
|
rule.v.ipTos = (uint8_t)(_jI(r["ipTos"],0ULL) & 0xffULL);
|
|
return true;
|
|
} else if (t == "MATCH_IP_PROTOCOL") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IP_PROTOCOL;
|
|
rule.v.ipProtocol = (uint8_t)(_jI(r["ipProtocol"],0ULL) & 0xffULL);
|
|
return true;
|
|
} else if (t == "MATCH_ETHERTYPE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_ETHERTYPE;
|
|
rule.v.etherType = (uint16_t)(_jI(r["etherType"],0ULL) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_ICMP") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_ICMP;
|
|
rule.v.icmp.type = (uint8_t)(_jI(r["icmpType"],0ULL) & 0xffULL);
|
|
json &code = r["icmpCode"];
|
|
if (code.is_null()) {
|
|
rule.v.icmp.code = 0;
|
|
rule.v.icmp.flags = 0x00;
|
|
} else {
|
|
rule.v.icmp.code = (uint8_t)(_jI(code,0ULL) & 0xffULL);
|
|
rule.v.icmp.flags = 0x01;
|
|
}
|
|
return true;
|
|
} else if (t == "MATCH_IP_SOURCE_PORT_RANGE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE;
|
|
rule.v.port[0] = (uint16_t)(_jI(r["start"],0ULL) & 0xffffULL);
|
|
rule.v.port[1] = (uint16_t)(_jI(r["end"],(uint64_t)rule.v.port[0]) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_IP_DEST_PORT_RANGE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE;
|
|
rule.v.port[0] = (uint16_t)(_jI(r["start"],0ULL) & 0xffffULL);
|
|
rule.v.port[1] = (uint16_t)(_jI(r["end"],(uint64_t)rule.v.port[0]) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_CHARACTERISTICS") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_CHARACTERISTICS;
|
|
if (r.count("mask")) {
|
|
json &v = r["mask"];
|
|
if (v.is_number()) {
|
|
rule.v.characteristics = v;
|
|
} else {
|
|
std::string tmp = v;
|
|
rule.v.characteristics = Utils::hexStrToU64(tmp.c_str());
|
|
}
|
|
}
|
|
return true;
|
|
} else if (t == "MATCH_FRAME_SIZE_RANGE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE;
|
|
rule.v.frameSize[0] = (uint16_t)(_jI(r["start"],0ULL) & 0xffffULL);
|
|
rule.v.frameSize[1] = (uint16_t)(_jI(r["end"],(uint64_t)rule.v.frameSize[0]) & 0xffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_RANDOM") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_RANDOM;
|
|
rule.v.randomProbability = (uint32_t)(_jI(r["probability"],0ULL) & 0xffffffffULL);
|
|
} else if (t == "MATCH_TAGS_DIFFERENCE") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE;
|
|
rule.v.tag.id = (uint32_t)(_jI(r["id"],0ULL) & 0xffffffffULL);
|
|
rule.v.tag.value = (uint32_t)(_jI(r["value"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_TAGS_BITWISE_AND") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND;
|
|
rule.v.tag.id = (uint32_t)(_jI(r["id"],0ULL) & 0xffffffffULL);
|
|
rule.v.tag.value = (uint32_t)(_jI(r["value"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_TAGS_BITWISE_OR") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR;
|
|
rule.v.tag.id = (uint32_t)(_jI(r["id"],0ULL) & 0xffffffffULL);
|
|
rule.v.tag.value = (uint32_t)(_jI(r["value"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_TAGS_BITWISE_XOR") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR;
|
|
rule.v.tag.id = (uint32_t)(_jI(r["id"],0ULL) & 0xffffffffULL);
|
|
rule.v.tag.value = (uint32_t)(_jI(r["value"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
} else if (t == "MATCH_TAGS_EQUAL") {
|
|
rule.t |= ZT_NETWORK_RULE_MATCH_TAGS_EQUAL;
|
|
rule.v.tag.id = (uint32_t)(_jI(r["id"],0ULL) & 0xffffffffULL);
|
|
rule.v.tag.value = (uint32_t)(_jI(r["value"],0ULL) & 0xffffffffULL);
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
EmbeddedNetworkController::EmbeddedNetworkController(Node *node,const char *dbPath) :
|
|
_threadsStarted(false),
|
|
_db(dbPath),
|
|
_node(node)
|
|
{
|
|
OSUtils::mkdir(dbPath);
|
|
OSUtils::lockDownFile(dbPath,true); // networks might contain auth tokens, etc., so restrict directory permissions
|
|
}
|
|
|
|
EmbeddedNetworkController::~EmbeddedNetworkController()
|
|
{
|
|
Mutex::Lock _l(_threads_m);
|
|
if (_threadsStarted) {
|
|
for(int i=0;i<(ZT_EMBEDDEDNETWORKCONTROLLER_BACKGROUND_THREAD_COUNT*2);++i)
|
|
_queue.post((_RQEntry *)0);
|
|
for(int i=0;i<ZT_EMBEDDEDNETWORKCONTROLLER_BACKGROUND_THREAD_COUNT;++i)
|
|
Thread::join(_threads[i]);
|
|
}
|
|
}
|
|
|
|
void EmbeddedNetworkController::init(const Identity &signingId,Sender *sender)
|
|
{
|
|
this->_sender = sender;
|
|
this->_signingId = signingId;
|
|
}
|
|
|
|
void EmbeddedNetworkController::request(
|
|
uint64_t nwid,
|
|
const InetAddress &fromAddr,
|
|
uint64_t requestPacketId,
|
|
const Identity &identity,
|
|
const Dictionary<ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY> &metaData)
|
|
{
|
|
if (((!_signingId)||(!_signingId.hasPrivate()))||(_signingId.address().toInt() != (nwid >> 24))||(!_sender))
|
|
return;
|
|
|
|
{
|
|
Mutex::Lock _l(_threads_m);
|
|
if (!_threadsStarted) {
|
|
for(int i=0;i<ZT_EMBEDDEDNETWORKCONTROLLER_BACKGROUND_THREAD_COUNT;++i)
|
|
_threads[i] = Thread::start(this);
|
|
}
|
|
_threadsStarted = true;
|
|
}
|
|
|
|
_RQEntry *qe = new _RQEntry;
|
|
qe->nwid = nwid;
|
|
qe->requestPacketId = requestPacketId;
|
|
qe->fromAddr = fromAddr;
|
|
qe->identity = identity;
|
|
qe->metaData = metaData;
|
|
_queue.post(qe);
|
|
}
|
|
|
|
unsigned int EmbeddedNetworkController::handleControlPlaneHttpGET(
|
|
const std::vector<std::string> &path,
|
|
const std::map<std::string,std::string> &urlArgs,
|
|
const std::map<std::string,std::string> &headers,
|
|
const std::string &body,
|
|
std::string &responseBody,
|
|
std::string &responseContentType)
|
|
{
|
|
if ((path.size() > 0)&&(path[0] == "network")) {
|
|
|
|
if ((path.size() >= 2)&&(path[1].length() == 16)) {
|
|
const uint64_t nwid = Utils::hexStrToU64(path[1].c_str());
|
|
char nwids[24];
|
|
Utils::snprintf(nwids,sizeof(nwids),"%.16llx",(unsigned long long)nwid);
|
|
|
|
json network;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
network = _db.get("network",nwids,0);
|
|
}
|
|
if (!network.size())
|
|
return 404;
|
|
|
|
if (path.size() >= 3) {
|
|
|
|
if (path[2] == "member") {
|
|
|
|
if (path.size() >= 4) {
|
|
const uint64_t address = Utils::hexStrToU64(path[3].c_str());
|
|
|
|
json member;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
member = _db.get("network",nwids,"member",Address(address).toString(),0);
|
|
}
|
|
if (!member.size())
|
|
return 404;
|
|
|
|
_addMemberNonPersistedFields(member,OSUtils::now());
|
|
responseBody = member.dump(2);
|
|
responseContentType = "application/json";
|
|
|
|
return 200;
|
|
} else {
|
|
|
|
Mutex::Lock _l(_db_m);
|
|
|
|
responseBody = "{";
|
|
std::string pfx(std::string("network/") + nwids + "member/");
|
|
_db.filter(pfx,120000,[&responseBody](const std::string &n,const json &member) {
|
|
if (member.size() > 0) {
|
|
responseBody.append((responseBody.length() == 1) ? "\"" : ",\"");
|
|
responseBody.append(_jS(member["id"],""));
|
|
responseBody.append("\":");
|
|
responseBody.append(_jS(member["revision"],"0"));
|
|
}
|
|
return true; // never delete
|
|
});
|
|
responseBody.push_back('}');
|
|
responseContentType = "application/json";
|
|
|
|
return 200;
|
|
}
|
|
|
|
} else if ((path[2] == "test")&&(path.size() >= 4)) {
|
|
|
|
Mutex::Lock _l(_circuitTests_m);
|
|
std::map< uint64_t,_CircuitTestEntry >::iterator cte(_circuitTests.find(Utils::hexStrToU64(path[3].c_str())));
|
|
if ((cte != _circuitTests.end())&&(cte->second.test)) {
|
|
|
|
responseBody = "[";
|
|
responseBody.append(cte->second.jsonResults);
|
|
responseBody.push_back(']');
|
|
responseContentType = "application/json";
|
|
|
|
return 200;
|
|
|
|
} // else 404
|
|
|
|
} // else 404
|
|
|
|
} else {
|
|
|
|
const uint64_t now = OSUtils::now();
|
|
_NetworkMemberInfo nmi;
|
|
_getNetworkMemberInfo(now,nwid,nmi);
|
|
_addNetworkNonPersistedFields(network,now,nmi);
|
|
responseBody = network.dump(2);
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
|
|
}
|
|
} else if (path.size() == 1) {
|
|
|
|
std::set<std::string> networkIds;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
_db.filter("network/",120000,[&networkIds](const std::string &n,const json &obj) {
|
|
if (n.length() == (16 + 8))
|
|
networkIds.insert(n.substr(8));
|
|
return true; // do not delete
|
|
});
|
|
}
|
|
|
|
responseBody.push_back('[');
|
|
for(std::set<std::string>::iterator i(networkIds.begin());i!=networkIds.end();++i) {
|
|
responseBody.append((responseBody.length() == 1) ? "\"" : ",\"");
|
|
responseBody.append(*i);
|
|
responseBody.append("\"");
|
|
}
|
|
responseBody.push_back(']');
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
|
|
} // else 404
|
|
|
|
} else {
|
|
|
|
char tmp[4096];
|
|
Utils::snprintf(tmp,sizeof(tmp),"{\n\t\"controller\": true,\n\t\"apiVersion\": %d,\n\t\"clock\": %llu\n}\n",ZT_NETCONF_CONTROLLER_API_VERSION,(unsigned long long)OSUtils::now());
|
|
responseBody = tmp;
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
|
|
}
|
|
|
|
return 404;
|
|
}
|
|
|
|
unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
|
|
const std::vector<std::string> &path,
|
|
const std::map<std::string,std::string> &urlArgs,
|
|
const std::map<std::string,std::string> &headers,
|
|
const std::string &body,
|
|
std::string &responseBody,
|
|
std::string &responseContentType)
|
|
{
|
|
if (path.empty())
|
|
return 404;
|
|
|
|
json b;
|
|
try {
|
|
b = json::parse(body);
|
|
if (!b.is_object()) {
|
|
responseBody = "{ \"message\": \"body is not a JSON object\" }";
|
|
responseContentType = "application/json";
|
|
return 400;
|
|
}
|
|
} catch ( ... ) {
|
|
responseBody = "{ \"message\": \"body JSON is invalid\" }";
|
|
responseContentType = "application/json";
|
|
return 400;
|
|
}
|
|
const uint64_t now = OSUtils::now();
|
|
|
|
if (path[0] == "network") {
|
|
|
|
if ((path.size() >= 2)&&(path[1].length() == 16)) {
|
|
uint64_t nwid = Utils::hexStrToU64(path[1].c_str());
|
|
char nwids[24];
|
|
Utils::snprintf(nwids,sizeof(nwids),"%.16llx",(unsigned long long)nwid);
|
|
|
|
if (path.size() >= 3) {
|
|
|
|
if ((path.size() == 4)&&(path[2] == "member")&&(path[3].length() == 10)) {
|
|
uint64_t address = Utils::hexStrToU64(path[3].c_str());
|
|
char addrs[24];
|
|
Utils::snprintf(addrs,sizeof(addrs),"%.10llx",(unsigned long long)address);
|
|
|
|
json member;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
member = _db.get("network",nwids,"member",Address(address).toString(),0);
|
|
}
|
|
json origMember(member); // for detecting changes
|
|
_initMember(member);
|
|
|
|
try {
|
|
if (b.count("activeBridge")) member["activeBridge"] = _jB(b["activeBridge"],false);
|
|
if (b.count("noAutoAssignIps")) member["noAutoAssignIps"] = _jB(b["noAutoAssignIps"],false);
|
|
|
|
if (b.count("authorized")) {
|
|
const bool newAuth = _jB(b["authorized"],false);
|
|
if (newAuth != _jB(member["authorized"],false)) {
|
|
member["authorized"] = newAuth;
|
|
member[((newAuth) ? "lastAuthorizedTime" : "lastDeauthorizedTime")] = now;
|
|
|
|
json ah;
|
|
ah["a"] = newAuth;
|
|
ah["by"] = "api";
|
|
ah["ts"] = now;
|
|
ah["ct"] = json();
|
|
ah["c"] = json();
|
|
member["authHistory"].push_back(ah);
|
|
}
|
|
}
|
|
|
|
if (b.count("ipAssignments")) {
|
|
json &ipa = b["ipAssignments"];
|
|
if (ipa.is_array()) {
|
|
json mipa(json::array());
|
|
for(unsigned long i=0;i<ipa.size();++i) {
|
|
std::string ips = ipa[i];
|
|
InetAddress ip(ips);
|
|
if ((ip.ss_family == AF_INET)||(ip.ss_family == AF_INET6)) {
|
|
mipa.push_back(ip.toIpString());
|
|
}
|
|
}
|
|
member["ipAssignments"] = mipa;
|
|
}
|
|
}
|
|
|
|
if (b.count("tags")) {
|
|
json &tags = b["tags"];
|
|
if (tags.is_array()) {
|
|
std::map<uint64_t,uint64_t> mtags;
|
|
for(unsigned long i=0;i<tags.size();++i) {
|
|
json &tag = tags[i];
|
|
if ((tag.is_array())&&(tag.size() == 2))
|
|
mtags[_jI(tag[0],0ULL) & 0xffffffffULL] = _jI(tag[1],0ULL) & 0xffffffffULL;
|
|
}
|
|
json mtagsa = json::array();
|
|
for(std::map<uint64_t,uint64_t>::iterator t(mtags.begin());t!=mtags.end();++t) {
|
|
json ta = json::array();
|
|
ta.push_back(t->first);
|
|
ta.push_back(t->second);
|
|
mtagsa.push_back(ta);
|
|
}
|
|
member["tags"] = mtagsa;
|
|
}
|
|
}
|
|
|
|
if (b.count("capabilities")) {
|
|
json &capabilities = b["capabilities"];
|
|
if (capabilities.is_array()) {
|
|
json mcaps = json::array();
|
|
for(unsigned long i=0;i<capabilities.size();++i) {
|
|
mcaps.push_back(_jI(capabilities[i],0ULL));
|
|
}
|
|
std::sort(mcaps.begin(),mcaps.end());
|
|
mcaps.erase(std::unique(mcaps.begin(),mcaps.end()),mcaps.end());
|
|
member["capabilities"] = mcaps;
|
|
}
|
|
}
|
|
} catch ( ... ) {
|
|
responseBody = "{ \"message\": \"exception while processing parameters in JSON body\" }";
|
|
responseContentType = "application/json";
|
|
return 400;
|
|
}
|
|
|
|
member["id"] = addrs;
|
|
member["address"] = addrs; // legacy
|
|
member["nwid"] = nwids;
|
|
|
|
if (member != origMember) {
|
|
member["lastModified"] = now;
|
|
json &revj = member["revision"];
|
|
member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
_db.put("network",nwids,"member",Address(address).toString(),member);
|
|
}
|
|
_pushMemberUpdate(now,nwid,member);
|
|
}
|
|
|
|
// Add non-persisted fields
|
|
member["clock"] = now;
|
|
|
|
responseBody = member.dump(2);
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
} else if ((path.size() == 3)&&(path[2] == "test")) {
|
|
|
|
Mutex::Lock _l(_circuitTests_m);
|
|
|
|
ZT_CircuitTest *test = (ZT_CircuitTest *)malloc(sizeof(ZT_CircuitTest));
|
|
memset(test,0,sizeof(ZT_CircuitTest));
|
|
|
|
Utils::getSecureRandom(&(test->testId),sizeof(test->testId));
|
|
test->credentialNetworkId = nwid;
|
|
test->ptr = (void *)this;
|
|
json hops = b["hops"];
|
|
if (hops.is_array()) {
|
|
for(unsigned long i=0;i<hops.size();++i) {
|
|
json &hops2 = hops[i];
|
|
if (hops2.is_array()) {
|
|
for(unsigned long j=0;j<hops2.size();++j) {
|
|
std::string s = hops2[j];
|
|
test->hops[test->hopCount].addresses[test->hops[test->hopCount].breadth++] = Utils::hexStrToU64(s.c_str()) & 0xffffffffffULL;
|
|
}
|
|
} else if (hops2.is_string()) {
|
|
std::string s = hops2;
|
|
test->hops[test->hopCount].addresses[test->hops[test->hopCount].breadth++] = Utils::hexStrToU64(s.c_str()) & 0xffffffffffULL;
|
|
}
|
|
}
|
|
}
|
|
test->reportAtEveryHop = (_jB(b["reportAtEveryHop"],true) ? 1 : 0);
|
|
|
|
if (!test->hopCount) {
|
|
::free((void *)test);
|
|
responseBody = "{ \"message\": \"a test must contain at least one hop\" }";
|
|
responseContentType = "application/json";
|
|
return 400;
|
|
}
|
|
|
|
test->timestamp = OSUtils::now();
|
|
|
|
_CircuitTestEntry &te = _circuitTests[test->testId];
|
|
te.test = test;
|
|
te.jsonResults = "";
|
|
|
|
if (_node)
|
|
_node->circuitTestBegin(test,&(EmbeddedNetworkController::_circuitTestCallback));
|
|
else return 500;
|
|
|
|
char json[1024];
|
|
Utils::snprintf(json,sizeof(json),"{\"testId\":\"%.16llx\"}",test->testId);
|
|
responseBody = json;
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
|
|
} // else 404
|
|
|
|
} else {
|
|
// POST to network ID
|
|
|
|
json network;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
|
|
// Magic ID ending with ______ picks a random unused network ID
|
|
if (path[1].substr(10) == "______") {
|
|
nwid = 0;
|
|
uint64_t nwidPrefix = (Utils::hexStrToU64(path[1].substr(0,10).c_str()) << 24) & 0xffffffffff000000ULL;
|
|
uint64_t nwidPostfix = 0;
|
|
for(unsigned long k=0;k<100000;++k) { // sanity limit on trials
|
|
Utils::getSecureRandom(&nwidPostfix,sizeof(nwidPostfix));
|
|
uint64_t tryNwid = nwidPrefix | (nwidPostfix & 0xffffffULL);
|
|
if ((tryNwid & 0xffffffULL) == 0ULL) tryNwid |= 1ULL;
|
|
Utils::snprintf(nwids,sizeof(nwids),"%.16llx",(unsigned long long)tryNwid);
|
|
if (_db.get("network",nwids,120000).size() <= 0) {
|
|
nwid = tryNwid;
|
|
break;
|
|
}
|
|
}
|
|
if (!nwid)
|
|
return 503;
|
|
}
|
|
|
|
network = _db.get("network",nwids,0);
|
|
}
|
|
json origNetwork(network); // for detecting changes
|
|
_initNetwork(network);
|
|
|
|
try {
|
|
if (b.count("name")) network["name"] = _jS(b["name"],"");
|
|
if (b.count("private")) network["private"] = _jB(b["private"],true);
|
|
if (b.count("enableBroadcast")) network["enableBroadcast"] = _jB(b["enableBroadcast"],false);
|
|
if (b.count("allowPassiveBridging")) network["allowPassiveBridging"] = _jB(b["allowPassiveBridging"],false);
|
|
if (b.count("multicastLimit")) network["multicastLimit"] = _jI(b["multicastLimit"],32ULL);
|
|
|
|
if (b.count("v4AssignMode")) {
|
|
json nv4m;
|
|
json &v4m = b["v4AssignMode"];
|
|
if (v4m.is_string()) { // backward compatibility
|
|
nv4m["zt"] = (_jS(v4m,"") == "zt");
|
|
} else if (v4m.is_object()) {
|
|
nv4m["zt"] = _jB(v4m["zt"],false);
|
|
} else nv4m["zt"] = false;
|
|
network["v4AssignMode"] = nv4m;
|
|
}
|
|
|
|
if (b.count("v6AssignMode")) {
|
|
json nv6m;
|
|
json &v6m = b["v6AssignMode"];
|
|
if (!nv6m.is_object()) nv6m = json::object();
|
|
if (v6m.is_string()) { // backward compatibility
|
|
std::vector<std::string> v6ms(Utils::split(_jS(v6m,"").c_str(),",","",""));
|
|
std::sort(v6ms.begin(),v6ms.end());
|
|
v6ms.erase(std::unique(v6ms.begin(),v6ms.end()),v6ms.end());
|
|
nv6m["rfc4193"] = false;
|
|
nv6m["zt"] = false;
|
|
nv6m["6plane"] = false;
|
|
for(std::vector<std::string>::iterator i(v6ms.begin());i!=v6ms.end();++i) {
|
|
if (*i == "rfc4193")
|
|
nv6m["rfc4193"] = true;
|
|
else if (*i == "zt")
|
|
nv6m["zt"] = true;
|
|
else if (*i == "6plane")
|
|
nv6m["6plane"] = true;
|
|
}
|
|
} else if (v6m.is_object()) {
|
|
if (v6m.count("rfc4193")) nv6m["rfc4193"] = _jB(v6m["rfc4193"],false);
|
|
if (v6m.count("zt")) nv6m["zt"] = _jB(v6m["zt"],false);
|
|
if (v6m.count("6plane")) nv6m["6plane"] = _jB(v6m["6plane"],false);
|
|
} else {
|
|
nv6m["rfc4193"] = false;
|
|
nv6m["zt"] = false;
|
|
nv6m["6plane"] = false;
|
|
}
|
|
network["v6AssignMode"] = nv6m;
|
|
}
|
|
|
|
if (b.count("routes")) {
|
|
json &rts = b["routes"];
|
|
if (rts.is_array()) {
|
|
json nrts = json::array();
|
|
for(unsigned long i=0;i<rts.size();++i) {
|
|
json &rt = rts[i];
|
|
if (rt.is_object()) {
|
|
json &target = rt["target"];
|
|
json &via = rt["via"];
|
|
if (target.is_string()) {
|
|
InetAddress t(target.get<std::string>());
|
|
InetAddress v;
|
|
if (via.is_string()) v.fromString(via.get<std::string>());
|
|
if ( ((t.ss_family == AF_INET)||(t.ss_family == AF_INET6)) && (t.netmaskBitsValid()) ) {
|
|
json tmp;
|
|
tmp["target"] = t.toString();
|
|
if (v.ss_family == t.ss_family)
|
|
tmp["via"] = v.toIpString();
|
|
else tmp["via"] = json();
|
|
nrts.push_back(tmp);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
network["routes"] = nrts;
|
|
}
|
|
}
|
|
|
|
if (b.count("ipAssignmentPools")) {
|
|
json &ipp = b["ipAssignmentPools"];
|
|
if (ipp.is_array()) {
|
|
json nipp = json::array();
|
|
for(unsigned long i=0;i<ipp.size();++i) {
|
|
json &ip = ipp[i];
|
|
if ((ip.is_object())&&(ip.count("ipRangeStart"))&&(ip.count("ipRangeEnd"))) {
|
|
InetAddress f(_jS(ip["ipRangeStart"],""));
|
|
InetAddress t(_jS(ip["ipRangeEnd"],""));
|
|
if ( ((f.ss_family == AF_INET)||(f.ss_family == AF_INET6)) && (f.ss_family == t.ss_family) ) {
|
|
json tmp = json::object();
|
|
tmp["ipRangeStart"] = f.toIpString();
|
|
tmp["ipRangeEnd"] = t.toIpString();
|
|
nipp.push_back(tmp);
|
|
}
|
|
}
|
|
}
|
|
network["ipAssignmentPools"] = nipp;
|
|
}
|
|
}
|
|
|
|
if (b.count("rules")) {
|
|
json &rules = b["rules"];
|
|
if (rules.is_array()) {
|
|
json nrules = json::array();
|
|
for(unsigned long i=0;i<rules.size();++i) {
|
|
json &rule = rules[i];
|
|
if (rule.is_object()) {
|
|
ZT_VirtualNetworkRule ztr;
|
|
if (_parseRule(rule,ztr))
|
|
nrules.push_back(_renderRule(ztr));
|
|
}
|
|
}
|
|
network["rules"] = nrules;
|
|
}
|
|
}
|
|
|
|
if (b.count("authTokens")) {
|
|
json &authTokens = b["authTokens"];
|
|
if (authTokens.is_array()) {
|
|
json nat = json::array();
|
|
for(unsigned long i=0;i<authTokens.size();++i) {
|
|
json &token = authTokens[i];
|
|
if (token.is_object()) {
|
|
std::string tstr = token["token"];
|
|
if (tstr.length() > 0) {
|
|
json t = json::object();
|
|
t["token"] = tstr;
|
|
t["expires"] = _jI(token["expires"],0ULL);
|
|
t["maxUsesPerMember"] = _jI(token["maxUsesPerMember"],0ULL);
|
|
nat.push_back(t);
|
|
}
|
|
}
|
|
}
|
|
network["authTokens"] = nat;
|
|
}
|
|
}
|
|
|
|
if (b.count("capabilities")) {
|
|
json &capabilities = b["capabilities"];
|
|
if (capabilities.is_array()) {
|
|
std::map< uint64_t,json > ncaps;
|
|
for(unsigned long i=0;i<capabilities.size();++i) {
|
|
json &cap = capabilities[i];
|
|
if (cap.is_object()) {
|
|
json ncap = json::object();
|
|
const uint64_t capId = _jI(cap["id"],0ULL);
|
|
ncap["id"] = capId;
|
|
|
|
json &rules = cap["rules"];
|
|
json nrules = json::array();
|
|
if (rules.is_array()) {
|
|
for(unsigned long i=0;i<rules.size();++i) {
|
|
json &rule = rules[i];
|
|
if (rule.is_object()) {
|
|
ZT_VirtualNetworkRule ztr;
|
|
if (_parseRule(rule,ztr))
|
|
nrules.push_back(_renderRule(ztr));
|
|
}
|
|
}
|
|
}
|
|
ncap["rules"] = nrules;
|
|
|
|
ncaps[capId] = ncap;
|
|
}
|
|
}
|
|
|
|
json ncapsa = json::array();
|
|
for(std::map< uint64_t,json >::iterator c(ncaps.begin());c!=ncaps.end();++c)
|
|
ncapsa.push_back(c->second);
|
|
network["capabilities"] = ncapsa;
|
|
}
|
|
}
|
|
} catch ( ... ) {
|
|
responseBody = "{ \"message\": \"exception occurred while parsing body variables\" }";
|
|
responseContentType = "application/json";
|
|
return 400;
|
|
}
|
|
|
|
network["id"] = nwids;
|
|
network["nwid"] = nwids; // legacy
|
|
|
|
if (network != origNetwork) {
|
|
json &revj = network["revision"];
|
|
network["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
|
|
network["lastModified"] = now;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
_db.put("network",nwids,network);
|
|
}
|
|
std::string pfx("network/"); pfx.append(nwids); pfx.append("/member/");
|
|
_db.filter(pfx,120000,[this,&now,&nwid](const std::string &n,const json &obj) {
|
|
_pushMemberUpdate(now,nwid,obj);
|
|
return true; // do not delete
|
|
});
|
|
}
|
|
|
|
_NetworkMemberInfo nmi;
|
|
_getNetworkMemberInfo(now,nwid,nmi);
|
|
_addNetworkNonPersistedFields(network,now,nmi);
|
|
|
|
responseBody = network.dump(2);
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
} // else 404
|
|
|
|
} // else 404
|
|
|
|
} // else 404
|
|
|
|
return 404;
|
|
}
|
|
|
|
unsigned int EmbeddedNetworkController::handleControlPlaneHttpDELETE(
|
|
const std::vector<std::string> &path,
|
|
const std::map<std::string,std::string> &urlArgs,
|
|
const std::map<std::string,std::string> &headers,
|
|
const std::string &body,
|
|
std::string &responseBody,
|
|
std::string &responseContentType)
|
|
{
|
|
if (path.empty())
|
|
return 404;
|
|
|
|
if (path[0] == "network") {
|
|
if ((path.size() >= 2)&&(path[1].length() == 16)) {
|
|
const uint64_t nwid = Utils::hexStrToU64(path[1].c_str());
|
|
|
|
char nwids[24];
|
|
Utils::snprintf(nwids,sizeof(nwids),"%.16llx",nwid);
|
|
json network;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
network = _db.get("network",nwids,0);
|
|
}
|
|
if (!network.size())
|
|
return 404;
|
|
|
|
if (path.size() >= 3) {
|
|
if ((path.size() == 4)&&(path[2] == "member")&&(path[3].length() == 10)) {
|
|
const uint64_t address = Utils::hexStrToU64(path[3].c_str());
|
|
|
|
Mutex::Lock _l(_db_m);
|
|
|
|
json member = _db.get("network",nwids,"member",Address(address).toString(),0);
|
|
_db.erase("network",nwids,"member",Address(address).toString());
|
|
|
|
if (!member.size())
|
|
return 404;
|
|
responseBody = member.dump(2);
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
}
|
|
} else {
|
|
Mutex::Lock _l(_db_m);
|
|
|
|
std::string pfx("network/"); pfx.append(nwids);
|
|
_db.filter(pfx,120000,[](const std::string &n,const json &obj) {
|
|
return false; // delete
|
|
});
|
|
|
|
Mutex::Lock _l2(_nmiCache_m);
|
|
_nmiCache.erase(nwid);
|
|
|
|
responseBody = network.dump(2);
|
|
responseContentType = "application/json";
|
|
return 200;
|
|
}
|
|
} // else 404
|
|
|
|
} // else 404
|
|
|
|
return 404;
|
|
}
|
|
|
|
void EmbeddedNetworkController::threadMain()
|
|
throw()
|
|
{
|
|
for(;;) {
|
|
_RQEntry *const qe = _queue.get();
|
|
if (!qe) break; // enqueue a NULL to terminate threads
|
|
try {
|
|
_request(qe->nwid,qe->fromAddr,qe->requestPacketId,qe->identity,qe->metaData);
|
|
} catch ( ... ) {}
|
|
delete qe;
|
|
}
|
|
}
|
|
|
|
void EmbeddedNetworkController::_circuitTestCallback(ZT_Node *node,ZT_CircuitTest *test,const ZT_CircuitTestReport *report)
|
|
{
|
|
char tmp[65535];
|
|
EmbeddedNetworkController *const self = reinterpret_cast<EmbeddedNetworkController *>(test->ptr);
|
|
|
|
if (!test)
|
|
return;
|
|
if (!report)
|
|
return;
|
|
|
|
Mutex::Lock _l(self->_circuitTests_m);
|
|
std::map< uint64_t,_CircuitTestEntry >::iterator cte(self->_circuitTests.find(test->testId));
|
|
|
|
if (cte == self->_circuitTests.end()) { // sanity check: a circuit test we didn't launch?
|
|
self->_node->circuitTestEnd(test);
|
|
::free((void *)test);
|
|
return;
|
|
}
|
|
|
|
Utils::snprintf(tmp,sizeof(tmp),
|
|
"%s{\n"
|
|
"\t\"timestamp\": %llu," ZT_EOL_S
|
|
"\t\"testId\": \"%.16llx\"," ZT_EOL_S
|
|
"\t\"upstream\": \"%.10llx\"," ZT_EOL_S
|
|
"\t\"current\": \"%.10llx\"," ZT_EOL_S
|
|
"\t\"receivedTimestamp\": %llu," ZT_EOL_S
|
|
"\t\"sourcePacketId\": \"%.16llx\"," ZT_EOL_S
|
|
"\t\"flags\": %llu," ZT_EOL_S
|
|
"\t\"sourcePacketHopCount\": %u," ZT_EOL_S
|
|
"\t\"errorCode\": %u," ZT_EOL_S
|
|
"\t\"vendor\": %d," ZT_EOL_S
|
|
"\t\"protocolVersion\": %u," ZT_EOL_S
|
|
"\t\"majorVersion\": %u," ZT_EOL_S
|
|
"\t\"minorVersion\": %u," ZT_EOL_S
|
|
"\t\"revision\": %u," ZT_EOL_S
|
|
"\t\"platform\": %d," ZT_EOL_S
|
|
"\t\"architecture\": %d," ZT_EOL_S
|
|
"\t\"receivedOnLocalAddress\": \"%s\"," ZT_EOL_S
|
|
"\t\"receivedFromRemoteAddress\": \"%s\"" ZT_EOL_S
|
|
"}",
|
|
((cte->second.jsonResults.length() > 0) ? ",\n" : ""),
|
|
(unsigned long long)report->timestamp,
|
|
(unsigned long long)test->testId,
|
|
(unsigned long long)report->upstream,
|
|
(unsigned long long)report->current,
|
|
(unsigned long long)OSUtils::now(),
|
|
(unsigned long long)report->sourcePacketId,
|
|
(unsigned long long)report->flags,
|
|
report->sourcePacketHopCount,
|
|
report->errorCode,
|
|
(int)report->vendor,
|
|
report->protocolVersion,
|
|
report->majorVersion,
|
|
report->minorVersion,
|
|
report->revision,
|
|
(int)report->platform,
|
|
(int)report->architecture,
|
|
reinterpret_cast<const InetAddress *>(&(report->receivedOnLocalAddress))->toString().c_str(),
|
|
reinterpret_cast<const InetAddress *>(&(report->receivedFromRemoteAddress))->toString().c_str());
|
|
|
|
cte->second.jsonResults.append(tmp);
|
|
}
|
|
|
|
void EmbeddedNetworkController::_request(
|
|
uint64_t nwid,
|
|
const InetAddress &fromAddr,
|
|
uint64_t requestPacketId,
|
|
const Identity &identity,
|
|
const Dictionary<ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY> &metaData)
|
|
{
|
|
if (((!_signingId)||(!_signingId.hasPrivate()))||(_signingId.address().toInt() != (nwid >> 24))||(!_sender))
|
|
return;
|
|
|
|
const uint64_t now = OSUtils::now();
|
|
|
|
if (requestPacketId) {
|
|
Mutex::Lock _l(_lastRequestTime_m);
|
|
uint64_t &lrt = _lastRequestTime[std::pair<uint64_t,uint64_t>(identity.address().toInt(),nwid)];
|
|
if ((now - lrt) <= ZT_NETCONF_MIN_REQUEST_PERIOD)
|
|
return;
|
|
lrt = now;
|
|
}
|
|
|
|
char nwids[24];
|
|
Utils::snprintf(nwids,sizeof(nwids),"%.16llx",nwid);
|
|
json network;
|
|
json member;
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
network = _db.get("network",nwids,0);
|
|
member = _db.get("network",nwids,"member",identity.address().toString(),0);
|
|
}
|
|
|
|
if (!network.size()) {
|
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_OBJECT_NOT_FOUND);
|
|
return;
|
|
}
|
|
|
|
json origMember(member); // for detecting modification later
|
|
_initMember(member);
|
|
|
|
{
|
|
std::string haveIdStr(_jS(member["identity"],""));
|
|
if (haveIdStr.length() > 0) {
|
|
// If we already know this member's identity perform a full compare. This prevents
|
|
// a "collision" from being able to auth onto our network in place of an already
|
|
// known member.
|
|
try {
|
|
if (Identity(haveIdStr.c_str()) != identity) {
|
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_ACCESS_DENIED);
|
|
return;
|
|
}
|
|
} catch ( ... ) {
|
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_ACCESS_DENIED);
|
|
return;
|
|
}
|
|
} else {
|
|
// If we do not yet know this member's identity, learn it.
|
|
member["identity"] = identity.toString(false);
|
|
}
|
|
}
|
|
|
|
// These are always the same, but make sure they are set
|
|
member["id"] = identity.address().toString();
|
|
member["address"] = member["id"];
|
|
member["nwid"] = nwids;
|
|
|
|
// Determine whether and how member is authorized
|
|
const char *authorizedBy = (const char *)0;
|
|
bool autoAuthorized = false;
|
|
json autoAuthCredentialType,autoAuthCredential;
|
|
if (_jB(member["authorized"],false)) {
|
|
authorizedBy = "memberIsAuthorized";
|
|
} else if (!_jB(network["private"],true)) {
|
|
authorizedBy = "networkIsPublic";
|
|
if (!member.count("authorized"))
|
|
autoAuthorized = true;
|
|
} else {
|
|
char presentedAuth[512];
|
|
if (metaData.get(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_AUTH,presentedAuth,sizeof(presentedAuth)) > 0) {
|
|
presentedAuth[511] = (char)0; // sanity check
|
|
|
|
// Check for bearer token presented by member
|
|
if ((strlen(presentedAuth) > 6)&&(!strncmp(presentedAuth,"token:",6))) {
|
|
const char *const presentedToken = presentedAuth + 6;
|
|
|
|
json &authTokens = network["authTokens"];
|
|
if (authTokens.is_array()) {
|
|
for(unsigned long i=0;i<authTokens.size();++i) {
|
|
json &token = authTokens[i];
|
|
if (token.is_object()) {
|
|
const uint64_t expires = _jI(token["expires"],0ULL);
|
|
const uint64_t maxUses = _jI(token["maxUsesPerMember"],0ULL);
|
|
std::string tstr = _jS(token["token"],"");
|
|
|
|
if (((expires == 0ULL)||(expires > now))&&(tstr == presentedToken)) {
|
|
bool usable = (maxUses == 0);
|
|
if (!usable) {
|
|
uint64_t useCount = 0;
|
|
json &ahist = member["authHistory"];
|
|
if (ahist.is_array()) {
|
|
for(unsigned long j=0;j<ahist.size();++j) {
|
|
json &ah = ahist[j];
|
|
if ((_jS(ah["ct"],"") == "token")&&(_jS(ah["c"],"") == tstr)&&(_jB(ah["a"],false)))
|
|
++useCount;
|
|
}
|
|
}
|
|
usable = (useCount < maxUses);
|
|
}
|
|
if (usable) {
|
|
authorizedBy = "token";
|
|
autoAuthorized = true;
|
|
autoAuthCredentialType = "token";
|
|
autoAuthCredential = tstr;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// If we auto-authorized, update member record
|
|
if ((autoAuthorized)&&(authorizedBy)) {
|
|
member["authorized"] = true;
|
|
member["lastAuthorizedTime"] = now;
|
|
|
|
json ah;
|
|
ah["a"] = true;
|
|
ah["by"] = authorizedBy;
|
|
ah["ts"] = now;
|
|
ah["ct"] = autoAuthCredentialType;
|
|
ah["c"] = autoAuthCredential;
|
|
member["authHistory"].push_back(ah);
|
|
|
|
json &revj = member["revision"];
|
|
member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
|
|
}
|
|
|
|
// Log this request
|
|
if (requestPacketId) { // only log if this is a request, not for generated pushes
|
|
json rlEntry = json::object();
|
|
rlEntry["ts"] = now;
|
|
rlEntry["authorized"] = (authorizedBy) ? true : false;
|
|
rlEntry["authorizedBy"] = (authorizedBy) ? authorizedBy : "";
|
|
rlEntry["clientMajorVersion"] = metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION,0);
|
|
rlEntry["clientMinorVersion"] = metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MINOR_VERSION,0);
|
|
rlEntry["clientRevision"] = metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_REVISION,0);
|
|
rlEntry["clientProtocolVersion"] = metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_PROTOCOL_VERSION,0);
|
|
if (fromAddr)
|
|
rlEntry["fromAddr"] = fromAddr.toString();
|
|
|
|
json recentLog = json::array();
|
|
recentLog.push_back(rlEntry);
|
|
json &oldLog = member["recentLog"];
|
|
if (oldLog.is_array()) {
|
|
for(unsigned long i=0;i<oldLog.size();++i) {
|
|
recentLog.push_back(oldLog[i]);
|
|
if (recentLog.size() >= ZT_NETCONF_DB_MEMBER_HISTORY_LENGTH)
|
|
break;
|
|
}
|
|
}
|
|
member["recentLog"] = recentLog;
|
|
|
|
// Also only do this on real requests
|
|
member["lastRequestMetaData"] = metaData.data();
|
|
}
|
|
|
|
// If they are not authorized, STOP!
|
|
if (!authorizedBy) {
|
|
if (origMember != member) {
|
|
member["lastModified"] = now;
|
|
Mutex::Lock _l(_db_m);
|
|
_db.put("network",nwids,"member",identity.address().toString(),member);
|
|
}
|
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_ACCESS_DENIED);
|
|
return;
|
|
}
|
|
|
|
// -------------------------------------------------------------------------
|
|
// If we made it this far, they are authorized.
|
|
// -------------------------------------------------------------------------
|
|
|
|
NetworkConfig nc;
|
|
_NetworkMemberInfo nmi;
|
|
_getNetworkMemberInfo(now,nwid,nmi);
|
|
|
|
uint64_t credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA;
|
|
if (now > nmi.mostRecentDeauthTime) {
|
|
// If we recently de-authorized a member, shrink credential TTL/max delta to
|
|
// be below the threshold required to exclude it. Cap this to a min/max to
|
|
// prevent jitter or absurdly large values.
|
|
const uint64_t deauthWindow = now - nmi.mostRecentDeauthTime;
|
|
if (deauthWindow < ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA) {
|
|
credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA;
|
|
} else if (deauthWindow < (ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA + 5000ULL)) {
|
|
credentialtmd = deauthWindow - 5000ULL;
|
|
}
|
|
}
|
|
|
|
nc.networkId = nwid;
|
|
nc.type = _jB(network["private"],true) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC;
|
|
nc.timestamp = now;
|
|
nc.credentialTimeMaxDelta = credentialtmd;
|
|
nc.revision = _jI(network["revision"],0ULL);
|
|
nc.issuedTo = identity.address();
|
|
if (_jB(network["enableBroadcast"],true)) nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST;
|
|
if (_jB(network["allowPassiveBridging"],false)) nc.flags |= ZT_NETWORKCONFIG_FLAG_ALLOW_PASSIVE_BRIDGING;
|
|
Utils::scopy(nc.name,sizeof(nc.name),_jS(network["name"],"").c_str());
|
|
nc.multicastLimit = (unsigned int)_jI(network["multicastLimit"],32ULL);
|
|
|
|
for(std::set<Address>::const_iterator ab(nmi.activeBridges.begin());ab!=nmi.activeBridges.end();++ab) {
|
|
nc.addSpecialist(*ab,ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE);
|
|
}
|
|
|
|
json &v4AssignMode = network["v4AssignMode"];
|
|
json &v6AssignMode = network["v6AssignMode"];
|
|
json &ipAssignmentPools = network["ipAssignmentPools"];
|
|
json &routes = network["routes"];
|
|
json &rules = network["rules"];
|
|
json &capabilities = network["capabilities"];
|
|
json &memberCapabilities = member["capabilities"];
|
|
json &memberTags = member["tags"];
|
|
|
|
if (metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,0) <= 0) {
|
|
// Old versions with no rules engine support get an allow everything rule.
|
|
// Since rules are enforced bidirectionally, newer versions *will* still
|
|
// enforce rules on the inbound side.
|
|
nc.ruleCount = 1;
|
|
nc.rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT;
|
|
} else {
|
|
if (rules.is_array()) {
|
|
for(unsigned long i=0;i<rules.size();++i) {
|
|
if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
|
|
break;
|
|
if (_parseRule(rules[i],nc.rules[nc.ruleCount]))
|
|
++nc.ruleCount;
|
|
}
|
|
}
|
|
|
|
if ((memberCapabilities.is_array())&&(memberCapabilities.size() > 0)&&(capabilities.is_array())) {
|
|
std::map< uint64_t,json * > capsById;
|
|
for(unsigned long i=0;i<capabilities.size();++i) {
|
|
json &cap = capabilities[i];
|
|
if (cap.is_object())
|
|
capsById[_jI(cap["id"],0ULL) & 0xffffffffULL] = ∩
|
|
}
|
|
|
|
for(unsigned long i=0;i<memberCapabilities.size();++i) {
|
|
const uint64_t capId = _jI(memberCapabilities[i],0ULL) & 0xffffffffULL;
|
|
json *cap = capsById[capId];
|
|
if ((cap->is_object())&&(cap->size() > 0)) {
|
|
ZT_VirtualNetworkRule capr[ZT_MAX_CAPABILITY_RULES];
|
|
unsigned int caprc = 0;
|
|
json &caprj = (*cap)["rules"];
|
|
if ((caprj.is_array())&&(caprj.size() > 0)) {
|
|
for(unsigned long j=0;j<caprj.size();++j) {
|
|
if (caprc >= ZT_MAX_CAPABILITY_RULES)
|
|
break;
|
|
if (_parseRule(caprj[j],capr[caprc]))
|
|
++caprc;
|
|
}
|
|
}
|
|
nc.capabilities[nc.capabilityCount] = Capability((uint32_t)capId,nwid,now,1,capr,caprc);
|
|
if (nc.capabilities[nc.capabilityCount].sign(_signingId,identity.address()))
|
|
++nc.capabilityCount;
|
|
if (nc.capabilityCount >= ZT_MAX_NETWORK_CAPABILITIES)
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (memberTags.is_array()) {
|
|
std::map< uint32_t,uint32_t > tagsById;
|
|
for(unsigned long i=0;i<memberTags.size();++i) {
|
|
json &t = memberTags[i];
|
|
if ((t.is_array())&&(t.size() == 2))
|
|
tagsById[(uint32_t)(_jI(t[0],0ULL) & 0xffffffffULL)] = (uint32_t)(_jI(t[1],0ULL) & 0xffffffffULL);
|
|
}
|
|
for(std::map< uint32_t,uint32_t >::const_iterator t(tagsById.begin());t!=tagsById.end();++t) {
|
|
if (nc.tagCount >= ZT_MAX_NETWORK_TAGS)
|
|
break;
|
|
nc.tags[nc.tagCount] = Tag(nwid,now,identity.address(),t->first,t->second);
|
|
if (nc.tags[nc.tagCount].sign(_signingId))
|
|
++nc.tagCount;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (routes.is_array()) {
|
|
for(unsigned long i=0;i<routes.size();++i) {
|
|
if (nc.routeCount >= ZT_MAX_NETWORK_ROUTES)
|
|
break;
|
|
json &route = routes[i];
|
|
json &target = route["target"];
|
|
json &via = route["via"];
|
|
if (target.is_string()) {
|
|
const InetAddress t(target.get<std::string>());
|
|
InetAddress v;
|
|
if (via.is_string()) v.fromString(via.get<std::string>());
|
|
if ((t.ss_family == AF_INET)||(t.ss_family == AF_INET6)) {
|
|
ZT_VirtualNetworkRoute *r = &(nc.routes[nc.routeCount]);
|
|
*(reinterpret_cast<InetAddress *>(&(r->target))) = t;
|
|
if (v.ss_family == t.ss_family)
|
|
*(reinterpret_cast<InetAddress *>(&(r->via))) = v;
|
|
++nc.routeCount;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
const bool noAutoAssignIps = _jB(member["noAutoAssignIps"],false);
|
|
|
|
if ((v6AssignMode.is_object())&&(!noAutoAssignIps)) {
|
|
if ((_jB(v6AssignMode["rfc4193"],false))&&(nc.staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES)) {
|
|
nc.staticIps[nc.staticIpCount++] = InetAddress::makeIpv6rfc4193(nwid,identity.address().toInt());
|
|
nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION;
|
|
}
|
|
if ((_jB(v6AssignMode["6plane"],false))&&(nc.staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES)) {
|
|
nc.staticIps[nc.staticIpCount++] = InetAddress::makeIpv66plane(nwid,identity.address().toInt());
|
|
nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION;
|
|
}
|
|
}
|
|
|
|
bool haveManagedIpv4AutoAssignment = false;
|
|
bool haveManagedIpv6AutoAssignment = false; // "special" NDP-emulated address types do not count
|
|
json ipAssignments = member["ipAssignments"]; // we want to make a copy
|
|
if (ipAssignments.is_array()) {
|
|
for(unsigned long i=0;i<ipAssignments.size();++i) {
|
|
if (!ipAssignments[i].is_string())
|
|
continue;
|
|
std::string ips = ipAssignments[i];
|
|
InetAddress ip(ips);
|
|
|
|
// IP assignments are only pushed if there is a corresponding local route. We also now get the netmask bits from
|
|
// this route, ignoring the netmask bits field of the assigned IP itself. Using that was worthless and a source
|
|
// of user error / poor UX.
|
|
int routedNetmaskBits = 0;
|
|
for(unsigned int rk=0;rk<nc.routeCount;++rk) {
|
|
if ( (!nc.routes[rk].via.ss_family) && (reinterpret_cast<const InetAddress *>(&(nc.routes[rk].target))->containsAddress(ip)) )
|
|
routedNetmaskBits = reinterpret_cast<const InetAddress *>(&(nc.routes[rk].target))->netmaskBits();
|
|
}
|
|
|
|
if (routedNetmaskBits > 0) {
|
|
if (nc.staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES) {
|
|
ip.setPort(routedNetmaskBits);
|
|
nc.staticIps[nc.staticIpCount++] = ip;
|
|
}
|
|
if (ip.ss_family == AF_INET)
|
|
haveManagedIpv4AutoAssignment = true;
|
|
else if (ip.ss_family == AF_INET6)
|
|
haveManagedIpv6AutoAssignment = true;
|
|
}
|
|
}
|
|
} else {
|
|
ipAssignments = json::array();
|
|
}
|
|
|
|
if ( (ipAssignmentPools.is_array()) && ((v6AssignMode.is_object())&&(_jB(v6AssignMode["zt"],false))) && (!haveManagedIpv6AutoAssignment) && (!noAutoAssignIps) ) {
|
|
for(unsigned long p=0;((p<ipAssignmentPools.size())&&(!haveManagedIpv6AutoAssignment));++p) {
|
|
json &pool = ipAssignmentPools[p];
|
|
if (pool.is_object()) {
|
|
InetAddress ipRangeStart(_jS(pool["ipRangeStart"],""));
|
|
InetAddress ipRangeEnd(_jS(pool["ipRangeEnd"],""));
|
|
if ( (ipRangeStart.ss_family == AF_INET6) && (ipRangeEnd.ss_family == AF_INET6) ) {
|
|
uint64_t s[2],e[2],x[2],xx[2];
|
|
memcpy(s,ipRangeStart.rawIpData(),16);
|
|
memcpy(e,ipRangeEnd.rawIpData(),16);
|
|
s[0] = Utils::ntoh(s[0]);
|
|
s[1] = Utils::ntoh(s[1]);
|
|
e[0] = Utils::ntoh(e[0]);
|
|
e[1] = Utils::ntoh(e[1]);
|
|
x[0] = s[0];
|
|
x[1] = s[1];
|
|
|
|
for(unsigned int trialCount=0;trialCount<1000;++trialCount) {
|
|
if ((trialCount == 0)&&(e[1] > s[1])&&((e[1] - s[1]) >= 0xffffffffffULL)) {
|
|
// First see if we can just cram a ZeroTier ID into the higher 64 bits. If so do that.
|
|
xx[0] = Utils::hton(x[0]);
|
|
xx[1] = Utils::hton(x[1] + identity.address().toInt());
|
|
} else {
|
|
// Otherwise pick random addresses -- this technically doesn't explore the whole range if the lower 64 bit range is >= 1 but that won't matter since that would be huge anyway
|
|
Utils::getSecureRandom((void *)xx,16);
|
|
if ((e[0] > s[0]))
|
|
xx[0] %= (e[0] - s[0]);
|
|
else xx[0] = 0;
|
|
if ((e[1] > s[1]))
|
|
xx[1] %= (e[1] - s[1]);
|
|
else xx[1] = 0;
|
|
xx[0] = Utils::hton(x[0] + xx[0]);
|
|
xx[1] = Utils::hton(x[1] + xx[1]);
|
|
}
|
|
|
|
InetAddress ip6((const void *)xx,16,0);
|
|
|
|
// Check if this IP is within a local-to-Ethernet routed network
|
|
int routedNetmaskBits = 0;
|
|
for(unsigned int rk=0;rk<nc.routeCount;++rk) {
|
|
if ( (!nc.routes[rk].via.ss_family) && (nc.routes[rk].target.ss_family == AF_INET6) && (reinterpret_cast<const InetAddress *>(&(nc.routes[rk].target))->containsAddress(ip6)) )
|
|
routedNetmaskBits = reinterpret_cast<const InetAddress *>(&(nc.routes[rk].target))->netmaskBits();
|
|
}
|
|
|
|
// If it's routed, then try to claim and assign it and if successful end loop
|
|
if ((routedNetmaskBits > 0)&&(!nmi.allocatedIps.count(ip6))) {
|
|
ipAssignments.push_back(ip6.toIpString());
|
|
member["ipAssignments"] = ipAssignments;
|
|
ip6.setPort((unsigned int)routedNetmaskBits);
|
|
if (nc.staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES)
|
|
nc.staticIps[nc.staticIpCount++] = ip6;
|
|
haveManagedIpv6AutoAssignment = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( (ipAssignmentPools.is_array()) && ((v4AssignMode.is_object())&&(_jB(v4AssignMode["zt"],false))) && (!haveManagedIpv4AutoAssignment) && (!noAutoAssignIps) ) {
|
|
for(unsigned long p=0;((p<ipAssignmentPools.size())&&(!haveManagedIpv4AutoAssignment));++p) {
|
|
json &pool = ipAssignmentPools[p];
|
|
if (pool.is_object()) {
|
|
InetAddress ipRangeStartIA(_jS(pool["ipRangeStart"],""));
|
|
InetAddress ipRangeEndIA(_jS(pool["ipRangeEnd"],""));
|
|
if ( (ipRangeStartIA.ss_family == AF_INET) && (ipRangeEndIA.ss_family == AF_INET) ) {
|
|
uint32_t ipRangeStart = Utils::ntoh((uint32_t)(reinterpret_cast<struct sockaddr_in *>(&ipRangeStartIA)->sin_addr.s_addr));
|
|
uint32_t ipRangeEnd = Utils::ntoh((uint32_t)(reinterpret_cast<struct sockaddr_in *>(&ipRangeEndIA)->sin_addr.s_addr));
|
|
if ((ipRangeEnd < ipRangeStart)||(ipRangeStart == 0))
|
|
continue;
|
|
uint32_t ipRangeLen = ipRangeEnd - ipRangeStart;
|
|
|
|
// Start with the LSB of the member's address
|
|
uint32_t ipTrialCounter = (uint32_t)(identity.address().toInt() & 0xffffffff);
|
|
|
|
for(uint32_t k=ipRangeStart,trialCount=0;((k<=ipRangeEnd)&&(trialCount < 1000));++k,++trialCount) {
|
|
uint32_t ip = (ipRangeLen > 0) ? (ipRangeStart + (ipTrialCounter % ipRangeLen)) : ipRangeStart;
|
|
++ipTrialCounter;
|
|
if ((ip & 0x000000ff) == 0x000000ff)
|
|
continue; // don't allow addresses that end in .255
|
|
|
|
// Check if this IP is within a local-to-Ethernet routed network
|
|
int routedNetmaskBits = -1;
|
|
for(unsigned int rk=0;rk<nc.routeCount;++rk) {
|
|
if (nc.routes[rk].target.ss_family == AF_INET) {
|
|
uint32_t targetIp = Utils::ntoh((uint32_t)(reinterpret_cast<const struct sockaddr_in *>(&(nc.routes[rk].target))->sin_addr.s_addr));
|
|
int targetBits = Utils::ntoh((uint16_t)(reinterpret_cast<const struct sockaddr_in *>(&(nc.routes[rk].target))->sin_port));
|
|
if ((ip & (0xffffffff << (32 - targetBits))) == targetIp) {
|
|
routedNetmaskBits = targetBits;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
// If it's routed, then try to claim and assign it and if successful end loop
|
|
const InetAddress ip4(Utils::hton(ip),0);
|
|
if ((routedNetmaskBits > 0)&&(!nmi.allocatedIps.count(ip4))) {
|
|
ipAssignments.push_back(ip4.toIpString());
|
|
member["ipAssignments"] = ipAssignments;
|
|
if (nc.staticIpCount < ZT_MAX_ZT_ASSIGNED_ADDRESSES) {
|
|
struct sockaddr_in *const v4ip = reinterpret_cast<struct sockaddr_in *>(&(nc.staticIps[nc.staticIpCount++]));
|
|
v4ip->sin_family = AF_INET;
|
|
v4ip->sin_port = Utils::hton((uint16_t)routedNetmaskBits);
|
|
v4ip->sin_addr.s_addr = Utils::hton(ip);
|
|
}
|
|
haveManagedIpv4AutoAssignment = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
CertificateOfMembership com(now,credentialtmd,nwid,identity.address());
|
|
if (com.sign(_signingId)) {
|
|
nc.com = com;
|
|
} else {
|
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_INTERNAL_SERVER_ERROR);
|
|
return;
|
|
}
|
|
|
|
if (member != origMember) {
|
|
member["lastModified"] = now;
|
|
Mutex::Lock _l(_db_m);
|
|
_db.put("network",nwids,"member",identity.address().toString(),member);
|
|
}
|
|
|
|
_sender->ncSendConfig(nwid,requestPacketId,identity.address(),nc,metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_VERSION,0) < 6);
|
|
}
|
|
|
|
void EmbeddedNetworkController::_getNetworkMemberInfo(uint64_t now,uint64_t nwid,_NetworkMemberInfo &nmi)
|
|
{
|
|
char pfx[256];
|
|
Utils::snprintf(pfx,sizeof(pfx),"network/%.16llx/member",nwid);
|
|
|
|
{
|
|
Mutex::Lock _l(_nmiCache_m);
|
|
std::map<uint64_t,_NetworkMemberInfo>::iterator c(_nmiCache.find(nwid));
|
|
if ((c != _nmiCache.end())&&((now - c->second.nmiTimestamp) < 1000)) { // a short duration cache but limits CPU use on big networks
|
|
nmi = c->second;
|
|
return;
|
|
}
|
|
}
|
|
|
|
{
|
|
Mutex::Lock _l(_db_m);
|
|
_db.filter(pfx,120000,[&nmi,&now](const std::string &n,const json &member) {
|
|
try {
|
|
if (_jB(member["authorized"],false)) {
|
|
++nmi.authorizedMemberCount;
|
|
|
|
if (member.count("recentLog")) {
|
|
const json &mlog = member["recentLog"];
|
|
if ((mlog.is_array())&&(mlog.size() > 0)) {
|
|
const json &mlog1 = mlog[0];
|
|
if (mlog1.is_object()) {
|
|
if ((now - _jI(mlog1["ts"],0ULL)) < ZT_NETCONF_NODE_ACTIVE_THRESHOLD)
|
|
++nmi.activeMemberCount;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (_jB(member["activeBridge"],false)) {
|
|
nmi.activeBridges.insert(_jS(member["id"],"0000000000"));
|
|
}
|
|
|
|
if (member.count("ipAssignments")) {
|
|
const json &mips = member["ipAssignments"];
|
|
if (mips.is_array()) {
|
|
for(unsigned long i=0;i<mips.size();++i) {
|
|
InetAddress mip(_jS(mips[i],""));
|
|
if ((mip.ss_family == AF_INET)||(mip.ss_family == AF_INET6))
|
|
nmi.allocatedIps.insert(mip);
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
nmi.mostRecentDeauthTime = std::max(nmi.mostRecentDeauthTime,_jI(member["lastDeauthorizedTime"],0ULL));
|
|
}
|
|
} catch ( ... ) {}
|
|
return true;
|
|
});
|
|
}
|
|
nmi.nmiTimestamp = now;
|
|
|
|
{
|
|
Mutex::Lock _l(_nmiCache_m);
|
|
_nmiCache[nwid] = nmi;
|
|
}
|
|
}
|
|
|
|
void EmbeddedNetworkController::_pushMemberUpdate(uint64_t now,uint64_t nwid,const nlohmann::json &member)
|
|
{
|
|
try {
|
|
const std::string idstr = member["identity"];
|
|
const std::string mdstr = member["lastRequestMetaData"];
|
|
if ((idstr.length() > 0)&&(mdstr.length() > 0)) {
|
|
const Identity id(idstr);
|
|
bool online;
|
|
{
|
|
Mutex::Lock _l(_lastRequestTime_m);
|
|
std::map<std::pair<uint64_t,uint64_t>,uint64_t>::iterator lrt(_lastRequestTime.find(std::pair<uint64_t,uint64_t>(id.address().toInt(),nwid)));
|
|
online = ( (lrt != _lastRequestTime.end()) && ((now - lrt->second) < ZT_NETWORK_AUTOCONF_DELAY) );
|
|
}
|
|
Dictionary<ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY> *metaData = new Dictionary<ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY>(mdstr.c_str());
|
|
try {
|
|
this->request(nwid,InetAddress(),0,id,*metaData);
|
|
} catch ( ... ) {}
|
|
delete metaData;
|
|
}
|
|
} catch ( ... ) {}
|
|
}
|
|
|
|
} // namespace ZeroTier
|