mendersoftware / mender / 8fbc121d225795f8eff22fd8b59bcf6c56fa43ac

func NewAuthManager(conf AuthManagerConfig) *MenderAuthManager {

        if conf.KeyStore == nil || conf.IdentitySource == nil ||

                conf.AuthDataStore == nil {

                return nil

        }

        httpConfig := client.Config{}

        if conf.Config != nil {

                httpConfig = conf.Config.GetHttpConfig()

        }

        api, err := client.NewApiClient(httpConfig)

        if err != nil {

        tenantToken := client.AuthToken(conf.TenantToken)

        wsDialer, err := client.NewWebsocketDialer(httpConfig)

        if err != nil {

        proxy, err := proxy.NewProxyController(api, wsDialer, "", "")

        if err != nil {

        mgr := &MenderAuthManager{

                &menderAuthManagerService{

                        inChan:         make(chan AuthManagerRequest, authManagerInMessageChanSize),

                        broadcastChans: map[string]chan AuthManagerResponse{},

                        quitReq:        make(chan bool),

                        quitResp:       make(chan bool),

                        workerChan:     make(chan AuthManagerRequest, authManagerWorkerQueueSize),

                        api:            api,

                        authReq:        client.NewAuth(),

                        config:         conf.Config,

                        keyStore:       conf.KeyStore,

                        idSrc:          conf.IdentitySource,

                        tenantToken:    tenantToken,

                        localProxy:     proxy,

                },

        }

        if err := mgr.keyStore.Load(); err != nil && !store.IsNoKeys(err) {

                log.Errorf("Failed to load device keys: %v", err)

                // Otherwise ignore error returned from Load() call. It will

                // just result in an empty keyStore which in turn will cause

                // regeneration of keys.

        }

        _ = conf.AuthDataStore.WriteTransaction(func(txn store.Transaction) error {

                _ = txn.Remove(datastore.AuthTokenName)

                _ = txn.Remove(datastore.AuthTokenCacheInvalidatorName)

                return nil

        })

        return mgr

func (m *MenderAuthManager) EnableDBus(api dbus.DBusAPI) {

        if m.hasStarted {

        m.dbus = api

func (m *MenderAuthManager) GetInMessageChan() chan<- AuthManagerRequest {

        // Auto-start the service if it hasn't been started already.

        m.Start()

        return m.inChan

}

func (m *MenderAuthManager) GetBroadcastMessageChan(name string) <-chan AuthManagerResponse {

        // Auto-start the service if it hasn't been started already.

        m.Start()

        m.broadcastChansMutex.Lock()

        defer m.broadcastChansMutex.Unlock()

        if m.broadcastChans[name] == nil {

                m.broadcastChans[name] = make(chan AuthManagerResponse, 1)

        }

        return m.broadcastChans[name]

func (m *menderAuthManagerService) registerDBusCallbacks() (unregisterFunc func()) {

        // GetJwtToken

        m.dbus.RegisterMethodCallCallback(

                AuthManagerDBusPath,

                AuthManagerDBusInterfaceName,

                "GetJwtToken",

                func(objectPath, interfaceName, methodName string, parameters string) (interface{}, error) {

                        respChan := make(chan AuthManagerResponse)

                        m.inChan <- AuthManagerRequest{

                                Action:          ActionGetAuthToken,

                                ResponseChannel: respChan,

                        }

                        select {

                        case message := <-respChan:

                                tokenAndServerURL := dbus.TokenAndServerURL{

                                        Token:     string(message.AuthToken),

                                        ServerURL: m.localProxy.GetServerUrl(),

                                }

                                return tokenAndServerURL, message.Error

        m.dbus.RegisterMethodCallCallback(

                AuthManagerDBusPath,

                AuthManagerDBusInterfaceName,

                "FetchJwtToken",

                func(objectPath, interfaceName, methodName string, parameters string) (interface{}, error) {

                        respChan := make(chan AuthManagerResponse)

                        m.inChan <- AuthManagerRequest{

                                Action:          ActionFetchAuthToken,

                                ResponseChannel: respChan,

                        }

                        select {

                        case message := <-respChan:

                                return message.Event == EventFetchAuthToken, message.Error

        return func() {

                m.dbus.UnregisterMethodCallCallback(

                        AuthManagerDBusPath,

                        AuthManagerDBusInterfaceName,

                        "FetchJwtToken",

                )

                m.dbus.UnregisterMethodCallCallback(

                        AuthManagerDBusPath,

                        AuthManagerDBusInterfaceName,

                        "GetJwtToken",

                )

        }

func (m *MenderAuthManager) Start() {

        if m.menderAuthManagerService.hasStarted {

                return

        }

        m.menderAuthManagerService.hasStarted = true

        initDone := make(chan struct{}, 1)

        go m.menderAuthManagerService.run(initDone)

        // Wait for initialization to finish.

        <-initDone

        runtime.SetFinalizer(m, func(m *MenderAuthManager) {

                m.Stop()

        })

func (m *menderAuthManagerService) run(initDone chan struct{}) {

        // When we are being stopped, make sure they know that this happened.

        defer func() {

                // Checking for panic here is just to avoid deadlocking if we

                // get an unexpected panic: Let it propagate instead of blocking

                // on the channel. If the program is correct, this should never

                // be non-nil.

                if recover() == nil {

                        m.quitResp <- true

                }

        if m.dbus != nil {

                if dbusConn, err := m.dbus.BusGet(dbus.GBusTypeSystem); err == nil {

                        m.dbusConn = dbusConn

                        nameGid, err := m.dbus.BusOwnNameOnConnection(dbusConn, AuthManagerDBusObjectName,

                                dbus.DBusNameOwnerFlagsAllowReplacement|dbus.DBusNameOwnerFlagsReplace)

                        if err != nil {

                        defer m.dbus.BusUnownName(nameGid)

                        intGid, err := m.dbus.BusRegisterInterface(

                                dbusConn,

                                AuthManagerDBusPath,

                                AuthManagerDBusInterface,

                        )

                        if err != nil {

                        defer m.dbus.BusUnregisterInterface(dbusConn, intGid)

                        unregisterFunc := m.registerDBusCallbacks()

                        defer unregisterFunc()

                        dbusLoop := m.dbus.MainLoopNew()

                        go m.dbus.MainLoopRun(dbusLoop)

                        defer m.dbus.MainLoopQuit(dbusLoop)

        initDone <- struct{}{}

        go m.longRunningWorkerLoop()

        // run the auth manager main loop

        running := true

        for running {

                select {

                case msg := <-m.inChan:

                        switch msg.Action {

                        case ActionGetAuthToken:

                                log.Debug("received the GET_AUTH_TOKEN action")

                                m.getAuthToken(msg.ResponseChannel)

                        case ActionFetchAuthToken:

                                log.Debug("received the FETCH_AUTH_TOKEN action")

                                // notify the sender we'll fetch the token

                                resp := AuthManagerResponse{Event: EventFetchAuthToken}

                                msg.ResponseChannel <- resp

                                // Potentially long running operation, use worker.

                                select {

                                case m.workerChan <- msg:

                                default:

                case <-m.quitReq:

                        running = false

                        m.workerChan <- AuthManagerRequest{}

func (m *menderAuthManagerService) longRunningWorkerLoop() {

        for msg := range m.workerChan {

                switch msg.Action {

                case ActionFetchAuthToken:

                        m.fetchAuthToken()

                case "":

                        // Quit loop.

                        return

func (m *MenderAuthManager) Stop() {

        if !m.menderAuthManagerService.hasStarted {

        m.menderAuthManagerService.quitReq <- true

        <-m.menderAuthManagerService.quitResp

        m.menderAuthManagerService.hasStarted = false

        m.localProxy.Stop()

        runtime.SetFinalizer(m, nil)

func (m *menderAuthManagerService) getAuthToken(responseChannel chan<- AuthManagerResponse) {

        msg := AuthManagerResponse{

                AuthToken: m.authToken,

                ServerURL: m.serverURL,

                Event:     EventGetAuthToken,

        }

        responseChannel <- msg

}

func (m *menderAuthManagerService) broadcast(message AuthManagerResponse) {

        m.broadcastChansMutex.Lock()

        for _, broadcastChan := range m.broadcastChans {

                select {

                case broadcastChan <- message:

        m.broadcastChansMutex.Unlock()

        // emit signal on dbus, if available

        if m.dbus != nil {

                tokenAndServerURL := dbus.TokenAndServerURL{

                        Token:     string(message.AuthToken),

                        ServerURL: string(message.ServerURL),

                }

                _ = m.dbus.EmitSignal(m.dbusConn, "", AuthManagerDBusPath,

                        AuthManagerDBusInterfaceName, AuthManagerDBusSignalJwtTokenStateChange,

                        tokenAndServerURL)

        }

func (m *menderAuthManagerService) broadcastAuthTokenStateChange() {

        m.localProxy.Stop()

        if m.authToken != "" {

                // reconfigure proxy

                err := m.localProxy.Reconfigure(string(m.serverURL), string(m.authToken))

                if err != nil {

                } else {

                        m.localProxy.Start()

                }

        m.broadcast(AuthManagerResponse{

                Event:     EventAuthTokenStateChange,

                AuthToken: m.authToken,

                ServerURL: client.ServerURL(m.localProxy.GetServerUrl()),

        })

func (m *menderAuthManagerService) fetchAuthToken() {

        var rsp []byte

        var err error

        var server *client.MenderServer

        resp := AuthManagerResponse{Event: EventFetchAuthToken}

        defer func() {

                m.broadcastAuthTokenStateChange()

        }()

        if err := m.Bootstrap(); err != nil {

        serverIterator := nextServerIterator(*m.config)

        if serverIterator == nil {

        if server = serverIterator(); server == nil {

        var serverURL string

        for {

                serverURL = server.ServerURL

                rsp, err = m.authReq.Request(m.api, serverURL, m)

                if err == nil {

                        // SUCCESS!

                        break

                log.Errorf("Failed to authorize with %q: %s",

                        server.ServerURL, err.Error())

                server = serverIterator()

                if server == nil {

                        break

                log.Infof("Attempting to authorize with %q.",

                        server.ServerURL)

        if err != nil {

                // Generate and report error.

                errCause := errors.Cause(err)

                if errCause == client.AuthErrorUnauthorized {

                        m.authToken = ""

                        m.serverURL = ""

                }

                err := NewTransientError(errors.Wrap(err, "authorization request failed"))

                resp.Error = err

                return

        if len(rsp) == 0 {

        m.authToken = client.AuthToken(rsp)

        m.serverURL = client.ServerURL(serverURL)

        log.Infof("successfully received new authorization data from server %s", m.serverURL)

func (m *menderAuthManagerService) ForceBootstrap() {

        m.forceBootstrap = true

}

func (m *menderAuthManagerService) Bootstrap() menderError {

        if !m.needsBootstrap() {

                return nil

        }

        return m.doBootstrap()

func (m *menderAuthManagerService) needsBootstrap() bool {

        if m.forceBootstrap {

                return true

        }

        if !m.HasKey() {

                log.Debugf("Needs keys")

                return true

        }

        return false

func (m *menderAuthManagerService) doBootstrap() menderError {

        if !m.HasKey() || m.forceBootstrap {

                log.Infof("Device keys not present or bootstrap forced, generating")

                err := m.GenerateKey()

                if err != nil {

                        if store.IsStaticKey(err) {

                        } else {

                                return NewFatalError(err)

                        }

        m.forceBootstrap = false

        return nil

func (m *menderAuthManagerService) MakeAuthRequest() (*client.AuthRequest, error) {

        var err error

        authd := client.AuthReqData{}

        idata, err := m.idSrc.Get()

        if err != nil {

                return nil, errors.Wrapf(err, "failed to obtain identity data")

        }

        authd.IdData = idata

        // fill device public key

        authd.Pubkey, err = m.keyStore.PublicPEM()

        if err != nil {

                return nil, errors.Wrapf(err, "failed to obtain device public key")

        }

        tentok := strings.TrimSpace(string(m.tenantToken))

        log.Debugf("Tenant token: %s", tentok)

        // fill tenant token

        authd.TenantToken = string(tentok)

        log.Debugf("Authorization data: %v", authd)

        reqdata, err := authd.ToBytes()

        if err != nil {

        sig, err := m.keyStore.Sign(reqdata)

        if err != nil {

        return &client.AuthRequest{

                Data:      reqdata,

                Token:     client.AuthToken(tentok),

                Signature: sig,

        }, nil

func (m *menderAuthManagerService) HasKey() bool {

        return m.keyStore.Private() != nil

}

func (m *menderAuthManagerService) GenerateKey() error {

        if err := m.keyStore.Generate(); err != nil {

                if store.IsStaticKey(err) {

                        return err

                }

        if err := m.keyStore.Save(); err != nil {

                log.Errorf("Failed to save device key: %s", err)

                return NewFatalError(err)

        }

        return nil