Merge branch 'add-anonymous-client-mode' into main
No issue #
Showing 5 changed files with 368 additions and 133 deletions.
@@ -2,15 +2,14 @@ | |
|
||
## Models | ||
|
||
Example Config | ||
Example Config (anonymous mode) | ||
|
||
ListenHost: "the:yggdrasil:ip:address:of:the:autoygg:server" | ||
ListenPort: 8080 | ||
GatewayOwner: "You <[email protected]>" | ||
GatewayDescription: "This is an Yggdrasil gateway operated for fun and profit" | ||
RequireRegistration: false | ||
RequireApproval: false | ||
AccessListEnabled: true | ||
AccessListEnabled: false | ||
StateDir: "/var/lib/autoygg" | ||
MaxClients: 10 | ||
LeaseTimeoutSeconds: 14400 | ||
|
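Review bot: The example is retitled "anonymous mode" and flips AccessListEnabled to false, but it still carries `RequireApproval: false` while the new Operating Modes section defines Full Anonymous only by `RequireRegistration = false` and `AccessListEnabled = false`; either drop RequireApproval from the example or state what it does in this mode. It is also worth saying next to the example that with registration and the access list both off, `MaxClients: 10` and `LeaseTimeoutSeconds: 14400` are the only limits on who can hold a lease, since any Yggdrasil peer can reach the ListenHost.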
@@ -26,23 +25,14 @@ Registration Model | |
gorm.Model | ||
YggIP string // Client Yggdrasil IP address | ||
PublicKey string // Client Yggdrasil PublicKey | ||
ClientName string // Registration name (optional) | ||
ClientEmail string // Registration email (optional) | ||
ClientPhone string // Registration phone (optional) | ||
Error string | ||
Approved Bool | ||
} | ||
|
||
Lease Model | ||
|
||
type lease struct { | ||
gorm.Model | ||
YggIP string // Client Yggdrasil IP address | ||
PublicKey string // Client Yggdrasil PublicKey | ||
GatewayPublicKey string | ||
ClientName string // Registration name (optional depending on operating mode) | ||
ClientEmail string // Registration email (optional depending on operating mode) | ||
ClientPhone string // Registration phone (optional depending on operating mode) | ||
ClientIP string // The tunnel IP address assigned to the client | ||
ClientNetMask int // The tunnel netmask | ||
ClientGateway string | ||
Error string | ||
Approved Bool | ||
LeaseExpires time.Time | ||
} | ||
|
||
|
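Review bot: Merging the registration model into `lease` keeps `Approved Bool`, but nothing in the updated Endpoints section says when Approved is set or checked; the new access decision is made from the AccessList entry instead, so either document that `Approved` mirrors the ACL entry or remove the field. Two smaller points in the struct: `Bool` is not a Go type (`bool`), and `ClientGateway`, `GatewayPublicKey` and `ClientNetMask` are the only fields without a trailing comment, so add one each like the other fields have.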
@@ -56,43 +46,59 @@ ACL Model | |
|
||
## Operating Modes | ||
### Full Anonymous | ||
* Allows anybody to directly `GET /lease` to use the gateway, subject to ACL config | ||
* Allows anybody to do `POST /register` without sending personal information | ||
* Access granted automatically | ||
* RequireRegistration = false | ||
* AccessListEnabled = false | ||
|
||
### Registration | ||
* Requires all gateway users to first `POST /register` to store personal information with the gateway before requesting `POST /lease` | ||
* Requires all users to do `POST /register` with personal information (name, phone, e-mail) | ||
* Access granted automatically | ||
* RequireRegistration = true | ||
* RequireApproval = false | ||
* AccessListEnabled = false | ||
|
||
### Registration & Approval | ||
* Requires all gateway users to `POST /register` and wait for the gateway admin to manually approve the registration before the user is allowed to `POST /lease` | ||
* Requires all users to do `POST /register` with personal information (name, phone, e-mail) | ||
* Must wait for the gateway admin to manually approve the registration to use the gateway by adding an entry to the AccessList | ||
* RequireRegistration = true | ||
* RequireApproval = true | ||
* AccessListEnabled = true | ||
|
||
### Full Anonymous & Approval | ||
* Allows anybody to do `POST /register` without sending personal information | ||
* Must wait for the gateway admin to manually approve the registration to use the gateway by adding an entry to the AccessList | ||
* RequireRegistration = false | ||
* AccessListEnabled = true | ||
|
||
## ACL Modes | ||
### ACL disabled | ||
* Allows anyone with a valid registration to use the gateway | ||
* AccessListEnabled = false | ||
|
||
### ACL enabled | ||
* Allows only valid registrations with an ACL entry set to `access: true` to use the gateway | ||
* AccessListEnabled = true | ||
|
||
## ACL Check Routine: | ||
* If ACL entry exists for client IP with Access: false | ||
* Return access error | ||
* If AccessListEnabled=true and ACL entry does not exist for client IP with Access: true | ||
* Return access error | ||
|
||
## Endpoints | ||
* `GET /info`: Returns GatewayOwner, Description, RequireRegistration, ACLEnabled | ||
* `GET /info`: Returns GatewayOwner, Description, RequireRegistration, AccessListEnabled | ||
* `GET /register`: | ||
* Return access error if ACL check fails | ||
* If RequireRegistration=false: Disabled | ||
* If RequireRegistration=true: Return registration status for user if found or 404 | ||
* If AccessListEnabled=true, apply ACLs, return access error if access denied | ||
* If Registration is found, return status, otherwise return error | ||
* `POST /register`: | ||
* Return access error if ACL check fails | ||
* If RequireRegistration=false, Disabled | ||
* If ACLEnabled=true, apply ACLFile based on ACLMode, give access error if conditions not met | ||
* If RequireRegistration=true, Store registration information with Approved=false | ||
* Storing unapproved feels like the safer thing to do in case someone switches RequireApproval on and off | ||
* If AccessListEnabled=true, apply ACLs, return access error if access denied | ||
* If RequireRegistration=true: require ClientName, ClientEmail, ClientPhone to be populated, otherwise return error | ||
* Create Registration, provision client | ||
* `POST /renew`: | ||
* Return access error if ACL check fails | ||
* If RequireRegistration=true: Deny unless approved registration found | ||
* If ACLEnabled=true, apply ACLFile based on ACLMode, give access error if conditions not met | ||
* Assign lease, provision lease, and store in leases table | ||
* If AccessListEnabled=true, apply ACLs, return access error if access denied | ||
* If RequireRegistration=true: require ClientName, ClientEmail, ClientPhone to be populated, otherwise return error | ||
* If Registration is found, extend lease expiry date, otherwise return error | ||
* `POST /release`: | ||
* Return access error if ACL check fails | ||
* Remove lease from leases, teardown lease, and return success. Return 404 if lease doesn't exist | ||
* ACL Check Routine: | ||
* If acl entry exists for client IP with Access: false | ||
* Return access error | ||
* If AccessListEnabled=true and acl entry does not exist for client IP with Access: true | ||
* Return access error | ||
* If AccessListEnabled=true, apply ACLs, return access error if access denied | ||
* Remove Registration, unprovision client, and return success. Return 404 if lease doesn't exist | ||
|
||
# Client Operating Model |
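Review bot: The per-endpoint bullets only run the ACL check "If AccessListEnabled=true", but the ACL Check Routine above says an entry with `Access: false` returns an access error unconditionally; as written, an explicit deny entry is ignored whenever the access list is disabled, so the endpoint bullets should call the routine in both cases, as the old "Return access error if ACL check fails" lines did. Other inconsistencies to fix in the same hunk: Full Anonymous refers to `GET /lease`, which is not in the Endpoints list; "ACL disabled: Allows anyone with a valid registration" contradicts the anonymous modes where no registration is required; and `POST /renew` re-requires ClientName, ClientEmail and ClientPhone on every renewal rather than checking the stored registration, which the next bullet ("If Registration is found, extend lease expiry date") suggests is the intent.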