tools/dhtnet_crtmgr/main.cpp

/*
 *  Copyright (C) 2023 Savoir-faire Linux Inc.
 *
 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
#include "dhtnet_crtmgr.h"
#include"common.h"

#include <iostream>
#include <fstream>
#include <unistd.h>
#include <getopt.h>
#if __has_include(<fmt/std.h>)
#include <fmt/std.h>
#else
#include <fmt/ostream.h>
#endif


struct dhtnet_crtmgr_params
{
    bool help {false};
    bool version {false};
    std::filesystem::path ca {};
    std::filesystem::path output {};
    std::filesystem::path privatekey {};
    bool identifier {false};
    std::string name {};
    bool setup {false};
    bool interactive {false};
};
static const constexpr struct option long_options[]
    = {{"help", no_argument, nullptr, 'h'},
       {"version", no_argument, nullptr, 'v'},
       {"certificate", required_argument, nullptr, 'c'},
       {"output", required_argument, nullptr, 'o'},
       {"privatekey", required_argument, nullptr, 'p'},
       {"name", required_argument, nullptr, 'n'},
       {"identifier", no_argument, nullptr, 'a'},
       {"setup", no_argument, nullptr, 's'},
       {"interactive", no_argument, nullptr, 'i'},
       {nullptr, 0, nullptr, 0}};

dhtnet_crtmgr_params
parse_args(int argc, char** argv)
{
    dhtnet_crtmgr_params params;
    int opt;
    while ((opt = getopt_long(argc, argv, "hvasic:o:p:n:", long_options, nullptr)) != -1) {
        switch (opt) {
        case 'h':
            params.help = true;
            break;
        case 'v':
            params.version = true;
            break;
        case 'c':
            params.ca = optarg;
            break;
        case 'o':
            params.output = optarg;
            break;
        case 'p':
            params.privatekey = optarg;
            break;
        case 'a':
            params.identifier = true;
            break;
        case 'n':
            params.name = optarg;
            break;
        case 's':
            params.setup = true;
            break;
        case 'i':
            params.interactive = true;
            break;
        default:
            std::cerr << "Invalid option" << std::endl;
            exit(EXIT_FAILURE);
        }
    }

    if (params.output.empty() && !params.identifier && !params.help && !params.version && !params.interactive) {
        std::cerr << "Error: The path to save the generated certificate is not provided.\n Please specify the path using the -o option.\n";
        exit(EXIT_FAILURE);
    }
    return params;
}


int create_yaml_config(std::filesystem::path file, std::filesystem::path certificate, std::filesystem::path privateKey, bool is_client)
{
    std::ofstream yaml_file (file);
    if (yaml_file.is_open()) {
        yaml_file << "# The bootstrap node serves as the entry point to the DHT network.\n";
        yaml_file << "# By default, bootstrap.jami.net is configured for the public DHT network and should be used for personal use only.\n";
        yaml_file << "# For production environments, it is recommended to set up your own bootstrap node to establish your own DHT network.\n";
        yaml_file << "# Documentation: https://docs.jami.net/en_US/user/lan-only.html#boostraping\n";
        yaml_file << "bootstrap: \"bootstrap.jami.net\"\n";

        yaml_file << "\n# TURN server is used as a fallback for connections if the NAT block all possible connections.\n";
        yaml_file << "# By default is turn.jami.net (which uses coturn) but can be any TURN.\n";
        yaml_file << "# Developer must set up their own TURN server.\n";
        yaml_file << "# Documentation: https://docs.jami.net/en_US/developer/going-further/setting-up-your-own-turn-server.html\n";
        yaml_file << "turn_host: \"turn.jami.net\"\n";
        yaml_file << "turn_user: \"ring\"\n";
        yaml_file << "turn_pass: \"ring\"\n";
        yaml_file << "turn_realm: \"ring\"\n";

        yaml_file << "\n# When verbose is set to true, the server logs all incoming connections\n";
        yaml_file << "verbose: false\n";

        yaml_file << "\n# If true, will send request to use UPNP if available\n";
        yaml_file << "enable_upnp: true\n";

        yaml_file << "\n# On server, identities are saved in /etc/dhtnet/id/\n";
        yaml_file << "# On client, they are generaly saved in ~/.dnc/\n";
        yaml_file << "certificate: " << certificate << "\n";
        yaml_file << "privateKey: " << privateKey << "\n";
        if (is_client) {
            yaml_file << "\n# When dnc server receives connexions, it forwards them to service at specified IP:port requested by CLIENT\n";
            yaml_file << "# By default, it forwards them to SSH server running on localhost at port 22\n";
            yaml_file << "ip: \"127.0.0.1\"\n";
            yaml_file << "port: 22\n";
        } else {
            yaml_file << "\n# When anonymous is set to true, the server accepts any connection without checking CA\n";
            yaml_file << "# When anonymous is set to false, the server allows only connection which are issued by the same CA as the server\n";
            yaml_file << "anonymous: false\n";

            yaml_file << "\n# List of authorized services\n";
            yaml_file << "# Each service is defined by an IP and a port\n";
            yaml_file << "# If no authorized services are defined, the server will accept any connection.\n";
            yaml_file << "authorized_services:\n";
            yaml_file << "  - ip: \"127.0.0.1\"\n";
            yaml_file << "    port: 22\n";
            yaml_file << "  # - ip: \"127.0.0.1\"\n";
            yaml_file << "  #   port: 80\n";
            yaml_file << "  # - ip: \"127.0.0.1\"\n";
            yaml_file << "  #   port: 443\n";
        }
        yaml_file.close();
        Log("Configuration file created in {}\n", file);
    } else {
        fmt::print(stderr, "Error: Could not create configuration file {}.\n", file);
        return 1;
    }
    return 0;
}

int configure_ssh_config(std::filesystem::path yaml_config)
{
    std::filesystem::path home_dir = getenv("HOME");
    if (home_dir.empty()) {
        fmt::print(stderr, "Error: HOME environment variable is not set. Cannot configure SSH.\n");
        return 1;
    }
    std::filesystem::path ssh_dir = home_dir / ".ssh";
    if (!std::filesystem::exists(ssh_dir)) {
        fmt::print(stderr, "Error: {} folder doesn't exist. Install and configure ssh client first.\n", ssh_dir);
        return 1;
    }
    std::filesystem::path ssh_config = ssh_dir / "config";
    if (std::filesystem::exists(ssh_config)) {
        std::ifstream ssh_file(ssh_config);
        std::string line;
        while (std::getline(ssh_file, line)) {
            if (line.find("Host dnc") != std::string::npos) {
                Log("Info: dnc configuration already exists in ssh config. File is left untouched\n");
                return 0;
            }
        }
    }
    std::ofstream ssh_file(ssh_config, std::ios::app);
    if (ssh_file.is_open()) {
        ssh_file << "\nHost dnc/*\n";
        ssh_file << "    ProxyCommand dnc -d " << yaml_config << " $(basename %h)\n";
        ssh_file.close();
        Log("SSH configuration added to {}\n", ssh_config);
    } else {
        fmt::print(stderr, "Error: Could not open ssh config file.\n");
        return 1;
    }
    return 0;
}

// https://en.cppreference.com/w/cpp/string/byte/tolower
std::string str_tolower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
        [](unsigned char c){ return std::tolower(c); } // correct
    );
    return s;
}

int
main(int argc, char** argv)
{
    auto params = parse_args(argc, argv);

    if (params.help) {
        Log("Usage: dhtnet-crtmgr [options]\n"
                "\nOptions:\n"
                "  -h, --help                Display this help message and then exit.\n"
                "  -v, --version             Show the version of the program.\n"
                "  -p, --privatekey [FILE]   Provide the path to the private key as an argument.\n"
                "  -c, --certificate [FILE]  Provide the path to the certificate as an argument.\n"
                "  -o, --output [FOLDER]     Provide the path where the generated certificate should be saved as an argument.\n"
                "  -a, --identifier          Display the user identifier.\n"
                "  -n, --name [NAME]         Provide the name of the certificate to be generated.\n"
                "  -s, --setup               Create an CA and a certificate.\n"
                "  -i, --interactive         Interactively create and setup identities.\n");
        return EXIT_SUCCESS;
    }

    if (params.version) {
        Log("dhtnet-crtmgr v1.0\n");
        return EXIT_SUCCESS;
    }
    // check if the public key id is requested
    if (params.identifier) {
        if (params.ca.empty() || params.privatekey.empty()) {
            fmt::print(stderr, "Error: The path to the private key and the certificate is not provided.\n Please specify the path for the private key and the certificate using the -p and -c options.\n");
            exit(EXIT_FAILURE);
        }
        auto identity = dhtnet::loadIdentity(params.privatekey, params.ca);
        Log("Public key id: {}\n", identity.second->getId());
        return EXIT_SUCCESS;
    }

    // check if the interactive mode is requested
    if (params.interactive) {
        // Ask user if he want to setup client or server config
        std::string usage = "";
        do {
            Log("Generate identity for server or client? [(C)lient/(s)erver] (default: client): ");
            std::getline(std::cin, usage);
            usage = str_tolower(usage);
            if (usage == "s") usage = "server";
            if (usage == "c") usage = "client";
            if (usage.empty()) usage = "client";
        } while (usage != "server" && usage != "client");

        // In case user select client mode, Ask if we should sign using server CA (required for anonymous: false)
        std::string use_server_ca = "";
        if (usage == "client") {
            do {
                Log("Sign client certificate using server CA? [Y/n] (default: yes): ");
                std::getline(std::cin, use_server_ca);
                use_server_ca = str_tolower(use_server_ca);
                if (use_server_ca == "y") use_server_ca = "yes";
                if (use_server_ca == "n") use_server_ca = "no";
                if (use_server_ca.empty()) use_server_ca = "yes";
            } while (use_server_ca != "yes" && use_server_ca != "no");
        }

        // Before asking for save folder, pre-compute default locations
        std::filesystem::path home_dir = getenv("HOME");
        if (home_dir.empty()) home_dir = "/tmp/.dnc";
        else if (usage == "server") home_dir = "/etc/dhtnet";
        else home_dir = home_dir / ".dnc";

        std::string input_folder;

        // Ask where to store identity files
        std::filesystem::path folder;
        Log("Enter the path to save identities and config [{}]: ", home_dir);
        std::getline(std::cin, input_folder);
        if (input_folder.empty()) {
            folder = home_dir;
        } else {
            folder = input_folder;
        }
        folder = std::filesystem::absolute(folder);

        std::error_code e;
        std::filesystem::create_directories(folder, e);
        if (e) {
            fmt::print(stderr, "Error: Could not create directory {}. {}\n", folder, e.message());
            return EXIT_FAILURE;
        }

        if (usage == "client") {
            // Use existing CA or generate new CA
            dht::crypto::Identity ca;
            if (use_server_ca == "yes") {
                try {
                    std::filesystem::path server_ca = "/etc/dhtnet/CA";
                    ca = dhtnet::loadIdentity(server_ca / "ca-server.pem", server_ca / "ca-server.crt");
                    if (!ca.first || !ca.second) {
                        throw std::runtime_error("Failed to load server CA");
                    }
                }
                catch (const std::exception& e) {
                    fmt::print(stderr, "Error: Could not load server CA. Please generate server CA first.\n");
                    return EXIT_FAILURE;
                }
            } else {
                ca = dhtnet::generateIdentity(folder, "ca");
                if (!ca.first || !ca.second) {
                    fmt::print(stderr, "Error: Could not generate CA.\n");
                    return EXIT_FAILURE;
                }
                Log("Generated CA in {}: {} {}\n", folder, "ca", ca.second->getId());
            }

            // Generate client certificate
            auto id = dhtnet::generateIdentity(folder, "certificate", ca);
            if (!id.first || !id.second) {
                fmt::print(stderr, "Error: Could not generate certificate.\n");
                return EXIT_FAILURE;
            }
            Log("Generated certificate in {}: {} {}\n", folder, "certificate", id.second->getId());

            // Create configuration file with generated keys
            std::filesystem::path yaml_config{folder / "config.yml"};
            if (create_yaml_config(yaml_config, folder / "certificate.crt", folder / "certificate.pem", true) != 0) {
                return EXIT_FAILURE;
            }

            // Ask user if he want to configure SSH
            std::string ssh_setup = "";
            do {
                Log("Configure SSH to support dnc protocol? [Y/n] (default: yes): ");
                std::getline(std::cin, ssh_setup);
                ssh_setup = str_tolower(ssh_setup);
                if (ssh_setup == "y") ssh_setup = "yes";
                if (ssh_setup == "n") ssh_setup = "no";
                if (ssh_setup.empty()) ssh_setup = "yes";
            } while (ssh_setup != "yes" && ssh_setup != "no");

            if (ssh_setup == "yes") {
                if (configure_ssh_config(yaml_config) != 0) {
                    return EXIT_FAILURE;
                }
            }

            return EXIT_SUCCESS;
        } else {
            // Create configuration file with generated keys
            std::filesystem::path yaml_config{folder / "dnc.yaml"};
            std::string overwrite = "";
            if (std::filesystem::exists(yaml_config)) {
                do {
                    Log("Configuration file already exists in {}. Overwrite it? [y/N] (default: no): ", yaml_config);
                    std::getline(std::cin, overwrite);
                    overwrite = str_tolower(overwrite);
                    if (overwrite == "y") overwrite = "yes";
                    if (overwrite == "n") overwrite = "no";
                    if (overwrite.empty()) overwrite = "no";
                } while (overwrite != "yes" && overwrite != "no");
            } else {
                overwrite = "yes"; // File doesn't exist, create it
            }
            if (overwrite == "yes") {
                if (create_yaml_config(yaml_config, folder / "id" / "id-server.crt", folder / "id" / "id-server.pem", false) != 0) {
                    return EXIT_FAILURE;
                }
            }
            params.setup = true;
            params.output = folder;
        }
    }

    // check if the setup is requested
    if (params.setup) {
        // create CA  with name ca-server
        std::filesystem::path path_ca = params.output / "CA";
        auto ca = dhtnet::generateIdentity(path_ca, "ca-server");
        if (!ca.first || !ca.second) {
            fmt::print(stderr, "Error: Could not generate CA.\n");
            return EXIT_FAILURE;
        }
        Log("Generated CA in {}: {} {}\n", path_ca, "ca-server", ca.second->getId());
        // create identity with name id-server
        std::filesystem::path path_id = params.output / "id";
        auto identity = dhtnet::generateIdentity(path_id, "id-server", ca);
        if (!identity.first || !identity.second) {
            fmt::print(stderr, "Error: Could not generate certificate.\n");
            return EXIT_FAILURE;
        }
        Log("Generated certificate in {}: {} {}\n", path_id,"id-server", identity.second->getId());
        return EXIT_SUCCESS;
    }

    if (params.ca.empty() || params.privatekey.empty()) {
        if (params.name.empty()) {
            auto ca = dhtnet::generateIdentity(params.output, "ca");
            if (!ca.first || !ca.second) {
                fmt::print(stderr, "Error: Could not generate CA.\n");
                return EXIT_FAILURE;
            }
            Log("Generated certificate in {}: {} {}\n", params.output, "ca", ca.second->getId());
        }else{
            auto ca = dhtnet::generateIdentity(params.output, params.name);
            if (!ca.first || !ca.second) {
                fmt::print(stderr, "Error: Could not generate CA.\n");
                return EXIT_FAILURE;
            }
            Log("Generated certificate in {}: {} {}\n", params.output, params.name, ca.second->getId());
        }
    }else{
        auto ca = dhtnet::loadIdentity(params.privatekey, params.ca);
        if (params.name.empty()) {
            auto id = dhtnet::generateIdentity(params.output, "certificate", ca);
            if (!id.first || !id.second) {
                fmt::print(stderr, "Error: Could not generate certificate.\n");
                return EXIT_FAILURE;
            }
            Log("Generated certificate in {}: {} {}\n", params.output, "certificate", id.second->getId());
        }else{
            auto id = dhtnet::generateIdentity(params.output, params.name, ca);
            if (!id.first || !id.second) {
                fmt::print(stderr, "Error: Could not generate certificate.\n");
                return EXIT_FAILURE;
            }
            Log("Generated certificate in {}: {} {}\n", params.output, params.name, id.second->getId());
        }
    }
    return EXIT_SUCCESS;
}