Refactor - now wireguard based. (#7)

2026-06-12 15:11:01 +00:00
parent 5ae075647d
commit 9a3cb2d1c2
105 changed files with 3776 additions and 4251 deletions
--- a/hub/api/db/sanitize-validate.go
+++ b/hub/api/db/sanitize-validate.go
@@ -8,9 +8,11 @@ import (

 var (
 	ErrInvalidIP       = errors.New("invalid IP")
+	ErrInvalidPeerIP   = errors.New("invalid peer IP")
 	ErrNonPrivateIP    = errors.New("non-private IP")
 	ErrInvalidPort     = errors.New("invalid port")
 	ErrInvalidNetName  = errors.New("invalid network name")
+	ErrNetNameNotLocal = errors.New("network name must end with .local")
 	ErrInvalidPeerName = errors.New("invalid peer name")
 )

@@ -21,15 +23,8 @@ func Config_Validate(c *Config) error {
 	return nil
 }

-func Session_Sanitize(s *Session) {
-}
-
-func Session_Validate(s *Session) error {
-	return nil
-}
-
 func Network_Sanitize(n *Network) {
-	n.Name = strings.TrimSpace(n.Name)
+	n.LocalDomain = strings.TrimSpace(n.LocalDomain)

 	if addr, ok := netip.AddrFromSlice(n.Network); ok {
 		n.Network = addr.AsSlice()
@@ -37,12 +32,17 @@ func Network_Sanitize(n *Network) {
 }

 func Network_Validate(c *Network) error {
-	// 16 bytes is linux limit for network interface names.
-	if len(c.Name) == 0 || len(c.Name) > 16 {
+	// 15 bytes is linux limit for network interface names. With ending .local,
+	// max length is 21.
+	if len(c.LocalDomain) == 0 || len(c.LocalDomain) > 21 {
 		return ErrInvalidNetName
 	}

-	for _, c := range c.Name {
+	if !strings.HasSuffix(c.LocalDomain, ".local") {
+		return ErrNetNameNotLocal
+	}
+
+	for _, c := range strings.TrimSuffix(c.LocalDomain, ".local") {
 		if c >= 'a' && c <= 'z' {
 			continue
 		}
@@ -66,21 +66,35 @@ func Network_Validate(c *Network) error {

 func Peer_Sanitize(p *Peer) {
 	p.Name = strings.TrimSpace(p.Name)
-	if len(p.PublicIP) != 0 {
-		addr, ok := netip.AddrFromSlice(p.PublicIP)
-		if ok && addr.Is4() {
-			p.PublicIP = addr.AsSlice()
+	if len(p.Addr4) != 0 {
+		if addr, ok := netip.AddrFromSlice(p.Addr4); ok {
+			// Unmap so an IPv4-mapped form is stored canonically as 4 bytes.
+			p.Addr4 = addr.Unmap().AsSlice()
+		}
+	}
+	if len(p.Addr6) != 0 {
+		if addr, ok := netip.AddrFromSlice(p.Addr6); ok {
+			p.Addr6 = addr.AsSlice()
 		}
 	}
 	if p.Port == 0 {
-		p.Port = 456
+		p.Port = 51820
 	}
 }

 func Peer_Validate(p *Peer) error {
-	if len(p.PublicIP) > 0 {
-		_, ok := netip.AddrFromSlice(p.PublicIP)
-		if !ok {
+	if p.PeerIP < 1 || p.PeerIP > 254 {
+		return ErrInvalidPeerIP
+	}
+	if len(p.Addr4) > 0 {
+		// Must be a genuine IPv4 address (reject an IPv6 in the v4 field).
+		if addr, ok := netip.AddrFromSlice(p.Addr4); !ok || !addr.Is4() {
+			return ErrInvalidIP
+		}
+	}
+	if len(p.Addr6) > 0 {
+		// Must be a genuine IPv6 address (reject IPv4 / IPv4-mapped in the v6 field).
+		if addr, ok := netip.AddrFromSlice(p.Addr6); !ok || !addr.Is6() || addr.Is4In6() {
 			return ErrInvalidIP
 		}
 	}
@@ -88,6 +102,9 @@ func Peer_Validate(p *Peer) error {
 		return ErrInvalidPort
 	}

+	if len(p.Name) == 0 {
+		return ErrInvalidPeerName
+	}
 	for _, c := range p.Name {
 		if c >= 'a' && c <= 'z' {
 			continue
@@ -95,10 +112,9 @@ func Peer_Validate(p *Peer) error {
 		if c >= '0' && c <= '9' {
 			continue
 		}
-		if c == '.' || c == '-' || c == '_' {
+		if c == '-' {
 			continue
 		}
-
 		return ErrInvalidPeerName
 	}