@@ -89,7 +89,7 @@ func (a *API) Session_Delete(sessionID string) {
|
||||
}
|
||||
|
||||
const (
|
||||
sessionTTLSecs = 24 * 21 * time.Hour // sessions expire 21 days after last use
|
||||
sessionTTL = 24 * 21 * time.Hour // sessions expire 21 days after last use
|
||||
sessionSweepEvery = time.Hour // cadence of expired-session eviction
|
||||
)
|
||||
|
||||
@@ -108,7 +108,7 @@ func (a *API) Session_Get(sessionID string) Session {
|
||||
return Session{}
|
||||
}
|
||||
|
||||
if time.Since(s.LastSeenAt) > sessionTTLSecs {
|
||||
if time.Since(s.LastSeenAt) > sessionTTL {
|
||||
delete(a.sessions, sessionID)
|
||||
return Session{}
|
||||
}
|
||||
@@ -160,7 +160,7 @@ func (a *API) sweepSessions() {
|
||||
for range time.Tick(sessionSweepEvery) {
|
||||
a.sessionsMu.Lock()
|
||||
for id, s := range a.sessions {
|
||||
if time.Since(s.LastSeenAt) > sessionTTLSecs {
|
||||
if time.Since(s.LastSeenAt) > sessionTTL {
|
||||
delete(a.sessions, id)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
package hub
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"errors"
|
||||
"log"
|
||||
"net/http"
|
||||
@@ -64,8 +63,9 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
|
||||
return
|
||||
}
|
||||
|
||||
// Not doing constant time compare because index lookup time dominates.
|
||||
peer, err := app.api.Peer_GetByAPIKey(apiKey)
|
||||
if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 {
|
||||
if err != nil {
|
||||
http.Error(w, "Not authorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
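Review bot: Removing `subtle.ConstantTimeCompare` is defensible, but the new comment justifies it for the wrong reason and should state the actual assumption: `Peer_GetByAPIKey(apiKey)` is keyed on the secret itself, so whatever string or index comparison it performs already short-circuits on the first mismatching byte, and the removed compare was only re-checking a value the lookup had already matched — it never closed that channel. That residual prefix-timing leak is only acceptable if API keys are long, high-entropy random tokens, so make that explicit, e.g. `// No constant-time compare: the lookup is keyed on the API key itself, so timing is dominated by the index; keys are high-entropy random tokens, so prefix timing is not a practical oracle.` If keys can be short or user-chosen, index peers by `sha256.Sum256([]byte(apiKey))` instead and constant-time compare the stored key after the lookup. handlePeer begins before this hunk and Peer_GetByAPIKey's implementation is not visible here, so the lookup behaviour is inferred from its signature.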
@@ -44,7 +44,6 @@ type App struct {
|
||||
vpnNet netip.Prefix
|
||||
privKey wgtypes.Key
|
||||
pubKey wgtypes.Key
|
||||
isRelay bool
|
||||
isPublic bool
|
||||
localDomain string
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ func addRelayPeer(t *testing.T, a *App, vpnIP string, ep netip.AddrPort) *Peer {
|
||||
// newTestApp returns a minimal App wired to a fakeWGDevice and fakeControlConn.
|
||||
// vpnIP is the local VPN address (e.g. "10.0.0.1").
|
||||
// isPublic / isRelay describe the local node's role.
|
||||
func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fakeWGDevice, *fakeControlConn) {
|
||||
func newTestApp(t *testing.T, vpnIP string, isPublic bool) (*App, *fakeWGDevice, *fakeControlConn) {
|
||||
t.Helper()
|
||||
privKey, err := wgtypes.GeneratePrivateKey()
|
||||
if err != nil {
|
||||
@@ -47,7 +47,6 @@ func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fake
|
||||
privKey: privKey,
|
||||
pubKey: privKey.PublicKey(),
|
||||
isPublic: isPublic,
|
||||
isRelay: isRelay,
|
||||
dev: dev,
|
||||
controlConn: cc,
|
||||
peersByKey: make(map[wgtypes.Key]*Peer),
|
||||
|
||||
@@ -89,7 +89,6 @@ func New(
|
||||
vpnNet: state.VPNNet,
|
||||
privKey: state.PrivKey,
|
||||
pubKey: state.PrivKey.PublicKey(),
|
||||
isRelay: state.IsRelay,
|
||||
isPublic: state.IsPublic,
|
||||
localDomain: localDomain,
|
||||
|
||||
|
||||
@@ -85,7 +85,7 @@ func TestOnAddPeer(t *testing.T) {
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false)
|
||||
key := mustKey(t)
|
||||
if tc.setup != nil {
|
||||
tc.setup(a, key)
|
||||
@@ -192,7 +192,7 @@ func TestOnRemovePeer(t *testing.T) {
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false)
|
||||
key := tc.setup(t, a)
|
||||
dev.Calls = nil
|
||||
a.onRemovePeer(key)
|
||||
@@ -289,7 +289,7 @@ func TestSwitchActiveRelay(t *testing.T) {
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false, false)
|
||||
a, dev, _ := newTestApp(t, "10.0.0.1", false)
|
||||
tc.setup(t, a)
|
||||
dev.Calls = nil
|
||||
a.switchActiveRelay()
|
||||
|
||||
@@ -112,7 +112,7 @@ func (d *Device) SetRelay(pubKey wgtypes.Key, endpoint netip.AddrPort, network n
|
||||
})
|
||||
}
|
||||
|
||||
// AddProbe adds a peer with no AllowedIPs and a 5s keepalive. WireGuard will
|
||||
// AddProbe adds a peer with no AllowedIPs and an 8s keepalive. WireGuard will
|
||||
// attempt handshakes without routing any traffic through this peer yet.
|
||||
func (d *Device) AddProbe(pubKey wgtypes.Key, endpoint netip.AddrPort) error {
|
||||
keepalive := ProbeKeepalive
|
||||
|
||||
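Review bot: The corrected AddProbe comment still hard-codes a value (`8s`) that the code takes from `ProbeKeepalive` on the next lines, so it will drift again the next time the constant changes — this commit is itself such a drift fix. Refer to the constant instead: `// AddProbe adds a peer with no AllowedIPs and a ProbeKeepalive persistent keepalive. WireGuard will`. AddProbe's body continues past the end of the hunk, and the value of ProbeKeepalive is not visible here.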