projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62505d547cd6c968f6771f6d92ddd2ad715e1994
edgeguard-native/internal/services/secrets/secrets.go
Debian 85904d0c36 feat: WireGuard (server + client + peers + QR) + shared UI components 
WireGuard
---------
* Migration 0013: wireguard_interfaces (server|client mode, key envelope-
  encrypted) + wireguard_peers (per-server roster). Drop old empty
  0005-Schema (Option-A peer_type, kein Iface-FK), neuer Aufbau mit
  zwei Tabellen + FK.
* internal/services/secrets: Box mit AES-256-GCM, Master-Key in
  /var/lib/edgeguard/.master_key (lazy-create, 0600). Sealed/Open
  für PrivateKey + PSK.
* internal/services/wireguard: KeyGen (Curve25519 mit clamping),
  PublicFromPrivate (für Import), InterfacesRepo, PeersRepo, Importer
  (parst /etc/wireguard/*.conf, server vs. client heuristisch nach
  ListenPort + Peer-Anzahl).
* internal/wireguard: Renderer schreibt /etc/edgeguard/wireguard/<iface>.conf
  (0600), restartet wg-quick@<iface> via sudo (sudoers im postinst
  erweitert). Idempotent — re-render nur wenn content geändert.
* internal/handlers/wireguard.go: REST CRUD für interfaces+peers,
  /generate-keypair, /peers/:id/config (text/plain wg-quick conf),
  /peers/:id/qr (PNG via go-qrcode). Auto-reload nach Mutation.
* edgeguard-ctl wg-import [--path /etc/wireguard]: liest existierende
  conf-Files in die DB. Idempotent (überspringt vorhandene Iface-Namen).

Shared UI components (proxy-lb-waf design pattern)
--------------------------------------------------
* PageHeader: icon + title + subtitle + extras row, einheitlich oben
  auf jeder Page.
* ActionButtons: Edit + Delete combo mit Popconfirm + Tooltip.
* StatusDot: AntD Badge pattern statt "Yes/No" — schneller scanbar
  in dichten Tabellen.
* DataTable: pageSizeOptions [20,50,100,200] + extraActions-Alias +
  optional renderMobileCard für Card-Liste auf < md Breakpoint.
* enterprise.css: .page-header* + .datatable-toolbar Klassen.

Frontend WireGuard
------------------
* /vpn/wireguard mit zwei Tabs (Server / Client) im neuen Pattern.
* Server-Tab: Modal mit Generate-Keypair-Toggle, Peer-Roster im
  Drawer per Server. Pro Peer: QR-Code-Modal + .conf-Download.
* Client-Tab: Upstream-Card im Modal, full-tunnel-Default
  (0.0.0.0/0,::/0), Keepalive 25.
* i18n DE/EN für wg.* Block + common.* Erweiterung.

Misc
----
* Sidebar: WireGuard unter Security-Sektion.
* Nav-i18n: "Firewall (v2)" → "Firewall".
* Version 1.0.8 → 1.0.11.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 20:51:25 +02:00

134 lines
3.5 KiB
Go
Raw Blame History

// Package secrets provides envelope encryption for sensitive
// at-rest values (WireGuard private keys, peer PSKs, possibly more
// later). The master key lives in /var/lib/edgeguard/.master_key
// (32 bytes, 0600 root-owned via postinst — but readable by the
// edgeguard user via group), generated lazily on first use if
// missing.
//
// On-disk format per ciphertext: nonce (12 byte) || aes-gcm ciphertext.
// Plaintext is never logged or returned outside this package's
// callers.
package secrets
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"errors"
"fmt"
"io"
"os"
"path/filepath"
"sync"
)
const masterKeyLen = 32
// DefaultMasterKeyPath is the file that holds the box master key.
// Override via the EDGEGUARD_MASTER_KEY env var for tests.
const DefaultMasterKeyPath = "/var/lib/edgeguard/.master_key"
// Box uses AES-256-GCM with a static master key to seal/unseal
// values. Concurrency-safe; the cipher is initialised once.
type Box struct {
once sync.Once
aead cipher.AEAD
err error
path string
}
// New returns a Box that loads / lazily creates the master key at
// the given path. Pass empty string to use DefaultMasterKeyPath.
func New(path string) *Box {
if path == "" {
path = DefaultMasterKeyPath
}
return &Box{path: path}
}
func (b *Box) init() {
b.once.Do(func() {
key, err := loadOrCreateMasterKey(b.path)
if err != nil {
b.err = fmt.Errorf("master key: %w", err)
return
}
blk, err := aes.NewCipher(key)
if err != nil {
b.err = fmt.Errorf("aes cipher: %w", err)
return
}
aead, err := cipher.NewGCM(blk)
if err != nil {
b.err = fmt.Errorf("gcm: %w", err)
return
}
b.aead = aead
})
}
// Seal returns nonce||ciphertext. Empty input → empty output (so
// callers can store NULL for "not set" without a special case).
func (b *Box) Seal(plaintext []byte) ([]byte, error) {
if len(plaintext) == 0 {
return nil, nil
}
b.init()
if b.err != nil {
return nil, b.err
}
nonce := make([]byte, b.aead.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return nil, fmt.Errorf("nonce: %w", err)
}
out := b.aead.Seal(nil, nonce, plaintext, nil)
return append(nonce, out...), nil
}
// Open is the inverse of Seal. Empty input → empty output.
func (b *Box) Open(blob []byte) ([]byte, error) {
if len(blob) == 0 {
return nil, nil
}
b.init()
if b.err != nil {
return nil, b.err
}
ns := b.aead.NonceSize()
if len(blob) < ns+1 {
return nil, errors.New("ciphertext too short")
}
nonce, ct := blob[:ns], blob[ns:]
pt, err := b.aead.Open(nil, nonce, ct, nil)
if err != nil {
return nil, fmt.Errorf("decrypt: %w", err)
}
return pt, nil
}
func loadOrCreateMasterKey(path string) ([]byte, error) {
if data, err := os.ReadFile(path); err == nil {
if len(data) != masterKeyLen {
return nil, fmt.Errorf("master key file has wrong length %d, want %d", len(data), masterKeyLen)
}
return data, nil
} else if !errors.Is(err, os.ErrNotExist) {
return nil, err
}
// Generate. Make sure the parent dir exists; postinst should
// have created /var/lib/edgeguard already, but in dev (`go run`
// without sudo) we create it best-effort.
if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
return nil, fmt.Errorf("mkdir parent: %w", err)
}
key := make([]byte, masterKeyLen)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
return nil, fmt.Errorf("rand: %w", err)
}
if err := os.WriteFile(path, key, 0o600); err != nil {
return nil, fmt.Errorf("write: %w", err)
}
return key, nil
}
Reference in New Issue View Git Blame Copy Permalink