rpn: impl update ops and perma creds

Author: ignoramous

intra/backend/ipn_proxies.go

@@ -6,6 +6,8 @@
 
 package backend
 
+import "fmt"
+
 const ( // see ipn/proxies.go
 	// IDs for default proxies
 
@@ -83,15 +85,62 @@ const ( // see ipn/proxies.go
 	END = -3
 )
 
+// RpnOps carries options that control the behaviour of Update and RegisterWin.
+// Fields are unexported; use the Set* methods to configure.
+type RpnOps struct {
+	rotateCreds       bool   // force a new WireGuard keypair on the next Update
+	permaCreds        bool   // use permanent WireGuard (local) addresses if available
+	forceFetchServers bool   // force server-list refresh on the next Update
+	newPort           uint16 // fixed WireGuard port; 0 = random per wsRandomPort()
+}
+
+func NewRpnOps() *RpnOps {
+	return &RpnOps{}
+}
+
+func (o *RpnOps) String() string {
+	return fmt.Sprintf("rotate: %t; perma: %t; forceFetchServers: %t; port: %d",
+		o.rotateCreds, o.permaCreds, o.forceFetchServers, o.newPort)
+}
+
+// SetRotateCreds forces generation of a new WireGuard keypair on the next Update.
+// Note: Rotate and Perma are mutually exclusive; setting one to true will set the other to false.
+func (o *RpnOps) SetRotateCreds(v bool) { o.rotateCreds = v; o.permaCreds = false }
+
+// SetPermaCreds enables/disables using the permanent WG credential set in Conf().
+// Note: Rotate and Perma are mutually exclusive; setting one to true will set the other to false.
+func (o *RpnOps) SetPermaCreds(v bool) { o.permaCreds = v; o.rotateCreds = false }
+
+// SetForceFetchServers forces the server-list refresh on the next Update.
+func (o *RpnOps) SetForceFetchServers(v bool) { o.forceFetchServers = v }
+
+// SetPort pins a specific WireGuard port; 0 means random (default).
+func (o *RpnOps) SetPort(port uint16) { o.newPort = port }
+
+// Rotate reports whether a new WG keypair should be generated.
+func (o RpnOps) Rotate() bool { return o.rotateCreds }
+
+// Perma reports whether permanent WG credentials should be used in Conf().
+func (o RpnOps) Perma() bool { return o.permaCreds }
+
+// FetchServers reports whether the server-list fetch should be forced.
+func (o RpnOps) FetchServers() bool { return o.forceFetchServers }
+
+// Port returns the pinned WireGuard port, or 0 if none is set.
+func (o RpnOps) Port() uint16 {
+	return o.newPort
+}
+
 type Rpn interface {
 	// EntitlementFrom returns the RpnEntitlement represented by entitlementOrStateJson.
 	// `did` is the device identifier to use for this entitlement, if applicable; and `rpnProviderID` is the RPN provider for this entitlement, if applicable.
 	// `rpnProviderID` is the RPN provider to use with this entitlement (ex: RpnWin, RpnSE, etc).
 	EntitlementFrom(entitlementOrStateJson []byte, rpnProviderID, did string) (RpnEntitlement, error)
 	// RegisterSE registers a new SurfEasy user.
 	RegisterSE() error
-	// RegisterWin is alias for RegisterWin.
-	RegisterWin(entitlementOrStateJson []byte, did string) (json []byte, err error)
+	// RegisterWin registers (or re-registers) a Windscribe account.
+	// ops may be nil to use default behaviour.
+	RegisterWin(entitlementOrStateJson []byte, did string, ops *RpnOps) (json []byte, err error)
 	// UnregisterWin unregisters a Windscribe installation.
 	UnregisterWin() bool
 	// UnregisterSE unregisters a SurfEasy user.
@@ -163,6 +212,8 @@ type RpnAcc interface {
 	Who() string
 	// State returns the state (as json) of the account.
 	State() ([]byte, error)
+	// Ops returns the RpnOps that control the behaviour of Update.
+	Ops() *RpnOps
 	// Created returns the time (unix millis) currently active account was created.
 	Created() int64
 	// Updated returns the time (unix millis) currently active account was updated.
@@ -171,8 +222,8 @@ type RpnAcc interface {
 	Expires() int64
 	// Locations returns RpnServers encapsulating this proxy's worldwide server presence.
 	Locations() (RpnServers, error)
-	// Update updates the account creating new state.
-	Update(rotate bool) (newstate []byte, err error)
+	// Update updates the account creating new state; ops may be nil to retain current RpnOps.
+	Update(ops *RpnOps) (newstate []byte, err error)
 }
 
 // RpnEntitlement represents access to a proxy service.

intra/dns53/dot_test.go

@@ -442,7 +442,7 @@ func TestWinReaches(t *testing.T) {
 
 	const did = "deadbeefdeadbeefdeadbeefdeadbeef" // some device id
 	ilog.D("ws: read ent (sess? %t): %d", readWinJson, len(entjson))
-	if wreg, err := pxr.RegisterWin(entjson, did); err != nil {
+	if wreg, err := pxr.RegisterWin(entjson, did, nil); err != nil {
 		t.Fatal(err)
 	} else {
 		entjson = wreg

intra/ipn/proxies.go

@@ -1252,7 +1252,7 @@ func (px *proxifier) EntitlementFrom(entitlementOrStateJson []byte, id, did stri
 }
 
 // RegisterWin implements x.Rpn.
-func (px *proxifier) RegisterWin(entitlementOrState []byte, did string) (stateJson []byte, err error) {
+func (px *proxifier) RegisterWin(entitlementOrState []byte, did string, ops *x.RpnOps) (stateJson []byte, err error) {
 	defer func() {
 		px.lastWinErr.Store(err) // may be nil
 	}()
@@ -1261,10 +1261,14 @@ func (px *proxifier) RegisterWin(entitlementOrState []byte, did string) (stateJs
 		return nil, errNilWinDevice
 	}
 
+	if ops == nil {
+		ops = new(x.RpnOps)
+	}
+
 	existingStateJson := entitlementOrState
 	restore := len(existingStateJson) > 0
 
-	win, err := px.registerWin(existingStateJson, did)
+	win, err := px.registerWin(existingStateJson, did, *ops)
 	if err != nil || core.IsNil(win) {
 		log.E("proxy: ws: make failed: %v", err)
 		return nil, core.JoinErr(err, errNilWinCfg)
@@ -1284,12 +1288,12 @@ func (px *proxifier) RegisterWin(entitlementOrState []byte, did string) (stateJs
 		return nil, core.JoinErr(err, errNotRpnProxy)
 	}
 
-	log.I("proxy: ws: registered: %s / %d; new? %t", win.Who(), len(state), !restore)
+	log.I("proxy: ws: registered: %s / %d; new? %t; ops: %+v", win.Who(), len(state), !restore, ops)
 	return state, nil
 }
 
-func (px *proxifier) registerWin(entitlementOrStateJson []byte, did string) (RpnAcc, error) {
-	return px.extc.MakeWsWgFrom(entitlementOrStateJson, did)
+func (px *proxifier) registerWin(entitlementOrStateJson []byte, did string, ops x.RpnOps) (RpnAcc, error) {
+	return px.extc.MakeWsWgFrom(entitlementOrStateJson, did, ops)
 }
 
 // RegisterSE implements x.Rpn.

intra/ipn/proxy_test.go

@@ -213,7 +213,7 @@ func TestProxyReaches(t *testing.T) {
 
 	var projson []byte
 	var err error
-	if projson, err = pxr.RegisterWin(nil); err != nil {
+	if projson, err = pxr.RegisterWin(nil, "", nil); err != nil {
 		t.Fatal(err)
 	}
 	if ips, err := pxr.TestWin(); err != nil {

intra/ipn/rpn.go

@@ -46,8 +46,6 @@ type rpnp struct {
 	kids map[string]struct{}
 }
 
-type RpnMakeKind = rpn.RpnMakeKind
-
 var _ RpnProxy = (*rpnp)(nil)
 var _ RpnAcc = (*rpnp)(nil) // (useless) assertion always succeeds, see above
 var _ Proxy = (*rpnp)(nil)  // (useless) assertion always succeeds, see above
@@ -547,8 +545,8 @@ func (r *rpnp) flattenKids() (ccs []string) {
 }
 
 // Update implements RpnAcc.
-func (r *rpnp) Update(rotate bool) (newState []byte, err error) {
-	newState, err = r.RpnAcc.Update(rotate)
+func (r *rpnp) Update(ops *x.RpnOps) (newState []byte, err error) {
+	newState, err = r.RpnAcc.Update(ops)
 	if err == nil {
 		core.Gxe("rpn.fork."+r.ProviderID(), r.forkAll)
 	}

intra/ipn/rpn/cfg.go

@@ -58,24 +58,6 @@ type RpnAcc interface {
 	Conf(key string) (string, error)
 }
 
-type RpnMakeKind uint8
-
-func (k RpnMakeKind) Updating() bool {
-	return k&RpnMakeUpdate == 1
-}
-
-func (k RpnMakeKind) Rotate() bool {
-	return k&RpnMakeRotate == 1
-}
-
-const (
-	// RpnMakeNew uses persisted sub-account identity when available, on enrollment or account update.
-	RpnMakeNew RpnMakeKind = 0b0001
-	// RpnMakeUpdate makes new sub-account identity on enrollment or account update.
-	RpnMakeUpdate RpnMakeKind = 0b0010
-	RpnMakeRotate RpnMakeKind = 0b0100
-)
-
 var _ RpnAcc = (*WsClient)(nil)
 
 type BaseClient struct {
@@ -110,7 +92,8 @@ func (RpnStateless) Conf(cc string) (string, error) { return "", errRpnStateless
 
 type RpnUpdateless struct{}
 
-func (RpnUpdateless) Update(bool) ([]byte, error) { return nil, errRpnUpdateless }
+func (RpnUpdateless) Ops() *x.RpnOps                  { return nil }
+func (RpnUpdateless) Update(*x.RpnOps) ([]byte, error) { return nil, errRpnUpdateless }
 
 type RpnMultiCountryServers struct {
 	all []x.RpnServer

intra/ipn/rpn/regional.go

@@ -132,3 +132,64 @@ func (rwg *RegionalWgConf) addrCsv() string {
 	}
 	return strings.Join(addrs, ",")
 }
+
+// GenUapiConfigFrom builds an on-the-fly UAPI config string that overlays
+// the credentials from a permanent config (private key, address, DNS,
+// preshared key, allowed IPs) onto this regional config's server endpoints.
+// rwg.UapiWgConf is NOT modified; the generated string is returned directly.
+// Returns ("", false) when rwg/perma is nil or PrivateKey/Address is absent.
+func (rwg *RegionalWgConf) GenUapiConfigFrom(perma *WsWgCreds) (string, bool) {
+	if rwg == nil || perma == nil || len(perma.PrivateKey) <= 0 {
+		return "", false
+	}
+
+	addr := perma.Address
+	if len(addr) <= 0 {
+		return "", false // not a perma config
+	}
+	dns := perma.DNS
+	if len(dns) <= 0 {
+		dns = cfdns4 // fallback
+	}
+
+	// AllowedIPs from the permanent config may be comma-separated ("0.0.0.0/0, ::/0").
+	allowedips := []string{gw4}
+	if len(perma.AllowedIPs) > 0 {
+		parts := strings.Split(perma.AllowedIPs, ",")
+		allowedips = make([]string, 0, len(parts))
+		for _, p := range parts {
+			if t := strings.TrimSpace(p); len(t) > 0 {
+				allowedips = append(allowedips, t)
+			}
+		}
+	}
+
+	conf := fmt.Sprintf(`private_key=%s
+replace_peers=true
+address=%s
+dns=%s
+mtu=(auto)
+public_key=%s`,
+		toHex(perma.PrivateKey),
+		addr,
+		dns,
+		toHex(rwg.ServerPubKey),
+	)
+	if len(rwg.ServerIPPort4) > 0 {
+		conf += "\nendpoint=" + rwg.ServerIPPort4
+	}
+	if len(rwg.ServerIPPort6) > 0 {
+		conf += "\nendpoint=" + rwg.ServerIPPort6
+	}
+	if len(rwg.ServerDomainPort) > 0 {
+		conf += "\nendpoint=" + rwg.ServerDomainPort
+	}
+	if len(perma.PresharedKey) > 0 {
+		conf += "\npreshared_key=" + toHex(perma.PresharedKey)
+	}
+	for _, ip := range allowedips {
+		conf += fmt.Sprintf("\nallowed_ip=%s", ip)
+	}
+
+	return conf, true
+}