feat[agent-manager]: own and validate the agent-installation connection key locally

Author: Kbayero

agent-manager/agent/agent.pb.go

@@ -32,8 +32,10 @@ type AgentService struct {
 	CacheAgentKeyMutex    sync.RWMutex
 	CommandResultChannel  map[string]chan *CommandResult
 	CommandResultChannelM sync.Mutex
-
-	DBConnection *database.DB
+	connKey               string
+	connKeyID             uint
+	connKeyMutex          sync.RWMutex
+	DBConnection          *database.DB
 }
 
 func (s *AgentService) ValidateAgentKey(key string, id uint) bool {
@@ -62,6 +64,11 @@ func InitAgentService() error {
 		for _, agent := range agents {
 			AgentServ.CacheAgentKey[agent.ID] = agent.AgentKey
 		}
+
+		if e := AgentServ.loadConnectionKey(); e != nil {
+			err = e
+			return
+		}
 	})
 	return err
 }

agent-manager/agent/agent_grpc.pb.go

@@ -0,0 +1,93 @@
+package agent
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/hex"
+	"fmt"
+
+	"github.com/threatwinds/go-sdk/catcher"
+	"github.com/utmstack/UTMStack/agent-manager/models"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"gorm.io/gorm"
+)
+
+func (s *AgentService) loadConnectionKey() error {
+	var rows []models.ConnectionKey
+	if _, err := s.DBConnection.GetAll(&rows, ""); err != nil {
+		return fmt.Errorf("failed to load connection key: %v", err)
+	}
+
+	if len(rows) > 0 {
+		s.connKeyMutex.Lock()
+		s.connKeyID = rows[0].ID
+		s.connKey = rows[0].Key
+		s.connKeyMutex.Unlock()
+		return nil
+	}
+
+	key, err := generateConnectionKey()
+	if err != nil {
+		return err
+	}
+	row := models.ConnectionKey{Key: key}
+	if err := s.DBConnection.Create(&row); err != nil {
+		return fmt.Errorf("failed to create connection key: %v", err)
+	}
+	s.connKeyMutex.Lock()
+	s.connKeyID = row.ID
+	s.connKey = row.Key
+	s.connKeyMutex.Unlock()
+	catcher.Info("Generated agent connection key", map[string]any{"process": "agent-manager"})
+	return nil
+}
+
+// ValidateConnectionKey reports whether the presented key matches the current
+// connection key.
+func (s *AgentService) ValidateConnectionKey(key string) bool {
+	s.connKeyMutex.RLock()
+	defer s.connKeyMutex.RUnlock()
+	if s.connKey == "" {
+		return false
+	}
+	return subtle.ConstantTimeCompare([]byte(key), []byte(s.connKey)) == 1
+}
+
+func (s *AgentService) GetConnectionKey(ctx context.Context, req *ConnectionKeyRequest) (*ConnectionKeyResponse, error) {
+	s.connKeyMutex.RLock()
+	key := s.connKey
+	s.connKeyMutex.RUnlock()
+	return &ConnectionKeyResponse{ConnectionKey: key}, nil
+}
+
+func (s *AgentService) RotateConnectionKey(ctx context.Context, req *ConnectionKeyRequest) (*ConnectionKeyResponse, error) {
+	key, err := generateConnectionKey()
+	if err != nil {
+		return nil, status.Error(codes.Internal, fmt.Sprintf("failed to generate connection key: %v", err))
+	}
+
+	s.connKeyMutex.RLock()
+	id := s.connKeyID
+	s.connKeyMutex.RUnlock()
+
+	if err := s.DBConnection.Upsert(&models.ConnectionKey{Model: gorm.Model{ID: id}, Key: key}, "id = ?", map[string]interface{}{"key": key}, id); err != nil {
+		return nil, status.Error(codes.Internal, fmt.Sprintf("failed to persist connection key: %v", err))
+	}
+
+	s.connKeyMutex.Lock()
+	s.connKey = key
+	s.connKeyMutex.Unlock()
+
+	catcher.Info("Rotated agent connection key", map[string]any{"process": "agent-manager"})
+	return &ConnectionKeyResponse{ConnectionKey: key}, nil
+}
+
+func generateConnectionKey() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("failed to read random bytes: %v", err)
+	}
+	return hex.EncodeToString(b), nil
+}

agent-manager/agent/agent_imp.go

@@ -8,7 +8,6 @@ import (
 	"strings"
 
 	"github.com/utmstack/UTMStack/agent-manager/config"
-	"github.com/utmstack/UTMStack/agent-manager/utils"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
@@ -90,7 +89,7 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 			return status.Error(codes.PermissionDenied, "invalid type")
 		}
 	case "connection-key":
-		if !utils.IsConnectionKeyValid(fmt.Sprintf(config.PanelConnectionKeyUrl, config.UTMHost), authConnectionKey[0]) {
+		if !AgentServ.ValidateConnectionKey(authConnectionKey[0]) {
 			return status.Error(codes.PermissionDenied, "invalid connection key")
 		}
 	case "internal-key":

agent-manager/agent/connectionkey_imp.go

@@ -39,14 +39,15 @@ func InternalKeyRoutes() []string {
 		"/agent.CollectorService/ListCollector",
 
 		"/agent.PanelService/ProcessCommand",
+		"/agent.PanelService/GetConnectionKey",
+		"/agent.PanelService/RotateConnectionKey",
 		"/agent.PanelCollectorService/RegisterCollectorConfig",
 
 		"/grpc.health.v1.Health/Check",
 	}
 }
 
 var (
-	PanelConnectionKeyUrl     = "%s/api/authenticateFederationServiceManager"
 	CheckEvery                = 5 * time.Minute
 	CertPath                  = "/cert/utm.crt"
 	CertKeyPath               = "/cert/utm.key"

agent-manager/agent/interceptor.go

@@ -4,7 +4,7 @@ import "github.com/utmstack/UTMStack/agent-manager/models"
 
 func MigrateDatabase() error {
 	db := GetDB()
-	err := db.Migrate(&models.Agent{}, &models.AgentCommand{}, &models.LastSeen{}, &models.Collector{})
+	err := db.Migrate(&models.Agent{}, &models.AgentCommand{}, &models.LastSeen{}, &models.Collector{}, &models.ConnectionKey{})
 	if err != nil {
 		return err
 	}

agent-manager/config/global_const.go

@@ -0,0 +1,8 @@
+package models
+
+import "gorm.io/gorm"
+
+type ConnectionKey struct {
+	gorm.Model
+	Key string `gorm:"not null"`
+}

agent-manager/database/migration.go

@@ -18,6 +18,14 @@ service AgentService {
 
 service PanelService {
   rpc ProcessCommand (stream UtmCommand) returns (stream CommandResult){}
+  rpc GetConnectionKey(ConnectionKeyRequest) returns (ConnectionKeyResponse) {}
+  rpc RotateConnectionKey(ConnectionKeyRequest) returns (ConnectionKeyResponse) {}
+}
+
+message ConnectionKeyRequest {}
+
+message ConnectionKeyResponse {
+  string connection_key = 1;
 }
 
 enum AgentCommandStatus {

agent-manager/models/connection_key.go

@@ -2,23 +2,8 @@ package utils
 
 import (
 	"crypto/subtle"
-	"crypto/tls"
-	"net/http"
-	"strings"
 )
 
-func IsConnectionKeyValid(panelUrl string, token string) bool {
-	requestBody := strings.NewReader(token)
-	tlsConfig := &tls.Config{InsecureSkipVerify: true}
-	transport := &http.Transport{TLSClientConfig: tlsConfig}
-	client := &http.Client{Transport: transport}
-	resp, err := client.Post(panelUrl, "application/json", requestBody)
-	if err != nil || resp.StatusCode != http.StatusOK {
-		return false
-	}
-	return true
-}
-
 func IsKeyPairValid(key string, id uint, cache map[uint]string) (string, bool) {
 	agentKey, ok := cache[id]
 	if !ok {