Update

.mockery.yaml

@@ -0,0 +1,4 @@
+inpackage: True
+with-expecter: True
+testonly: True
+include-auto-generated: False

Makefile

@@ -27,6 +27,11 @@ update:
 	@go get -u all
 	go mod tidy
 
+.PHONY: generate
+generate:
+	@go install github.com/vektra/mockery/[email protected]
+	mockery
+
 .PHONY: models
 models:
 	@go install github.com/volatiletech/sqlboiler/v4@latest

db/schema.sql

@@ -134,7 +134,14 @@ CREATE TABLE public.auth_attempt_log (
     auth_attempt_log_theme_spec_path text NOT NULL,
     auth_attempt_log_opennds_version character varying(20) NOT NULL,
     auth_attempt_log_created_at timestamp without time zone DEFAULT CURRENT_TIMESTAMP NOT NULL,
-    auth_attempt_log_updated_at timestamp without time zone
+    auth_attempt_log_updated_at timestamp without time zone,
+    auth_attempt_log_rhid text NOT NULL,
+    auth_attempt_log_session_length_minutes bigint NOT NULL,
+    auth_attempt_log_upload_rate_threshold bigint NOT NULL,
+    auth_attempt_log_download_rate_threshold bigint NOT NULL,
+    auth_attempt_log_upload_quota bigint NOT NULL,
+    auth_attempt_log_download_quota bigint NOT NULL,
+    auth_attempt_log_custom_value json
 );
 
 
@@ -236,6 +243,55 @@ COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_created_at IS 'create
 COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_updated_at IS 'updated timestamp';
 
 
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_rhid; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_rhid IS 'hashed client hid with gateway password';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_session_length_minutes; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_session_length_minutes IS 'session length minutes';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_upload_rate_threshold; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_upload_rate_threshold IS 'upload rate threshold (KB/s)';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_download_rate_threshold; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_download_rate_threshold IS 'download rate threshold (KB/s)';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_upload_quota; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_upload_quota IS 'upload quota (KB)';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_download_quota; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_download_quota IS 'download quota (KB)';
+
+
+--
+-- Name: COLUMN auth_attempt_log.auth_attempt_log_custom_value; Type: COMMENT; Schema: public; Owner: -
+--
+
+COMMENT ON COLUMN public.auth_attempt_log.auth_attempt_log_custom_value IS 'json serialized custom tags';
+
+
 --
 -- Name: gateway; Type: TABLE; Schema: public; Owner: -
 --

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/redis/go-redis/v9 v9.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
+	github.com/volatiletech/null/v8 v8.1.2
 	github.com/volatiletech/sqlboiler/v4 v4.15.0
 	github.com/volatiletech/strmangle v0.0.5
 	gopkg.in/yaml.v3 v3.0.1
@@ -25,6 +26,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/friendsofgo/errors v0.9.2 // indirect
+	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/klauspost/compress v1.16.3 // indirect
@@ -36,6 +38,7 @@ require (
 	github.com/valyala/fasthttp v1.49.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	github.com/volatiletech/inflect v0.0.1 // indirect
+	github.com/volatiletech/randomize v0.0.1 // indirect
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/net v0.12.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect

pkg/auth/policy.go

@@ -0,0 +1,83 @@
+package auth
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+)
+
+type ClientPolicy struct {
+	ClientRHID               string
+	SessionDuration          time.Duration // Session Duration: minutes
+	UploadRateThresholdKBs   int64         // Upload Rate Limit Threshold: Kb/s
+	DownloadRateThresholdKBs int64         // Download Rate Limit Threshold: Kb/s
+	UploadQuotaKB            int64         // Upload Quota: KBytes
+	DownloadQuotaKB          int64         // Download Quota: KBytes
+
+	Custom map[string]any // Custom values
+}
+
+func (c *ClientPolicy) toAuthAttemptLog() {
+	// TODO: implement
+	panic("not implemented")
+}
+
+// toOpenNDSFormat converts ClientPolicy to the format that is expected by opennds auth daemon ("authmon")
+func (c *ClientPolicy) toOpenNDSFormat() string {
+	custom := ""
+	if c.Custom != nil && len(c.Custom) > 0 {
+		idx := 0
+		kvFormats := make([]string, len(c.Custom))
+
+		for k, v := range c.Custom {
+			kvFormats[idx] = fmt.Sprintf("%s=%s", k, v)
+			idx += 1
+		}
+
+		custom = strings.Join(kvFormats, ", ")
+	}
+
+	format := fmt.Sprintf(
+		"%s %d %d %d %d %d %s",
+		c.ClientRHID,
+		int64(c.SessionDuration.Minutes()),
+		c.UploadRateThresholdKBs,
+		c.DownloadRateThresholdKBs,
+		c.UploadQuotaKB,
+		c.DownloadQuotaKB,
+		base64.StdEncoding.EncodeToString([]byte(custom)),
+	)
+
+	format = url.QueryEscape(format)
+	// NOTE(@Kcrong): url.QueryEscape replaces spaces with "+", but opennds needs "%20"
+	format = strings.ReplaceAll(format, "+", "%20")
+
+	return format
+}
+
+func (c *ClientPolicy) AddTag(key string, value any) {
+	c.Custom[key] = value
+}
+
+func NewClientPolicy(
+	rhid string,
+	durationMinutes int64,
+	uploadRate,
+	downloadRate,
+	uploadQuota,
+	downloadQuota int64,
+	tags map[string]any,
+) *ClientPolicy {
+
+	return &ClientPolicy{
+		ClientRHID:               rhid,
+		SessionDuration:          time.Duration(durationMinutes) * time.Minute,
+		UploadRateThresholdKBs:   uploadRate,
+		DownloadRateThresholdKBs: downloadRate,
+		UploadQuotaKB:            uploadQuota,
+		DownloadQuotaKB:          downloadQuota,
+		Custom:                   tags,
+	}
+}

pkg/auth/provider.go

@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
+)
+
+// Provider is an interface for client(RHID) authentication
+type Provider interface {
+	ListClients(ctx context.Context, gateway string) ([]string, error)
+	AddClient(ctx context.Context, gateway, rhid string, policy *ClientPolicy) error
+	DeleteClient(ctx context.Context, gateway, rhid string) error
+}
+
+type provider struct {
+	redisCli *redis.Client
+}
+
+func hash(s string) string {
+	bs := sha256.Sum256([]byte(s))
+
+	return hex.EncodeToString(bs[:])
+}
+
+func (p provider) ListClients(ctx context.Context, gateway string) ([]string, error) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (p provider) AddClient(ctx context.Context, gateway, rhid string, policy *ClientPolicy) error {
+	gwHash := hash(gateway)
+	if err := p.redisCli.LPush(ctx, gwHash, rhid).Err(); err != nil {
+		return errors.WithStack(err)
+	}
+
+	key := fmt.Sprintf("%s-%s", gwHash, rhid)
+	if err := p.redisCli.Set(ctx, key, policy.toOpenNDSFormat(), 0).Err(); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+func (p provider) DeleteClient(ctx context.Context, gateway, rhid string) error {
+	//TODO implement me
+	panic("implement me")
+}
+
+func NewProvider(redisCli *redis.Client) Provider {
+	return &provider{redisCli: redisCli}
+}