Add peer login expiration

netbirdio · braginini · Feb 13, 2023 · Feb 10, 2023 · Feb 10, 2023 · Feb 10, 2023
commit f9a99e140e1958836a0a7bffa92f0eb5ab7af9c9
diff --git a/management/server/grpcserver.go b/management/server/grpcserver.go
@@ -354,6 +354,11 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 		}
 	}
 
+	expired, left := peer.LoginExpired(24 * time.Hour)
+	if peer.UserID != "" && expired {
+		return nil, status.Errorf(codes.PermissionDenied, "peer login has expired %v ago. Please login once more", left)
+	}
+
 	var sshKey []byte
 	if loginReq.GetPeerKeys() != nil {
 		sshKey = loginReq.GetPeerKeys().GetSshPubKey()

diff --git a/management/server/peer.go b/management/server/peer.go
@@ -58,27 +58,44 @@ type Peer struct {
 	UserID string
 	// SSHKey is a public SSH key of the peer
 	SSHKey string
-	// SSHEnabled indicated whether SSH server is enabled on the peer
+	// SSHEnabled indicates whether SSH server is enabled on the peer
 	SSHEnabled bool
+	// LoginExpirationEnabled indicates whether peer's login expiration is enabled and once expired the peer has to re-login.
+	// Works with LastLogin
+	LoginExpirationEnabled bool
+	// LastLogin the time when peer performed last login operation
+	LastLogin time.Time
 }
 
 // Copy copies Peer object
 func (p *Peer) Copy() *Peer {
 	return &Peer{
-		ID:         p.ID,
-		Key:        p.Key,
-		SetupKey:   p.SetupKey,
-		IP:         p.IP,
-		Meta:       p.Meta,
-		Name:       p.Name,
-		Status:     p.Status,
-		UserID:     p.UserID,
-		SSHKey:     p.SSHKey,
-		SSHEnabled: p.SSHEnabled,
-		DNSLabel:   p.DNSLabel,
+		ID:                     p.ID,
+		Key:                    p.Key,
+		SetupKey:               p.SetupKey,
+		IP:                     p.IP,
+		Meta:                   p.Meta,
+		Name:                   p.Name,
+		Status:                 p.Status,
+		UserID:                 p.UserID,
+		SSHKey:                 p.SSHKey,
+		SSHEnabled:             p.SSHEnabled,
+		DNSLabel:               p.DNSLabel,
+		LoginExpirationEnabled: p.LoginExpirationEnabled,
+		LastLogin:              p.LastLogin,
 	}
 }
 
+// LoginExpired indicates whether peer's login has expired or not.
+// If Peer.LastLogin plus the expiresIn duration has happened already then login has expired.
+// Return true if login has expired, false otherwise and time left to expiration (negative when expired).
+func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration) {
+	expiresAt := p.LastLogin.Add(expiresIn)
+	now := time.Now()
+	left := expiresAt.Sub(now)
+	return p.LoginExpirationEnabled && (left <= 0), left
+}
+
 // FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
 func (p *Peer) FQDN(dnsDomain string) string {
 	if dnsDomain == "" {
@@ -100,7 +117,7 @@ func (p *PeerStatus) Copy() *PeerStatus {
 	}
 }
 
-// GetPeer looks up peer by its public WireGuard key
+// GetPeerByKey looks up peer by its public WireGuard key
 func (am *DefaultAccountManager) GetPeerByKey(peerPubKey string) (*Peer, error) {
 
 	account, err := am.Store.GetAccountByPeerPubKey(peerPubKey)

diff --git a/management/server/peer_test.go b/management/server/peer_test.go
@@ -3,11 +3,57 @@ package server
 import (
 	"github.com/stretchr/testify/assert"
 	"testing"
+	"time"
 
 	"github.com/rs/xid"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+func TestPeer_LoginExpired(t *testing.T) {
+
+	tt := []struct {
+		name              string
+		expirationEnbaled bool
+		lastLogin         time.Time
+		expiresIn         time.Duration
+		expected          bool
+	}{
+		{
+			name:              "Peer Login Expiration Disabled. Peer Login Should Not Expire",
+			expirationEnbaled: false,
+			lastLogin:         time.Now().Add(-25 * time.Hour),
+			expiresIn:         time.Hour,
+			expected:          false,
+		},
+		{
+			name:              "Peer Login Should Expire",
+			expirationEnbaled: true,
+			lastLogin:         time.Now().Add(-25 * time.Hour),
+			expiresIn:         time.Hour,
+			expected:          true,
+		},
+		{
+			name:              "Peer Login Should Not Expire",
+			expirationEnbaled: true,
+			lastLogin:         time.Now(),
+			expiresIn:         time.Hour,
+			expected:          false,
+		},
+	}
+
+	for _, c := range tt {
+		t.Run(c.name, func(t *testing.T) {
+			peer := &Peer{
+				LoginExpirationEnabled: c.expirationEnbaled,
+				LastLogin:              c.lastLogin,
+			}
+
+			expired, _ := peer.LoginExpired(c.expiresIn)
+			assert.Equal(t, expired, c.expected)
+		})
+	}
+}
+
 func TestAccountManager_GetNetworkMap(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {