Initial commit

Author: mjm918

.gitignore

@@ -0,0 +1,27 @@
+### Go template
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+*.db
+*.yaml
+*.json
+*.toml

README.md

@@ -0,0 +1,51 @@
+# Jerusalem Tunnel
+
+Jerusalem Tunnel is a cross-platform `ngrok` alternative written in Go. It allows clients to reserve a port and complete
+a handshake using a secret key shared between the server and the client, identified uniquely by a clientID.
+
+## Features
+
+- **Cross-Platform**: Works on Windows, macOS, and Linux.
+- **Port Reservation**: Reserve a port for the client.
+- **Secure Handshake**: Client and server complete a handshake using a secret key and unique clientID.
+
+## Installation
+
+1. Ensure you have [Go 1.22](https://golang.org/dl/) or later installed.
+2. Clone the repository:
+
+    ```bash
+    git clone https://github.com/yourusername/jerusalem-tunnel.git
+    cd jerusalem-tunnel
+    ```
+
+3. Build the project:
+
+    ```bash
+    go build -o jerusalem-tunnel main.go
+    ```
+
+## Usage
+
+Start the server:
+
+    ./jerusalem-tunnel server --config config.yaml
+
+
+## Configuration
+
+The server requires a configuration file in YAML format to run. Example `server.yaml`:
+
+```yaml
+PORT_RANGE: "2000...8999"
+SECRET_KEY: "2y6sUp8cBSfNDk7Jq5uLm0xHAIOb9ZGqE4hR1WVXtCwKjP3dYzvTn2QiFXe8rMb6"
+SERVER_PORT: 8901
+```
+
+## Contributing
+
+Contributions are welcome! Please fork the repository and submit a pull request.
+
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.

app.go

@@ -0,0 +1,75 @@
+package main
+
+import (
+	"github.com/common-nighthawk/go-figure"
+	"github.com/spf13/viper"
+	"log"
+	"os"
+	"strconv"
+	"strings"
+)
+
+func main() {
+	art := figure.NewColorFigure("Jerusalem", "slant", "green", true)
+	art.Print()
+
+	print("\n\n")
+
+	viper.AutomaticEnv()
+	viper.SetConfigName("server")
+	viper.AddConfigPath(".")
+	viper.AddConfigPath("$HOME/.config/jerusalem")
+	viper.AddConfigPath("/etc/jerusalem/")
+
+	if len(os.Args) > 1 && strings.HasPrefix(os.Args[1], "--config") {
+		configPath := strings.Split(os.Args[1], "=")
+		if len(configPath) > 1 {
+			viper.SetConfigFile(configPath[1])
+		}
+	}
+
+	if err := viper.ReadInConfig(); err != nil {
+		log.Printf("Config file not found: %v", err)
+	}
+
+	// Read variables
+	pStr := strings.TrimSpace(viper.GetString("server_port"))
+	s := strings.TrimSpace(viper.GetString("secret_key"))
+	pr := strings.TrimSpace(viper.GetString("port_range"))
+
+	if pr == "" || !strings.Contains(pr, "...") {
+		log.Fatal("missing or invalid PORT_RANGE")
+	}
+	if pStr == "" {
+		log.Fatal("missing SERVER_PORT")
+	}
+	if s == "" {
+		s = DefaultSecret
+	}
+	if len(s) != 64 {
+		log.Fatal("SECRET_KEY must be 64 characters long")
+	}
+
+	prParts := strings.Split(pr, "...")
+	minP, err := strconv.ParseUint(prParts[0], 10, 16)
+	if err != nil || minP < 1024 || minP > 65535 {
+		log.Fatalf("invalid PORT_RANGE: %v", err)
+	}
+	maxP, err := strconv.ParseUint(prParts[1], 10, 16)
+	if err != nil || maxP < 1024 || maxP > 65535 || maxP < minP {
+		log.Fatalf("invalid PORT_RANGE: %v", err)
+	}
+	p, err := strconv.ParseUint(pStr, 10, 16)
+	if err != nil || p < 1024 || p > 65535 {
+		log.Fatalf("invalid SERVER_PORT: %s", pStr)
+	}
+	db, err := NewTCPClientRepository()
+	if err != nil {
+		log.Fatalf("error creating database: %v", err)
+	}
+
+	svr := NewServer(uint16(p), RangeInclusive{min: uint16(minP), max: uint16(maxP)}, db, &s)
+	if err := svr.StartServer(); err != nil {
+		log.Fatalf("Server error: %v", err)
+	}
+}

auth.go

@@ -0,0 +1,147 @@
+package main
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"github.com/google/uuid"
+	"net"
+	"slices"
+	"strconv"
+	"strings"
+)
+
+// Authenticator represents an object responsible for handling client authentication and generating and validating answers.
+//
+// Fields:
+// - k []byte: the secret key used for generating answers and validating answers.
+// - pr *RangeInclusive: the range of ports used for finding free ports during authentication.
+// - db *TcpClientRepository: the repository for accessing TCP client data.
+//
+// Methods:
+// - GenerateAnswer(ch uuid.UUID) string: generates an answer for a challenge.
+// - ValidateAnswer(ch uuid.UUID, ans string) bool: validates an answer for a challenge.
+// - PerformServerHandshake(stream *Codec) error: performs the server handshake with the client.
+// - handleClientAuth(stream *Codec, id string) error: handles the client authentication process.
+// - findFreePort() (uint16, error): finds a free port within the specified range.
+type Authenticator struct {
+	k  []byte
+	pr *RangeInclusive
+	db *TcpClientRepository
+}
+
+// NewAuthenticator creates a new instance of the Authenticator struct and initializes it with the provided parameters.
+// The secret parameter is used to generate the authentication key, which is a SHA-256 hash of the secret.
+// The db parameter is a reference to a TcpClientRepository, which is used to interact with the client database.
+// The pr parameter is a reference to a RangeInclusive struct, which represents the range of ports that can be used.
+// The function returns a pointer to the newly created Authenticator instance.
+func NewAuthenticator(secret string, db *TcpClientRepository, pr *RangeInclusive) *Authenticator {
+	h := sha256.Sum256([]byte(secret))
+	return &Authenticator{k: h[:], pr: pr, db: db}
+}
+
+// GenerateAnswer generates an answer using the HMAC-SHA256 algorithm.
+// It takes a uuid.UUID as a challenge, appends it to the key provided during
+// Authenticator initialization, and computes the HMAC-SHA256 hash. The result
+// is then encoded to a hexadecimal string and returned.
+func (a *Authenticator) GenerateAnswer(ch uuid.UUID) string {
+	m := hmac.New(sha256.New, a.k)
+	m.Write(ch[:])
+	return hex.EncodeToString(m.Sum(nil))
+}
+
+// ValidateAnswer validates the answer provided by the client for a challenge.
+// It decodes the answer from a hex-string to bytes and computes the HMAC of
+// the challenge using the provided key. Then it checks if the computed HMAC
+// is equal to the decoded answer. Returns true if the answer is valid, false
+// otherwise.
+func (a *Authenticator) ValidateAnswer(ch uuid.UUID, ans string) bool {
+	b, err := hex.DecodeString(ans)
+	if err != nil {
+		return false
+	}
+	m := hmac.New(sha256.New, a.k)
+	m.Write(ch[:])
+	em := m.Sum(nil)
+	return hmac.Equal(em, b)
+}
+
+// PerformServerHandshake performs the server-side handshake process with a client.
+// It sends a challenge message to the client, receives the client's response,
+// validates it, and handles the authentication process if the response is valid.
+// If the handshake fails at any step, an error is returned.
+func (a *Authenticator) PerformServerHandshake(stream *Codec) error {
+	ch := uuid.New()
+	if err := stream.Send(ServerMessage{Type: MtChallenge, Challenge: ch}); err != nil {
+		return err
+	}
+
+	var msg ClientMessage
+	ctx, cancel := context.WithTimeout(context.Background(), NetworkTimeout)
+	defer cancel()
+
+	if err := stream.Recv(ctx, &msg); err != nil {
+		return err
+	}
+
+	if msg.Type == MtAuthenticate && a.ValidateAnswer(ch, msg.Authenticate) {
+		if err := a.handleClientAuth(stream, msg.ClientId); err != nil {
+			return err
+		}
+	} else {
+		return ErrInvalidSecret
+	}
+
+	return nil
+}
+
+// `handleClientAuth` handles the authentication of a client. It validates the client ID, retrieves the client information from the database, generates a free port if necessary, stores the client information in the database, and sends the free port to the client through the stream.
+func (a *Authenticator) handleClientAuth(stream *Codec, id string) error {
+	if strings.TrimSpace(id) == "" {
+		return ErrInvalidClientId
+	}
+
+	c, ex, err := a.db.GetByClientID(id)
+	if err != nil {
+		return err
+	}
+
+	var p uint16
+	if !ex {
+		bl, err := a.db.GetAllPorts()
+		if err != nil {
+			return err
+		}
+		p, err = a.findFreePort(bl)
+		if err != nil {
+			return err
+		}
+		err = a.db.Create(&TCPClient{ID: p, ClientID: id, Port: p})
+		if err != nil {
+			return err
+		}
+	} else {
+		p = c.Port
+	}
+
+	return stream.Send(ServerMessage{Type: MtFreePort, Port: p})
+}
+
+// findFreePort finds a free port within the range of min and max ports specified in the Authenticator's RangeInclusive property.
+// It tries to listen on each port in the range and returns the first port that is available.
+// If no port is available, it returns an error indicating that no port was found in the specified range.
+func (a *Authenticator) findFreePort(skip []uint16) (uint16, error) {
+	for p := a.pr.min; p <= a.pr.max; p++ {
+		if slices.Contains(skip, p) {
+			continue
+		}
+		l, err := net.Listen("tcp", ":"+strconv.Itoa(int(p)))
+		if err == nil {
+			l.Close()
+			return p, nil
+		}
+	}
+	return 0, fmt.Errorf("no available port found in the range %d-%d", a.pr.min, a.pr.max)
+}

codec.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net"
+)
+
+// Codec is a type that represents a codec for encoding and decoding data to and from a network connection using JSON format.
+// It contains fields for the underlying JSON encoder and decoder, as well as the network connection itself.
+// The Codec type provides methods for receiving, sending, and closing the connection.
+//
+// Usage example:
+//
+//	conn, _ := net.Dial("tcp", "localhost:8080")
+//	codec := NewCodec(conn)
+//	defer codec.Close()
+//
+//	err := codec.Send(data)
+//	if err != nil {
+//		log.Fatal(err)
+//	}
+//
+//	err = codec.RecvTimeout(&result)
+//	if err != nil {
+//		log.Fatal(err)
+//	}
+//
+//	err = codec.Close()
+//	if err != nil {
+//		log.Fatal(err)
+//	}
+type Codec struct {
+	decoder *json.Decoder
+	encoder *json.Encoder
+	conn    net.Conn
+}
+
+// NewCodec creates a new instance of the Codec struct using the provided net.Conn connection.
+// The Codec is responsible for encoding and decoding messages between the client and server.
+// It sets the decoder and encoder to use the JSON format and assigns the connection to the codec.
+// The returned Codec pointer can be used to send and receive messages.
+func NewCodec(conn net.Conn) *Codec {
+	return &Codec{
+		decoder: json.NewDecoder(conn),
+		encoder: json.NewEncoder(conn),
+		conn:    conn,
+	}
+}
+
+// Recv reads a message from the codec's decoder and assigns it to the provided variable.
+// It uses a separate goroutine to decode the message, so it can be cancelled using the provided context.
+// If the context is cancelled, Recv returns the context error.
+// If decoding the message fails, Recv returns the decoding error.
+// Usage example: st.Recv(ctx, &msg)
+func (d *Codec) Recv(ctx context.Context, v interface{}) error {
+	errChan := make(chan error, 1)
+	go func() {
+		errChan <- d.decoder.Decode(v)
+	}()
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case err := <-errChan:
+		return err
+	}
+}
+
+func (d *Codec) RecvTimeout(v interface{}) error {
+	ctx, cancel := context.WithTimeout(context.Background(), NetworkTimeout)
+	defer cancel()
+	return d.Recv(ctx, v)
+}
+
+// Send sends the given value to the remote connection using the encoder of the Codec.
+// It returns an error if the encoding process fails.
+func (d *Codec) Send(v interface{}) error {
+	return d.encoder.Encode(v)
+}
+
+// Close closes the underlying network connection of the Codec and releases any resources associated with it.
+// It returns an error if there was a problem closing the connection.
+func (d *Codec) Close() error {
+	return d.conn.Close()
+}