Merge pull request #5 from lablabs/develop

Validate Public Keys

Author: Michal Muransky

README.md

@@ -24,7 +24,7 @@ This collection will:
 
 ## How to run Ansible playbooks from this collection
 
-First make sure your future destination host is up and running and you have an access to SSH Private Key file.  
+First make sure your future destination host is up and running and you have an access to SSH Private Key file.
 Prepare the Python prerequisites for Ansible Roles in this Collecion:
 
 ```bash
@@ -61,81 +61,9 @@ You may want to create a playbook to run all 3 playbooks in one run:
   tags: wireguard
 ```
 
-## Variables example
+## Variables
 
-```yaml
----
-# Directory to store WireGuard configuration on the remote hosts
-wireguard_dir: /etc/wireguard
-wireguard_clients_dir: "{{ wireguard_dir }}/clients"
-
-wireguard_clients_download_dir: clients/
-wireguard_download_clients: false
-
-# Predefined wireguard keys, this usually should be defined in ansible-vault
-wireguard_privatekey_path: "{{ wireguard_dir }}/privatekey"
-wireguard_publickey_path: "{{ wireguard_dir }}/publickey"
-wireguard_presharedkey_path: "{{ wireguard_dir }}/presharedkey"
-
-wireguard_systemd_path: /etc/systemd/network
-
-# Wireguard packages
-wireguard_repo_url: "{{ _repo_url }}"
-wireguard_distro_packages: "{{ _distro_packages }}"
-
-wireguard_packages:
-  - wireguard-dkms
-  - wireguard-tools
-
-# The default port WireGuard will listen if not specified otherwise.
-wireguard_port: 51820
-
-# Client destination Hostname
-wireguard_hostname: "{{ inventory_hostname }}"
-
-# The default interface name that wireguard should use if not specified otherwise.
-wireguard_interface: wg0
-
-# Base wireguard subnet
-wireguard_address: 10.213.213.0/24
-
-wireguard_server_ip: "{{ wireguard_address | ipaddr('network') | ipmath(1) }}"
-wireguard_subnetmask: "{{ wireguard_address | ipaddr('prefix') }}"
-
-# XXX: This role only works with PrivateKeyFile/PresharedKeyFile it doesn't support variables.
-wireguard_systemd_netdev:
-  - NetDev:
-      - Name: "{{ wireguard_interface }}"
-      - Kind: wireguard
-      - Description: "wireguard server: {{ wireguard_interface}} server on {{ wireguard_address }}"
-  - WireGuard:
-      - PrivateKey: "{{ _privkey_value['content'] | b64decode }}"
-      - ListenPort: "{{ wireguard_port }}"
-
-wireguard_systemd_network:
-  - Match:
-      - Name: "{{ wireguard_interface }}"
-  - Network:
-      - Address: "{{ wireguard_server_ip }}/{{ wireguard_subnetmask }}"
-  - Route:
-      - Destination: "{{ wireguard_address }}"
-      - Gateway: "{{ wireguard_server_ip }}"
-
-wireguard_keepalive: 25
-
-wireguard_peers_allowed_ips: "{{ ([(_wireguard_interface_addr | ipaddr('network/prefix'))] + wireguard_additional_routes) | join(\", \") }}"
-wireguard_peers: []
-  # - name: user1
-  #   allowed_ip: "10.213.213.2/32"
-  #   publickey: "asdasdasdadsasdasd"
-  # - name: user2
-  #   allowed_ip: "10.213.213.3/32"
-  #   publickey: "000000000000000000"
-  #   keepalive: 30
-  # - name: user3
-  #   allowed_ip: "10.213.213.4/32"
-  #   publickey: "111111111111111111"
-```
+[Wireguard Role Variables](roles/wireguard/defaults/main.yml)
 
 ## License
 
@@ -162,4 +90,4 @@ See [LICENSE](LICENSE) for full details.
 
 ## Author Information
 
-Created in 2021 by [Labyrinth Labs](https://www.lablabs.io/)
+Created in 2021 by [Labyrinth Labs](https://www.lablabs.io/)

molecule/default/converge.yml

@@ -26,11 +26,11 @@
     wireguard_peers:
       - name: user1
         allowed_ip: "10.213.213.2"
-        publickey: "asdasdasdadsasdasd"
+        publickey: "YXNhc21hc2Fhc3Npc2FzYXNhc2FzYXNhc2FzYXNhc3N=" # Fake Pub Key
       - name: user2
         allowed_ip: "10.213.213.3"
-        publickey: "000000000000000000"
+        publickey: "YXNhc21hc2Fhc3Npc2FzYXNhc2FzYXNhc2FzYXNhc3N=" # Fake Pub Key
         keepalive: 30
       - name: user3
         allowed_ip: "10.213.213.4"
-        publickey: "111111111111111111"
+        publickey: "YXNhc21hc2Fhc3Npc2FzYXNhc2FzYXNhc2FzYXNhc3N=" # Fake Pub Key

roles/wireguard/README.md

@@ -72,18 +72,26 @@ wireguard_systemd_network:
 
 wireguard_keepalive: 25
 
+# Additional IPs allowed to Wireguard
+# (Following list of IPs will be added to Wireguard AllowedIPs)
+wireguard_additional_routes: {}
+
 wireguard_peers_allowed_ips: "{{ ([(_wireguard_interface_addr | ipaddr('network/prefix'))] + wireguard_additional_routes) | join(\", \") }}"
 wireguard_peers: []
-  # - name: user1
-  #   allowed_ip: "10.213.213.2/32"
-  #   publickey: "asdasdasdadsasdasd"
-  # - name: user2
-  #   allowed_ip: "10.213.213.3/32"
-  #   publickey: "000000000000000000"
-  #   keepalive: 30
-  # - name: user3
-  #   allowed_ip: "10.213.213.4/32"
-  #   publickey: "111111111111111111"
+# - name: user1
+#   allowed_ip: "10.213.213.2/32"
+#   publickey: "asdasdasdadsasdasd"
+# - name: user2
+#   allowed_ip: "10.213.213.3/32"
+#   publickey: "000000000000000000"
+#   keepalive: 30
+# - name: user3
+#   allowed_ip: "10.213.213.4/32"
+#   publickey: "111111111111111111"
+
+# Test Wirequard public keys and find possible errors
+# This will check the lenght of the key (44 characters) and test if it's a valid base64 string.
+run_publickey_pre_check: true
 
 ```
 

roles/wireguard/defaults/main.yml

@@ -57,6 +57,10 @@ wireguard_systemd_network:
 
 wireguard_keepalive: 25
 
+# Additional IPs allowed to Wireguard
+# (Following list of IPs will be added to Wireguard AllowedIPs)
+wireguard_additional_routes: {}
+
 wireguard_peers_allowed_ips: "{{ ([(_wireguard_interface_addr | ipaddr('network/prefix'))] + wireguard_additional_routes) | join(\", \") }}"
 wireguard_peers: []
 # - name: user1
@@ -69,3 +73,7 @@ wireguard_peers: []
 # - name: user3
 #   allowed_ip: "10.213.213.4/32"
 #   publickey: "111111111111111111"
+
+# Test Wirequard public keys and find possible errors
+# This will check the lenght of the key (44 characters) and test if it's a valid base64 string.
+run_publickey_pre_check: true

roles/wireguard/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+
+- include_tasks: pre_check.yml
+  when: run_publickey_pre_check | bool
+
 - name: Include OS specific variables
   include_vars:
     file: "{{ lookup('first_found', possible_files) }}"

roles/wireguard/tasks/pre_check.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Check if Public Key is valid base64 string
+  assert:
+    that:
+      - " item.publickey | b64decode "
+    fail_msg: "The Public Key for user {{ item.name }} is invalid."
+  with_items: "{{ wireguard_peers }}"
+
+- name: Check if Public Key is valid base64 string
+  assert:
+    that:
+      - " item.publickey | length == 44 "
+    fail_msg: "The Lenght of Public Key for user {{ item.name }} is invalid."
+  with_items: "{{ wireguard_peers }}"

roles/wireguard/vars/main.yml

@@ -5,4 +5,4 @@ _system_arch_map:
 
 _system_arch: "{{ _arch_map[ansible_architecture] | default(ansible_architecture) }}"
 
-_wireguard_interface_addr: "{{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask }}"
+_wireguard_interface_addr: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}/{{ ansible_default_ipv4.netmask }}"