shellhub-io
diff --git a/Diff for: ‎agent/go.mod
+3 b/Diff for: ‎agent/go.mod
+3
diff --git a/Diff for: ‎agent/go.sum
+9 b/Diff for: ‎agent/go.sum
+9
diff --git a/Diff for: ‎agent/main.go
+35-11 b/Diff for: ‎agent/main.go
+35-11
diff --git a/Diff for: ‎api/services/errors.go
+10 b/Diff for: ‎api/services/errors.go
+10
diff --git a/Diff for: ‎api/services/namespace.go
+31 b/Diff for: ‎api/services/namespace.go
+31
diff --git a/Diff for: ‎api/services/namespace_test.go
+5 b/Diff for: ‎api/services/namespace_test.go
+5
diff --git a/Diff for: ‎docker-compose.agent.yml
+1 b/Diff for: ‎docker-compose.agent.yml
+1
diff --git a/Diff for: ‎go.mod
+3 b/Diff for: ‎go.mod
+3
diff --git a/Diff for: ‎pkg/agent/agent.go
+11 b/Diff for: ‎pkg/agent/agent.go
+11
diff --git a/Diff for: ‎pkg/agent/pkg/tunnel/tunnel.go
+32 b/Diff for: ‎pkg/agent/pkg/tunnel/tunnel.go
+32
diff --git a/Diff for: ‎pkg/agent/vpn/handlers.go
+49 b/Diff for: ‎pkg/agent/vpn/handlers.go
+49
@@ -48,7 +48,10 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.5 // indirect
 	github.com/sethvargo/go-envconfig v0.9.0 // indirect
+	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
 	go.opentelemetry.io/otel v1.26.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect
 
@@ -98,6 +98,8 @@ github.com/shellhub-io/ssh v0.0.0-20230224143412-edd48dfd6eea h1:7tEI9nukSYZViCj
 github.com/shellhub-io/ssh v0.0.0-20230224143412-edd48dfd6eea/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D9tmUCz4VNwm9MfrtPr0SU2qSX8=
+github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -118,6 +120,11 @@ github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyC
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
 github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=
 github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
+github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
@@ -159,6 +166,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 
@@ -109,7 +109,7 @@ func main() {
 				"tenant_id":          cfg.TenantID,
 				"server_address":     cfg.ServerAddress,
 				"preferred_hostname": cfg.PreferredHostname,
-			}).Info("Listening for connections")
+			}).Info("Listening for SSH connections")
 
 			// Disable check update in development mode
 			if AgentVersion != "latest" {
@@ -163,23 +163,47 @@ func main() {
 				}()
 			}
 
-			if err := ag.ListenSSH(ctx); err != nil {
-				log.WithError(err).WithFields(log.Fields{
-					"version":            AgentVersion,
-					"mode":               mode,
-					"tenant_id":          cfg.TenantID,
-					"server_address":     cfg.ServerAddress,
-					"preferred_hostname": cfg.PreferredHostname,
-				}).Fatal("Failed to listen for SSH connections")
-			}
+			go func() {
+				if err := ag.ListenSSH(ctx); err != nil {
+					log.WithError(err).WithFields(log.Fields{
+						"version":            AgentVersion,
+						"mode":               mode,
+						"tenant_id":          cfg.TenantID,
+						"server_address":     cfg.ServerAddress,
+						"preferred_hostname": cfg.PreferredHostname,
+					}).Fatal("Failed to listen for SSH connections")
+				}
+			}()
+
+			go func() {
+				if !cfg.VPN {
+					log.Info("VPN is disable")
+
+					return
+				}
+
+				log.Debug("VPN enabled")
+
+				for {
+					log.Info("VPN connected")
+
+					if err := ag.ConnectVPN(ctx); err != nil {
+						log.WithError(err).Error("Connect to VPN lost. Retrying in 10 seconds.")
+					}
+
+					time.Sleep(10 * time.Second)
+				}
+			}()
+
+			<-ctx.Done()
 
 			log.WithFields(log.Fields{
 				"version":            AgentVersion,
 				"mode":               mode,
 				"tenant_id":          cfg.TenantID,
 				"server_address":     cfg.ServerAddress,
 				"preferred_hostname": cfg.PreferredHostname,
-			}).Info("Stopped listening for connections")
+			}).Info("Agent Stopped")
 		},
 	}
 
 
@@ -130,6 +130,8 @@ var (
 	ErrAPIKeyDuplicated             = errors.New("APIKey duplicated", ErrLayer, ErrCodeDuplicated)
 	ErrAuthForbidden                = errors.New("user is authenticated but cannot access this resource", ErrLayer, ErrCodeForbidden)
 	ErrRoleInvalid                  = errors.New("role is invalid", ErrLayer, ErrCodeForbidden)
+	ErrNamespaceIPInvalid           = errors.New("ip is invalid", ErrLayer, ErrCodeForbidden)
+	ErrNamespaceIPNotPrivate        = errors.New("ip is not a private address", ErrLayer, ErrCodeForbidden)
 )
 
 func NewErrRoleInvalid() error {
@@ -471,3 +473,11 @@ func NewErrDeviceMaxDevicesReached(count int) error {
 func NewErrAuthForbidden() error {
 	return NewErrForbidden(ErrAuthForbidden, nil)
 }
+
+func NewErrNamespaceIPInvalid() error {
+	return NewErrInvalid(ErrNamespaceIPInvalid, nil, nil)
+}
+
+func NewErrNamespaceIPNotPrivate() error {
+	return NewErrInvalid(ErrNamespaceIPNotPrivate, nil, nil)
+}
@@ -3,11 +3,13 @@ package services
 import (
 	"context"
 	"errors"
+	"net"
 	"strings"
 
 	"github.com/shellhub-io/shellhub/api/store"
 	"github.com/shellhub-io/shellhub/api/store/mongo"
 	"github.com/shellhub-io/shellhub/pkg/api/authorizer"
+	"github.com/shellhub-io/shellhub/pkg/api/internalclient"
 	req "github.com/shellhub-io/shellhub/pkg/api/internalclient"
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
 	"github.com/shellhub-io/shellhub/pkg/clock"
@@ -205,6 +207,27 @@ func (s *service) EditNamespace(ctx context.Context, req *requests.NamespaceEdit
 		ConnectionAnnouncement: req.Settings.ConnectionAnnouncement,
 	}
 
+	if envs.IsEnterprise() {
+		changes.VPNEnable = req.VPN.Enable
+
+		if req.VPN.Address != nil {
+			address := *req.VPN.Address
+			ip := net.IPv4(address[0], address[1], address[2], address[3])
+
+			if ip.IsLoopback() || ip.IsUnspecified() {
+				return nil, NewErrNamespaceIPInvalid()
+			}
+
+			if !ip.IsPrivate() {
+				return nil, NewErrNamespaceIPNotPrivate()
+			}
+
+			changes.VPNAddress = &address
+		}
+
+		changes.VPNMask = req.VPN.Mask
+	}
+
 	if err := s.store.NamespaceEdit(ctx, req.Tenant, changes); err != nil {
 		switch {
 		case errors.Is(err, store.ErrNoDocuments):
@@ -214,6 +237,14 @@ func (s *service) EditNamespace(ctx context.Context, req *requests.NamespaceEdit
 		}
 	}
 
+	if envs.IsEnterprise() {
+		cli := s.client.(internalclient.Client)
+
+		if err := cli.VPNStopRouter(req.Tenant); err != nil {
+			return nil, err
+		}
+	}
+
 	return s.store.NamespaceGet(ctx, req.Tenant, true)
 }
 
 
@@ -827,6 +827,7 @@ func TestEditNamespace(t *testing.T) {
 			tenantID:      "xxxxx",
 			namespaceName: "newname",
 			requiredMocks: func() {
+				envMock.On("Get", "SHELLHUB_ENTERPRISE").Return("false").Once()
 				mock.On("NamespaceEdit", ctx, "xxxxx", &models.NamespaceChanges{Name: "newname"}).
 					Return(store.ErrNoDocuments).
 					Once()
@@ -841,6 +842,7 @@ func TestEditNamespace(t *testing.T) {
 			tenantID:      "xxxxx",
 			namespaceName: "newname",
 			requiredMocks: func() {
+				envMock.On("Get", "SHELLHUB_ENTERPRISE").Return("false").Once()
 				mock.On("NamespaceEdit", ctx, "xxxxx", &models.NamespaceChanges{Name: "newname"}).
 					Return(errors.New("error")).
 					Once()
@@ -855,6 +857,7 @@ func TestEditNamespace(t *testing.T) {
 			namespaceName: "newName",
 			tenantID:      "xxxxx",
 			requiredMocks: func() {
+				envMock.On("Get", "SHELLHUB_ENTERPRISE").Return("false").Once()
 				mock.On("NamespaceEdit", ctx, "xxxxx", &models.NamespaceChanges{Name: "newname"}).
 					Return(nil).
 					Once()
@@ -881,6 +884,7 @@ func TestEditNamespace(t *testing.T) {
 			namespaceName: "newname",
 			tenantID:      "xxxxx",
 			requiredMocks: func() {
+				envMock.On("Get", "SHELLHUB_ENTERPRISE").Return("false").Once()
 				mock.On("NamespaceEdit", ctx, "xxxxx", &models.NamespaceChanges{Name: "newname"}).
 					Return(nil).
 					Once()
@@ -890,6 +894,7 @@ func TestEditNamespace(t *testing.T) {
 					Name:     "newname",
 				}
 
+				envMock.On("Get", "SHELLHUB_ENTERPRISE").Return("false").Once()
 				mock.On("NamespaceGet", ctx, "xxxxx", true).
 					Return(namespace, nil).
 					Once()
 
@@ -19,6 +19,7 @@ services:
       - SHELLHUB_PRIVATE_KEY=/go/src/github.com/shellhub-io/shellhub/agent/shellhub.key
       - SHELLHUB_TENANT_ID=00000000-0000-4000-0000-000000000000
       - SHELLHUB_VERSION=${SHELLHUB_VERSION}
+      - SHELLHUB_VPN=${SHELLHUB_VPN}
       - SHELLHUB_LOG_LEVEL=${SHELLHUB_LOG_LEVEL}
       - SHELLHUB_LOG_FORMAT=${SHELLHUB_LOG_FORMAT}
     volumes:
 
@@ -27,8 +27,10 @@ require (
 	github.com/pkg/sftp v1.13.5
 	github.com/sethvargo/go-envconfig v0.9.0
 	github.com/sirupsen/logrus v1.9.3
+	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	github.com/stretchr/testify v1.9.0
 	github.com/testcontainers/testcontainers-go/modules/redis v0.32.0
+	github.com/vishvananda/netlink v1.2.1-beta.2
 	golang.org/x/crypto v0.22.0
 	golang.org/x/sys v0.19.0
 )
@@ -96,6 +98,7 @@ require (
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
+	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
 	github.com/vmihailenco/go-tinylfu v0.2.2 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 
@@ -50,6 +50,7 @@ import (
 	"github.com/shellhub-io/shellhub/pkg/agent/pkg/keygen"
 	"github.com/shellhub-io/shellhub/pkg/agent/pkg/sysinfo"
 	"github.com/shellhub-io/shellhub/pkg/agent/ssh"
+	"github.com/shellhub-io/shellhub/pkg/agent/vpn"
 	"github.com/shellhub-io/shellhub/pkg/api/client"
 	"github.com/shellhub-io/shellhub/pkg/envs"
 	"github.com/shellhub-io/shellhub/pkg/models"
@@ -114,6 +115,9 @@ type Config struct {
 	// MaxRetryConnectionTimeout specifies the maximum time, in seconds, that an agent will wait
 	// before attempting to reconnect to the ShellHub server. Default is 60 seconds.
 	MaxRetryConnectionTimeout int `env:"MAX_RETRY_CONNECTION_TIMEOUT,default=60" validate:"min=10,max=120"`
+
+	// Defines if the device will try to connect to the namespace's VPN.
+	VPN bool `env:"VPN,default=false"`
 }
 
 func LoadConfigFromEnv() (*Config, map[string]interface{}, error) {
@@ -163,6 +167,7 @@ type Agent struct {
 	serverInfo *models.Info
 	cli        client.Client
 	ssh        *ssh.SSH
+	vpn        *vpn.VPN
 	mode       Mode
 }
 
@@ -357,6 +362,12 @@ func (a *Agent) ListenSSH(ctx context.Context) error {
 	return a.ssh.Listen(ctx)
 }
 
+func (a *Agent) ConnectVPN(ctx context.Context) error {
+	a.vpn = vpn.NewVPN(a.cli, a.authData.Token)
+
+	return a.vpn.Connect(ctx)
+}
+
 // CheckUpdate gets the ShellHub's server version.
 func (a *Agent) CheckUpdate() (*semver.Version, error) {
 	info, err := a.cli.GetInfo(AgentVersion)
 
@@ -83,6 +83,38 @@ func NewTunnel() *Tunnel {
 	return t
 }
 
+const ContextKeyHTTPConn string = "http-conn"
+
+// NewCustomTunnel creates a new [Tunnel] with the route to the connect, in a POST, and close, in a DELETE, actions.
+func NewCustomTunnel(connPath string, closePath string) *Tunnel {
+	router := echo.New()
+
+	t := &Tunnel{
+		router: router,
+		srv: &http.Server{
+			Handler: router,
+			ConnContext: func(ctx context.Context, c net.Conn) context.Context {
+				return context.WithValue(ctx, ContextKeyHTTPConn, c) //nolint:revive
+			},
+		},
+		ConnHandler: func(e echo.Context) error {
+			panic("connHandler can not be nil")
+		},
+		CloseHandler: func(e echo.Context) error {
+			panic("closeHandler can not be nil")
+		},
+	}
+
+	router.POST(connPath, func(e echo.Context) error {
+		return t.ConnHandler(e)
+	})
+	router.DELETE(closePath, func(e echo.Context) error {
+		return t.CloseHandler(e)
+	})
+
+	return t
+}
+
 // Listen to reverse listener.
 func (t *Tunnel) Listen(l *revdial.Listener) error {
 	return t.srv.Serve(l)
 
@@ -0,0 +1,49 @@
+package vpn
+
+import (
+	"net"
+
+	"github.com/labstack/echo/v4"
+	log "github.com/sirupsen/logrus"
+)
+
+func handler(handler func(net.Conn, *Settings) error) func(c echo.Context) error {
+	return func(c echo.Context) error {
+		log.Debug("handler started")
+		defer log.Debug("handler done")
+
+		conn, _, err := c.Response().Hijack()
+		if err != nil {
+			log.Error(err)
+
+			return err
+		}
+
+		defer conn.Close()
+
+		settings, err := ParseSettings(c.Request().Body)
+		if err != nil {
+			log.WithError(err).Error("faild to parse the settings")
+
+			return err
+		}
+
+		// NOTE: the [handler] is called to handler the core logic of the VPN client, while this handler is used to extract
+		// the connection and the settings data.
+		if err := handler(conn, settings); err != nil {
+			log.WithError(err).Error("failed to handler the vpn connection between server and agent")
+
+			return err
+		}
+
+		return nil
+	}
+}
+
+func closeHandler(callback func() error) func(c echo.Context) error {
+	return func(c echo.Context) error {
+		log.Trace("close handler called")
+
+		return callback()
+	}
+}