From 69d2b7fc942a4bf535156ef2d58aa3d2f828a61d Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Wed, 24 Jun 2020 19:41:15 -0400
Subject: [PATCH] passthru sage requests. better cert name.

---
 .../bubble/resources/account/AuthResource.java | 2 +-
 .../bubble/service/cloud/AnsiblePrepService.java | 4 ++--
 .../ansible/roles/bubble/files/bubble_role.json | 2 +-
 .../ansible/roles/mitmproxy/files/bubble_role.json | 6 +++++-
 .../ansible/roles/mitmproxy/tasks/main.yml | 2 +-
 .../roles/mitmproxy/templates/bubble_config.py.j2 | 3 +++
 .../packer/roles/mitmproxy/files/bubble_config.py | 8 --------
 .../roles/mitmproxy/files/bubble_passthru.py | 14 +++++++++-----
 8 files changed, 22 insertions(+), 19 deletions(-)
 delete mode 100644 bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_config.py

diff --git a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
index 8e714d83..f940e8ee 100644
--- a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
@@ -535,7 +535,7 @@ public class AuthResource {
 if (type == null) type = CertType.pem;
 final BubbleNetwork thisNet = configuration.getThisNetwork();
 if (thisNet == null) return die("getCaCert: thisNetwork was null");
- final File certFile = new File(CACERTS_DIR, thisNet.getNetworkDomain()+"-ca-cert."+type.name());
+ final File certFile = new File(CACERTS_DIR, "bubble-"+thisNet.getShortId()+"-ca-cert."+type.name());
 if (!certFile.exists()) return notFound(type.name());
 return send(new FileSendableResource(certFile).setForceDownload(true));
 }
diff --git a/bubble-server/src/main/java/bubble/service/cloud/AnsiblePrepService.java b/bubble-server/src/main/java/bubble/service/cloud/AnsiblePrepService.java
index 7aa65237..c24bbc8e 100644
--- a/bubble-server/src/main/java/bubble/service/cloud/AnsiblePrepService.java
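Review bot: The CA-cert file name is now assembled in two places that have to agree with nothing tying them together: here as `"bubble-"+thisNet.getShortId()+"-ca-cert."+type.name()` and in the mitmproxy bubble_role.json as `cert_name` = `bubble-[[network.shortId]]`. If either side drifts, getCaCert answers notFound for a cert that mitmproxy did generate under a different name, which is the kind of failure that only shows up on a fresh node. A shared helper such as `public static String caCertBaseName(BubbleNetwork net) { return "bubble-"+net.getShortId(); }` used here, with a comment in the role file pointing at it, would keep the two in step. Existing installs whose cert was written under the old `<networkDomain>-ca-cert.<type>` name will presumably stop being served after this change unless the file is renamed or regenerated; the commit adds no migration. The enclosing method starts outside the hunk.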
+++ b/bubble-server/src/main/java/bubble/service/cloud/AnsiblePrepService.java
@@ -113,10 +113,10 @@ public class AnsiblePrepService {
 // if this is a fork, and current server is local, then sage will be self
 if (fork && configuration.getThisNode().localIp4()) {
- ctx.put("sageNode", node.getUuid());
+ ctx.put("sageNode", node);
 } else {
 // otherwise, sage will be us, the node that is launching the new node
- ctx.put("sageNode", configuration.getThisNode().getUuid());
+ ctx.put("sageNode", configuration.getThisNode());
 }
 final File rolesDir = new File(automation, "roles");
diff --git a/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json b/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
index 97fd670f..54795ec8 100644
--- a/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
+++ b/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
@@ -6,7 +6,7 @@
 {"name": "admin_port", "value": "[[node.adminPort]]"},
 {"name": "ssl_port", "value": "[[node.sslPort]]"},
 {"name": "public_base_uri", "value": "[[publicBaseUri]]"},
- {"name": "sage_node", "value": "[[sageNode]]"},
+ {"name": "sage_node", "value": "[[sageNode.uuid]]"},
 {"name": "install_type", "value": "[[installType]]"},
 {"name": "promo_code_policy", "value": "[[#compare fork '==' true]][[configuration.promoCodePolicy]][[else]]disabled[[/compare]]"},
 {"name": "default_locale", "value": "[[network.locale]]"},
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json b/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
index cef5554c..bd7a05da 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
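Review bot: `ctx.put("sageNode", node)` hands the whole BubbleNode entity to the role templates instead of its uuid, so every property of that object becomes renderable from any bubble_role.json, not just the uuid/fqdn/ip4/ip6 the roles actually read. I cannot see the entity from this hunk; if it carries anything that should not land in a rendered role file, a small map holding only those four values (built from the same getters the `[[sageNode.fqdn]]` lookups resolve to) keeps the templates working while limiting what is exposed. The two branches also now differ only in which node they put; `final BubbleNode sage = (fork && configuration.getThisNode().localIp4()) ? node : configuration.getThisNode();` followed by a single `ctx.put("sageNode", sage);` reads more clearly and keeps the two existing comments. The enclosing method starts and ends outside the hunk.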
@@ -5,6 +5,10 @@
 {"name": "bubble_network", "value": "[[node.network]]"},
 {"name": "server_name", "value": "[[node.fqdn]]"},
 {"name": "server_alias", "value": "[[network.networkDomain]]"},
- {"name": "ssl_port", "value": "[[node.sslPort]]"}
+ {"name": "ssl_port", "value": "[[node.sslPort]]"},
+ {"name": "sage_host", "value": "[[sageNode.fqdn]]"},
+ {"name": "sage_ip4", "value": "[[sageNode.ip4]]"},
+ {"name": "sage_ip6", "value": "[[sageNode.ip6]]"},
+ {"name": "cert_name", "value": "bubble-[[network.shortId]]"}
 ]
 }
\ No newline at end of file
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
index 5dc90733..3a8a3a1a 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
@@ -2,7 +2,7 @@
 # Copyright (c) 2020 Bubble, Inc. All rights reserved. For personal (non-commercial) use, see license: https://getbubblenow.com/bubble-license/
 #
 - name: Set the cert name
- shell: set_cert_name.sh /home/mitmproxy/mitmproxy {{ server_alias }}
+ shell: set_cert_name.sh /home/mitmproxy/mitmproxy {{ cert_name }}
 - name: Reuse bubble mitm certs if available
 shell: reuse_bubble_mitm_certs.sh
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2 b/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
index aee0d31e..9c6bb04f 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
@@ -3,3 +3,6 @@ bubble_port = '{{ admin_port }}';
 bubble_host = '{{ server_name }}'
 bubble_host_alias = '{{ server_alias }}'
 bubble_ssl_port = '{{ ssl_port }}'
+bubble_sage_host = '{{ sage_host }}'
+bubble_sage_ip4 = '{{ sage_ip4 }}'
+bubble_sage_ip6 = '{{ sage_ip6 }}'
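Review bot: The changed task still passes the templated value into `shell:` unquoted, so `set_cert_name.sh` receives `{{ cert_name }}` only after shell word-splitting. The value is built server-side as `bubble-<shortId>`, so the exposure today is low, but quoting costs nothing and keeps the script safe if the naming rule ever changes: `shell: set_cert_name.sh /home/mitmproxy/mitmproxy {{ cert_name | quote }}`. Since the line uses no shell features, `command:` would also do and avoids invoking a shell at all.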
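Review bot: The three new lines drop the rendered values straight into single-quoted Python literals, following the existing lines above them, so a sage node with no IPv6 address presumably yields `bubble_sage_ip6 = ''` and any value containing a `'` leaves the generated bubble_config.py unimportable. Rendering through the JSON filter, `bubble_sage_ip6 = {{ sage_ip6 | to_json }}`, keeps the literal valid for any string; the consumer in bubble_passthru.py then has to treat an empty value as "no address" rather than something to compare against. How the Handlebars side renders a null `[[sageNode.ip6]]` is not visible in this diff, so the empty-string case is inferred and worth confirming on a v4-only node.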
diff --git a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_config.py b/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_config.py
deleted file mode 100644
index 59c1eafc..00000000
--- a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_config.py
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Copyright (c) 2020 Bubble, Inc. All rights reserved. For personal (non-commercial) use, see license: https://getbubblenow.com/bubble-license/
-#
-bubble_network = '{{ bubble_network }}'
-bubble_port = '{{ admin_port }}';
-bubble_host = '{{ server_name }}'
-bubble_host_alias = '{{ server_alias }}'
-bubble_ssl_port = '{{ ssl_port }}'
diff --git a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_passthru.py b/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_passthru.py
index ca51053f..14c4d2d8 100644
--- a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_passthru.py
+++ b/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_passthru.py
@@ -27,6 +27,7 @@ from mitmproxy.proxy.protocol import TlsLayer, RawTCPLayer
 from mitmproxy.exceptions import TlsProtocolException
 from bubble_api import bubble_log, bubble_passthru, bubble_activity_log, redis_set
+from bubble_config import bubble_sage_host, bubble_sage_ip4, bubble_sage_ip6
 import redis
 import json
 import subprocess
@@ -60,6 +61,10 @@ def get_local_ips(): return local_ips +def is_sage_request(ip, fqdns): return ip == bubble_sage_ip4 or ip == bubble_sage_ip6 or bubble_sage_host in fqdns + + def passthru_cache_prefix(client_addr, server_addr): return REDIS_PASSTHRU_PREFIX + client_addr + '_' + server_addr 
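Review bot: `is_sage_request` treats all three config values as definite match targets, so if `bubble_sage_host` is rendered as an empty string and `fqdns` is a str rather than a list, `'' in fqdns` is True for every connection and the new branch in next_layer forces passthru — interception off — for all traffic. Guarding the empties is one line: `return (bubble_sage_ip4 and ip == bubble_sage_ip4) or (bubble_sage_ip6 and ip == bubble_sage_ip6) or (bubble_sage_host and bubble_sage_host in fqdns)`. Neither the type of `fqdns` nor whether it comes from the resolved destination or from client-supplied SNI is visible here; if it is SNI-derived, a client could name the sage host to have its connection skip interception, so matching on the ip values alone is the safer default until that is confirmed. A one-line docstring saying that a True result disables interception for the connection would help the next reader weigh any edit to it. The neighbouring passthru_cache_prefix continues outside the hunk.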
@@ -106,11 +111,6 @@ def check_bubble_passthru(client_addr, addr, fqdns):
 def should_passthru(client_addr, addr, fqdns):
- # always passthru for local ips
- if addr in get_local_ips():
- # bubble_log('should_passthru: local ip is always passthru: '+addr)
- return {'fqdns': fqdns, 'addr': addr, 'passthru': True}
-
 cache_key = passthru_cache_prefix(client_addr, addr)
 prefix = 'should_passthru: ip='+repr(addr)+' (fqdns='+repr(fqdns)+') cache_key='+cache_key+': '
@@ -141,6 +141,10 @@ def next_layer(next_layer): bubble_log('next_layer: enabling passthru for LOCAL server='+server_addr+' regardless of security_level='+security_level+' for client='+client_addr) passthru = FORCE_PASSTHRU + elif is_sage_request(server_addr, fqdns): bubble_log('next_layer: enabling passthru for SAGE server='+server_addr+' regardless of security_level='+security_level+' for client='+client_addr) passthru = FORCE_PASSTHRU + elif security_level == 'disabled' or security_level == 'basic': bubble_log('next_layer: enabling passthru for server='+server_addr+' because security_level='+security_level+' for client='+client_addr) passthru = FORCE_PASSTHRU
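Review bot: Removing the local-IP short-circuit from should_passthru leaves the pre-existing LOCAL branch in next_layer (a context line in the second hunk) as the only place local destinations are exempted, so any other caller of should_passthru now sends them through the cache lookup and the downstream check. Its callers and the rest of its body are outside this hunk, so I cannot tell whether that matters; if there are other callers the early return should stay, otherwise a docstring should record the new contract, e.g. `"""Decide passthru via cache/API only; local and sage destinations are exempted by next_layer before this is called."""`. The `cache_key` and `prefix` lines that follow are unchanged.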