From fa1e4442d7f32c82521b2a3e7266ab77e8669a4e Mon Sep 17 00:00:00 2001
From: "kali kaneko (leap communications)"
Date: Sun, 13 Feb 2022 17:24:56 +0100
Subject: make http api endpoint optional
---
 main.go | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/main.go b/main.go
index a66da4b..66dc655 100644
--- a/main.go
+++ b/main.go
@@ -16,6 +16,7 @@ package main
 import (
+ "bytes"
 "encoding/json"
 "flag"
 "fmt"
@@ -121,6 +122,8 @@ func (g *geodb) geolocateGateways(b *bonafide) {
 g.GatewayMap = make(map[[3]float64][]gateway)
 gatewayPoints := make([]kdtree.Point, 0)
+ log.Printf("There are %d gateways.\n", len(b.eip.Gateways))
+
 for i := 0; i < len(b.eip.Gateways); i++ {
 gw := b.eip.Gateways[i]
 coord := geolocateCity(gw.Location)
@@ -221,7 +224,7 @@ func main() {
 var port = flag.Int("port", 9001, "port where the service listens on")
 var metricsPort = flag.Int("metricsPort", 9002, "port where the metrics server listens on")
 var dbpath = flag.String("geodb", "/var/lib/GeoIP/GeoLite2-City.mmdb", "path to the GeoLite2-City database")
- var api = flag.String("api", "", "API to fetch eip-service.json from (default: black.riseup.net). MENSHEN_API environment variable can be setup instead.")
+ var api = flag.String("api", "", "API to fetch eip-service.json from (default: https://black.riseup.net). MENSHEN_API environment variable can be setup instead.")
 var notls = flag.Bool("notls", false, "disable TLS on the service")
 var key = flag.String("server_key", "", "path to the key file for TLS")
 var crt = flag.String("server_crt", "", "path to the cert file for TLS")
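Review bot: The `-api` help text in the flag block of main() shows the default with its scheme but does not say that a scheme is now mandatory, nor that `http://` is accepted only when `INSECURE_API=true` is set, both of which the later hunks of this commit enforce. An operator reading `-h` cannot learn about the opt-in until the process has already exited. I would reword the string to something like `"API URL (scheme included) to fetch eip-service.json from (default: https://black.riseup.net); http:// requires INSECURE_API=true. The MENSHEN_API environment variable can be set instead."`. main() starts and ends outside this hunk.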
@@ -247,14 +250,18 @@ func main() {
 envAPI := os.Getenv("MENSHEN_API")
 if envAPI != "" {
 log.Println("MENSHEN_API = " + envAPI)
- configuredAPI = "https://" + envAPI
+ configuredAPI = envAPI
 } else {
 if *api == "" {
+ log.Println("using riseup api")
 configuredAPI = apiForRiseup
 } else {
- configuredAPI = "https://" + *api
+ configuredAPI = *api
 }
 }
+ if !isValidAPIURI(configuredAPI) {
+ log.Fatal("Invalid API: " + configuredAPI)
+ }
 db, err := geoip2.Open(*dbpath)
 if err != nil {
@@ -265,7 +272,7 @@ func main() {
 earth := ellipsoid.Init("WGS84", ellipsoid.Degrees, ellipsoid.Meter, ellipsoid.LongitudeIsSymmetric, ellipsoid.BearingIsSymmetric)
 geoipdb := geodb{db, forbidden, nil, nil, nil, &earth}
- log.Println("Seeding gateway list...")
+ log.Println("Seeding gateway list from " + configuredAPI)
 bonafide := newBonafide(configuredAPI)
 bonafide.getGateways()
@@ -313,3 +320,17 @@ func main() {
 log.Fatal("error in listenAndServe[TLS]: ", err)
 }
 }
+
+func isValidAPIURI(uri string) bool {
+ if bytes.HasPrefix([]byte(uri), []byte("https://")) {
+ return true
+ }
+ if bytes.HasPrefix([]byte(uri), []byte("http://")) {
+ if os.Getenv("INSECURE_API") == "true" {
+ return true
+ } else {
+ log.Println("ERROR: Please pass INSECURE_API=true if you need to use a http:// endpoint.")
+ }
+ }
+ return false
+}
-- cgit v1.2.3
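Review bot: A bare hostname in `MENSHEN_API` or `-api`, which the removed lines turned into an `https://` URL, now falls through to the new `log.Fatal("Invalid API: " + configuredAPI)`, so a deployment configured the old way stops at startup after upgrading with no hint about what changed. Either keep accepting the old form before the check, e.g. `if !strings.Contains(configuredAPI, "://") { configuredAPI = "https://" + configuredAPI }` (assuming `strings` is or can be imported; the import block is only partly visible), or have the fatal message say that a full `https://` URL is expected. Separately, the value is now a complete URL and is written to the log verbatim here and in the "Seeding gateway list from" line of the next hunk; should an operator ever embed credentials in it they would land in the logs, so logging the parsed URL's `Redacted()` form would be safer. main() continues outside this hunk.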
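Review bot: `isValidAPIURI` only tests a string prefix, so a value such as `https://` with no host, or one that does not parse as a URL at all, passes validation and fails later during the fetch; it also goes through `bytes.HasPrefix` with two `[]byte` conversions per call, which appears to be the only reason this commit imports `bytes`. Parsing with `net/url` and checking `Scheme` and `Host` is stricter and would let the `bytes` import be replaced by `net/url`. The `http://` branch returns true silently when `INSECURE_API=true`; since eip-service.json is then fetched without transport integrity, a warning line makes the downgrade visible to whoever reads the service logs. The function also lacks a doc comment and has an `else` after a terminating `return`.

```go
// … unchanged: closing lines of main() …

// isValidAPIURI reports whether uri is an absolute https:// URL with a host,
// or an http:// one when INSECURE_API=true is set in the environment.
func isValidAPIURI(uri string) bool {
	u, err := url.Parse(uri)
	if err != nil || u.Host == "" {
		return false
	}
	switch u.Scheme {
	case "https":
		return true
	case "http":
		if os.Getenv("INSECURE_API") == "true" {
			log.Println("WARNING: INSECURE_API=true, fetching eip-service.json over plaintext http")
			return true
		}
		log.Println("ERROR: Please pass INSECURE_API=true if you need to use a http:// endpoint.")
	}
	return false
}
```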