netmaker/mq/dynsec.go

package mq

import (
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"time"

	mqtt "github.com/eclipse/paho.mqtt.golang"
	"github.com/gravitl/netmaker/functions"
	"github.com/gravitl/netmaker/logger"
	"github.com/gravitl/netmaker/logic"
	"github.com/gravitl/netmaker/netclient/ncutils"
	"github.com/gravitl/netmaker/servercfg"
	"golang.org/x/crypto/pbkdf2"
)

// mq client for admin
var mqAdminClient mqtt.Client

const (
	// constant for client command
	CreateClientCmd = "createClient"
	// constant for disable command
	DisableClientCmd = "disableClient"
	// constant for delete client command
	DeleteClientCmd = "deleteClient"
	// constant for modify client command
	ModifyClientCmd = "modifyClient"

	// constant for create role command
	CreateRoleCmd = "createRole"
	// constant for delete role command
	DeleteRoleCmd = "deleteRole"

	// constant for admin user name
	mqAdminUserName = "Netmaker-Admin"
	// constant for server user name
	mqNetmakerServerUserName = "Netmaker-Server"
	// constant for exporter user name
	mqExporterUserName = "Netmaker-Exporter"

	// DynamicSecSubTopic - constant for dynamic security subscription topic
	dynamicSecSubTopic = "$CONTROL/dynamic-security/#"
	// DynamicSecPubTopic - constant for dynamic security subscription topic
	dynamicSecPubTopic = "$CONTROL/dynamic-security/v1"
)

// struct for dynamic security file
type dynJSON struct {
	Clients    []client         `json:"clients"`
	Roles      []role           `json:"roles"`
	DefaultAcl defaultAccessAcl `json:"defaultACLAccess"`
}

// struct for client role
type clientRole struct {
	Rolename string `json:"rolename"`
}

// struct for MQ client
type client struct {
	Username   string       `json:"username"`
	TextName   string       `json:"textName"`
	Password   string       `json:"password"`
	Salt       string       `json:"salt"`
	Iterations int          `json:"iterations"`
	Roles      []clientRole `json:"roles"`
}

// struct for MQ role
type role struct {
	Rolename string `json:"rolename"`
	Acls     []Acl  `json:"acls"`
}

// struct for default acls
type defaultAccessAcl struct {
	PublishClientSend    bool `json:"publishClientSend"`
	PublishClientReceive bool `json:"publishClientReceive"`
	Subscribe            bool `json:"subscribe"`
	Unsubscribe          bool `json:"unsubscribe"`
}

// MqDynSecGroup - struct for MQ client group
type MqDynSecGroup struct {
	Groupname string `json:"groupname"`
	Priority  int    `json:"priority"`
}

// MqDynSecRole - struct for MQ client role
type MqDynSecRole struct {
	Rolename string `json:"rolename"`
	Priority int    `json:"priority"`
}

// Acl - struct for MQ acls
type Acl struct {
	AclType  string `json:"acltype"`
	Topic    string `json:"topic"`
	Priority int    `json:"priority,omitempty"`
	Allow    bool   `json:"allow"`
}

// MqDynSecCmd - struct for MQ dynamic security command
type MqDynSecCmd struct {
	Command         string          `json:"command"`
	Username        string          `json:"username"`
	Password        string          `json:"password"`
	RoleName        string          `json:"rolename,omitempty"`
	Acls            []Acl           `json:"acls,omitempty"`
	Clientid        string          `json:"clientid"`
	Textname        string          `json:"textname"`
	Textdescription string          `json:"textdescription"`
	Groups          []MqDynSecGroup `json:"groups"`
	Roles           []MqDynSecRole  `json:"roles"`
}

// MqDynsecPayload - struct for dynamic security command payload
type MqDynsecPayload struct {
	Commands []MqDynSecCmd `json:"commands"`
}

// encodePasswordToPBKDF2 - encodes the given password with PBKDF2 hashing for MQ
func encodePasswordToPBKDF2(password string, salt string, iterations int, keyLength int) string {
	binaryEncoded := pbkdf2.Key([]byte(password), []byte(salt), iterations, keyLength, sha512.New)
	return base64.StdEncoding.EncodeToString(binaryEncoded)
}

// Configure - configures the dynamic initial configuration for MQ
func Configure() error {

	logger.Log(0, "Configuring MQ...")
	dynConfig := dynConfigInI
	path := functions.GetNetmakerPath() + ncutils.GetSeparator() + dynamicSecurityFile

	password := servercfg.GetMqAdminPassword()
	if password == "" {
		return errors.New("MQ admin password not provided")
	}
	if logic.CheckIfFileExists(path) {
		data, err := os.ReadFile(path)
		if err == nil {
			var cfg dynJSON
			err = json.Unmarshal(data, &cfg)
			if err == nil {
				logger.Log(0, "MQ config exists already, So Updating Existing Config...")
				dynConfig = cfg
			}
		}
	}
	exporter := false
	for i, cI := range dynConfig.Clients {
		if cI.Username == mqAdminUserName || cI.Username == mqNetmakerServerUserName {
			salt := logic.RandomString(12)
			hashed := encodePasswordToPBKDF2(password, salt, 101, 64)
			cI.Password = hashed
			cI.Iterations = 101
			cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
			dynConfig.Clients[i] = cI
		} else if servercfg.Is_EE && cI.Username == mqExporterUserName {
			exporter = true
			exporterPassword := servercfg.GetLicenseKey()
			salt := logic.RandomString(12)
			hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64)
			cI.Password = hashed
			cI.Iterations = 101
			cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
			dynConfig.Clients[i] = cI
		}
	}
	if servercfg.Is_EE && !exporter {
		exporterPassword := servercfg.GetLicenseKey()
		salt := logic.RandomString(12)
		hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64)
		exporterMQClient.Password = hashed
		exporterMQClient.Iterations = 101
		exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
		dynConfig.Clients = append(dynConfig.Clients, exporterMQClient)
		dynConfig.Roles = append(dynConfig.Roles, exporterMQRole)
	}
	data, err := json.MarshalIndent(dynConfig, "", " ")
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0755)
}

// PublishEventToDynSecTopic - publishes the message to dynamic security topic
func PublishEventToDynSecTopic(payload MqDynsecPayload) error {

	d, err := json.Marshal(payload)
	if err != nil {
		return err
	}
	var connecterr error
	if token := mqAdminClient.Publish(dynamicSecPubTopic, 2, false, d); !token.WaitTimeout(MQ_TIMEOUT*time.Second) || token.Error() != nil {
		if token.Error() == nil {
			connecterr = errors.New("connect timeout")
		} else {
			connecterr = token.Error()
		}
	}
	return connecterr
}

// watchDynSecTopic - message handler for dynamic security responses
func watchDynSecTopic(client mqtt.Client, msg mqtt.Message) {

	logger.Log(1, fmt.Sprintf("----->WatchDynSecTopic Message: %+v", string(msg.Payload())))

}
dynsec intial code 2022-09-14 02:03:39 +08:00			`package mq`

			`import (`
configure mq on startup 2022-09-26 19:27:10 +08:00			`"crypto/sha512"`
			`"encoding/base64"`
dynsec intial code 2022-09-14 02:03:39 +08:00			`"encoding/json"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`"errors"`
dynsec intial code 2022-09-14 02:03:39 +08:00			`"fmt"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`"os"`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`"time"`
dynsec intial code 2022-09-14 02:03:39 +08:00
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			`mqtt "github.com/eclipse/paho.mqtt.golang"`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`"github.com/gravitl/netmaker/functions"`
dynsec intial code 2022-09-14 02:03:39 +08:00			`"github.com/gravitl/netmaker/logger"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`"github.com/gravitl/netmaker/logic"`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`"github.com/gravitl/netmaker/netclient/ncutils"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`"github.com/gravitl/netmaker/servercfg"`
			`"golang.org/x/crypto/pbkdf2"`
dynsec intial code 2022-09-14 02:03:39 +08:00			`)`

added comments 2022-09-30 02:29:18 +08:00			`// mq client for admin`
configure mq on startup 2022-09-26 19:27:10 +08:00			`var mqAdminClient mqtt.Client`

added comments 2022-09-30 02:29:18 +08:00			`const (`
			`// constant for client command`
			`CreateClientCmd = "createClient"`
			`// constant for disable command`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			`DisableClientCmd = "disableClient"`
added comments 2022-09-30 02:29:18 +08:00			`// constant for delete client command`
			`DeleteClientCmd = "deleteClient"`
			`// constant for modify client command`
			`ModifyClientCmd = "modifyClient"`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00
added comments 2022-09-30 02:29:18 +08:00			`// constant for create role command`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`CreateRoleCmd = "createRole"`
added comments 2022-09-30 02:29:18 +08:00			`// constant for delete role command`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`DeleteRoleCmd = "deleteRole"`

added comments 2022-09-30 02:29:18 +08:00			`// constant for admin user name`
			`mqAdminUserName = "Netmaker-Admin"`
			`// constant for server user name`
			`mqNetmakerServerUserName = "Netmaker-Server"`
			`// constant for exporter user name`
			`mqExporterUserName = "Netmaker-Exporter"`
PR comments resolved 2022-10-01 08:57:30 +08:00
			`// DynamicSecSubTopic - constant for dynamic security subscription topic`
			`dynamicSecSubTopic = "$CONTROL/dynamic-security/#"`
			`// DynamicSecPubTopic - constant for dynamic security subscription topic`
			`dynamicSecPubTopic = "$CONTROL/dynamic-security/v1"`
added comments 2022-09-30 02:29:18 +08:00			`)`

			`// struct for dynamic security file`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`type dynJSON struct {`
			Clients []client `json:"clients"`
			Roles []role `json:"roles"`
			DefaultAcl defaultAccessAcl `json:"defaultACLAccess"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// struct for client role`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`type clientRole struct {`
			Rolename string `json:"rolename"`
			`}`
added comments 2022-09-30 02:29:18 +08:00
			`// struct for MQ client`
configure mq on startup 2022-09-26 19:27:10 +08:00			`type client struct {`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			Username string `json:"username"`
			TextName string `json:"textName"`
			Password string `json:"password"`
			Salt string `json:"salt"`
			Iterations int `json:"iterations"`
			Roles []clientRole `json:"roles"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`}`

added comments 2022-09-30 02:29:18 +08:00			`// struct for MQ role`
configure mq on startup 2022-09-26 19:27:10 +08:00			`type role struct {`
			Rolename string `json:"rolename"`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			Acls []Acl `json:"acls"`
configure mq on startup 2022-09-26 19:27:10 +08:00			`}`

added comments 2022-09-30 02:29:18 +08:00			`// struct for default acls`
configure mq on startup 2022-09-26 19:27:10 +08:00			`type defaultAccessAcl struct {`
			PublishClientSend bool `json:"publishClientSend"`
			PublishClientReceive bool `json:"publishClientReceive"`
			Subscribe bool `json:"subscribe"`
			Unsubscribe bool `json:"unsubscribe"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// MqDynSecGroup - struct for MQ client group`
dynsec intial code 2022-09-14 02:03:39 +08:00			`type MqDynSecGroup struct {`
			Groupname string `json:"groupname"`
			Priority int `json:"priority"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// MqDynSecRole - struct for MQ client role`
dynsec intial code 2022-09-14 02:03:39 +08:00			`type MqDynSecRole struct {`
			Rolename string `json:"rolename"`
			Priority int `json:"priority"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// Acl - struct for MQ acls`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			`type Acl struct {`
json tag fix,create client with password before hashing 2022-09-28 20:28:43 +08:00			AclType string `json:"acltype"`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			Topic string `json:"topic"`
json tag fix,create client with password before hashing 2022-09-28 20:28:43 +08:00			Priority int `json:"priority,omitempty"`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			Allow bool `json:"allow"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// MqDynSecCmd - struct for MQ dynamic security command`
dynsec intial code 2022-09-14 02:03:39 +08:00			`type MqDynSecCmd struct {`
			Command string `json:"command"`
			Username string `json:"username"`
			Password string `json:"password"`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			RoleName string `json:"rolename,omitempty"`
			Acls []Acl `json:"acls,omitempty"`
dynsec intial code 2022-09-14 02:03:39 +08:00			Clientid string `json:"clientid"`
			Textname string `json:"textname"`
			Textdescription string `json:"textdescription"`
			Groups []MqDynSecGroup `json:"groups"`
			Roles []MqDynSecRole `json:"roles"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// MqDynsecPayload - struct for dynamic security command payload`
dynsec intial code 2022-09-14 02:03:39 +08:00			`type MqDynsecPayload struct {`
			Commands []MqDynSecCmd `json:"commands"`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// encodePasswordToPBKDF2 - encodes the given password with PBKDF2 hashing for MQ`
configure mq on startup 2022-09-26 19:27:10 +08:00			`func encodePasswordToPBKDF2(password string, salt string, iterations int, keyLength int) string {`
			`binaryEncoded := pbkdf2.Key([]byte(password), []byte(salt), iterations, keyLength, sha512.New)`
			`return base64.StdEncoding.EncodeToString(binaryEncoded)`
			`}`

added comments 2022-09-30 02:29:18 +08:00			`// Configure - configures the dynamic initial configuration for MQ`
configure mq on startup 2022-09-26 19:27:10 +08:00			`func Configure() error {`
use local variable for mq configuration 2022-10-21 16:01:42 +08:00
keep the passwords in sync 2022-10-21 14:40:12 +08:00			`logger.Log(0, "Configuring MQ...")`
use local variable for mq configuration 2022-10-21 16:01:42 +08:00			`dynConfig := dynConfigInI`
add subscription pattern to acls,fix NaN value in metrics for uptime,get real iface name for mac 2022-09-30 21:01:57 +08:00			`path := functions.GetNetmakerPath() + ncutils.GetSeparator() + dynamicSecurityFile`
keep the passwords in sync 2022-10-21 14:40:12 +08:00
configure mq on startup 2022-09-26 19:27:10 +08:00			`password := servercfg.GetMqAdminPassword()`
			`if password == "" {`
			`return errors.New("MQ admin password not provided")`
			`}`
keep the passwords in sync 2022-10-21 14:40:12 +08:00			`if logic.CheckIfFileExists(path) {`
			`data, err := os.ReadFile(path)`
			`if err == nil {`
check for umarshal errors 2022-10-21 15:54:22 +08:00			`var cfg dynJSON`
			`err = json.Unmarshal(data, &cfg)`
			`if err == nil {`
			`logger.Log(0, "MQ config exists already, So Updating Existing Config...")`
			`dynConfig = cfg`
			`}`
keep the passwords in sync 2022-10-21 14:40:12 +08:00			`}`
			`}`
add exporter client if not present 2022-10-21 15:33:28 +08:00			`exporter := false`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`for i, cI := range dynConfig.Clients {`
configure mq on startup 2022-09-26 19:27:10 +08:00			`if cI.Username == mqAdminUserName \|\| cI.Username == mqNetmakerServerUserName {`
			`salt := logic.RandomString(12)`
			`hashed := encodePasswordToPBKDF2(password, salt, 101, 64)`
			`cI.Password = hashed`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`cI.Iterations = 101`
configure mq on startup 2022-09-26 19:27:10 +08:00			`cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`dynConfig.Clients[i] = cI`
check if EE to configure exporter for MQ 2022-09-30 01:59:24 +08:00			`} else if servercfg.Is_EE && cI.Username == mqExporterUserName {`
add exporter client if not present 2022-10-21 15:33:28 +08:00			`exporter = true`
check if EE to configure exporter for MQ 2022-09-30 01:59:24 +08:00			`exporterPassword := servercfg.GetLicenseKey()`
			`salt := logic.RandomString(12)`
			`hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64)`
			`cI.Password = hashed`
			`cI.Iterations = 101`
			`cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))`
			`dynConfig.Clients[i] = cI`
configure mq on startup 2022-09-26 19:27:10 +08:00			`}`
			`}`
add exporter client if not present 2022-10-21 15:33:28 +08:00			`if servercfg.Is_EE && !exporter {`
			`exporterPassword := servercfg.GetLicenseKey()`
			`salt := logic.RandomString(12)`
			`hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64)`
			`exporterMQClient.Password = hashed`
			`exporterMQClient.Iterations = 101`
			`exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt))`
			`dynConfig.Clients = append(dynConfig.Clients, exporterMQClient)`
			`dynConfig.Roles = append(dynConfig.Roles, exporterMQRole)`
			`}`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`data, err := json.MarshalIndent(dynConfig, "", " ")`
configure mq on startup 2022-09-26 19:27:10 +08:00			`if err != nil {`
			`return err`
			`}`
create client for nodes on authenticate,generate dyn sec file on startup 2022-09-27 20:06:33 +08:00			`return os.WriteFile(path, data, 0755)`
configure mq on startup 2022-09-26 19:27:10 +08:00			`}`

added comments 2022-09-30 02:29:18 +08:00			`// PublishEventToDynSecTopic - publishes the message to dynamic security topic`
			`func PublishEventToDynSecTopic(payload MqDynsecPayload) error {`
dynsec intial code 2022-09-14 02:03:39 +08:00
added comments 2022-09-30 02:29:18 +08:00			`d, err := json.Marshal(payload)`
rm channel 2022-09-27 00:25:24 +08:00			`if err != nil {`
			`return err`
			`}`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`var connecterr error`
added comments 2022-09-30 02:29:18 +08:00			`if token := mqAdminClient.Publish(dynamicSecPubTopic, 2, false, d); !token.WaitTimeout(MQ_TIMEOUT*time.Second) \|\| token.Error() != nil {`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`if token.Error() == nil {`
			`connecterr = errors.New("connect timeout")`
			`} else {`
			`connecterr = token.Error()`
			`}`
dynsec intial code 2022-09-14 02:03:39 +08:00			`}`
added roles,acls for clients 2022-09-30 01:24:41 +08:00			`return connecterr`
dynsec intial code 2022-09-14 02:03:39 +08:00			`}`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00
added comments 2022-09-30 02:29:18 +08:00			`// watchDynSecTopic - message handler for dynamic security responses`
watch dynsec messages,create client on node join 2022-09-14 18:29:22 +08:00			`func watchDynSecTopic(client mqtt.Client, msg mqtt.Message) {`

			`logger.Log(1, fmt.Sprintf("----->WatchDynSecTopic Message: %+v", string(msg.Payload())))`

			`}`