From 20bad4e2ee0b30ae725b38ba5a7e105e11bbd881 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Sun, 22 Jan 2023 16:27:04 +0400 Subject: [PATCH] remove unwanted roles --- mq/dynsec.go | 1 - mq/dynsec_clients.go | 71 +++----------------- mq/dynsec_helper.go | 151 ++----------------------------------------- 3 files changed, 14 insertions(+), 209 deletions(-) diff --git a/mq/dynsec.go b/mq/dynsec.go index 4f1342ac..db36c210 100644 --- a/mq/dynsec.go +++ b/mq/dynsec.go @@ -180,7 +180,6 @@ func Configure() error { exporterMQClient.Iterations = 101 exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt)) dynConfig.Clients = append(dynConfig.Clients, exporterMQClient) - dynConfig.Roles = append(dynConfig.Roles, exporterMQRole) } data, err := json.MarshalIndent(dynConfig, "", " ") if err != nil { diff --git a/mq/dynsec_clients.go b/mq/dynsec_clients.go index 8f904247..7ae71fb5 100644 --- a/mq/dynsec_clients.go +++ b/mq/dynsec_clients.go @@ -8,46 +8,9 @@ type MqClient struct { Networks []string } -// ModifyClient - modifies an existing client's network roles -func ModifyClient(client *MqClient) error { - - roles := []MqDynSecRole{ - { - Rolename: HostGenericRole, - Priority: -1, - }, - { - Rolename: getHostRoleName(client.ID), - Priority: -1, - }, - } - - for i := range client.Networks { - roles = append(roles, MqDynSecRole{ - Rolename: client.Networks[i], - Priority: -1, - }, - ) - } - - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: ModifyClientCmd, - Username: client.ID, - Textname: client.Text, - Roles: roles, - Groups: make([]MqDynSecGroup, 0), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - // DeleteMqClient - removes a client from the DynSec system func DeleteMqClient(hostID string) error { - deleteHostRole(hostID) + event := MqDynsecPayload{ Commands: []MqDynSecCmd{ { 
@@ -62,29 +25,6 @@ func DeleteMqClient(hostID string) error { // CreateMqClient - creates an MQ DynSec client func CreateMqClient(client *MqClient) error { - err := createHostRole(client.ID) - if err != nil { - return err - } - roles := []MqDynSecRole{ - { - Rolename: HostGenericRole, - Priority: -1, - }, - { - Rolename: getHostRoleName(client.ID), - Priority: -1, - }, - } - - for i := range client.Networks { - roles = append(roles, MqDynSecRole{ - Rolename: client.Networks[i], - Priority: -1, - }, - ) - } - event := MqDynsecPayload{ Commands: []MqDynSecCmd{ { @@ -92,8 +32,13 @@ func CreateMqClient(client *MqClient) error { Username: client.ID, Password: client.Password, Textname: client.Text, - Roles: roles, - Groups: make([]MqDynSecGroup, 0), + Roles: []MqDynSecRole{ + { + Rolename: genericRole, + Priority: -1, + }, + }, + Groups: make([]MqDynSecGroup, 0), }, }, } diff --git a/mq/dynsec_helper.go b/mq/dynsec_helper.go index f854dc90..94568dfd 100644 --- a/mq/dynsec_helper.go +++ b/mq/dynsec_helper.go @@ -1,7 +1,6 @@ package mq import ( - "encoding/json" "errors" "fmt" "time" @@ -13,14 +12,8 @@ import ( const ( // constant for admin role adminRole = "admin" - // constant for server role - serverRole = "server" - // constant for exporter role - exporterRole = "exporter" - // constant for node role - NodeRole = "node" - // HostGenericRole constant for host role - HostGenericRole = "host" + // constant for generic role + genericRole = "generic" // const for dynamic security file dynamicSecurityFile = "dynamic-security.json" @@ -50,7 +43,7 @@ var ( Iterations: 0, Roles: []clientRole{ { - Rolename: serverRole, + Rolename: genericRole, }, }, }, @@ -62,14 +55,9 @@ var ( Acls: fetchAdminAcls(), }, { - Rolename: serverRole, - Acls: fetchServerAcls(), + Rolename: genericRole, + Acls: fetchServerAcls(), //TODO fetch generic acls }, - { - Rolename: HostGenericRole, - Acls: fetchNodeAcls(), - }, - exporterMQRole, }, DefaultAcl: defaultAccessAcl{ PublishClientSend: false, 
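Review bot: CreateMqClient now pins every host to the single `genericRole` and no longer reads `client.Networks`, although the field is still declared on MqClient in the earlier dynsec_clients.go hunk; together with the dynsec_helper.go hunk that binds `genericRole` to `fetchServerAcls()`, every host created here inherits the server's ACL set, so the per-host and per-network topic scoping the removed roles provided is gone until generic ACLs are defined. If Networks is intentionally ignored now, say so on the struct or remove it, and record the trust change on the function: `// CreateMqClient - creates an MQ DynSec client bound only to genericRole; client.Networks is not consulted.` The start and the end of CreateMqClient lie outside this hunk.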
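Review bot: This hunk deletes the exported constants `NodeRole` and `HostGenericRole` from the package API, so any other package that referenced them stops compiling, which this diff cannot show. The replacement `genericRole` is unexported, so callers outside mq that need the role name have no substitute. The new doc comment should also follow the Go form of starting with the identifier: `// genericRole is the DynSec role assigned to the server, exporter and host clients.`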
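Review bot: `Acls: fetchServerAcls(), //TODO fetch generic acls` hands the server's ACL list to a role that this commit also assigns to the exporter client and to every host created by CreateMqClient, so the effective permission set of those clients is now whatever the server is allowed to do. That is wider than the removed `HostGenericRole`/`fetchNodeAcls()` and `exporterMQRole`/`fetchExporterAcls()` bindings, so the generic ACL set should be defined in this change rather than left as a TODO, or the shared role should start from the narrower node ACLs. Style: Go writes such markers as `// TODO: fetch generic acls` with a space after the slashes. The var block this hunk edits starts before and ends after the hunk.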
@@ -87,31 +75,12 @@ var ( Iterations: 101, Roles: []clientRole{ { - Rolename: exporterRole, + Rolename: genericRole, }, }, } - exporterMQRole = role{ - Rolename: exporterRole, - Acls: fetchExporterAcls(), - } ) -// DynListCLientsCmdResp - struct for list clients response from MQ -type DynListCLientsCmdResp struct { - Responses []struct { - Command string `json:"command"` - Error string `json:"error"` - Data ListClientsData `json:"data"` - } `json:"responses"` -} - -// ListClientsData - struct for list clients data -type ListClientsData struct { - Clients []string `json:"clients"` - TotalCount int `json:"totalCount"` -} - // GetAdminClient - fetches admin client of the MQ func GetAdminClient() (mqtt.Client, error) { opts := mqtt.NewClientOptions() @@ -128,47 +97,6 @@ func GetAdminClient() (mqtt.Client, error) { return mqclient, connecterr } -// ListClients - to list all clients in the MQ -func ListClients(client mqtt.Client) (ListClientsData, error) { - respChan := make(chan mqtt.Message, 10) - defer close(respChan) - command := "listClients" - resp := ListClientsData{} - msg := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: command, - }, - }, - } - client.Subscribe("$CONTROL/dynamic-security/v1/response", 2, mqtt.MessageHandler(func(c mqtt.Client, m mqtt.Message) { - respChan <- m - })) - defer client.Unsubscribe() - d, _ := json.Marshal(msg) - token := client.Publish("$CONTROL/dynamic-security/v1", 2, true, d) - if !token.WaitTimeout(30) || token.Error() != nil { - var err error - if token.Error() == nil { - err = errors.New("connection timeout") - } else { - err = token.Error() - } - return resp, err - } - - for m := range respChan { - msg := DynListCLientsCmdResp{} - json.Unmarshal(m.Payload(), &msg) - for _, mI := range msg.Responses { - if mI.Command == command { - return mI.Data, nil - } - } - } - return resp, errors.New("resp not found") -} - // fetches host related acls func fetchHostAcls(hostID string) []Acl { return []Acl{ 
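Review bot: Besides switching the exporter client to `genericRole`, this hunk removes the exported types `DynListCLientsCmdResp` and `ListClientsData`, which together with the `ListClients` removal in the next hunk changes the package API; any consumer outside mq that used them no longer compiles, which this diff cannot show. Once the `exporterMQRole` var is gone, `fetchExporterAcls()` appears to have no remaining caller in the visible hunks, and the same applies to `fetchHostAcls` after `createHostRole` is removed in the later dynsec_helper.go hunk; if nothing else in the file calls them, staticcheck will report them as unused and they should either be deleted or become the source of the generic ACL set. The var block containing the exporter client starts before this hunk.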
@@ -229,73 +157,6 @@ func FetchNetworkAcls(network string) []Acl { } } -// DeleteNetworkRole - deletes a network role from DynSec system -func DeleteNetworkRole(network string) error { - // Deletes the network role from MQ - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: DeleteRoleCmd, - RoleName: network, - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -func deleteHostRole(hostID string) error { - // Deletes the hostID role from MQ - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: DeleteRoleCmd, - RoleName: getHostRoleName(hostID), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -// CreateNetworkRole - createss a network role from DynSec system -func CreateNetworkRole(network string) error { - // Create Role with acls for the network - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: CreateRoleCmd, - RoleName: network, - Textname: "Network wide role with Acls for nodes", - Acls: FetchNetworkAcls(network), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -// creates role for the host with ID. -func createHostRole(hostID string) error { - // Create Role with acls for the host - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: CreateRoleCmd, - RoleName: getHostRoleName(hostID), - Textname: "host role with Acls for hosts", - Acls: fetchHostAcls(hostID), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -func getHostRoleName(hostID string) string { - return fmt.Sprintf("host-%s", hostID) -} - // serverAcls - fetches server role related acls func fetchServerAcls() []Acl { return []Acl{