gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-11-11 01:01:05 +08:00
Code Issues Projects Releases Packages Wiki Activity

remove unwanted roles

Browse source
This commit is contained in:
Abhishek Kondur 2023-01-22 16:27:04 +04:00
parent f17787751c
commit 20bad4e2ee
3 changed files with 14 additions and 209 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
mq/dynsec.go
View file

@ -180,7 +180,6 @@ func Configure() error {
exporterMQClient.Iterations = 101 exporterMQClient.Iterations = 101
exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt)) exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
dynConfig.Clients = append(dynConfig.Clients, exporterMQClient) dynConfig.Clients = append(dynConfig.Clients, exporterMQClient)
dynConfig.Roles = append(dynConfig.Roles, exporterMQRole)
} }
data, err := json.MarshalIndent(dynConfig, "", " ") data, err := json.MarshalIndent(dynConfig, "", " ")
if err != nil { if err != nil {

69
mq/dynsec_clients.go
View file

@ -8,46 +8,9 @@ type MqClient struct {
Networks []string Networks []string
} }
// ModifyClient - modifies an existing client's network roles
func ModifyClient(client *MqClient) error {
roles := []MqDynSecRole{
{
Rolename: HostGenericRole,
Priority: -1,
},
{
Rolename: getHostRoleName(client.ID),
Priority: -1,
},
}
for i := range client.Networks {
roles = append(roles, MqDynSecRole{
Rolename: client.Networks[i],
Priority: -1,
},
)
}
event := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: ModifyClientCmd,
Username: client.ID,
Textname: client.Text,
Roles: roles,
Groups: make([]MqDynSecGroup, 0),
},
},
}
return publishEventToDynSecTopic(event)
}
// DeleteMqClient - removes a client from the DynSec system // DeleteMqClient - removes a client from the DynSec system
func DeleteMqClient(hostID string) error { func DeleteMqClient(hostID string) error {
deleteHostRole(hostID)
event := MqDynsecPayload{ event := MqDynsecPayload{
Commands: []MqDynSecCmd{ Commands: []MqDynSecCmd{
{ {
@ -62,29 +25,6 @@ func DeleteMqClient(hostID string) error {
// CreateMqClient - creates an MQ DynSec client // CreateMqClient - creates an MQ DynSec client
func CreateMqClient(client *MqClient) error { func CreateMqClient(client *MqClient) error {
err := createHostRole(client.ID)
if err != nil {
return err
}
roles := []MqDynSecRole{
{
Rolename: HostGenericRole,
Priority: -1,
},
{
Rolename: getHostRoleName(client.ID),
Priority: -1,
},
}
for i := range client.Networks {
roles = append(roles, MqDynSecRole{
Rolename: client.Networks[i],
Priority: -1,
},
)
}
event := MqDynsecPayload{ event := MqDynsecPayload{
Commands: []MqDynSecCmd{ Commands: []MqDynSecCmd{
{ {
@ -92,7 +32,12 @@ func CreateMqClient(client *MqClient) error {
Username: client.ID, Username: client.ID,
Password: client.Password, Password: client.Password,
Textname: client.Text, Textname: client.Text,
Roles: roles, Roles: []MqDynSecRole{
{
Rolename: genericRole,
Priority: -1,
},
},
Groups: make([]MqDynSecGroup, 0), Groups: make([]MqDynSecGroup, 0),
}, },
}, },

151
mq/dynsec_helper.go
View file

@ -1,7 +1,6 @@
package mq package mq
import ( import (
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"time" "time"
@ -13,14 +12,8 @@ import (
const ( const (
// constant for admin role // constant for admin role
adminRole = "admin" adminRole = "admin"
// constant for server role // constant for generic role
serverRole = "server" genericRole = "generic"
// constant for exporter role
exporterRole = "exporter"
// constant for node role
NodeRole = "node"
// HostGenericRole constant for host role
HostGenericRole = "host"
// const for dynamic security file // const for dynamic security file
dynamicSecurityFile = "dynamic-security.json" dynamicSecurityFile = "dynamic-security.json"
@ -50,7 +43,7 @@ var (
Iterations: 0, Iterations: 0,
Roles: []clientRole{ Roles: []clientRole{
{ {
Rolename: serverRole, Rolename: genericRole,
}, },
}, },
}, },
@ -62,14 +55,9 @@ var (
Acls: fetchAdminAcls(), Acls: fetchAdminAcls(),
}, },
{ {
Rolename: serverRole, Rolename: genericRole,
Acls: fetchServerAcls(), Acls: fetchServerAcls(), //TODO fetch generic acls
}, },
{
Rolename: HostGenericRole,
Acls: fetchNodeAcls(),
},
exporterMQRole,
}, },
DefaultAcl: defaultAccessAcl{ DefaultAcl: defaultAccessAcl{
PublishClientSend: false, PublishClientSend: false,
@ -87,31 +75,12 @@ var (
Iterations: 101, Iterations: 101,
Roles: []clientRole{ Roles: []clientRole{
{ {
Rolename: exporterRole, Rolename: genericRole,
}, },
}, },
} }
exporterMQRole = role{
Rolename: exporterRole,
Acls: fetchExporterAcls(),
}
) )
// DynListCLientsCmdResp - struct for list clients response from MQ
type DynListCLientsCmdResp struct {
Responses []struct {
Command string `json:"command"`
Error string `json:"error"`
Data ListClientsData `json:"data"`
} `json:"responses"`
}
// ListClientsData - struct for list clients data
type ListClientsData struct {
Clients []string `json:"clients"`
TotalCount int `json:"totalCount"`
}
// GetAdminClient - fetches admin client of the MQ // GetAdminClient - fetches admin client of the MQ
func GetAdminClient() (mqtt.Client, error) { func GetAdminClient() (mqtt.Client, error) {
opts := mqtt.NewClientOptions() opts := mqtt.NewClientOptions()
@ -128,47 +97,6 @@ func GetAdminClient() (mqtt.Client, error) {
return mqclient, connecterr return mqclient, connecterr
} }
// ListClients - to list all clients in the MQ
func ListClients(client mqtt.Client) (ListClientsData, error) {
respChan := make(chan mqtt.Message, 10)
defer close(respChan)
command := "listClients"
resp := ListClientsData{}
msg := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: command,
},
},
}
client.Subscribe("$CONTROL/dynamic-security/v1/response", 2, mqtt.MessageHandler(func(c mqtt.Client, m mqtt.Message) {
respChan <- m
}))
defer client.Unsubscribe()
d, _ := json.Marshal(msg)
token := client.Publish("$CONTROL/dynamic-security/v1", 2, true, d)
if !token.WaitTimeout(30) || token.Error() != nil {
var err error
if token.Error() == nil {
err = errors.New("connection timeout")
} else {
err = token.Error()
}
return resp, err
}
for m := range respChan {
msg := DynListCLientsCmdResp{}
json.Unmarshal(m.Payload(), &msg)
for _, mI := range msg.Responses {
if mI.Command == command {
return mI.Data, nil
}
}
}
return resp, errors.New("resp not found")
}
// fetches host related acls // fetches host related acls
func fetchHostAcls(hostID string) []Acl { func fetchHostAcls(hostID string) []Acl {
return []Acl{ return []Acl{
@ -229,73 +157,6 @@ func FetchNetworkAcls(network string) []Acl {
} }
} }
// DeleteNetworkRole - deletes a network role from DynSec system
func DeleteNetworkRole(network string) error {
// Deletes the network role from MQ
event := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: DeleteRoleCmd,
RoleName: network,
},
},
}
return publishEventToDynSecTopic(event)
}
func deleteHostRole(hostID string) error {
// Deletes the hostID role from MQ
event := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: DeleteRoleCmd,
RoleName: getHostRoleName(hostID),
},
},
}
return publishEventToDynSecTopic(event)
}
// CreateNetworkRole - createss a network role from DynSec system
func CreateNetworkRole(network string) error {
// Create Role with acls for the network
event := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: CreateRoleCmd,
RoleName: network,
Textname: "Network wide role with Acls for nodes",
Acls: FetchNetworkAcls(network),
},
},
}
return publishEventToDynSecTopic(event)
}
// creates role for the host with ID.
func createHostRole(hostID string) error {
// Create Role with acls for the host
event := MqDynsecPayload{
Commands: []MqDynSecCmd{
{
Command: CreateRoleCmd,
RoleName: getHostRoleName(hostID),
Textname: "host role with Acls for hosts",
Acls: fetchHostAcls(hostID),
},
},
}
return publishEventToDynSecTopic(event)
}
func getHostRoleName(hostID string) string {
return fmt.Sprintf("host-%s", hostID)
}
// serverAcls - fetches server role related acls // serverAcls - fetches server role related acls
func fetchServerAcls() []Acl { func fetchServerAcls() []Acl {
return []Acl{ return []Acl{