From 4678332e3afaccdf179e9bc7b765440ab3d687b2 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Fri, 30 Sep 2022 20:59:03 +0530 Subject: [PATCH] make node acls generic --- controllers/node.go | 21 +-- mq/dynsec_helper.go | 307 +++++++++++++++++++++++--------------------- mq/handlers.go | 1 + 3 files changed, 167 insertions(+), 162 deletions(-) diff --git a/controllers/node.go b/controllers/node.go index 3014d6c4..8eecaff4 100644 --- a/controllers/node.go +++ b/controllers/node.go @@ -100,7 +100,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) { logic.ReturnErrorResponse(response, request, errorResponse) return } - // creates network role, node role,node client (added here to resolve any missing configuration in MQ) + // creates network role,node client (added here to resolve any missing configuration in MQ) event := mq.MqDynsecPayload{ Commands: []mq.MqDynSecCmd{ @@ -110,13 +110,6 @@ func authenticate(response http.ResponseWriter, request *http.Request) { Textname: "Network wide role with Acls for nodes", Acls: mq.FetchNetworkAcls(result.Network), }, - - { - Command: mq.CreateRoleCmd, - RoleName: fmt.Sprintf("%s-%s", "Node", result.ID), - Acls: mq.FetchNodeAcls(result.ID), - Textname: "Role for node " + result.Name, - }, { Command: mq.CreateClientCmd, Username: result.ID, @@ -124,7 +117,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) { Textname: result.Name, Roles: []mq.MqDynSecRole{ { - Rolename: fmt.Sprintf("%s-%s", "Node", result.ID), + Rolename: mq.NodeRole, Priority: -1, }, { @@ -677,7 +670,7 @@ func createNode(w http.ResponseWriter, r *http.Request) { // Create client for this node in Mq event := mq.MqDynsecPayload{ Commands: []mq.MqDynSecCmd{ - { + { // delete if any client exists already Command: mq.DeleteClientCmd, Username: node.ID, }, 
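Review bot: The create-client command a few lines below (the `Rolename: mq.NodeRole` hunk) now binds every node to a role that nothing in this controller creates: the per-node `CreateRoleCmd` is dropped here and in the matching createNode hunk (`@@ -687,12`), while the `node` role itself is only defined in the bootstrap `dynamic-security.json` assembled in mq/dynsec_helper.go. On a broker whose security file was generated before this change the role does not exist, and assuming the dynamic-security plugin rejects a client bound to an unknown role, node registration and re-authentication would fail; the network role is recreated in this very payload "to resolve any missing configuration in MQ", so the node role deserves the same idempotent treatment. The stale `Node-<id>` roles, and the existing clients still bound to them, are also never cleaned up or migrated. That needs an exported accessor for the node acls again (the commit leaves only unexported `fetchNodeAcls`), e.g. `func FetchNodeAcls() []Acl { return fetchNodeAcls() }`; authenticate's body continues outside the hunk.
```go
Commands: []mq.MqDynSecCmd{
	// … unchanged: network role command …
	{ // idempotent, like the network role above: guarantees the shared node role exists on brokers bootstrapped before it was added
		Command:  mq.CreateRoleCmd,
		RoleName: mq.NodeRole,
		Acls:     mq.FetchNodeAcls(),
		Textname: "Shared role for all nodes",
	},
	// … unchanged: create client command …
```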
@@ -687,12 +680,6 @@ func createNode(w http.ResponseWriter, r *http.Request) { Textname: "Network wide role with Acls for nodes", Acls: mq.FetchNetworkAcls(node.Network), }, - { - Command: mq.CreateRoleCmd, - RoleName: fmt.Sprintf("%s-%s", "Node", node.ID), - Acls: mq.FetchNodeAcls(node.ID), - Textname: "Role for node " + node.Name, - }, { Command: mq.CreateClientCmd, Username: node.ID, @@ -700,7 +687,7 @@ func createNode(w http.ResponseWriter, r *http.Request) { Textname: node.Name, Roles: []mq.MqDynSecRole{ { - Rolename: fmt.Sprintf("%s-%s", "Node", node.ID), + Rolename: mq.NodeRole, Priority: -1, }, { diff --git a/mq/dynsec_helper.go b/mq/dynsec_helper.go index e8e1419a..db0c2ef3 100644 --- a/mq/dynsec_helper.go +++ b/mq/dynsec_helper.go @@ -17,6 +17,8 @@ const ( serverRole = "server" // constant for exporter role exporterRole = "exporter" + // constant for node role + NodeRole = "node" // const for dynamic security file dynamicSecurityFile = "dynamic-security.json" 
@@ -54,121 +56,15 @@ var ( Roles: []role{ { Rolename: adminRole, - Acls: []Acl{ - { - AclType: "publishClientSend", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "$SYS/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "$SYS/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "#", - Priority: -1, - Allow: true, - }, - }, + Acls: fetchAdminAcls(), }, { Rolename: serverRole, - Acls: []Acl{ - { - AclType: "publishClientSend", - Topic: "peers/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "metrics_exporter", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "ping/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "signal/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "metrics/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - }, + Acls: fetchServerAcls(), + }, + { + Rolename: NodeRole, + Acls: fetchNodeAcls(), }, }, DefaultAcl: defaultAccessAcl{ 
@@ -193,26 +89,7 @@ var ( } exporterMQRole = role{ Rolename: exporterRole, - Acls: []Acl{ - { - AclType: "publishClientReceive", - Topic: "metrics_exporter", - Allow: true, - Priority: -1, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - }, + Acls: fetchExporterAcls(), } ) @@ -318,35 +195,47 @@ func FetchNetworkAcls(network string) []Acl { } } -// FetchNodeAcls - fetches node acls -func FetchNodeAcls(nodeID string) []Acl { - // keeping node acls generic as of now. +// serverAcls - fetches server role related acls +func fetchServerAcls() []Acl { return []Acl{ - { - AclType: "publishClientSend", - //Topic: fmt.Sprintf("signal/%s", nodeID), - Topic: "signal/#", + AclType: "publishClientSend", + Topic: "peers/#", Priority: -1, Allow: true, }, { - AclType: "publishClientSend", - // Topic: fmt.Sprintf("update/%s", nodeID), + AclType: "publishClientSend", Topic: "update/#", Priority: -1, Allow: true, }, { - AclType: "publishClientSend", - //Topic: fmt.Sprintf("ping/%s", nodeID), + AclType: "publishClientSend", + Topic: "metrics_exporter", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", Topic: "ping/#", Priority: -1, Allow: true, }, { - AclType: "publishClientSend", - //Topic: fmt.Sprintf("metrics/%s", nodeID), + AclType: "publishClientReceive", + Topic: "update/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", + Topic: "signal/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", Topic: "metrics/#", Priority: -1, Allow: true, 
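Review bot: The doc comment on the new function names it `serverAcls` while the function is `fetchServerAcls`; Go doc comments start with the identifier, so it should read `// fetchServerAcls - fetches server role related acls`, matching the `// fetchNodeAcls - fetches node related acls` form used in the next hunk. This hunk also removes the exported `FetchNodeAcls(nodeID string)` rather than deprecating it; the only callers visible are the two in controllers/node.go that this commit drops, but any other package importing it would no longer compile, which is worth confirming with a repo-wide search. fetchServerAcls's body continues past the end of the hunk.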
@@ -365,3 +254,131 @@ func FetchNodeAcls(nodeID string) []Acl { }, } } + +// fetchNodeAcls - fetches node related acls +func fetchNodeAcls() []Acl { + // keeping node acls generic as of now. + return []Acl{ + + { + AclType: "publishClientSend", + Topic: "signal/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientSend", + Topic: "update/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientSend", + Topic: "ping/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientSend", + Topic: "metrics/#", + Priority: -1, + Allow: true, + }, + { + AclType: "subscribePattern", + Topic: "#", + Priority: -1, + Allow: true, + }, + { + AclType: "unsubscribePattern", + Topic: "#", + Priority: -1, + Allow: true, + }, + } +} + +// fetchExporterAcls - fetch exporter role related acls +func fetchExporterAcls() []Acl { + return []Acl{ + { + AclType: "publishClientReceive", + Topic: "metrics_exporter", + Allow: true, + Priority: -1, + }, + { + AclType: "subscribePattern", + Topic: "#", + Priority: -1, + Allow: true, + }, + { + AclType: "unsubscribePattern", + Topic: "#", + Priority: -1, + Allow: true, + }, + } +} + +// fetchAdminAcls - fetches admin role related acls +func fetchAdminAcls() []Acl { + return []Acl{ + { + AclType: "publishClientSend", + Topic: "$CONTROL/dynamic-security/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", + Topic: "$CONTROL/dynamic-security/#", + Priority: -1, + Allow: true, + }, + { + AclType: "subscribePattern", + Topic: "$CONTROL/dynamic-security/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", + Topic: "$SYS/#", + Priority: -1, + Allow: true, + }, + { + AclType: "subscribePattern", + Topic: "$SYS/#", + Priority: -1, + Allow: true, + }, + { + AclType: "publishClientReceive", + Topic: "#", + Priority: -1, + Allow: true, + }, + { + AclType: "subscribePattern", + Topic: "#", + Priority: -1, + Allow: true, + }, + { + AclType: "unsubscribePattern", + Topic: "#", 
+ Priority: -1, + Allow: true, + }, + { + AclType: "publishClientSend", + Topic: "#", + Priority: -1, + Allow: true, + }, + } +} diff --git a/mq/handlers.go b/mq/handlers.go index 9638043f..9df5b215 100644 --- a/mq/handlers.go +++ b/mq/handlers.go @@ -71,6 +71,7 @@ func UpdateNode(client mqtt.Client, msg mqtt.Message) { logger.Log(1, "error getting node.ID sent on ", msg.Topic(), err.Error()) return } + logger.Log(0, "----------->###### Recieved Node Update for: ", id) currentNode, err := logic.GetNodeByID(id) if err != nil { logger.Log(1, "error getting node ", id, err.Error())
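Review bot: `fetchNodeAcls` hands every node the same role with `subscribePattern` on `#` plus `publishClientSend` on `signal/#`, `update/#`, `ping/#` and `metrics/#`, so the broker no longer distinguishes one node from another: any node client can read every other node's traffic and write into every other node's topics. The old FetchNodeAcls carried commented-out per-node topics (`signal/<id>` etc.), so per-node scoping appears to have been the intent; that trust decision should be stated where a maintainer will see it, replacing `// keeping node acls generic as of now.` with something like `// All nodes share this single role: any node may publish on every node's signal/, update/, ping/ and metrics/ topics and subscribe to everything (#), so the broker enforces no per-node isolation; message origin must not be inferred from the topic alone. Narrowing to <topic>/<nodeID> requires per-node roles again.` Two small points of style in the same hunk: the blank line after `return []Acl{` in fetchNodeAcls should go, and `fetchExporterAcls` lists `Allow` before `Priority` in its first entry while every other literal in the file uses the opposite order.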
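Review bot: The added `logger.Log(0, "----------->###### Recieved Node Update for: ", id)` in UpdateNode looks like leftover debug output: it logs at the most verbose level (0) with decorative markers and a typo ("Recieved"), and it is unrelated to the commit's subject of making node acls generic. If the line is meant to stay, it should follow the neighbouring calls' style, e.g. `logger.Log(2, "received node update for", id)`; otherwise drop it before merge. UpdateNode's body continues outside the hunk.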