watch dynsec messages,create client on node join

2024-09-21 07:46:04 +08:00 · 2022-09-14 15:59:22 +05:30 · 2022-09-14 15:59:22 +05:30 · 5270c1ede8
parent 08a6ed483c
commit 5270c1ede8
5 changed files with 76 additions and 10 deletions
--- a/controllers/node.go
+++ b/controllers/node.go
@ -591,6 +591,33 @@ func createNode(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, formatError(err, "internal"))
 		return
 	}
+	// Create client for this node in Mq
+	// Delete Any Existing Client
+	mq.DynSecChan <- mq.DynSecAction{
+		ActionType: mq.CreateClient,
+		Payload: mq.MqDynsecPayload{
+			Commands: []mq.MqDynSecCmd{
+				{
+					Command:  mq.CreateClientCmd,
+					Username: node.ID,
+					Password: node.Password,
+					Clientid: node.ID,
+					Roles: []mq.MqDynSecRole{
+						{
+							Rolename: "node",
+							Priority: -1,
+						},
+					},
+					Groups: []mq.MqDynSecGroup{
+						{
+							Groupname: "nodes",
+							Priority:  -1,
+						},
+					},
+				},
+			},
+		},
+	}

 	response := models.NodeGet{
 		Node:         node,
--- a/docker/dynamic-security.json
+++ b/docker/dynamic-security.json
@ -1,9 +1,9 @@
 {
 	"clients":	[{
-			"username":	"bob",
+			"username":	"Netmaker-Admin",
 			"textName":	"Dynsec admin user",
-			"password":	"JEfqgJum2mlJa51WTGdvEAs2Rnc8vno14yAsAhxbjo9nKs0GAgL0+YM2iOUaW/GFK8L/B0EkbP5qd1AeyBdRTg==",
-			"salt":	"MgoCdNVGYMqJh+nU",
+			"password":	"T42rorlC/mAP+i19g/YqMlWShPpfo8F/nBz2ZQNRcjAnfczrgu4rIQam9z7T/87NBIHxqR1wMlCIvRN5JApHcw==",
+			"salt":	"lHl24sEf+lJ/kFHk",
 			"iterations":	101,
 			"roles":	[{
 					"rolename":	"admin"
@ -43,12 +43,18 @@
 					"acltype":	"unsubscribePattern",
 					"topic":	"#",
 					"allow":	true
-				}]
+				},
+				{
+					"acltype":	"publishClientSend",
+					"topic":	"#",
+					"allow":	true
+				}
+			]
 		}],
 	"defaultACLAccess":	{
-		"publishClientSend":	false,
+		"publishClientSend":	true,
 		"publishClientReceive":	true,
-		"subscribe":	false,
+		"subscribe":	true,
 		"unsubscribe":	true
 	}
 }
--- a/docker/mosquitto.conf
+++ b/docker/mosquitto.conf
@ -12,7 +12,8 @@
 # allow_anonymous true

 per_listener_settings false
-
+listener 8883
+allow_anonymous false
 listener 1883
 allow_anonymous false
 plugin /usr/lib/mosquitto_dynamic_security.so
--- a/mq/dynsec.go
+++ b/mq/dynsec.go
@ -5,21 +5,34 @@ import (
 	"encoding/json"
 	"fmt"

+	mqtt "github.com/eclipse/paho.mqtt.golang"
 	"github.com/gravitl/netmaker/logger"
 )

-const DynamicSecTopic = "$CONTROL/dynamic-security/#"
+const DynamicSecSubTopic = "$CONTROL/dynamic-security/#"
+const DynamicSecPubTopic = "$CONTROL/dynamic-security/v1"

 type DynSecActionType string

 var (
 	CreateClient            DynSecActionType = "CREATE_CLIENT"
+	DisableClient           DynSecActionType = "DISABLE_CLIENT"
+	EnableClient            DynSecActionType = "ENABLE_CLIENT"
+	DeleteClient            DynSecActionType = "DELETE_CLIENT"
 	CreateAdminClient       DynSecActionType = "CREATE_ADMIN_CLIENT"
+	ModifyClient            DynSecActionType = "MODIFY_CLIENT"
 	DISABLE_EXISTING_ADMINS DynSecActionType = "DISABLE_EXISTING_ADMINS"
 )

+var (
+	CreateClientCmd  = "createClient"
+	DisableClientCmd = "disableClient"
+	DeleteClientCmd  = "deleteClient"
+	ModifyClientCmd  = "modifyClient"
+)
+
 const mqDynSecAdmin = "Netmaker-Admin"
-const defaultAdminPassword = "hello-world"
+const defaultAdminPassword = "Netmaker-Admin"

 type MqDynSecGroup struct {
 	Groupname string `json:"groupname"`
@ -31,10 +44,19 @@ type MqDynSecRole struct {
 	Priority int    `json:"priority"`
 }

+type Acl struct {
+	AclType  string `json:"acl_type"`
+	Topic    string `json:"topic"`
+	Priority int    `json:"priority"`
+	Allow    bool   `json:"allow"`
+}
+
 type MqDynSecCmd struct {
 	Command         string          `json:"command"`
 	Username        string          `json:"username"`
 	Password        string          `json:"password"`
+	RoleName        string          `json:"rolename,omitempty"`
+	Acls            []Acl           `json:"acls,omitempty"`
 	Clientid        string          `json:"clientid"`
 	Textname        string          `json:"textname"`
 	Textdescription string          `json:"textdescription"`
@ -64,7 +86,7 @@ func DynamicSecManager(ctx context.Context) {
 			if err != nil {
 				continue
 			}
-			if token := mqclient.Publish(DynamicSecTopic, 2, false, d); token.Error() != nil {
+			if token := mqclient.Publish(DynamicSecPubTopic, 2, false, d); token.Error() != nil {
 				logger.Log(0, fmt.Sprintf("failed to perform action [%s]: %v",
 					dynSecAction.ActionType, token.Error()))
 			}
@ -72,3 +94,9 @@ func DynamicSecManager(ctx context.Context) {

 	}
 }
+
+func watchDynSecTopic(client mqtt.Client, msg mqtt.Message) {
+
+	logger.Log(1, fmt.Sprintf("----->WatchDynSecTopic Message: %+v", string(msg.Payload())))
+
+}
--- a/mq/mq.go
+++ b/mq/mq.go
@ -52,6 +52,10 @@ func SetupMQTT() {
 			client.Disconnect(240)
 			logger.Log(0, "node client subscription failed")
 		}
+		if token := client.Subscribe(DynamicSecSubTopic, 0, mqtt.MessageHandler(watchDynSecTopic)); token.WaitTimeout(MQ_TIMEOUT*time.Second) && token.Error() != nil {
+			client.Disconnect(240)
+			logger.Log(0, "Dynamic security client subscription failed")
+		}

 		opts.SetOrderMatters(true)
 		opts.SetResumeSubs(true)