package steward
import (
"bytes"
"crypto/sha256"
"fmt"
"log"
"path/filepath"
"sort"
"sync"
"github.com/fxamacker/cbor/v2"
bolt "go.etcd.io/bbolt"
)
// centralAuth holds the logic related to handling public keys and auth maps.
type centralAuth struct {
	// acl and authorization level related data and methods.
	accessLists *accessLists
	// public key distribution related data and methods.
	pki *pki
	// configuration is the node configuration; newCentralAuth hands the same
	// pointer to newPKI and newAccessLists.
	configuration *Configuration
	// errorKernel is passed on to newPKI and newAccessLists; the auth methods
	// in this file report through c.pki.errorKernel or proc.errorKernel.
	errorKernel *errorKernel
}
// newCentralAuth will return a new and prepared *centralAuth.
//
// The pki is created first because the access lists are built on top of it;
// once both exist, the ACLs for all nodes are generated.
func newCentralAuth(configuration *Configuration, errorKernel *errorKernel) *centralAuth {
	ca := &centralAuth{
		configuration: configuration,
		errorKernel:   errorKernel,
	}

	// Access lists depend on the pki, so the order of these two calls matters.
	ca.pki = newPKI(configuration, errorKernel)
	ca.accessLists = newAccessLists(ca.pki, errorKernel, configuration)
	ca.generateACLsForAllNodes()

	return ca
}
// nodesAcked is the structure that holds all the keys that we have
// acknowledged, and that are allowed to be distributed within the
// system. It also contains a hash of all those keys.
type nodesAcked struct {
	// mu guards keysAndHash; the methods in this file take it around every
	// read or write of Keys and Hash.
	mu sync.Mutex
	// keysAndHash holds the Keys map (node -> public key) and the sha256
	// Hash that updateHash computes over the sorted keys.
	keysAndHash *keysAndHash
}
// newNodesAcked will return a prepared *nodesAcked structure.
//
// Only keysAndHash needs initialising; the zero-value mutex is ready for use.
func newNodesAcked() *nodesAcked {
	return &nodesAcked{keysAndHash: newKeysAndHash()}
}
// pki holds the data and method relevant to key handling and distribution.
type pki struct {
	// nodesAcked holds the public keys that have been allowed into the
	// system, together with the hash over them.
	nodesAcked *nodesAcked
	// nodeNotAckedPublicKeys holds keys received from nodes that an operator
	// has not yet allowed.
	nodeNotAckedPublicKeys *nodeNotAckedPublicKeys
	configuration          *Configuration
	// db is the bolt database opened in newPKI. It stays nil when the open
	// failed, and the db* methods below do not check for that.
	db *bolt.DB
	// bucketNamePublicKeys is the bolt bucket the public keys are stored in.
	bucketNamePublicKeys string
	errorKernel          *errorKernel
}
// newPKI will return a prepared *pki with input values set.
//
// It opens the bolt database "auth.db" under configuration.DatabaseFolder
// and, when the db already holds them, loads the stored public keys and the
// stored hash into the in-memory nodesAcked structure. All failures are only
// logged and the *pki is returned anyway.
// NOTE(review): if the open fails, p.db is left nil and the db* methods will
// dereference it later; the caller has no way to detect this.
// NOTE(review): bolt.Open is called with nil options, i.e. no lock Timeout,
// so a second opener of the same file waits indefinitely for the file lock.
func newPKI(configuration *Configuration, errorKernel *errorKernel) *pki {
	p := &pki{
		// schema: make(map[Node]map[argsString]signatureBase32),
		nodesAcked:             newNodesAcked(),
		nodeNotAckedPublicKeys: newNodeNotAckedPublicKeys(configuration),
		configuration:          configuration,
		bucketNamePublicKeys:   "publicKeys",
		errorKernel:            errorKernel,
	}

	// Open the database file for persistent storage of public keys.
	dbPath := filepath.Join(configuration.DatabaseFolder, "auth.db")
	db, err := bolt.Open(dbPath, 0660, nil)
	if err != nil {
		er := fmt.Errorf("newPKI: error: failed to open db: %v", err)
		errorKernel.logConsoleOnlyIfDebug(er, configuration)
		return p
	}
	p.db = db

	// Get public keys from db storage.
	storedKeys, err := p.dbDumpPublicKey()
	if err != nil {
		er := fmt.Errorf("newPKI: dbPublicKeyDump failed, probably empty db: %v", err)
		errorKernel.logConsoleOnlyIfDebug(er, configuration)
	}

	// Only assign from storage to in memory map if the storage contained any values.
	if storedKeys != nil {
		p.nodesAcked.keysAndHash.Keys = storedKeys
		for node, key := range storedKeys {
			er := fmt.Errorf("newPKI: public keys db contains: %v, %v", node, []byte(key))
			errorKernel.logConsoleOnlyIfDebug(er, configuration)
		}
	}

	// Get the current hash from db if one exists.
	storedHash, err := p.dbViewHash()
	if err != nil {
		log.Printf("debug: dbViewHash failed: %v\n", err)
	}
	if storedHash != nil {
		// copy stops at the shorter of the two, so a stored value that is
		// not exactly 32 bytes yields a partially filled hash.
		var h [32]byte
		copy(h[:], storedHash)
		p.nodesAcked.keysAndHash.Hash = h
	}

	return p
}
// addPublicKey to the db if the node do not exist, or if it is a new value.
//
// Nothing is persisted by this method itself: a key identical to the one
// already acknowledged for msg.FromNode is ignored, and any other key is
// stored in the not-acked map, from where an operator has to allow it.
// Only the first sighting of a given not-acked key is reported to the
// error kernel, so repeated announcements of the same key stay quiet.
func (c *centralAuth) addPublicKey(proc process, msg Message) {
	// Check if a key for the current node already exists in the map.
	acked := c.pki.nodesAcked
	acked.mu.Lock()
	ackedKey, isAcked := acked.keysAndHash.Keys[msg.FromNode]
	acked.mu.Unlock()

	if isAcked && bytes.Equal(ackedKey, msg.Data) {
		er := fmt.Errorf("info: public key value for REGISTERED node %v is the same, doing nothing", msg.FromNode)
		proc.errorKernel.logConsoleOnlyIfDebug(er, proc.configuration)
		return
	}

	// We only want to send one notification to the error kernel about new key detection,
	// so we check if the values are the same as the one we already got before we continue
	// with registering and logging for the the new key.
	notAcked := c.pki.nodeNotAckedPublicKeys
	alreadySeen := func() bool {
		notAcked.mu.Lock()
		defer notAcked.mu.Unlock()

		if pending, ok := notAcked.KeyMap[msg.FromNode]; ok && bytes.Equal(pending, msg.Data) {
			return true
		}
		notAcked.KeyMap[msg.FromNode] = msg.Data
		return false
	}()
	if alreadySeen {
		return
	}

	er := fmt.Errorf("info: detected new public key for node: %v. This key will need to be authorized by operator to be allowed into the system", msg.FromNode)
	c.pki.errorKernel.infoSend(proc, msg, er)
	c.pki.errorKernel.logConsoleOnlyIfDebug(er, c.pki.configuration)
}
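// deletePublicKeys removes the public keys of the given nodes from the
// in-memory acked map and from the db.
//
// The in-memory removal happens before the db write, so if the db deletion
// fails (reported to the error kernel as a warning) the two can diverge.
// The hash over the acked keys is not recomputed here; presumably the
// caller invokes updateHash afterwards — confirm.
func (c *centralAuth) deletePublicKeys(proc process, msg Message, nodes []string) {
	// Drop the keys from the in-memory map first.
	func() {
		c.pki.nodesAcked.mu.Lock()
		defer c.pki.nodesAcked.mu.Unlock()

		for _, n := range nodes {
			delete(c.pki.nodesAcked.keysAndHash.Keys, Node(n))
		}
	}()

	err := c.pki.dbDeletePublicKeys(c.pki.bucketNamePublicKeys, nodes)
	if err != nil {
		proc.errorKernel.errSend(proc, msg, err, logWarning)
	}

	// The previous message reported a "new public key detected", a leftover
	// from addPublicKey; report what this method actually did.
	er := fmt.Errorf("info: deleted public keys for nodes: %v, requested by node: %v", nodes, msg.FromNode)
	proc.errorKernel.logConsoleOnlyIfDebug(er, proc.configuration)
	c.pki.errorKernel.infoSend(proc, msg, er)
}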
// // dbGetPublicKey will look up and return a specific value if it exists for a key in a bucket in a DB.
// func (c *centralAuth) dbGetPublicKey(node string) ([]byte, error) {
// var value []byte
// // View is a help function to get values out of the database.
// err := c.db.View(func(tx *bolt.Tx) error {
// //Open a bucket to get key's and values from.
// bu := tx.Bucket([]byte(c.bucketNamePublicKeys))
// if bu == nil {
// log.Printf("info: no db bucket exist: %v\n", c.bucketNamePublicKeys)
// return nil
// }
//
// v := bu.Get([]byte(node))
// if len(v) == 0 {
// log.Printf("info: view: key not found\n")
// return nil
// }
//
// value = v
//
// return nil
// })
//
// return value, err
// }
// dbUpdatePublicKey will update the public key for a node in the db.
//
// The bucket named by p.bucketNamePublicKeys is created on first use. The
// whole write is one read-write transaction: a nil return from the closure
// commits, any error rolls back (including the bucket creation).
func (p *pki) dbUpdatePublicKey(node string, value []byte) error {
	return p.db.Update(func(tx *bolt.Tx) error {
		// Create a bucket
		bu, err := tx.CreateBucketIfNotExists([]byte(p.bucketNamePublicKeys))
		if err != nil {
			return fmt.Errorf("error: CreateBuckerIfNotExists failed: %v", err)
		}

		// Put a value into the bucket; its error, if any, triggers the rollback.
		return bu.Put([]byte(node), value)
	})
}
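// dbDeletePublicKeys will delete the specified keys from the specified
// bucket if it exists.
//
// Deleting a node that has no entry is a no-op for bolt, so only a genuine
// db failure is returned. A missing bucket used to be dereferenced as a nil
// *bolt.Bucket, which panics inside the transaction; it is now reported as
// an error and logged like the other failures.
func (p *pki) dbDeletePublicKeys(bucket string, nodes []string) error {
	return p.db.Update(func(tx *bolt.Tx) error {
		bu := tx.Bucket([]byte(bucket))
		if bu == nil {
			er := fmt.Errorf("error: delete keys: bucket %v does not exist", bucket)
			p.errorKernel.logConsoleOnlyIfDebug(er, p.configuration)
			return er
		}

		for _, n := range nodes {
			if err := bu.Delete([]byte(n)); err != nil {
				er := fmt.Errorf("error: delete key in bucket %v failed: %v", bucket, err)
				p.errorKernel.logConsoleOnlyIfDebug(er, p.configuration)
				return er
			}
		}

		// nil commits the transaction.
		return nil
	})
}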
// dbUpdateHash will store the hash over the public keys in the db, under the
// "hash" key of the "hash" bucket, creating the bucket if needed.
//
// The write is one read-write transaction: a nil return from the closure
// commits, any error rolls back.
func (p *pki) dbUpdateHash(hash []byte) error {
	return p.db.Update(func(tx *bolt.Tx) error {
		// Create a bucket
		bu, err := tx.CreateBucketIfNotExists([]byte("hash"))
		if err != nil {
			return fmt.Errorf("error: CreateBuckerIfNotExists failed: %v", err)
		}

		// Put a value into the bucket; its error, if any, triggers the rollback.
		return bu.Put([]byte("hash"), hash)
	})
}
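// updateHash recomputes the hash over all acknowledged public keys, stores it
// in memory and persists it to the db.
//
// The hash is sha256 over the CBOR encoding of the (node, key) pairs sorted
// by node name, so the result does not depend on map iteration order. Errors
// are reported to the error kernel with errSend; the method has no return
// value. The nodesAcked mutex is held for the whole method.
func (c *centralAuth) updateHash(proc process, message Message) {
	c.pki.nodesAcked.mu.Lock()
	defer c.pki.nodesAcked.mu.Unlock()

	type NodesAndKeys struct {
		Node Node
		Key  []byte
	}

	// Create a slice of all the map keys, and its value.
	keys := c.pki.nodesAcked.keysAndHash.Keys
	sortedNodesAndKeys := make([]NodesAndKeys, 0, len(keys))
	for k, v := range keys {
		sortedNodesAndKeys = append(sortedNodesAndKeys, NodesAndKeys{Node: k, Key: v})
	}

	// Sort the slice based on the node name so the encoding is deterministic.
	sort.SliceStable(sortedNodesAndKeys, func(i, j int) bool {
		return sortedNodesAndKeys[i].Node < sortedNodesAndKeys[j].Node
	})

	// Then create a hash based on the sorted slice.
	b, err := cbor.Marshal(sortedNodesAndKeys)
	if err != nil {
		er := fmt.Errorf("error: methodREQKeysAllow, failed to marshal slice, and will not update hash for public keys: %v", err)
		c.pki.errorKernel.errSend(proc, message, er, logError)
		return
	}

	// Store the hash in the in-memory structure.
	hash := sha256.Sum256(b)
	c.pki.nodesAcked.keysAndHash.Hash = hash

	// Store the hash to the db for persistence. The return value used to be
	// discarded, so the check below was testing the (already nil) marshal
	// error and a failed db write was never reported.
	if err := c.pki.dbUpdateHash(hash[:]); err != nil {
		er := fmt.Errorf("error: methodREQKeysAllow, failed to store the hash into the db: %v", err)
		c.pki.errorKernel.errSend(proc, message, er, logError)
		return
	}
}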
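// dbViewHash will look up and return the stored hash if the "hash" bucket and
// key exist in the db. A missing bucket or key is logged as a warning and
// results in (nil, nil) rather than an error.
//
// The returned slice is a copy: a value handed out by bolt is only valid for
// the life of the read transaction, and the previous implementation returned
// the transaction-owned slice to the caller after the transaction had ended.
func (p *pki) dbViewHash() ([]byte, error) {
	var value []byte

	// View is a help function to get values out of the database.
	err := p.db.View(func(tx *bolt.Tx) error {
		// Open a bucket to get key's and values from.
		bu := tx.Bucket([]byte("hash"))
		if bu == nil {
			er := fmt.Errorf("info: no db hash bucket exist")
			p.errorKernel.logWarn(er, p.configuration)
			return nil
		}

		v := bu.Get([]byte("hash"))
		if len(v) == 0 {
			er := fmt.Errorf("info: view: hash key not found")
			p.errorKernel.logWarn(er, p.configuration)
			return nil
		}

		// Copy out of the db-owned memory before the transaction ends.
		value = append([]byte(nil), v...)
		return nil
	})

	return value, err
}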
// // deleteKeyFromBucket will delete the specified key from the specified
// // bucket if it exists.
// func (c *centralAuth) dbDeletePublicKey(key string) error {
// err := c.db.Update(func(tx *bolt.Tx) error {
// bu := tx.Bucket([]byte(c.bucketNamePublicKeys))
//
// err := bu.Delete([]byte(key))
// if err != nil {
// log.Printf("error: delete key in bucket %v failed: %v\n", c.bucketNamePublicKeys, err)
// }
//
// return nil
// })
//
// return err
// }
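// dbDumpPublicKey will read all the keys and values in the public key bucket
// and return them as a map keyed by node name.
//
// Returns an error if the bucket does not exist (for example on a fresh db)
// or the read transaction fails. Each value is copied out of the
// transaction, since slices returned by bolt are only valid while the
// transaction is open; the previous implementation stored the
// transaction-owned slices directly and dropped the ForEach error.
func (p *pki) dbDumpPublicKey() (map[Node][]byte, error) {
	m := make(map[Node][]byte)

	err := p.db.View(func(tx *bolt.Tx) error {
		bu := tx.Bucket([]byte(p.bucketNamePublicKeys))
		if bu == nil {
			return fmt.Errorf("error: dumpBucket: tx.bucket returned nil")
		}

		// For each element found in the DB, copy it into the map.
		return bu.ForEach(func(k, v []byte) error {
			m[Node(k)] = append([]byte(nil), v...)
			return nil
		})
	})
	if err != nil {
		return nil, err
	}

	return m, nil
}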
// nodeNotAckedPublicKeys holds all the gathered but not acknowledged public
// keys of nodes in the system.
type nodeNotAckedPublicKeys struct {
	// mu guards KeyMap. NOTE(review): addPublicKey only uses Lock/Unlock,
	// never RLock, so the RWMutex is used as a plain mutex in this file.
	mu sync.RWMutex
	// KeyMap maps a node name to the public key it presented but that an
	// operator has not yet allowed into the system.
	KeyMap map[Node][]byte
}
// newNodeNotAckedPublicKeys will return a prepared type of nodePublicKeys.
//
// The configuration argument is accepted for signature compatibility but is
// not used by this constructor.
func newNodeNotAckedPublicKeys(configuration *Configuration) *nodeNotAckedPublicKeys {
	return &nodeNotAckedPublicKeys{
		KeyMap: map[Node][]byte{},
	}
}