1
0
Fork 0
mirror of https://github.com/postmannen/ctrl.git synced 2025-01-19 06:09:30 +00:00
ctrl/doc/concept/auth/main.go

544 lines
16 KiB
Go
Raw Normal View History

2022-05-06 07:47:12 +02:00
package main
import (
2022-05-09 18:59:38 +02:00
"crypto/sha256"
"encoding/json"
2022-05-06 07:47:12 +02:00
"fmt"
"log"
2022-05-09 07:00:52 +02:00
"os"
2022-05-06 07:47:12 +02:00
"sort"
"strings"
"sync"
2022-05-09 19:41:18 +02:00
"github.com/fxamacker/cbor/v2"
2022-05-06 07:47:12 +02:00
"github.com/go-playground/validator/v10"
)
// centralAuth
type centralAuth struct {
authorization *authorization
}
// newCentralAuth
func newCentralAuth() *centralAuth {
c := centralAuth{
authorization: newAuthorization(),
}
return &c
}
// --------------------------------------
type authorization struct {
authSchema *authSchema
}
func newAuthorization() *authorization {
a := authorization{
authSchema: newAuthSchema(),
}
return &a
}
// authSchema holds both the main schema to update by operators,
// and also the indvidual node generated data based on the main schema.
type authSchema struct {
2022-05-11 06:14:26 +02:00
// Holds the editable structures for ACL handling.
schemaMain *schemaMain
// Holds the generated based on the editable structures for ACL handling.
2022-05-06 07:47:12 +02:00
schemaGenerated *schemaGenerated
validator *validator.Validate
}
2022-05-10 06:40:27 +02:00
func newAuthSchema() *authSchema {
a := authSchema{
schemaMain: newSchemaMain(),
schemaGenerated: newSchemaGenerated(),
validator: validator.New(),
}
return &a
}
2022-05-06 07:47:12 +02:00
type node string
type command string
type nodeGroup string
type commandGroup string
2022-05-10 05:47:58 +02:00
// schemaMain is the structure that holds the user editable parts for creating ACL's.
2022-05-06 07:47:12 +02:00
type schemaMain struct {
ACLMap map[node]map[node]map[command]struct{}
NodeGroupMap map[nodeGroup]map[node]struct{}
CommandGroupMap map[commandGroup]map[command]struct{}
mu sync.Mutex
}
func newSchemaMain() *schemaMain {
s := schemaMain{
ACLMap: make(map[node]map[node]map[command]struct{}),
NodeGroupMap: make(map[nodeGroup]map[node]struct{}),
CommandGroupMap: make(map[commandGroup]map[command]struct{}),
}
return &s
}
2022-05-10 05:47:58 +02:00
// schemaGenerated is the structure that holds all the generated ACL's
// to be sent to nodes.
// The ACL's here are generated from the schemaMain.ACLMap.
2022-05-06 07:47:12 +02:00
type schemaGenerated struct {
2022-05-09 20:06:22 +02:00
ACLsToConvert map[node]map[node]map[command]struct{}
2022-05-10 06:40:27 +02:00
GeneratedACLsMap map[node]HostACLsSerializedWithHash
2022-05-09 20:06:22 +02:00
mu sync.Mutex
2022-05-06 07:47:12 +02:00
}
func newSchemaGenerated() *schemaGenerated {
s := schemaGenerated{
2022-05-09 20:06:22 +02:00
ACLsToConvert: map[node]map[node]map[command]struct{}{},
2022-05-10 06:40:27 +02:00
GeneratedACLsMap: make(map[node]HostACLsSerializedWithHash),
2022-05-06 07:47:12 +02:00
}
return &s
}
2022-05-10 06:40:27 +02:00
// HostACLsSerializedWithHash holds the serialized representation node specific ACL's in the authSchema.
2022-05-06 07:47:12 +02:00
// There is also a sha256 hash of the data.
2022-05-10 06:40:27 +02:00
type HostACLsSerializedWithHash struct {
// data is all the ACL's for a specific node serialized.
2022-05-06 07:47:12 +02:00
Data []byte
2022-05-10 06:40:27 +02:00
// hash is the sha256 hash of the ACL's.
// With maps the order are not guaranteed, so A sorted appearance
// of the ACL map for a host node is used when creating the hash,
// so the hash stays the same unless the ACL is changed.
2022-05-06 07:47:12 +02:00
Hash [32]byte
}
2022-05-11 06:14:26 +02:00
// commandAsSlice will convert the given argument into a slice representation.
// If the argument is a group, then all the members of that group will be expanded into
// the slice.
// If the argument is not a group kind of value, then only a slice with that single
// value is returned.
2022-05-10 06:40:27 +02:00
func (a *authSchema) nodeAsSlice(n node) []node {
2022-05-06 07:47:12 +02:00
nodes := []node{}
// Check if we are given a nodeGroup variable, and if we are, get all the
// nodes for that group.
if strings.HasPrefix(string(n), "grp_nodes_") {
for nd := range a.schemaMain.NodeGroupMap[nodeGroup(n)] {
nodes = append(nodes, nd)
}
} else {
// No group found meaning a single node was given as an argument.
nodes = []node{n}
}
return nodes
}
2022-05-10 06:40:27 +02:00
// commandAsSlice will convert the given argument into a slice representation.
2022-05-06 07:47:12 +02:00
// If the argument is a group, then all the members of that group will be expanded into
// the slice.
// If the argument is not a group kind of value, then only a slice with that single
// value is returned.
2022-05-10 06:40:27 +02:00
func (a *authSchema) commandAsSlice(c command) []command {
2022-05-06 07:47:12 +02:00
commands := []command{}
// Check if we are given a nodeGroup variable, and if we are, get all the
// nodes for that group.
2022-05-10 08:25:02 +02:00
if strings.HasPrefix(string(c), "grp_commands_") {
2022-05-06 07:47:12 +02:00
for cmd := range a.schemaMain.CommandGroupMap[commandGroup(c)] {
commands = append(commands, cmd)
}
} else {
// No group found meaning a single node was given as an argument, so we
// just put the single node given as the only value in the slice.
commands = []command{c}
}
return commands
}
2022-05-09 10:55:56 +02:00
// aclAdd will add a command for a fromNode.
2022-05-06 07:47:12 +02:00
// If the node or the fromNode do not exist they will be created.
// The json encoded schema for a node and the hash of those data
// will also be generated.
2022-05-09 10:55:56 +02:00
func (a *authSchema) aclAdd(host node, source node, cmd command) {
2022-05-06 07:47:12 +02:00
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
// Check if node exists in map.
2022-05-09 10:55:56 +02:00
if _, ok := a.schemaMain.ACLMap[host]; !ok {
2022-05-06 07:47:12 +02:00
// log.Printf("info: did not find node=%v in map, creating map[fromnode]map[command]struct{}\n", n)
2022-05-09 10:55:56 +02:00
a.schemaMain.ACLMap[host] = make(map[node]map[command]struct{})
2022-05-06 07:47:12 +02:00
}
2022-05-09 10:55:56 +02:00
// Check if also source node exists in map
if _, ok := a.schemaMain.ACLMap[host][source]; !ok {
2022-05-06 07:47:12 +02:00
// log.Printf("info: did not find node=%v in map, creating map[fromnode]map[command]struct{}\n", fn)
2022-05-09 10:55:56 +02:00
a.schemaMain.ACLMap[host][source] = make(map[command]struct{})
2022-05-06 07:47:12 +02:00
}
2022-05-09 10:55:56 +02:00
a.schemaMain.ACLMap[host][source][cmd] = struct{}{}
2022-05-06 07:47:12 +02:00
// err := a.generateJSONForHostOrGroup(n)
err := a.generateACLsForAllNodes()
2022-05-06 07:47:12 +02:00
if err != nil {
er := fmt.Errorf("error: addCommandForFromNode: %v", err)
log.Printf("%v\n", er)
}
// fmt.Printf(" * DEBUG: aclNodeFromnodeCommandAdd: a.schemaMain.ACLMap=%v\n", a.schemaMain.ACLMap)
}
2022-05-09 07:10:19 +02:00
// aclDeleteCommand will delete the specified command from the fromnode.
func (a *authSchema) aclDeleteCommand(host node, source node, cmd command) error {
2022-05-06 07:47:12 +02:00
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
// Check if node exists in map.
if _, ok := a.schemaMain.ACLMap[host]; !ok {
return fmt.Errorf("authSchema: no such node=%v to delete on in schema exists", host)
}
if _, ok := a.schemaMain.ACLMap[host][source]; !ok {
return fmt.Errorf("authSchema: no such fromnode=%v to delete on in schema for node=%v exists", source, host)
}
if _, ok := a.schemaMain.ACLMap[host][source][cmd]; !ok {
return fmt.Errorf("authSchema: no such command=%v from fromnode=%v to delete on in schema for node=%v exists", cmd, source, host)
}
delete(a.schemaMain.ACLMap[host][source], cmd)
err := a.generateACLsForAllNodes()
2022-05-06 07:47:12 +02:00
if err != nil {
er := fmt.Errorf("error: aclNodeFromNodeCommandDelete: %v", err)
log.Printf("%v\n", er)
}
return nil
}
2022-05-09 10:55:56 +02:00
// aclDeleteSource will delete specified source node and all commands specified for it.
2022-05-09 07:10:19 +02:00
func (a *authSchema) aclDeleteSource(host node, source node) error {
2022-05-06 07:47:12 +02:00
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
// Check if node exists in map.
if _, ok := a.schemaMain.ACLMap[host]; !ok {
return fmt.Errorf("authSchema: no such node=%v to delete on in schema exists", host)
}
if _, ok := a.schemaMain.ACLMap[host][source]; !ok {
return fmt.Errorf("authSchema: no such fromnode=%v to delete on in schema for node=%v exists", source, host)
}
delete(a.schemaMain.ACLMap[host], source)
err := a.generateACLsForAllNodes()
2022-05-06 07:47:12 +02:00
if err != nil {
er := fmt.Errorf("error: aclNodeFromnodeDelete: %v", err)
log.Printf("%v\n", er)
}
return nil
}
// generateACLsForAllNodes will generate a json encoded representation of the node specific
2022-05-06 07:47:12 +02:00
// map values of authSchema, along with a hash of the data.
//
// Will range over all the host elements defined in the ACL, create a new authParser for each one,
// and run a small state machine on each element to create the final ACL result to be used at host
// nodes.
// The result will be written to the schemaGenerated.ACLsToConvert map.
func (a *authSchema) generateACLsForAllNodes() error {
2022-05-10 06:40:27 +02:00
a.schemaGenerated.mu.Lock()
defer a.schemaGenerated.mu.Unlock()
2022-05-06 07:47:12 +02:00
a.schemaGenerated.ACLsToConvert = make(map[node]map[node]map[command]struct{})
2022-05-09 07:00:52 +02:00
// Rangle all ACL's. Both for single hosts, and group of hosts.
// ACL's that are for a group of hosts will be generated split
// out in it's indivial host name, and that current ACL will
// be added to the individual host in the ACLsToConvert map to
// built a complete picture of what the ACL's looks like for each
// individual hosts.
2022-05-06 07:47:12 +02:00
for n := range a.schemaMain.ACLMap {
//a.schemaGenerated.ACLsToConvert = make(map[node]map[node]map[command]struct{})
ap := newAuthParser(n, a)
ap.parse()
}
2022-05-09 07:00:52 +02:00
// ACLsToConvert got the complete picture of what ACL's that
// are defined for each individual host node.
// Range this map, and generate a JSON representation of all
// the ACL's each host.
func() {
for n, m := range a.schemaGenerated.ACLsToConvert {
2022-05-09 19:41:18 +02:00
// cbor marshal the data of the ACL map to store for the host node.
cb, err := cbor.Marshal(m)
2022-05-09 07:00:52 +02:00
if err != nil {
er := fmt.Errorf("error: failed to generate json for host in schemaGenerated: %v", err)
log.Printf("%v\n", er)
os.Exit(1)
}
2022-05-09 19:41:18 +02:00
// Create the hash for the data for the host node.
2022-05-09 18:59:38 +02:00
hash := func() [32]byte {
sns := a.nodeMapToSlice(n)
2022-05-09 19:41:18 +02:00
b, err := cbor.Marshal(sns)
2022-05-09 18:59:38 +02:00
if err != nil {
err := fmt.Errorf("error: authSchema, json for hash: %v", err)
log.Printf("%v\n", err)
return [32]byte{}
}
2022-05-09 19:41:18 +02:00
hash := sha256.Sum256(b)
2022-05-09 18:59:38 +02:00
return hash
}()
2022-05-09 19:41:18 +02:00
// Store both the cbor marshaled data and the hash in a structure.
2022-05-10 06:40:27 +02:00
hostSerialized := HostACLsSerializedWithHash{
2022-05-09 19:41:18 +02:00
Data: cb,
2022-05-09 18:59:38 +02:00
Hash: hash,
2022-05-09 07:00:52 +02:00
}
2022-05-09 19:41:18 +02:00
// and then store the cbor encoded data and the hash in the generated map.
2022-05-10 06:40:27 +02:00
a.schemaGenerated.GeneratedACLsMap[n] = hostSerialized
2022-05-09 07:00:52 +02:00
}
}()
2022-05-06 07:47:12 +02:00
return nil
}
// sourceNode is used to convert the ACL map structure of a host into a slice,
// and we then use the slice representation of the ACL to create the hash for
// a specific host node.
type sourceNode struct {
HostNode node
SourceCommands []sourceNodeCommands
2022-05-06 07:47:12 +02:00
}
// sourceNodeCommand is used to convert the ACL map structure of a host into a slice,
// and we then use the slice representation of the ACL to create the hash for
// a specific host node.
type sourceNodeCommands struct {
Source node
2022-05-06 07:47:12 +02:00
Commands []command
}
2022-05-11 06:14:26 +02:00
// nodeMapToSlice will return a sourceNode structure, with the map sourceNode part
2022-05-06 07:47:12 +02:00
// of the map converted into a slice. Both the from node, and the commands
2022-05-11 06:14:26 +02:00
// defined for each sourceNode are sorted.
2022-05-06 07:47:12 +02:00
// This function is used when creating the hash of the nodeMap since we can not
// guarantee the order of a hash map, but we can with a slice.
func (a *authSchema) nodeMapToSlice(host node) sourceNode {
srcNodes := sourceNode{
HostNode: host,
2022-05-06 07:47:12 +02:00
}
2022-05-09 18:59:38 +02:00
for sn, commandMap := range a.schemaGenerated.ACLsToConvert[host] {
srcC := sourceNodeCommands{
Source: sn,
2022-05-06 07:47:12 +02:00
}
for cmd := range commandMap {
2022-05-09 18:59:38 +02:00
srcC.Commands = append(srcC.Commands, cmd)
2022-05-06 07:47:12 +02:00
}
2022-05-11 06:14:26 +02:00
// Sort all the commands.
2022-05-09 18:59:38 +02:00
sort.SliceStable(srcC.Commands, func(i, j int) bool {
return srcC.Commands[i] < srcC.Commands[j]
2022-05-06 07:47:12 +02:00
})
2022-05-09 18:59:38 +02:00
srcNodes.SourceCommands = append(srcNodes.SourceCommands, srcC)
2022-05-06 07:47:12 +02:00
}
2022-05-11 06:14:26 +02:00
// Sort all the source nodes.
sort.SliceStable(srcNodes.SourceCommands, func(i, j int) bool {
return srcNodes.SourceCommands[i].Source < srcNodes.SourceCommands[j].Source
2022-05-06 07:47:12 +02:00
})
// fmt.Printf(" * nodeMapToSlice: fromNodes: %#v\n", fns)
return srcNodes
2022-05-06 07:47:12 +02:00
}
// groupNodesAddNode adds a node to a group. If the group does
// not exist it will be created.
func (a *authSchema) groupNodesAddNode(ng nodeGroup, n node) {
err := a.validator.Var(ng, "startswith=grp_nodes_")
if err != nil {
log.Printf("error: group name do not start with grp_nodes_: %v\n", err)
return
}
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.NodeGroupMap[ng]; !ok {
a.schemaMain.NodeGroupMap[ng] = make(map[node]struct{})
}
a.schemaMain.NodeGroupMap[ng][n] = struct{}{}
// fmt.Printf(" * groupNodesAddNode: After adding to group node looks like: %+v\n", a.schemaMain.NodeGroupMap)
err = a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupNodesAddNode: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// groupNodesDeleteNode deletes a node from a group in the map.
func (a *authSchema) groupNodesDeleteNode(ng nodeGroup, n node) {
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.NodeGroupMap[ng][n]; !ok {
log.Printf("info: no such node with name=%v found in group=%v\n", ng, n)
return
}
delete(a.schemaMain.NodeGroupMap[ng], n)
//fmt.Printf(" * After deleting nodeGroup map looks like: %+v\n", a.schemaMain.NodeGroupMap)
err := a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupNodesDeleteNode: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// groupNodesDeleteGroup deletes a nodeGroup from map.
func (a *authSchema) groupNodesDeleteGroup(ng nodeGroup) {
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.NodeGroupMap[ng]; !ok {
log.Printf("info: no such group found: %v\n", ng)
return
}
delete(a.schemaMain.NodeGroupMap, ng)
//fmt.Printf(" * After deleting nodeGroup map looks like: %+v\n", a.schemaMain.NodeGroupMap)
err := a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupNodesDeleteGroup: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// -----
// groupCommandsAddCommand adds a command to a group. If the group does
// not exist it will be created.
func (a *authSchema) groupCommandsAddCommand(cg commandGroup, c command) {
2022-05-10 08:25:02 +02:00
err := a.validator.Var(cg, "startswith=grp_commands_")
2022-05-06 07:47:12 +02:00
if err != nil {
2022-05-10 08:25:02 +02:00
log.Printf("error: group name do not start with grp_commands_ : %v\n", err)
2022-05-06 07:47:12 +02:00
return
}
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.CommandGroupMap[cg]; !ok {
a.schemaMain.CommandGroupMap[cg] = make(map[command]struct{})
}
a.schemaMain.CommandGroupMap[cg][c] = struct{}{}
//fmt.Printf(" * groupCommandsAddCommand: After adding command=%v to command group=%v map looks like: %+v\n", c, cg, a.schemaMain.CommandGroupMap)
err = a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupCommandsAddCommand: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// groupCommandsDeleteCommand deletes a command from a group in the map.
func (a *authSchema) groupCommandsDeleteCommand(cg commandGroup, c command) {
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.CommandGroupMap[cg][c]; !ok {
log.Printf("info: no such command with name=%v found in group=%v\n", c, cg)
return
}
delete(a.schemaMain.CommandGroupMap[cg], c)
//fmt.Printf(" * After deleting command=%v from group=%v map looks like: %+v\n", c, cg, a.schemaMain.CommandGroupMap)
err := a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupCommandsDeleteCommand: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// groupCommandDeleteGroup deletes a commandGroup map.
func (a *authSchema) groupCommandDeleteGroup(cg commandGroup) {
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
if _, ok := a.schemaMain.CommandGroupMap[cg]; !ok {
log.Printf("info: no such group found: %v\n", cg)
return
}
delete(a.schemaMain.CommandGroupMap, cg)
//fmt.Printf(" * After deleting commandGroup=%v map looks like: %+v\n", cg, a.schemaMain.CommandGroupMap)
err := a.generateACLsForAllNodes()
if err != nil {
er := fmt.Errorf("error: groupCommandDeleteGroup: %v", err)
log.Printf("%v\n", er)
}
2022-05-06 07:47:12 +02:00
}
// exportACLs will export the current content of the main ACLMap in JSON format.
func (a *authSchema) exportACLs() ([]byte, error) {
2022-05-06 07:47:12 +02:00
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
js, err := json.Marshal(a.schemaMain.ACLMap)
if err != nil {
return nil, fmt.Errorf("error: failed to marshal schemaMain.ACLMap: %v", err)
2022-05-06 07:47:12 +02:00
}
return js, nil
}
// importACLs will import and replace all current ACL's with the ACL's provided as input.
func (a *authSchema) importACLs(js []byte) error {
a.schemaMain.mu.Lock()
defer a.schemaMain.mu.Unlock()
m := make(map[node]map[node]map[command]struct{})
err := json.Unmarshal(js, &m)
if err != nil {
return fmt.Errorf("error: failed to unmarshal into ACLMap: %v", err)
}
a.schemaMain.ACLMap = m
return nil
2022-05-06 07:47:12 +02:00
}