1
0
Fork 0
mirror of https://github.com/postmannen/ctrl.git synced 2024-12-14 12:37:31 +00:00
ctrl/node_auth.go

475 lines
12 KiB
Go
Raw Normal View History

package ctrl
2022-02-07 03:23:13 +00:00
import (
"crypto/ed25519"
"encoding/base64"
2022-04-21 11:21:36 +00:00
"encoding/json"
2022-02-07 03:23:13 +00:00
"fmt"
2022-04-21 11:21:36 +00:00
"io"
2022-02-07 03:23:13 +00:00
"os"
"path/filepath"
"strings"
2022-02-07 03:23:13 +00:00
"sync"
)
2022-05-24 11:45:41 +00:00
// nodeAuth is the structure that holds both keys and acl's
// that the running ctrl node shall use for authorization.
// It holds a mutex to use when interacting with the map.
2022-04-21 11:21:36 +00:00
type nodeAuth struct {
2022-05-24 11:45:41 +00:00
// ACL that defines where a node is allowed to recieve from.
nodeAcl *nodeAcl
// All the public keys for nodes a node is allowed to receive from.
publicKeys *publicKeys
2022-02-07 03:23:13 +00:00
// Full path to the signing keys folder
SignKeyFolder string
// Full path to private signing key.
SignKeyPrivateKeyPath string
// Full path to public signing key.
SignKeyPublicKeyPath string
// private key for ed25519 signing.
SignPrivateKey []byte
// public key for ed25519 signing.
SignPublicKey []byte
configuration *Configuration
errorKernel *errorKernel
}
2022-04-21 11:21:36 +00:00
func newNodeAuth(configuration *Configuration, errorKernel *errorKernel) *nodeAuth {
n := nodeAuth{
nodeAcl: newNodeAcl(configuration, errorKernel),
publicKeys: newPublicKeys(configuration, errorKernel),
2022-05-24 11:45:41 +00:00
configuration: configuration,
errorKernel: errorKernel,
2022-02-07 03:23:13 +00:00
}
// Set the signing key paths.
2022-04-21 11:21:36 +00:00
n.SignKeyFolder = filepath.Join(configuration.ConfigFolder, "signing")
n.SignKeyPrivateKeyPath = filepath.Join(n.SignKeyFolder, "private.key")
n.SignKeyPublicKeyPath = filepath.Join(n.SignKeyFolder, "public.key")
2022-02-07 03:23:13 +00:00
2022-04-21 11:21:36 +00:00
err := n.loadSigningKeys()
2022-02-07 03:23:13 +00:00
if err != nil {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("newNodeAuth: %v", err)
errorKernel.logError(er)
2022-02-07 03:23:13 +00:00
os.Exit(1)
}
2022-04-21 11:21:36 +00:00
return &n
}
2022-02-07 03:23:13 +00:00
2022-05-24 11:45:41 +00:00
// --------------------- ACL ---------------------
type aclAndHash struct {
Acl map[Node]map[command]struct{}
Hash [32]byte
}
func newAclAndHash() aclAndHash {
a := aclAndHash{
Acl: make(map[Node]map[command]struct{}),
}
return a
}
type nodeAcl struct {
// allowed is a map for holding all the allowed signatures.
aclAndHash aclAndHash
filePath string
mu sync.Mutex
errorKernel *errorKernel
configuration *Configuration
2022-05-24 11:45:41 +00:00
}
func newNodeAcl(c *Configuration, errorKernel *errorKernel) *nodeAcl {
2022-05-24 11:45:41 +00:00
n := nodeAcl{
aclAndHash: newAclAndHash(),
filePath: filepath.Join(c.DatabaseFolder, "node_aclmap.txt"),
errorKernel: errorKernel,
configuration: c,
2022-05-24 11:45:41 +00:00
}
2022-05-24 11:53:37 +00:00
err := n.loadFromFile()
if err != nil {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("error: newNodeAcl: loading acl's from file: %v", err)
errorKernel.logError(er)
2022-05-24 11:53:37 +00:00
// os.Exit(1)
}
2022-05-24 11:45:41 +00:00
return &n
}
// loadFromFile will try to load all the currently stored acl's from file,
// and return the error if it fails.
// If no file is found a nil error is returned.
func (n *nodeAcl) loadFromFile() error {
if _, err := os.Stat(n.filePath); os.IsNotExist(err) {
// Just logging the error since it is not crucial that a key file is missing,
// since a new one will be created on the next update.
er := fmt.Errorf("acl: loadFromFile: no acl file found at %v", n.filePath)
n.errorKernel.logDebug(er)
2022-05-24 11:45:41 +00:00
return nil
}
fh, err := os.OpenFile(n.filePath, os.O_RDONLY, 0660)
2022-05-24 11:45:41 +00:00
if err != nil {
return fmt.Errorf("error: failed to open acl file: %v", err)
}
defer fh.Close()
b, err := io.ReadAll(fh)
if err != nil {
return err
}
n.mu.Lock()
defer n.mu.Unlock()
err = json.Unmarshal(b, &n.aclAndHash)
if err != nil {
return err
}
er := fmt.Errorf("nodeAcl: loadFromFile: Loaded existing acl's from file: %v", n.aclAndHash.Hash)
n.errorKernel.logDebug(er)
2022-05-24 11:45:41 +00:00
return nil
}
2022-05-24 11:45:41 +00:00
// saveToFile will save the acl to file for persistent storage.
// An error is returned if it fails.
func (n *nodeAcl) saveToFile() error {
fh, err := os.OpenFile(n.filePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0660)
2022-05-24 11:45:41 +00:00
if err != nil {
return fmt.Errorf("error: failed to acl file: %v", err)
}
defer fh.Close()
n.mu.Lock()
defer n.mu.Unlock()
enc := json.NewEncoder(fh)
enc.SetEscapeHTML(false)
err = enc.Encode(n.aclAndHash)
// HERE
// b, err := json.Marshal(n.aclAndHash)
2022-05-24 11:45:41 +00:00
if err != nil {
return err
}
// _, err = fh.Write(b)
// if err != nil {
// return err
// }
2022-05-24 11:45:41 +00:00
return nil
}
2022-05-24 11:45:41 +00:00
// --------------------- KEYS ---------------------
2022-05-16 05:15:38 +00:00
type keysAndHash struct {
Keys map[Node][]byte
Hash [32]byte
}
func newKeysAndHash() *keysAndHash {
kh := keysAndHash{
Keys: make(map[Node][]byte),
}
return &kh
}
type publicKeys struct {
keysAndHash *keysAndHash
mu sync.Mutex
filePath string
errorKernel *errorKernel
configuration *Configuration
}
func newPublicKeys(c *Configuration, errorKernel *errorKernel) *publicKeys {
p := publicKeys{
keysAndHash: newKeysAndHash(),
filePath: filepath.Join(c.DatabaseFolder, "publickeys.txt"),
errorKernel: errorKernel,
configuration: c,
2022-04-21 11:21:36 +00:00
}
err := p.loadFromFile()
if err != nil {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("error: newPublicKeys: loading public keys from file: %v", err)
errorKernel.logError(er)
2022-04-21 11:21:36 +00:00
// os.Exit(1)
}
return &p
}
2022-04-21 11:21:36 +00:00
// loadFromFile will try to load all the currently stored public keys from file,
// and return the error if it fails.
// If no file is found a nil error is returned.
func (p *publicKeys) loadFromFile() error {
if _, err := os.Stat(p.filePath); os.IsNotExist(err) {
// Just logging the error since it is not crucial that a key file is missing,
// since a new one will be created on the next update.
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("no public keys file found at %v, new file will be created", p.filePath)
p.errorKernel.logInfo(er)
2022-04-21 11:21:36 +00:00
return nil
}
fh, err := os.OpenFile(p.filePath, os.O_RDONLY, 0660)
2022-04-21 11:21:36 +00:00
if err != nil {
return fmt.Errorf("error: failed to open public keys file: %v", err)
}
defer fh.Close()
b, err := io.ReadAll(fh)
if err != nil {
return err
}
p.mu.Lock()
defer p.mu.Unlock()
2022-05-16 05:15:38 +00:00
err = json.Unmarshal(b, &p.keysAndHash)
2022-04-21 11:21:36 +00:00
if err != nil {
return err
}
er := fmt.Errorf("nodeAuth: loadFromFile: Loaded existing keys from file: %v", p.keysAndHash.Hash)
p.errorKernel.logDebug(er)
2022-04-21 11:21:36 +00:00
return nil
}
// saveToFile will save all the public kets to file for persistent storage.
// An error is returned if it fails.
func (p *publicKeys) saveToFile() error {
fh, err := os.OpenFile(p.filePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0660)
2022-04-21 11:21:36 +00:00
if err != nil {
return fmt.Errorf("error: failed to open public keys file: %v", err)
}
defer fh.Close()
p.mu.Lock()
defer p.mu.Unlock()
2022-05-16 05:15:38 +00:00
b, err := json.Marshal(p.keysAndHash)
2022-04-21 11:21:36 +00:00
if err != nil {
return err
}
_, err = fh.Write(b)
if err != nil {
return err
}
return nil
}
2022-02-07 03:23:13 +00:00
// loadSigningKeys will try to load the ed25519 signing keys. If the
// files are not found new keys will be generated and written to disk.
2022-04-21 11:21:36 +00:00
func (n *nodeAuth) loadSigningKeys() error {
2022-02-07 03:23:13 +00:00
// Check if folder structure exist, if not create it.
2022-04-21 11:21:36 +00:00
if _, err := os.Stat(n.SignKeyFolder); os.IsNotExist(err) {
err := os.MkdirAll(n.SignKeyFolder, 0770)
2022-02-07 03:23:13 +00:00
if err != nil {
er := fmt.Errorf("error: failed to create directory for signing keys : %v", err)
return er
}
}
// Check if there already are any keys in the etc folder.
foundKey := false
2022-04-21 11:21:36 +00:00
if _, err := os.Stat(n.SignKeyPublicKeyPath); !os.IsNotExist(err) {
2022-02-07 03:23:13 +00:00
foundKey = true
}
2022-04-21 11:21:36 +00:00
if _, err := os.Stat(n.SignKeyPrivateKeyPath); !os.IsNotExist(err) {
2022-02-07 03:23:13 +00:00
foundKey = true
}
// If no keys where found generete a new pair, load them into the
// processes struct fields, and write them to disk.
if !foundKey {
pub, priv, err := ed25519.GenerateKey(nil)
if err != nil {
er := fmt.Errorf("error: failed to generate ed25519 keys for signing: %v", err)
return er
}
pubB64string := base64.RawStdEncoding.EncodeToString(pub)
privB64string := base64.RawStdEncoding.EncodeToString(priv)
// Write public key to file.
2022-04-21 11:21:36 +00:00
err = n.writeSigningKey(n.SignKeyPublicKeyPath, pubB64string)
2022-02-07 03:23:13 +00:00
if err != nil {
return err
}
// Write private key to file.
2022-04-21 11:21:36 +00:00
err = n.writeSigningKey(n.SignKeyPrivateKeyPath, privB64string)
2022-02-07 03:23:13 +00:00
if err != nil {
return err
}
// Also store the keys in the processes structure so we can
// reference them from there when we need them.
2022-04-21 11:21:36 +00:00
n.SignPublicKey = pub
n.SignPrivateKey = priv
2022-02-07 03:23:13 +00:00
er := fmt.Errorf("info: no signing keys found, generating new keys")
n.errorKernel.logInfo(er)
2022-02-07 03:23:13 +00:00
// We got the new generated keys now, so we can return.
return nil
}
// Key files found, load them into the processes struct fields.
2022-04-21 11:21:36 +00:00
pubKey, _, err := n.readKeyFile(n.SignKeyPublicKeyPath)
2022-02-07 03:23:13 +00:00
if err != nil {
return err
}
2022-04-21 11:21:36 +00:00
n.SignPublicKey = pubKey
2022-02-07 03:23:13 +00:00
2022-04-21 11:21:36 +00:00
privKey, _, err := n.readKeyFile(n.SignKeyPrivateKeyPath)
2022-02-07 03:23:13 +00:00
if err != nil {
return err
}
2022-04-21 11:21:36 +00:00
n.SignPublicKey = pubKey
n.SignPrivateKey = privKey
2022-02-07 03:23:13 +00:00
return nil
}
// writeSigningKey will write the base64 encoded signing key to file.
2022-04-21 11:21:36 +00:00
func (n *nodeAuth) writeSigningKey(realPath string, keyB64 string) error {
fh, err := os.OpenFile(realPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0660)
2022-02-07 03:23:13 +00:00
if err != nil {
er := fmt.Errorf("error: failed to open key file for writing: %v", err)
return er
}
defer fh.Close()
_, err = fh.Write([]byte(keyB64))
if err != nil {
er := fmt.Errorf("error: failed to write key to file: %v", err)
return er
}
return nil
}
// readKeyFile will take the path of a key file as input, read the base64
// encoded data, decode the data. It will return the raw data as []byte,
// the base64 encoded data, and any eventual error.
2022-04-21 11:21:36 +00:00
func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte, err error) {
2022-02-07 03:23:13 +00:00
fh, err := os.Open(keyFile)
if err != nil {
er := fmt.Errorf("error: failed to open key file: %v", err)
return nil, nil, er
}
defer fh.Close()
b, err := io.ReadAll(fh)
2022-02-07 03:23:13 +00:00
if err != nil {
er := fmt.Errorf("error: failed to read key file: %v", err)
return nil, nil, er
}
key, err := base64.RawStdEncoding.DecodeString(string(b))
if err != nil {
er := fmt.Errorf("error: failed to base64 decode key data: %v", err)
return nil, nil, er
}
return key, b, nil
}
// verifySignature
2022-04-21 11:21:36 +00:00
func (n *nodeAuth) verifySignature(m Message) bool {
2022-05-27 05:57:23 +00:00
// NB: Only enable signature checking for REQCliCommand for now.
if m.Method != REQCliCommand {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifySignature: not REQCliCommand and will not do signature check, method: %v", m.Method)
n.errorKernel.logInfo(er)
return true
}
2022-02-07 03:23:13 +00:00
// Verify if the signature matches.
argsStringified := argsToString(m.MethodArgs)
var ok bool
err := func() error {
n.publicKeys.mu.Lock()
pubKey := n.publicKeys.keysAndHash.Keys[m.FromNode]
if len(pubKey) != 32 {
2023-01-12 11:01:01 +00:00
err := fmt.Errorf("length of publicKey not equal to 32: %v", len(pubKey))
return err
}
ok = ed25519.Verify(pubKey, []byte(argsStringified), m.ArgSignature)
n.publicKeys.mu.Unlock()
return nil
}()
if err != nil {
n.errorKernel.logError(err)
}
2022-02-07 03:23:13 +00:00
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("info: verifySignature, result: %v, fromNode: %v, method: %v", ok, m.FromNode, m.Method)
n.errorKernel.logInfo(er)
2022-05-27 05:57:23 +00:00
return ok
}
// verifyAcl
func (n *nodeAuth) verifyAcl(m Message) bool {
// NB: Only enable acl checking for REQCliCommand for now.
if m.Method != REQCliCommand {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifyAcl: not REQCliCommand and will not do acl check, method: %v", m.Method)
n.errorKernel.logInfo(er)
2022-05-27 05:57:23 +00:00
return true
}
argsStringified := argsToString(m.MethodArgs)
// Verify if the command matches the one in the acl map.
n.nodeAcl.mu.Lock()
defer n.nodeAcl.mu.Unlock()
cmdMap, ok := n.nodeAcl.aclAndHash.Acl[m.FromNode]
if !ok {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifyAcl: The fromNode=%v was not found in the acl", m.FromNode)
n.errorKernel.logError(er)
2022-05-27 05:57:23 +00:00
return false
}
_, ok = cmdMap[command("*")]
if ok {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifyAcl: The acl said \"*\", all commands allowed from node=%v", m.FromNode)
n.errorKernel.logInfo(er)
return true
}
2022-05-27 05:57:23 +00:00
_, ok = cmdMap[command(argsStringified)]
if !ok {
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifyAcl: The command=%v was NOT FOUND in the acl", m.MethodArgs)
n.errorKernel.logInfo(er)
2022-05-27 05:57:23 +00:00
return false
}
2023-01-12 11:01:01 +00:00
er := fmt.Errorf("verifyAcl: the command was FOUND in the acl, verifyAcl, result: %v, fromNode: %v, method: %v", ok, m.FromNode, m.Method)
n.errorKernel.logInfo(er)
2022-02-07 03:23:13 +00:00
return true
2022-02-07 03:23:13 +00:00
}
// argsToString takes args in the format of []string and returns a string.
func argsToString(args []string) string {
return strings.Join(args, " ")
}