mirrors/ctrl
mirrors/ctrl
1
0
Fork 0
mirror of https://github.com/postmannen/ctrl.git synced 2024-12-14 12:37:31 +00:00
Code Activity

acl verification seems to initially work

Browse source
This commit is contained in:
postmannen 2022-05-28 07:10:19 +02:00
parent 93c1ccda4b
commit 0c7ec3a5b0
2 changed files with 48 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
node_auth.go
View file

@ -372,17 +372,11 @@ func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte,
// verifySignature // verifySignature
func (n *nodeAuth) verifySignature(m Message) bool { func (n *nodeAuth) verifySignature(m Message) bool {
// fmt.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method) log.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method)
if !n.configuration.EnableSignatureCheck {
log.Printf(" * DEBUG: verifySignature: EnableSignatureCheck set to false\n")
return true
}
log.Printf(" * DEBUG: verifySignature: EnableSignatureCheck set to true\n")
// NB: Only enable signature checking for REQCliCommand for now. // NB: Only enable signature checking for REQCliCommand for now.
if m.Method != REQCliCommand { if m.Method != REQCliCommand {
// fmt.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n") log.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n")
return true return true
} }
@ -399,11 +393,7 @@ func (n *nodeAuth) verifySignature(m Message) bool {
// verifyAcl // verifyAcl
func (n *nodeAuth) verifyAcl(m Message) bool { func (n *nodeAuth) verifyAcl(m Message) bool {
// fmt.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method) fmt.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method)
if !n.configuration.EnableAclCheck {
log.Printf(" * DEBUG: verifyAcl: EnableAclCheck set to false\n")
return true
}
// NB: Only enable acl checking for REQCliCommand for now. // NB: Only enable acl checking for REQCliCommand for now.
if m.Method != REQCliCommand { if m.Method != REQCliCommand {

70
process.go
View file

@ -523,39 +523,59 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
out := []byte{} out := []byte{}
var err error var err error
// The verify functions will return true if the signature or acl is correct, doHandler := false
// but will return false if the signature or acl is wrong.
// They will also return true if the configuration flag for checking the acl
// or the signature is set to false.
sigOK := p.nodeAuth.verifySignature(message)
log.Printf("info: sigOK=%v\n", sigOK)
aclOK := p.nodeAuth.verifyAcl(message)
log.Printf("info: aclOK=%v\n", aclOK)
// We should allow to call the handler if either:
// 1. signature and acl is OK for when acl verification is enabled.
// 2. just signature is OK, if just signature checking is enabled.
// 3. Since the verify functions return true if the verification is
// disabled, the handler will be called if both are disabled.
switch { switch {
case sigOK && aclOK || sigOK:
log.Printf("info: subscriberHandler: signature and acl check successful: %v", err) // If no checking enabled we should just allow the message.
case !p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=false, EnableAclCheck=false\n")
log.Printf(" * DEBUG: no checking at all is enabled, allow the message\n")
doHandler = true
// If only sig check enabled, and sig OK, we should allow the message.
case p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=false\n")
log.Printf(" * DEBUG: only signature checking enabled, allow the message if sigOK\n")
sigOK := p.nodeAuth.verifySignature(message)
log.Printf("info: sigOK=%v\n", sigOK)
if sigOK {
doHandler = true
}
// If both sig and acl check enabled, and sig and acl OK, we should allow the message.
case p.nodeAuth.configuration.EnableSignatureCheck && p.nodeAuth.configuration.EnableAclCheck:
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=true\n")
log.Printf(" * DEBUG: both signature and acl checking enabled, allow the message if sigOK and aclOK\n")
sigOK := p.nodeAuth.verifySignature(message)
log.Printf("info: sigOK=%v\n", sigOK)
aclOK := p.nodeAuth.verifyAcl(message)
log.Printf("info: aclOK=%v\n", aclOK)
if sigOK && aclOK {
doHandler = true
}
// none of the verification options matched, we should keep the default value
// of doHandler=false, so the handler is not done.
default:
log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message\n")
}
switch {
case doHandler:
log.Printf("info: subscriberHandler: doHandler=true: %v\n", doHandler)
out, err = mh.handler(p, message, thisNode) out, err = mh.handler(p, message, thisNode)
if err != nil { if err != nil {
er := fmt.Errorf("error: subscriberHandler: handler method failed: %v", err) er := fmt.Errorf("error: subscriberHandler: handler method failed: %v", err)
p.errorKernel.errSend(p, message, er) p.errorKernel.errSend(p, message, er)
log.Printf("%v\n", er) log.Printf("%v\n", er)
} }
case sigOK && !aclOK: default:
er := fmt.Errorf("error: subscriberHandler: acl check failed: %v", err) er := fmt.Errorf("error: subscriberHandler: doHandler=false, doing nothing")
p.errorKernel.errSend(p, message, er)
log.Printf("%v\n", er)
case !sigOK && !aclOK:
er := fmt.Errorf("error: subscriberHandler: signature and acl check failed: %v", err)
p.errorKernel.errSend(p, message, er)
log.Printf("%v\n", er)
case !sigOK:
er := fmt.Errorf("error: subscriberHandler: signature check failed: %v", err)
p.errorKernel.errSend(p, message, er) p.errorKernel.errSend(p, message, er)
log.Printf("%v\n", er) log.Printf("%v\n", er)
} }