hello reigster contains signatures of nodes

central_auth.go

@@ -1,18 +1,34 @@
 package steward
 
+import "sync"
+
 type signatureBase32 string
 type argsString string
-
 type centralAuth struct {
-	schema map[Node]map[argsString]signatureBase32
-
-	configuration *Configuration
+	schema         map[Node]map[argsString]signatureBase32
+	nodePublicKeys nodePublicKeys
+	configuration  *Configuration
 }
 
-func newCentralAuth() *centralAuth {
+func newCentralAuth(configuration *Configuration) *centralAuth {
 	a := centralAuth{
-		schema: make(map[Node]map[argsString]signatureBase32),
+		schema:         make(map[Node]map[argsString]signatureBase32),
+		nodePublicKeys: *newNodePublicKeys(),
+		configuration:  configuration,
 	}
 
 	return &a
 }
+
+type nodePublicKeys struct {
+	mu     sync.Mutex
+	keyMap map[Node]string
+}
+
+func newNodePublicKeys() *nodePublicKeys {
+	n := nodePublicKeys{
+		keyMap: make(map[Node]string),
+	}
+
+	return &n
+}

configuration_flags.go

@@ -61,7 +61,7 @@ type Configuration struct {
 	// Full path to the NKEY's seed file
 	NkeySeedFile string
 	// NkeyPublicKey
-	NkeyPublicKey string
+	NkeyPublicKey string `toml:"-"`
 	// The host and port to expose the data folder
 	ExposeDataFolder string
 	// Timeout for error messages

doc/concept/auth/auth.md

@@ -32,6 +32,10 @@ This can be done at the subject level on the broker since we are using NKEY's to
   * Only CentralAuth can send REQAuthUpdate, REQCertUpdate to nodes.
   * Only CentralAuth can receive REQAddAuth or REQDelAuth.
 
+#### Signing authorization updates to nodes
+
+Authorization updates to nodes should be signed with the private key of the central auth server, so the receving node can verify the signature and then update the node's authorization.
+
 ### Hello register
 
 Create a database of all the nodes from where we have received hello messages which is stored persistently to disk. We can then use this register as the source for what nodes are in the network, whom to ask for public keys.

processes.go

@@ -263,7 +263,8 @@ func (s startup) pubREQHello(p process) {
 		ticker := time.NewTicker(time.Second * time.Duration(p.configuration.StartPubREQHello))
 		for {
 
-			d := fmt.Sprintf("Hello from %v\n", p.node)
+			// d := fmt.Sprintf("Hello from %v\n", p.node)
+			d := proc.configuration.NkeyPublicKey
 
 			m := Message{
 				FileName:   "hello.log",
@@ -356,7 +357,7 @@ func (s startup) subREQHello(p process) {
 	// of the nodes we've received hello's from in the sayHelloNodes map,
 	// which is the information we pass along to generate metrics.
 	proc.procFunc = func(ctx context.Context, procFuncCh chan Message) error {
-		sayHelloNodes := make(map[Node]struct{})
+		// sayHelloNodes := make(map[Node]struct{})
 
 		for {
 			// Receive a copy of the message sent from the method handler.
@@ -372,10 +373,13 @@ func (s startup) subREQHello(p process) {
 			}
 
 			// Add an entry for the node in the map
-			sayHelloNodes[m.FromNode] = struct{}{}
+			s.server.centralAuth.nodePublicKeys.mu.Lock()
+			s.server.centralAuth.nodePublicKeys.keyMap[m.FromNode] = string(m.Data)
+			fmt.Printf(" * MAP CONTENT:\n %v\n", s.server.centralAuth.nodePublicKeys.keyMap)
+			s.server.centralAuth.nodePublicKeys.mu.Unlock()
 
 			// update the prometheus metrics
-			s.metrics.promHelloNodesTotal.Set(float64(len(sayHelloNodes)))
+			s.metrics.promHelloNodesTotal.Set(float64(len(s.server.centralAuth.nodePublicKeys.keyMap)))
 			s.metrics.promHelloNodesContactLast.With(prometheus.Labels{"nodeName": string(m.FromNode)}).SetToCurrentTime()
 
 		}

server.go

@@ -162,7 +162,7 @@ func NewServer(configuration *Configuration, version string) (*server, error) {
 		errorKernel:    errorKernel,
 		signatures:     signatures,
 		helloRegister:  newHelloRegister(),
-		centralAuth:    newCentralAuth(),
+		centralAuth:    newCentralAuth(configuration),
 	}
 
 	s.processes = newProcesses(ctx, &s)