Turned off escaping when saving the ACL to file, cleaned up ACL debug output to console; ACL distribution and verification seem to work.
This commit is contained in:
parent
d3078a79aa
commit
8887fd4c2f
5 changed files with 41 additions and 40 deletions
@ -307,6 +307,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
|
|||
// a.schemaMain.mu.Lock()
|
||||
// defer a.schemaMain.mu.Unlock()
|
||||
enc := json.NewEncoder(fh)
|
||||
enc.SetEscapeHTML(false)
|
||||
enc.Encode(c.accessLists.schemaMain.ACLMap)
|
||||
if err != nil {
|
||||
er := fmt.Errorf("error: generateACLsForAllNodes: encoding json to file failed: %v, err: %v", c.accessLists.schemaMain.ACLMapFilePath, err)
|
||||
|
@ -353,7 +354,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
|
|||
// cbor marshal the data of the ACL map to store for the host node.
|
||||
cb, err := cbor.Marshal(m)
|
||||
if err != nil {
|
||||
er := fmt.Errorf("error: failed to generate cbor for host in schemaGenerated: %v", err)
|
||||
er := fmt.Errorf("error: generateACLsForAllNodes: failed to generate cbor for host in schemaGenerated: %v", err)
|
||||
log.Printf("%v\n", er)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
@ -364,7 +365,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
|
|||
|
||||
b, err := cbor.Marshal(sns)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("error: authSchema, json for hash: %v", err)
|
||||
err := fmt.Errorf("error: generateACLsForAllNodes: failed to generate cbor for hash: %v", err)
|
||||
log.Printf("%v\n", err)
|
||||
return [32]byte{}
|
||||
}
|
||||
|
|
40
node_auth.go
40
node_auth.go
|
@ -146,15 +146,21 @@ func (n *nodeAcl) saveToFile() error {
|
|||
|
||||
n.mu.Lock()
|
||||
defer n.mu.Unlock()
|
||||
b, err := json.Marshal(n.aclAndHash)
|
||||
|
||||
enc := json.NewEncoder(fh)
|
||||
enc.SetEscapeHTML(false)
|
||||
enc.Encode(n.aclAndHash)
|
||||
|
||||
// HERE
|
||||
// b, err := json.Marshal(n.aclAndHash)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = fh.Write(b)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// _, err = fh.Write(b)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -373,11 +379,9 @@ func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte,
|
|||
|
||||
// verifySignature
|
||||
func (n *nodeAuth) verifySignature(m Message) bool {
|
||||
log.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method)
|
||||
|
||||
// NB: Only enable signature checking for REQCliCommand for now.
|
||||
if m.Method != REQCliCommand {
|
||||
log.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n")
|
||||
log.Printf(" * DEBUG: verifySignature,not REQCliCommand and will not do signature check, method: %v\n", m.Method)
|
||||
return true
|
||||
}
|
||||
|
||||
|
@ -410,11 +414,9 @@ func (n *nodeAuth) verifySignature(m Message) bool {
|
|||
|
||||
// verifyAcl
|
||||
func (n *nodeAuth) verifyAcl(m Message) bool {
|
||||
log.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method)
|
||||
|
||||
// NB: Only enable acl checking for REQCliCommand for now.
|
||||
if m.Method != REQCliCommand {
|
||||
log.Printf(" * DEBUG: verifyAcl: WAS OTHER THAN CLI COMMAND\n")
|
||||
log.Printf(" * DEBUG: verifyAcl: not REQCliCommand and will not do acl check, method: %v\n", m.Method)
|
||||
return true
|
||||
}
|
||||
|
||||
|
@ -426,21 +428,25 @@ func (n *nodeAuth) verifyAcl(m Message) bool {
|
|||
|
||||
cmdMap, ok := n.nodeAcl.aclAndHash.Acl[m.FromNode]
|
||||
if !ok {
|
||||
log.Printf(" * DEBUG: verifyAcl: The fromNode was not found in the acl\n")
|
||||
log.Printf(" * DEBUG: verifyAcl: The fromNode=%v was not found in the acl\n", m.FromNode)
|
||||
return false
|
||||
}
|
||||
|
||||
_, ok = cmdMap[command("*")]
|
||||
if ok {
|
||||
log.Printf(" * DEBUG: verifyAcl: The acl said \"*\", all commands allowed from node=%v\n", m.FromNode)
|
||||
return true
|
||||
}
|
||||
|
||||
_, ok = cmdMap[command(argsStringified)]
|
||||
if !ok {
|
||||
log.Printf(" * DEBUG: verifyAcl: The command was NOT FOUND in the acl\n")
|
||||
log.Printf(" * DEBUG: verifyAcl: The command=%v was NOT FOUND in the acl\n", m.MethodArgs)
|
||||
return false
|
||||
}
|
||||
|
||||
log.Printf(" * DEBUG: verifyAcl: The command was FOUND in the acl\n")
|
||||
log.Printf(" * DEBUG: The command was FOUND in the acl, verifyAcl, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
|
||||
|
||||
log.Printf(" * DEBUG: verifyAcl, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
|
||||
|
||||
return ok
|
||||
return true
|
||||
}
|
||||
|
||||
// argsToString takes args in the format of []string and returns a string.
|
||||
|
|
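Review bot: In saveToFile (hunk at -146) the result of `enc.Encode(n.aclAndHash)` is discarded, so the `if err != nil` that follows only tests whatever `err` held before the hunk (presumably the file open above it, which is outside the hunk) and a failed encode or write to `fh` makes saveToFile return nil, leaving the node believing its ACL was persisted when the file may be empty or truncated. Replace the call with `if err := enc.Encode(n.aclAndHash); err != nil { return err }` and drop the now-dead `// HERE`, `// b, err := json.Marshal(n.aclAndHash)` and `// _, err = fh.Write(b)` leftovers. The same pattern is introduced in the generateACLsForAllNodes hunk (-307), where `enc.Encode(c.accessLists.schemaMain.ACLMap)` is likewise followed by a check of a stale `err`, so the "encoding json to file failed" error built there can never be observed; use the same `if err := enc.Encode(...); err != nil` form. The enclosing saveToFile starts before the hunk.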
18
process.go
18
process.go
|
@ -583,17 +583,14 @@ func (p process) verifySigOrAclFlag(message Message) bool {
|
|||
|
||||
// If no checking enabled we should just allow the message.
|
||||
case !p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
|
||||
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=false, EnableAclCheck=false\n")
|
||||
log.Printf(" * DEBUG: no checking at all is enabled, allow the message\n")
|
||||
log.Printf(" * DEBUG: verify acl/sig: no acl or signature checking at all is enabled, ALLOW the message, method=%v\n", message.Method)
|
||||
doHandler = true
|
||||
|
||||
// If only sig check enabled, and sig OK, we should allow the message.
|
||||
case p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
|
||||
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=false\n")
|
||||
log.Printf(" * DEBUG: only signature checking enabled, allow the message if sigOK\n")
|
||||
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
log.Printf("info: sigOK=%v, method %v\n", sigOK, message.Method)
|
||||
|
||||
log.Printf(" * DEBUG: verify acl/sig: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v\n", sigOK, message.Method)
|
||||
|
||||
if sigOK {
|
||||
doHandler = true
|
||||
|
@ -601,13 +598,10 @@ func (p process) verifySigOrAclFlag(message Message) bool {
|
|||
|
||||
// If both sig and acl check enabled, and sig and acl OK, we should allow the message.
|
||||
case p.nodeAuth.configuration.EnableSignatureCheck && p.nodeAuth.configuration.EnableAclCheck:
|
||||
log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=true\n")
|
||||
log.Printf(" * DEBUG: both signature and acl checking enabled, allow the message if sigOK and aclOK\n")
|
||||
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
log.Printf("info: sigOK=%v, method=%v\n", sigOK, message.Method)
|
||||
aclOK := p.nodeAuth.verifyAcl(message)
|
||||
log.Printf("info: aclOK=%v\n", aclOK)
|
||||
|
||||
log.Printf(" * DEBUG: verify acl/sig:both signature and acl checking enabled, allow the message if sigOK and aclOK, or method is not REQCliCommand, sigOK=%v, aclOK=%v, method=%v\n", sigOK, aclOK, message.Method)
|
||||
|
||||
if sigOK && aclOK {
|
||||
doHandler = true
|
||||
|
@ -616,7 +610,7 @@ func (p process) verifySigOrAclFlag(message Message) bool {
|
|||
// none of the verification options matched, we should keep the default value
|
||||
// of doHandler=false, so the handler is not done.
|
||||
default:
|
||||
log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message\n")
|
||||
log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message, method=%v\n", message.Method)
|
||||
}
|
||||
|
||||
return doHandler
|
||||
|
|
|
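Review bot: The new `log.Printf(" * DEBUG: verify acl/sig: ...")` lines in all three hunks of verifySigOrAclFlag are emitted unconditionally for every message, so the debug chatter added here stays on in production and cannot be switched off, unlike the handler in the last section, which routes its console debug through `proc.errorKernel.logConsoleOnlyIfDebug(inf, proc.configuration)`. Consider the same gate here, e.g. `p.errorKernel.logConsoleOnlyIfDebug(fmt.Errorf(" * DEBUG: verify acl/sig: ..., method=%v", message.Method), p.configuration)`, assuming `fmt` is in scope in process.go and that `errorKernel`/`configuration` are reachable from `p` as they are from `proc` in that handler. The message in the -601 hunk also says "or method is not REQCliCommand", which describes an allow path that lives inside verifySignature/verifyAcl (both return true for anything but REQCliCommand) rather than in this switch; a short comment on that case, such as `// verifySignature/verifyAcl return true for methods other than REQCliCommand, so only CLI commands are actually gated here.`, would make the allow decision auditable from this function. The enclosing switch and function begin before the first hunk and end after the last.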
@ -347,7 +347,7 @@ func (s startup) pubREQKeysRequestUpdate(p process) {
|
|||
// and update with new keys back.
|
||||
|
||||
proc.nodeAuth.publicKeys.mu.Lock()
|
||||
fmt.Printf("\n ----> publisher REQKeysRequestUpdate: sending our current hash: %v\n\n", []byte(proc.nodeAuth.publicKeys.keysAndHash.Hash[:]))
|
||||
fmt.Printf(" ----> publisher REQKeysRequestUpdate: sending our current hash: %v\n", []byte(proc.nodeAuth.publicKeys.keysAndHash.Hash[:]))
|
||||
|
||||
m := Message{
|
||||
FileName: "publickeysget.log",
|
||||
|
@ -402,7 +402,7 @@ func (s startup) pubREQAclRequestUpdate(p process) {
|
|||
// and update with new keys back.
|
||||
|
||||
proc.nodeAuth.nodeAcl.mu.Lock()
|
||||
fmt.Printf("\n ----> publisher REQAclRequestUpdate: sending our current hash: %v\n\n", []byte(proc.nodeAuth.nodeAcl.aclAndHash.Hash[:]))
|
||||
fmt.Printf(" ----> publisher REQAclRequestUpdate: sending our current hash: %v\n", []byte(proc.nodeAuth.nodeAcl.aclAndHash.Hash[:]))
|
||||
|
||||
m := Message{
|
||||
FileName: "aclRequestUpdate.log",
|
||||
|
|
|
@ -21,10 +21,10 @@ func (m methodREQAclRequestUpdate) getKind() Event {
|
|||
|
||||
// Handler to get all acl's from a central server.
|
||||
func (m methodREQAclRequestUpdate) handler(proc process, message Message, node string) ([]byte, error) {
|
||||
inf := fmt.Errorf("<--- subscriber methodREQAclRequestUpdate received from: %v, and the data which is the nodes current acl hash containing: %v", message.FromNode, message.MethodArgs)
|
||||
inf := fmt.Errorf("<--- subscriber methodREQAclRequestUpdate received from: %v, hash data = %v", message.FromNode, message.Data)
|
||||
proc.errorKernel.logConsoleOnlyIfDebug(inf, proc.configuration)
|
||||
|
||||
fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message brought to handler : %+v\n", message)
|
||||
// fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message brought to handler : %+v\n", message)
|
||||
|
||||
// Get a context with the timeout specified in message.MethodTimeout.
|
||||
ctx, _ := getContextForMethodTimeout(proc.ctx, message)
|
||||
|
@ -63,19 +63,19 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
|
|||
// // TODO: PROBLEM: The existing generated acl's are not loaded when starting, or not stored at all.
|
||||
//}
|
||||
|
||||
fmt.Printf(" ---- subscriber methodREQAclRequestUpdate: got acl hash from NODE=%v, HASH=%v\n", message.FromNode, message.Data)
|
||||
log.Printf(" ---- subscriber methodREQAclRequestUpdate: got acl hash from NODE=%v, HASH data =%v\n", message.FromNode, message.Data)
|
||||
|
||||
// Check if the received hash is the same as the one currently active,
|
||||
// If it is the same we exit the handler immediately.
|
||||
hash32 := proc.centralAuth.accessLists.schemaGenerated.GeneratedACLsMap[message.FromNode].Hash
|
||||
hash := hash32[:]
|
||||
fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: on central hash32=%v\n\n", hash32)
|
||||
log.Printf("---- subscriber methodREQAclRequestUpdate: the central acl hash=%v\n", hash32)
|
||||
if bytes.Equal(hash, message.Data) {
|
||||
fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAVE EQUAL ACL HASH, NOTHING TO DO, EXITING HANDLER\n\n")
|
||||
log.Printf("---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAVE EQUAL ACL HASH, NOTHING TO DO, EXITING HANDLER\n")
|
||||
return
|
||||
}
|
||||
|
||||
fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAD NOT EQUAL ACL, PREPARING TO SEND NEW VERSION OF Acl\n\n")
|
||||
log.Printf("---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAD NOT EQUAL ACL, PREPARING TO SEND NEW VERSION OF Acl\n")
|
||||
|
||||
// Generate JSON for Message.Data
|
||||
|
||||
|
@ -92,7 +92,7 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
|
|||
log.Fatalf("%v\n", er)
|
||||
}
|
||||
|
||||
fmt.Printf("\n ----> subscriber methodREQAclRequestUpdate: SENDING ACL'S TO NODE=%v, serializedAndHash=%+v\n", message.FromNode, hdh)
|
||||
fmt.Printf(" ----> subscriber methodREQAclRequestUpdate: SENDING ACL'S TO NODE=%v, serializedAndHash=%+v\n", message.FromNode, hdh)
|
||||
|
||||
newReplyMessage(proc, message, js)
|
||||
}()
|
||||
|
|