From 8887fd4c2f75d92c1a1b24b752475533d718d932 Mon Sep 17 00:00:00 2001
From: postmannen
Date: Thu, 2 Jun 2022 06:29:37 +0200
Subject: [PATCH] turned off escaping when saving acl to file, cleaned up acl debug to console, acl distribution and verification seems to work
---
 central_auth_acl_handling.go | 5 +++--
 node_auth.go | 40 +++++++++++++++++++++---------------
 process.go | 18 ++++++----------
 processes.go | 4 ++--
 requests_acl.go | 14 ++++++-------
 5 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/central_auth_acl_handling.go b/central_auth_acl_handling.go
index 613f9de..b618eae 100644
--- a/central_auth_acl_handling.go
+++ b/central_auth_acl_handling.go
@@ -307,6 +307,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
 // a.schemaMain.mu.Lock()
 // defer a.schemaMain.mu.Unlock()
 enc := json.NewEncoder(fh)
+ enc.SetEscapeHTML(false)
 enc.Encode(c.accessLists.schemaMain.ACLMap)
 if err != nil {
 er := fmt.Errorf("error: generateACLsForAllNodes: encoding json to file failed: %v, err: %v", c.accessLists.schemaMain.ACLMapFilePath, err)
@@ -353,7 +354,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
 // cbor marshal the data of the ACL map to store for the host node.
 cb, err := cbor.Marshal(m)
 if err != nil {
- er := fmt.Errorf("error: failed to generate cbor for host in schemaGenerated: %v", err)
+ er := fmt.Errorf("error: generateACLsForAllNodes: failed to generate cbor for host in schemaGenerated: %v", err)
 log.Printf("%v\n", er)
 os.Exit(1)
 }
@@ -364,7 +365,7 @@ func (c *centralAuth) generateACLsForAllNodes() error {
 
 b, err := cbor.Marshal(sns)
 if err != nil {
- err := fmt.Errorf("error: authSchema, json for hash: %v", err)
+ err := fmt.Errorf("error: generateACLsForAllNodes: failed to generate cbor for hash: %v", err)
 log.Printf("%v\n", err)
 return [32]byte{}
 }
diff --git a/node_auth.go b/node_auth.go
index 4406916..a8332bb 100644
--- a/node_auth.go
+++ b/node_auth.go
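Review bot: The result of `enc.Encode(c.accessLists.schemaMain.ACLMap)` is discarded, so the `if err != nil` directly below it tests whatever `err` held before this hunk and a failed encode leaves the ACL file on disk truncated or partial with no log line and no exit; the added `enc.SetEscapeHTML(false)` does not change that. Capture the error on that line, `err = enc.Encode(c.accessLists.schemaMain.ACLMap)`, so the existing branch fires. Turning HTML escaping off is fine for a file that is only ever parsed back as JSON, but say so where it is done, e.g. `// no HTML escaping: this file is read back as JSON, never rendered, and rule strings must stay byte-exact`. generateACLsForAllNodes starts and ends outside the hunk.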
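Review bot: The third hunk still returns `[32]byte{}` when cbor.Marshal fails, so whoever consumes this value receives an all-zero hash that is indistinguishable from a real digest; the reworded error message does not address that. The `err :=` inside `if err != nil` also shadows the outer error (harmless here since it is only logged, but `err = fmt.Errorf(...)` or a separate local such as `er` as the hunk above uses would be clearer). Whether the zero hash is ever compared as genuine depends on the caller, which is outside the hunk, as is the enclosing function — the header names generateACLsForAllNodes but the `[32]byte` return suggests a nested helper.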
@@ -146,15 +146,21 @@ func (n *nodeAcl) saveToFile() error { n.mu.Lock() defer n.mu.Unlock() - b, err := json.Marshal(n.aclAndHash) + + enc := json.NewEncoder(fh) + enc.SetEscapeHTML(false) + enc.Encode(n.aclAndHash) + + // HERE + // b, err := json.Marshal(n.aclAndHash) if err != nil { return err } - _, err = fh.Write(b) - if err != nil { - return err - } + // _, err = fh.Write(b) + // if err != nil { + // return err + // } return nil } @@ -373,11 +379,9 @@ func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte, // verifySignature func (n *nodeAuth) verifySignature(m Message) bool { - log.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method) - // NB: Only enable signature checking for REQCliCommand for now. if m.Method != REQCliCommand { - log.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n") + log.Printf(" * DEBUG: verifySignature,not REQCliCommand and will not do signature check, method: %v\n", m.Method) return true } @@ -410,11 +414,9 @@ func (n *nodeAuth) verifySignature(m Message) bool { // verifyAcl func (n *nodeAuth) verifyAcl(m Message) bool { - log.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method) - // NB: Only enable acl checking for REQCliCommand for now. if m.Method != REQCliCommand { - log.Printf(" * DEBUG: verifyAcl: WAS OTHER THAN CLI COMMAND\n") + log.Printf(" * DEBUG: verifyAcl: not REQCliCommand and will not do acl check, method: %v\n", m.Method) return true } 
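Review bot: `enc.Encode(n.aclAndHash)` drops its error, so the `if err != nil { return err }` that follows checks a stale `err` from before the hunk and saveToFile returns nil after a failed write; if `fh` was opened with truncation (outside the hunk) the node is then left with an empty or partial ACL file and no signal that its access list is gone. Replace the encode plus the stale check with `if err := enc.Encode(n.aclAndHash); err != nil { return err }`, and drop the `// HERE` marker and the commented-out Marshal/Write block, which now only mislead the next reader. The opening of fh and the rest of saveToFile are outside the hunk.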
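Review bot: The early `return true` for every method other than REQCliCommand means signature verification is skipped for all other request types, which presumably includes the key- and ACL-distribution requests touched elsewhere in this patch; the new wording only describes that more clearly. If the restriction is intentional for now, it deserves a marker that does not hide in a DEBUG line, e.g. `// TODO(security): only REQCliCommand is verified; every other method is accepted unsigned.` above the check, and the allowed-method set should live in one place rather than being repeated as a literal in verifySignature and verifyAcl. verifySignature continues past this hunk.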
@@ -426,21 +428,25 @@ func (n *nodeAuth) verifyAcl(m Message) bool {
 
 cmdMap, ok := n.nodeAcl.aclAndHash.Acl[m.FromNode]
 if !ok {
- log.Printf(" * DEBUG: verifyAcl: The fromNode was not found in the acl\n")
+ log.Printf(" * DEBUG: verifyAcl: The fromNode=%v was not found in the acl\n", m.FromNode)
 return false
 }
+ _, ok = cmdMap[command("*")]
+ if ok {
+ log.Printf(" * DEBUG: verifyAcl: The acl said \"*\", all commands allowed from node=%v\n", m.FromNode)
+ return true
+ }
+
 _, ok = cmdMap[command(argsStringified)]
 if !ok {
- log.Printf(" * DEBUG: verifyAcl: The command was NOT FOUND in the acl\n")
+ log.Printf(" * DEBUG: verifyAcl: The command=%v was NOT FOUND in the acl\n", m.MethodArgs)
 return false
 }
- log.Printf(" * DEBUG: verifyAcl: The command was FOUND in the acl\n")
+ log.Printf(" * DEBUG: The command was FOUND in the acl, verifyAcl, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
 
- log.Printf(" * DEBUG: verifyAcl, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
-
- return ok
+ return true
 }
 
 // argsToString takes args in the format of []string and returns a string.
diff --git a/process.go b/process.go
index fecdd1b..008f090 100644
--- a/process.go
+++ b/process.go
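Review bot: The new NOT FOUND line logs `m.MethodArgs` while the lookup key is `argsStringified`, so the log can differ from what was actually matched; use `log.Printf(" * DEBUG: verifyAcl: The command=%q was NOT FOUND in the acl\n", argsStringified)` so an operator sees the exact key, with `%q` making empty or whitespace-bearing keys visible. The FOUND line's `result: %v` always prints true at that point and can go. One caveat that applies to both the new wildcard branch and the exact match: both key off argsToString, defined below this hunk, and if it joins the arguments with a plain separator two different argument vectors can collapse to the same key and match a rule written for one of them, so it is worth confirming the joining is unambiguous (quote each element, or match on the slice). verifyAcl starts outside the hunk, and whether n.nodeAcl.mu is held around these map reads is not visible here.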
@@ -583,17 +583,14 @@ func (p process) verifySigOrAclFlag(message Message) bool { // If no checking enabled we should just allow the message. case !p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck: - log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=false, EnableAclCheck=false\n") - log.Printf(" * DEBUG: no checking at all is enabled, allow the message\n") + log.Printf(" * DEBUG: verify acl/sig: no acl or signature checking at all is enabled, ALLOW the message, method=%v\n", message.Method) doHandler = true // If only sig check enabled, and sig OK, we should allow the message. case p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck: - log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=false\n") - log.Printf(" * DEBUG: only signature checking enabled, allow the message if sigOK\n") - sigOK := p.nodeAuth.verifySignature(message) - log.Printf("info: sigOK=%v, method %v\n", sigOK, message.Method) + + log.Printf(" * DEBUG: verify acl/sig: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v\n", sigOK, message.Method) if sigOK { doHandler = true 
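Review bot: The new `log.Printf(" * DEBUG: ...")` lines are emitted unconditionally, so every message that passes through verifySigOrAclFlag writes a console line in production, while requests_acl.go in this same patch routes its debug output through `proc.errorKernel.logConsoleOnlyIfDebug(inf, proc.configuration)`. Using that helper here too would make the DEBUG prefix mean debug-only, e.g. `p.errorKernel.logConsoleOnlyIfDebug(fmt.Errorf(" * DEBUG: verify acl/sig: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v", sigOK, message.Method), p.configuration)`, assuming errorKernel and configuration are reachable from the process receiver as they are from proc elsewhere. The switch and the function continue outside the hunk.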
@@ -601,13 +598,10 @@ func (p process) verifySigOrAclFlag(message Message) bool { // If both sig and acl check enabled, and sig and acl OK, we should allow the message. case p.nodeAuth.configuration.EnableSignatureCheck && p.nodeAuth.configuration.EnableAclCheck: - log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=true\n") - log.Printf(" * DEBUG: both signature and acl checking enabled, allow the message if sigOK and aclOK\n") - sigOK := p.nodeAuth.verifySignature(message) - log.Printf("info: sigOK=%v, method=%v\n", sigOK, message.Method) aclOK := p.nodeAuth.verifyAcl(message) - log.Printf("info: aclOK=%v\n", aclOK) + + log.Printf(" * DEBUG: verify acl/sig:both signature and acl checking enabled, allow the message if sigOK and aclOK, or method is not REQCliCommand, sigOK=%v, aclOK=%v, method=%v\n", sigOK, aclOK, message.Method) if sigOK && aclOK { doHandler = true @@ -616,7 +610,7 @@ func (p process) verifySigOrAclFlag(message Message) bool { // none of the verification options matched, we should keep the default value // of doHandler=false, so the handler is not done. default: - log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message\n") + log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message, method=%v\n", message.Method) } return doHandler diff --git a/processes.go b/processes.go index 3dd3dda..6def926 100644 --- a/processes.go +++ b/processes.go @@ -347,7 +347,7 @@ func (s startup) pubREQKeysRequestUpdate(p process) { // and update with new keys back. proc.nodeAuth.publicKeys.mu.Lock() - fmt.Printf("\n ----> publisher REQKeysRequestUpdate: sending our current hash: %v\n\n", []byte(proc.nodeAuth.publicKeys.keysAndHash.Hash[:])) + fmt.Printf(" ----> publisher REQKeysRequestUpdate: sending our current hash: %v\n", []byte(proc.nodeAuth.publicKeys.keysAndHash.Hash[:])) m := Message{ FileName: "publickeysget.log", 
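Review bot: When sigOK or aclOK is false the message is silently dropped: the only trace is the DEBUG line that fires before the decision, so a forged or unauthorized REQCliCommand leaves no non-debug audit record on the receiving node. Give the `if sigOK && aclOK {` block (it closes outside the hunk) an else branch such as `} else { log.Printf("warning: verifySigOrAclFlag: REJECTED message, sigOK=%v, aclOK=%v, fromNode=%v, method=%v\n", sigOK, aclOK, message.FromNode, message.Method) }`, and do the same for the signature-only case in the previous hunk; all of those variables are already in scope here.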
@@ -402,7 +402,7 @@ func (s startup) pubREQAclRequestUpdate(p process) {
 // and update with new keys back.
 proc.nodeAuth.nodeAcl.mu.Lock()
- fmt.Printf("\n ----> publisher REQAclRequestUpdate: sending our current hash: %v\n\n", []byte(proc.nodeAuth.nodeAcl.aclAndHash.Hash[:]))
+ fmt.Printf(" ----> publisher REQAclRequestUpdate: sending our current hash: %v\n", []byte(proc.nodeAuth.nodeAcl.aclAndHash.Hash[:]))
 
 m := Message{
 FileName: "aclRequestUpdate.log",
diff --git a/requests_acl.go b/requests_acl.go
index afdfb7e..545670a 100644
--- a/requests_acl.go
+++ b/requests_acl.go
@@ -21,10 +21,10 @@ func (m methodREQAclRequestUpdate) getKind() Event {
 
 // Handler to get all acl's from a central server.
 func (m methodREQAclRequestUpdate) handler(proc process, message Message, node string) ([]byte, error) {
- inf := fmt.Errorf("<--- subscriber methodREQAclRequestUpdate received from: %v, and the data which is the nodes current acl hash containing: %v", message.FromNode, message.MethodArgs)
+ inf := fmt.Errorf("<--- subscriber methodREQAclRequestUpdate received from: %v, hash data = %v", message.FromNode, message.Data)
 proc.errorKernel.logConsoleOnlyIfDebug(inf, proc.configuration)
 
- fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message brought to handler : %+v\n", message)
+ // fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message brought to handler : %+v\n", message)
 
 // Get a context with the timeout specified in message.MethodTimeout.
 ctx, _ := getContextForMethodTimeout(proc.ctx, message)
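Review bot: `ctx, _ := getContextForMethodTimeout(proc.ctx, message)` at the end of the requests_acl.go hunk discards the second return value; if, as the name suggests, that is the CancelFunc from context.WithTimeout, the timer and context live until the timeout fires for every ACL request handled. Keep it as `ctx, cancel := getContextForMethodTimeout(proc.ctx, message)` and call `cancel()` where the work using ctx finishes — the later hunk ends with `}()`, so if the body runs in a goroutine the `defer cancel()` belongs inside it, not in the handler. Separately, the new inf message prints message.Data with %v, which for a 32-byte hash is a long decimal slice; `%x` is compact and matches how digests are compared by eye. The handler continues outside the hunk.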
@@ -63,19 +63,19 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
 // // TODO: PROBLEM: The existing generated acl's are not loaded when starting, or not stored at all.
 //}
- fmt.Printf(" ---- subscriber methodREQAclRequestUpdate: got acl hash from NODE=%v, HASH=%v\n", message.FromNode, message.Data)
+ log.Printf(" ---- subscriber methodREQAclRequestUpdate: got acl hash from NODE=%v, HASH data =%v\n", message.FromNode, message.Data)
 // Check if the received hash is the same as the one currently active,
 // If it is the same we exit the handler immediately.
 hash32 := proc.centralAuth.accessLists.schemaGenerated.GeneratedACLsMap[message.FromNode].Hash
 hash := hash32[:]
- fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: on central hash32=%v\n\n", hash32)
+ log.Printf("---- subscriber methodREQAclRequestUpdate: the central acl hash=%v\n", hash32)
 if bytes.Equal(hash, message.Data) {
- fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAVE EQUAL ACL HASH, NOTHING TO DO, EXITING HANDLER\n\n")
+ log.Printf("---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAVE EQUAL ACL HASH, NOTHING TO DO, EXITING HANDLER\n")
 return
 }
- fmt.Printf("\n ---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAD NOT EQUAL ACL, PREPARING TO SEND NEW VERSION OF Acl\n\n")
+ log.Printf("---- subscriber methodREQAclRequestUpdate: NODE AND CENTRAL HAD NOT EQUAL ACL, PREPARING TO SEND NEW VERSION OF Acl\n")
 // Generate JSON for Message.Data
@@ -92,7 +92,7 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
 log.Fatalf("%v\n", er)
 }
- fmt.Printf("\n ----> subscriber methodREQAclRequestUpdate: SENDING ACL'S TO NODE=%v, serializedAndHash=%+v\n", message.FromNode, hdh)
+ fmt.Printf(" ----> subscriber methodREQAclRequestUpdate: SENDING ACL'S TO NODE=%v, serializedAndHash=%+v\n", message.FromNode, hdh)
 newReplyMessage(proc, message, js)
 }()
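Review bot: `GeneratedACLsMap[message.FromNode].Hash` ignores the missing-key case, so for a node central has no generated ACL for, hash32 is all zeros and the handler proceeds into the "HAD NOT EQUAL ACL, PREPARING TO SEND" path with nothing in the logs saying the node is unknown. Make the lookup explicit, `gen, ok := proc.centralAuth.accessLists.schemaGenerated.GeneratedACLsMap[message.FromNode]` followed by `if !ok { log.Printf("info: methodREQAclRequestUpdate: no generated acl for node=%v\n", message.FromNode); return }`, or whatever the intended behaviour for an unknown node is — what the send path does with it is outside the hunk. Since message.FromNode comes from the request and verifySignature in this patch skips every method except REQCliCommand, the request is acted on for whichever node name it claims; worth confirming the reply cannot deliver one node's ACL to another. Whether the map read is guarded by a lock is also not visible here.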
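Review bot: `log.Fatalf("%v\n", er)` two lines above the changed Printf terminates the whole central process from inside a request handler (the closing `}()` suggests this runs in a goroutine), so one serialization failure while answering a single node's ACL request takes ACL distribution down for every node; the cosmetic Printf change does not touch that. Log and `return` instead, or report through proc.errorKernel as the earlier hunk in this file does. The `%+v` of hdh on the changed line also dumps the full serialized ACL into the console on every send; logging only the hash would be enough and keeps rule contents out of the log. Whether er can be triggered by externally supplied data depends on what is marshalled, which is outside the hunk.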