mirror of
https://github.com/postmannen/ctrl.git
synced 2024-12-14 12:37:31 +00:00
signature check working
This commit is contained in:
postmannen
parent
c354856696
commit
93c1ccda4b
3 changed files with 60 additions and 16 deletions
|
|
@ -378,6 +378,8 @@ func (n *nodeAuth) verifySignature(m Message) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
log.Printf(" * DEBUG: verifySignature: EnableSignatureCheck set to true\n")
|
||||
|
||||
// NB: Only enable signature checking for REQCliCommand for now.
|
||||
if m.Method != REQCliCommand {
|
||||
// fmt.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n")
|
||||
|
|
@ -386,9 +388,11 @@ func (n *nodeAuth) verifySignature(m Message) bool {
|
|||
|
||||
// Verify if the signature matches.
|
||||
argsStringified := argsToString(m.MethodArgs)
|
||||
ok := ed25519.Verify(n.SignPublicKey, []byte(argsStringified), m.ArgSignature)
|
||||
n.publicKeys.mu.Lock()
|
||||
ok := ed25519.Verify(n.publicKeys.keysAndHash.Keys[m.FromNode], []byte(argsStringified), m.ArgSignature)
|
||||
n.publicKeys.mu.Unlock()
|
||||
|
||||
fmt.Printf(" * DEBUG: verifySignature, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
|
||||
log.Printf("info: verifySignature, result: %v, fromNode: %v, method: %v\n", ok, m.FromNode, m.Method)
|
||||
|
||||
return ok
|
||||
}
|
||||
|
|
|
|||
46
process.go
46
process.go
|
|
@ -523,13 +523,41 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
|
|||
out := []byte{}
|
||||
var err error
|
||||
|
||||
if p.nodeAuth.verifySignature(message) {
|
||||
// Call the method handler for the specified method.
|
||||
// The verify functions will return true if the signature or acl is correct,
|
||||
// but will return false if the signature or acl is wrong.
|
||||
// They will also return true if the configuration flag for checking the acl
|
||||
// or the signature is set to false.
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
log.Printf("info: sigOK=%v\n", sigOK)
|
||||
aclOK := p.nodeAuth.verifyAcl(message)
|
||||
log.Printf("info: aclOK=%v\n", aclOK)
|
||||
|
||||
// We should allow to call the handler if either:
|
||||
// 1. signature and acl is OK for when acl verification is enabled.
|
||||
// 2. just signature is OK, if just signature checking is enabled.
|
||||
// 3. Since the verify functions return true if the verification is
|
||||
// disabled, the handler will be called if both are disabled.
|
||||
switch {
|
||||
case sigOK && aclOK || sigOK:
|
||||
log.Printf("info: subscriberHandler: signature and acl check successful: %v", err)
|
||||
out, err = mh.handler(p, message, thisNode)
|
||||
if err != nil {
|
||||
er := fmt.Errorf("error: subscriberHandler: handler method failed: %v", err)
|
||||
p.errorKernel.errSend(p, message, er)
|
||||
log.Printf("%v\n", er)
|
||||
}
|
||||
case sigOK && !aclOK:
|
||||
er := fmt.Errorf("error: subscriberHandler: acl check failed: %v", err)
|
||||
p.errorKernel.errSend(p, message, er)
|
||||
log.Printf("%v\n", er)
|
||||
case !sigOK && !aclOK:
|
||||
er := fmt.Errorf("error: subscriberHandler: signature and acl check failed: %v", err)
|
||||
p.errorKernel.errSend(p, message, er)
|
||||
log.Printf("%v\n", er)
|
||||
case !sigOK:
|
||||
er := fmt.Errorf("error: subscriberHandler: signature check failed: %v", err)
|
||||
p.errorKernel.errSend(p, message, er)
|
||||
log.Printf("%v\n", er)
|
||||
}
|
||||
|
||||
// Send a confirmation message back to the publisher
|
||||
|
|
@ -543,7 +571,19 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
|
|||
p.errorKernel.errSend(p, message, er)
|
||||
}
|
||||
|
||||
if p.nodeAuth.verifySignature(message) {
|
||||
// The verify functions will return true if the signature or acl is correct,
|
||||
// but will return false if the signature or acl is wrong.
|
||||
// They will also return true if the configuration flag for checking the acl
|
||||
// or the signature is set to false.
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
aclOK := p.nodeAuth.verifyAcl(message)
|
||||
|
||||
// We should allow to call the handler if either:
|
||||
// 1. signature and acl is OK for when acl verification is enabled.
|
||||
// 2. just signature is OK, if just signature checking is enabled.
|
||||
// 3. Since the verify functions return true if the verification is
|
||||
// disabled, the handler will be called if both are disabled.
|
||||
if sigOK && aclOK || sigOK {
|
||||
|
||||
_, err := mf.handler(p, message, thisNode)
|
||||
|
||||
|
|
|
|||
|
|
@ -54,14 +54,14 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
|
|||
defer proc.centralAuth.accessLists.schemaGenerated.mu.Unlock()
|
||||
|
||||
// DEBUGGING:
|
||||
{
|
||||
proc.centralAuth.accessLists.schemaMain.mu.Lock()
|
||||
fmt.Printf("\n --- DEBUGGING: subscriber methodREQAclRequestUpdate: schemaGenerated contains: %v\n\n", proc.centralAuth.accessLists.schemaGenerated)
|
||||
fmt.Printf("\n --- DEBUGGING: subscriber methodREQAclRequestUpdate: schemaMain contains: %v\n\n", proc.centralAuth.accessLists.schemaMain)
|
||||
proc.centralAuth.accessLists.schemaMain.mu.Unlock()
|
||||
|
||||
// TODO: PROBLEM: The existing generated acl's are not loaded when starting, or not stored at all.
|
||||
}
|
||||
//{
|
||||
// proc.centralAuth.accessLists.schemaMain.mu.Lock()
|
||||
// fmt.Printf("\n --- DEBUGGING: subscriber methodREQAclRequestUpdate: schemaGenerated contains: %v\n\n", proc.centralAuth.accessLists.schemaGenerated)
|
||||
// fmt.Printf("\n --- DEBUGGING: subscriber methodREQAclRequestUpdate: schemaMain contains: %v\n\n", proc.centralAuth.accessLists.schemaMain)
|
||||
// proc.centralAuth.accessLists.schemaMain.mu.Unlock()
|
||||
//
|
||||
// // TODO: PROBLEM: The existing generated acl's are not loaded when starting, or not stored at all.
|
||||
//}
|
||||
|
||||
fmt.Printf(" ---- subscriber methodREQAclRequestUpdate: got acl hash from NODE=%v, HASH=%v\n", message.FromNode, message.Data)
|
||||
|
||||
|
|
@ -81,9 +81,9 @@ func (m methodREQAclRequestUpdate) handler(proc process, message Message, node s
|
|||
|
||||
hdh := HostACLsSerializedWithHash{}
|
||||
hdh.Data = proc.centralAuth.accessLists.schemaGenerated.GeneratedACLsMap[message.FromNode].Data
|
||||
fmt.Printf("\n * DEBUGGING: before marshalling, hdh.Data=%v\n", hdh.Data)
|
||||
// fmt.Printf("\n * DEBUGGING: before marshalling, hdh.Data=%v\n", hdh.Data)
|
||||
hdh.Hash = proc.centralAuth.accessLists.schemaGenerated.GeneratedACLsMap[message.FromNode].Hash
|
||||
fmt.Printf("\n * DEBUGGING: before marshalling, hdh.Hash=%v\n\n", hdh.Hash)
|
||||
// fmt.Printf("\n * DEBUGGING: before marshalling, hdh.Hash=%v\n\n", hdh.Hash)
|
||||
|
||||
js, err := json.Marshal(hdh)
|
||||
if err != nil {
|
||||
|
|
@ -118,7 +118,7 @@ func (m methodREQAclDeliverUpdate) handler(proc process, message Message, node s
|
|||
inf := fmt.Errorf("<--- subscriber methodREQAclDeliverUpdate received from: %v, containing: %v", message.FromNode, message.Data)
|
||||
proc.errorKernel.logConsoleOnlyIfDebug(inf, proc.configuration)
|
||||
|
||||
fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message received on handler : %+v\n\n", message)
|
||||
// fmt.Printf("\n --- subscriber methodREQAclRequestUpdate: the message received on handler : %+v\n\n", message)
|
||||
|
||||
// Get a context with the timeout specified in message.MethodTimeout.
|
||||
ctx, _ := getContextForMethodTimeout(proc.ctx, message)
|
||||
|
|
|
|||
Loading…
Reference in a new issue