mirror of
https://github.com/postmannen/ctrl.git
synced 2025-03-31 01:24:31 +00:00
restructured callHandler method, and fixed so not yet allowed keys are printed in the errors
This commit is contained in:
postmannen
parent
aba926f74a
commit
b5561b9e55
2 changed files with 52 additions and 59 deletions
|
|
@ -132,6 +132,7 @@ func (c *centralAuth) addPublicKey(proc process, msg Message) {
|
|||
return
|
||||
}
|
||||
|
||||
notAckedNodes := []Node{}
|
||||
c.pki.nodeNotAckedPublicKeys.mu.Lock()
|
||||
// existingNotAckedKey, ok := c.pki.nodeNotAckedPublicKeys.KeyMap[msg.FromNode]
|
||||
// // We only want to send one notification to the error kernel about new key detection,
|
||||
|
|
@ -143,9 +144,14 @@ func (c *centralAuth) addPublicKey(proc process, msg Message) {
|
|||
// }
|
||||
|
||||
c.pki.nodeNotAckedPublicKeys.KeyMap[msg.FromNode] = msg.Data
|
||||
|
||||
for k := range c.pki.nodeNotAckedPublicKeys.KeyMap {
|
||||
notAckedNodes = append(notAckedNodes, k)
|
||||
}
|
||||
|
||||
c.pki.nodeNotAckedPublicKeys.mu.Unlock()
|
||||
|
||||
er := fmt.Errorf("info: new public key for node: %v. Key needs to be authorized by operator to be allowed into the system by using the keysAllow method", msg.FromNode)
|
||||
er := fmt.Errorf("addPublicKey: key(s) needs to be allowed by operator for nodes: %v", notAckedNodes)
|
||||
c.pki.errorKernel.infoSend(proc, msg, er)
|
||||
c.pki.errorKernel.logInfo(er)
|
||||
}
|
||||
|
|
|
|||
103
process.go
103
process.go
|
|
@ -449,7 +449,7 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
|
|||
|
||||
//var err error
|
||||
|
||||
_ = p.callHandler(message, thisNode)
|
||||
p.callHandler(message, thisNode)
|
||||
|
||||
// Send a confirmation message back to the publisher to ACK that the
|
||||
// message was received by the subscriber. The reply should be sent
|
||||
|
|
@ -473,7 +473,7 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
|
|||
}
|
||||
|
||||
// We do not send reply messages for EventNACL, so we can discard the output.
|
||||
_ = p.callHandler(message, thisNode)
|
||||
p.callHandler(message, thisNode)
|
||||
|
||||
default:
|
||||
er := fmt.Errorf("info: did not find that specific type of event: %#v", p.subject.Method)
|
||||
|
|
@ -483,20 +483,56 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
|
|||
}
|
||||
|
||||
// callHandler will call the handler for the Request type defined in the message.
|
||||
// If checking signatures and/or acl's are enabled the signatures they will be
|
||||
// verified, and if OK the handler is called.
|
||||
func (p process) callHandler(message Message, thisNode string) []byte {
|
||||
// If checking signatures and/or acl's are enabled the signatures will be verified,
|
||||
// and if OK the handler is called.
|
||||
func (p process) callHandler(message Message, thisNode string) {
|
||||
//out := []byte{}
|
||||
|
||||
// Call the handler if ACL/signature checking returns true.
|
||||
// If the handler is to be called in a scheduled manner, we we take care of that too.
|
||||
go func() {
|
||||
switch p.verifySigOrAclFlag(message) {
|
||||
// ----
|
||||
conf := p.nodeAuth.configuration
|
||||
doHandler := false
|
||||
var er error
|
||||
|
||||
switch {
|
||||
|
||||
// If no checking enabled we should just allow the message.
|
||||
case !conf.EnableSignatureCheck && !conf.EnableAclCheck:
|
||||
doHandler = true
|
||||
|
||||
// If only sig check enabled, and sig OK, we should allow the message.
|
||||
case conf.EnableSignatureCheck && !conf.EnableAclCheck:
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
|
||||
er = fmt.Errorf("callHandler: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v", sigOK, message.Method)
|
||||
|
||||
if sigOK {
|
||||
doHandler = true
|
||||
}
|
||||
|
||||
// If both sig and acl check enabled, and sig and acl OK, we should allow the message.
|
||||
case conf.EnableSignatureCheck && conf.EnableAclCheck:
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
aclOK := p.nodeAuth.verifyAcl(message)
|
||||
|
||||
er = fmt.Errorf("callHandler:both signature and acl checking enabled, allow the message if sigOK and aclOK, sigOK=%v, aclOK=%v, method=%v", sigOK, aclOK, message.Method)
|
||||
|
||||
if sigOK && aclOK {
|
||||
doHandler = true
|
||||
}
|
||||
|
||||
default:
|
||||
er = fmt.Errorf("callHandler: None of the verify flags matched, not doing handler for message, method=%v", message.Method)
|
||||
}
|
||||
|
||||
// ----
|
||||
|
||||
p.errorKernel.logDebug(er)
|
||||
|
||||
switch doHandler {
|
||||
case true:
|
||||
|
||||
executeHandler(p, message, thisNode)
|
||||
|
||||
case false:
|
||||
// ACL/Signature checking failed.
|
||||
er := fmt.Errorf("error: subscriberHandler: ACL were verified not-OK, doing nothing")
|
||||
|
|
@ -505,7 +541,6 @@ func (p process) callHandler(message Message, thisNode string) []byte {
|
|||
}
|
||||
}()
|
||||
|
||||
return []byte{}
|
||||
}
|
||||
|
||||
// executeHandler will call the handler for the Request type defined in the message.
|
||||
|
|
@ -593,54 +628,6 @@ func executeHandler(p process, message Message, thisNode string) {
|
|||
}
|
||||
}
|
||||
|
||||
// verifySigOrAclFlag will do signature and/or acl checking based on which of
|
||||
// those features are enabled, and then call the handler.
|
||||
// The handler will also be called if neither signature or acl checking is enabled
|
||||
// since it is up to the subscriber to decide if it want to use the auth features
|
||||
// or not.
|
||||
func (p process) verifySigOrAclFlag(message Message) bool {
|
||||
doHandler := false
|
||||
|
||||
switch {
|
||||
|
||||
// If no checking enabled we should just allow the message.
|
||||
case !p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
|
||||
//log.Printf(" * DEBUG: verify acl/sig: no acl or signature checking at all is enabled, ALLOW the message, method=%v\n", message.Method)
|
||||
doHandler = true
|
||||
|
||||
// If only sig check enabled, and sig OK, we should allow the message.
|
||||
case p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
|
||||
er := fmt.Errorf("verifySigOrAclFlag: verify acl/sig: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v", sigOK, message.Method)
|
||||
p.errorKernel.logDebug(er)
|
||||
|
||||
if sigOK {
|
||||
doHandler = true
|
||||
}
|
||||
|
||||
// If both sig and acl check enabled, and sig and acl OK, we should allow the message.
|
||||
case p.nodeAuth.configuration.EnableSignatureCheck && p.nodeAuth.configuration.EnableAclCheck:
|
||||
sigOK := p.nodeAuth.verifySignature(message)
|
||||
aclOK := p.nodeAuth.verifyAcl(message)
|
||||
|
||||
er := fmt.Errorf("verifySigOrAclFlag: verify acl/sig:both signature and acl checking enabled, allow the message if sigOK and aclOK, or method is not REQCliCommand, sigOK=%v, aclOK=%v, method=%v", sigOK, aclOK, message.Method)
|
||||
p.errorKernel.logDebug(er)
|
||||
|
||||
if sigOK && aclOK {
|
||||
doHandler = true
|
||||
}
|
||||
|
||||
// none of the verification options matched, we should keep the default value
|
||||
// of doHandler=false, so the handler is not done.
|
||||
default:
|
||||
er := fmt.Errorf("verifySigOrAclFlag: verify acl/sig: None of the verify flags matched, not doing handler for message, method=%v", message.Method)
|
||||
p.errorKernel.logDebug(er)
|
||||
}
|
||||
|
||||
return doHandler
|
||||
}
|
||||
|
||||
// SubscribeMessage will register the Nats callback function for the specified
|
||||
// nats subject. This allows us to receive Nats messages for a given subject
|
||||
// on a node.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue