mirrors/ctrl
1
0
Fork 0
mirror of https://github.com/postmannen/ctrl.git synced 2025-03-31 01:24:31 +00:00
Code Activity

added map for methods to do signature checking on

Browse source
This commit is contained in:
postmannen 2025-01-09 10:00:03 +01:00
parent 9a0fe9ae7a
commit e78e913be0
2 changed files with 22 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
node_auth.go
View file

@ -391,9 +391,24 @@ func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte,
// verifySignature // verifySignature
func (n *nodeAuth) verifySignature(m Message) bool { func (n *nodeAuth) verifySignature(m Message) bool {
// NB: Only enable signature checking for REQCliCommand for now. signatureCheckMap := map[Method]struct{}{
if m.Method != CliCommand { OpProcessList: {},
er := fmt.Errorf("verifySignature: not REQCliCommand and will not do signature check, method: %v", m.Method) OpProcessStart: {},
OpProcessStop: {},
CliCommand: {},
CliCommandCont: {},
TailFile: {},
HttpGet: {},
CopySrc: {},
Console: {},
File: {},
FileAppend: {},
}
// If the method is not found in the map, we return that the signature
// was verified to true to allow the method to be executed.
if _, ok := signatureCheckMap[m.Method]; !ok {
er := fmt.Errorf("verifySignature: will not do signature check for method: %v", m.Method)
n.errorKernel.logInfo(er) n.errorKernel.logInfo(er)
return true return true
} }

7
process.go
View file

@ -505,7 +505,7 @@ func (p process) callHandler(message Message, thisNode string) {
doHandler = true doHandler = true
} }
er = fmt.Errorf("callHandler: Only signature checking enabled, ALLOW the message if sigOK, sigOK=%v, method %v", sigOK, message.Method) er = fmt.Errorf("callHandler: Only signature checking enabled, sigOK=%v, method %v", sigOK, message.Method)
// If both sig and acl check enabled, and sig and acl OK, we should allow the message. // If both sig and acl check enabled, and sig and acl OK, we should allow the message.
case conf.EnableSignatureCheck && conf.EnableAclCheck: case conf.EnableSignatureCheck && conf.EnableAclCheck:
@ -515,7 +515,7 @@ func (p process) callHandler(message Message, thisNode string) {
doHandler = true doHandler = true
} }
er = fmt.Errorf("callHandler:both signature and acl checking enabled, allow the message if sigOK and aclOK, sigOK=%v, aclOK=%v, method=%v", sigOK, aclOK, message.Method) er = fmt.Errorf("callHandler:both signature and acl checking enabled, sigOK=%v, aclOK=%v, method=%v", sigOK, aclOK, message.Method)
default: default:
er = fmt.Errorf("callHandler: None of the verify flags matched, not doing handler for message, method=%v", message.Method) er = fmt.Errorf("callHandler: None of the verify flags matched, not doing handler for message, method=%v", message.Method)
@ -528,8 +528,9 @@ func (p process) callHandler(message Message, thisNode string) {
executeHandler(p, message, thisNode) executeHandler(p, message, thisNode)
case false: case false:
// ACL/Signature checking failed. // ACL/Signature checking failed.
er := fmt.Errorf("error: subscriberHandler: ACL were verified not-OK, doing nothing") er := fmt.Errorf("error: subscriberHandler: ACL or Signature were verified not-OK, doing nothing")
p.errorKernel.errSend(p, message, er, logWarning) p.errorKernel.errSend(p, message, er, logWarning)
fmt.Printf("\n *** DEBUG: %v\n\n", er)
} }
}() }()