
add new host role with acls

Abhishek Kondur 2 years ago
parent
commit
4c0866723f
5 changed files with 85 additions and 35 deletions
  1. 10 2
      mq/dynsec_clients.go
  2. 48 3
      mq/dynsec_helper.go
  3. 6 2
      mq/handlers.go
  4. 18 21
      mq/publishers.go
  5. 3 7
      mq/util.go

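--- a/mq/dynsec_clients.go
+++ b/mq/dynsec_clients.go
@@ -13,7 +13,7 @@ func ModifyClient(client *MqClient) error {
 
 	roles := []MqDynSecRole{
 		{
-			Rolename: HostRole,
+			Rolename: HostGenericRole,
 			Priority: -1,
 		},
 	}
@@ -57,9 +57,17 @@ func DeleteMqClient(hostID string) error {
 // CreateMqClient - creates an MQ DynSec client
 func CreateMqClient(client *MqClient) error {
 
+	err := createHostRole(client.ID)
+	if err != nil {
+		return err
+	}
 	roles := []MqDynSecRole{
 		{
-			Rolename: HostRole,
+			Rolename: HostGenericRole,
+			Priority: -1,
+		},
+		{
+			Rolename: getHostRoleName(client.ID),
 			Priority: -1,
 		},
 	}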
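Review bot: `CreateMqClient` now attaches two roles, but `ModifyClient` in the first hunk still sends only `HostGenericRole`; if the dynsec `modifyClient` command replaces the client's role list (as Mosquitto's dynamic-security plugin does), any later modify silently strips `host-<id>` and the host loses its `peers/host/<id>` receive ACL. Give `ModifyClient` the same two-entry list: `{Rolename: HostGenericRole, Priority: -1}, {Rolename: getHostRoleName(client.ID), Priority: -1}`. `createHostRole` also has no counterpart on the delete path: unless `DeleteMqClient` (its body is outside this hunk) issues a deleteRole for `getHostRoleName(hostID)`, per-host roles accumulate in dynamic-security.json after hosts are removed. Both `ModifyClient` and `CreateMqClient` continue past the hunk boundaries.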

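--- a/mq/dynsec_helper.go
+++ b/mq/dynsec_helper.go
@@ -19,8 +19,8 @@ const (
 	exporterRole = "exporter"
 	// constant for node role
 	NodeRole = "node"
-	// HostRole constant for host role
-	HostRole = "host"
+	// HostGenericRole constant for host role
+	HostGenericRole = "host"
 
 	// const for dynamic security file
 	dynamicSecurityFile = "dynamic-security.json"
@@ -66,7 +66,7 @@ var (
 				Acls:     fetchServerAcls(),
 			},
 			{
-				Rolename: HostRole,
+				Rolename: HostGenericRole,
 				Acls:     fetchNodeAcls(),
 			},
 			exporterMQRole,
@@ -169,6 +169,18 @@ func ListClients(client mqtt.Client) (ListClientsData, error) {
 	return resp, errors.New("resp not found")
 }
 
+// fetches host related acls
+func fetchHostAcls(hostID string) []Acl {
+	return []Acl{
+		{
+			AclType:  "publishClientReceive",
+			Topic:    fmt.Sprintf("peers/host/%s", hostID),
+			Priority: -1,
+			Allow:    true,
+		},
+	}
+}
+
 // FetchNetworkAcls - fetches network acls
 func FetchNetworkAcls(network string) []Acl {
 	return []Acl{
@@ -237,6 +249,27 @@ func CreateNetworkRole(network string) error {
 	return publishEventToDynSecTopic(event)
 }
 
+// creates role for the host with ID.
+func createHostRole(hostID string) error {
+	// Create Role with acls for the host
+	event := MqDynsecPayload{
+		Commands: []MqDynSecCmd{
+			{
+				Command:  CreateRoleCmd,
+				RoleName: getHostRoleName(hostID),
+				Textname: "host  role with Acls for hosts",
+				Acls:     fetchHostAcls(hostID),
+			},
+		},
+	}
+
+	return publishEventToDynSecTopic(event)
+}
+
+func getHostRoleName(hostID string) string {
+	return fmt.Sprintf("host-%s", hostID)
+}
+
 // serverAcls - fetches server role related acls
 func fetchServerAcls() []Acl {
 	return []Acl{
@@ -252,6 +285,12 @@ func fetchServerAcls() []Acl {
 			Priority: -1,
 			Allow:    true,
 		},
+		{
+			AclType:  "publishClientSend",
+			Topic:    "peers/host/#",
+			Priority: -1,
+			Allow:    true,
+		},
 		{
 			AclType:  "publishClientSend",
 			Topic:    "update/#",
@@ -332,6 +371,12 @@ func fetchNodeAcls() []Acl {
 			Priority: -1,
 			Allow:    true,
 		},
+		{
+			AclType:  "publishClientReceive",
+			Topic:    "peers/host",
+			Priority: -1,
+			Allow:    true,
+		},
 		{
 			AclType:  "subscribePattern",
 			Topic:    "#",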
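Review bot: The `publishClientReceive` ACL on the bare `peers/host` topic added to `fetchNodeAcls` lands on `HostGenericRole`, i.e. on every host, so it undoes the isolation the new per-host `host-<id>` role was created for: each host will receive every other host's peer update that the server publishes to `peers/host` (the server's new `peers/host/#` send ACL matches that parent level too, and the generic role already has `subscribePattern #`). Payloads are still sealed to the recipient's traffic key, so this is a fan-out/availability problem rather than a disclosure, but it scales with the fleet and makes `fetchHostAcls` dead policy. Drop this entry from the generic role and rely on `fetchHostAcls` (`peers/host/<id>`), which also requires the publisher to address the per-host topic. Minor: `Textname: "host  role with Acls for hosts"` has a double space, and `getHostRoleName` deserves a doc line such as `// getHostRoleName returns the dynsec role name for a host, "host-<hostID>".` so the scheme is not inferred from the format string. `fetchNodeAcls` continues past the hunk.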

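--- a/mq/handlers.go
+++ b/mq/handlers.go
@@ -165,9 +165,13 @@ func UpdateMetrics(client mqtt.Client, msg mqtt.Message) {
 
 			if shouldUpdate {
 				logger.Log(2, "updating peers after node", currentNode.ID.String(), currentNode.Network, "detected connectivity issues")
-				if err = PublishSinglePeerUpdate(&currentNode); err != nil {
-					logger.Log(0, "failed to publish update after failover peer change for node", currentNode.ID.String(), currentNode.Network)
+				host, err := logic.GetHost(currentNode.HostID.String())
+				if err == nil {
+					if err = PublishSingleHostUpdate(host); err != nil {
+						logger.Log(0, "failed to publish update after failover peer change for node", currentNode.ID.String(), currentNode.Network)
+					}
 				}
+
 			}
 
 			logger.Log(1, "updated node metrics", id)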
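Review bot: A failure from `logic.GetHost` on the new line is swallowed: the `if err == nil` branch has no else, so when the host lookup fails the failover peer update is skipped with no log at all, whereas the old code at least logged a failed publish. Note also that `host, err :=` declares a fresh `err` scoped to the `if shouldUpdate` block, shadowing the function-level `err`, so nothing after it observes the failure either. Prefer `if err != nil { logger.Log(0, "failed to get host for node", currentNode.ID.String(), err.Error()) } else if err = PublishSingleHostUpdate(host); err != nil { /* existing log */ }` and drop the stray blank line before the closing brace. `UpdateMetrics` starts and ends outside this hunk.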

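--- a/mq/publishers.go
+++ b/mq/publishers.go
@@ -19,15 +19,16 @@ func PublishPeerUpdate(network string, publishToSelf bool) error {
 	if !servercfg.IsMessageQueueBackend() {
 		return nil
 	}
-	networkNodes, err := logic.GetNetworkNodes(network)
+
+	hosts, err := logic.GetAllHosts()
 	if err != nil {
-		logger.Log(1, "err getting Network Nodes", err.Error())
+		logger.Log(1, "err getting all hosts", err.Error())
 		return err
 	}
-	for _, node := range networkNodes {
-		err = PublishSinglePeerUpdate(&node)
+	for _, host := range hosts {
+		err = PublishSingleHostUpdate(&host)
 		if err != nil {
-			logger.Log(1, "failed to publish peer update to node", node.ID.String(), "on network", node.Network, ":", err.Error())
+			logger.Log(1, "failed to publish peer update to host", host.ID.String(), ": ", err.Error())
 		}
 	}
 	return err
@@ -48,23 +49,19 @@ func PublishProxyPeerUpdate(node *models.Node) error {
 }
 
 // PublishSinglePeerUpdate --- determines and publishes a peer update to one node
-func PublishSinglePeerUpdate(node *models.Node) error {
-	host, err := logic.GetHost(node.HostID.String())
-	if err != nil {
-		return nil
-	}
+func PublishSingleHostUpdate(host *models.Host) error {
 
-	peerUpdate, err := logic.GetPeerUpdate(node, host)
+	peerUpdate, err := logic.GetPeerUpdateForHost(host)
 	if err != nil {
 		return err
 	}
 	if host.ProxyEnabled {
-		proxyUpdate, err := logic.GetPeersForProxy(node, false)
-		if err != nil {
-			return err
-		}
-		proxyUpdate.Action = proxy_models.AddNetwork
-		peerUpdate.ProxyUpdate = proxyUpdate
+		// proxyUpdate, err := logic.GetPeersForProxy(node, false)
+		// if err != nil {
+		// 	return err
+		// }
+		// proxyUpdate.Action = proxy_models.AddNetwork
+		// peerUpdate.ProxyUpdate = proxyUpdate
 
 	}
 
@@ -72,7 +69,7 @@ func PublishSinglePeerUpdate(node *models.Node) error {
 	if err != nil {
 		return err
 	}
-	return publish(node, fmt.Sprintf("peers/%s/%s", node.Network, node.ID), data)
+	return publish(host, "peers/host", data)
 }
 
 // PublishPeerUpdate --- publishes a peer update to all the peers of a node
@@ -99,7 +96,7 @@ func PublishExtPeerUpdate(node *models.Node) error {
 		}
 	}
 
-	if err = publish(node, fmt.Sprintf("peers/%s/%s", node.Network, node.ID), data); err != nil {
+	if err = publish(host, fmt.Sprintf("peers/%s/%s", node.Network, node.ID), data); err != nil {
 		return err
 	}
 	go PublishPeerUpdate(node.Network, false)
@@ -126,7 +123,7 @@ func NodeUpdate(node *models.Node) error {
 		logger.Log(2, "error marshalling node update ", err.Error())
 		return err
 	}
-	if err = publish(node, fmt.Sprintf("update/%s/%s", node.Network, node.ID), data); err != nil {
+	if err = publish(host, fmt.Sprintf("update/%s/%s", node.Network, node.ID), data); err != nil {
 		logger.Log(2, "error publishing node update to peer ", node.ID.String(), err.Error())
 		return err
 	}
@@ -156,7 +153,7 @@ func ProxyUpdate(proxyPayload *proxy_models.ProxyManagerPayload, node *models.No
 		logger.Log(2, "error marshalling node update ", err.Error())
 		return err
 	}
-	if err = publish(node, fmt.Sprintf("proxy/%s/%s", node.Network, node.ID), data); err != nil {
+	if err = publish(host, fmt.Sprintf("proxy/%s/%s", node.Network, node.ID), data); err != nil {
 		logger.Log(2, "error publishing proxy update to peer ", node.ID.String(), err.Error())
 		return err
 	}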
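Review bot: `PublishSingleHostUpdate` publishes to the shared topic `"peers/host"` rather than the per-host topic `peers/host/<hostID>` that `fetchHostAcls` in mq/dynsec_helper.go authorises, so the new `host-<id>` role is never exercised and every host allowed to receive on `peers/host` gets every other host's update (only the addressee can decrypt it, but it is delivered to all). Change the return to `return publish(host, fmt.Sprintf("peers/host/%s", host.ID.String()), data)` — `host.ID.String()` is the form the log in the first hunk already uses. Separately, `PublishPeerUpdate` in the first hunk now calls `GetAllHosts()` and no longer reads its `network` parameter, so a change on one network triggers a full peer recomputation and publish for every host on every network; either document that intent in the function comment or filter hosts by membership in `network`. The comment above the renamed function still reads `PublishSinglePeerUpdate`; it should be `// PublishSingleHostUpdate --- determines and publishes a peer update to one host`. Several of these functions continue outside the hunks shown.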

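--- a/mq/util.go
+++ b/mq/util.go
@@ -40,7 +40,7 @@ func decryptMsg(node *models.Node, msg []byte) ([]byte, error) {
 	return ncutils.DeChunk(msg, nodePubTKey, serverPrivTKey)
 }
 
-func encryptMsg(node *models.Node, msg []byte) ([]byte, error) {
+func encryptMsg(host *models.Host, msg []byte) ([]byte, error) {
 	// fetch server public key to be certain hasn't changed in transit
 	trafficKey, trafficErr := logic.RetrievePrivateTrafficKey()
 	if trafficErr != nil {
@@ -52,10 +52,6 @@ func encryptMsg(node *models.Node, msg []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	host, err := logic.GetHost(node.HostID.String())
-	if err != nil {
-		return nil, err
-	}
 	nodePubKey, err := ncutils.ConvertBytesToKey(host.TrafficKeyPublic)
 	if err != nil {
 		return nil, err
@@ -68,8 +64,8 @@ func encryptMsg(node *models.Node, msg []byte) ([]byte, error) {
 	return ncutils.Chunk(msg, nodePubKey, serverPrivKey)
 }
 
-func publish(node *models.Node, dest string, msg []byte) error {
-	encrypted, encryptErr := encryptMsg(node, msg)
+func publish(host *models.Host, dest string, msg []byte) error {
+	encrypted, encryptErr := encryptMsg(host, msg)
 	if encryptErr != nil {
 		return encryptErr
 	}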
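Review bot: `encryptMsg` now dereferences its `host` parameter directly at `host.TrafficKeyPublic` (just below the removed lookup) and `publish` forwards it unchecked; the old code obtained the host through `GetHost` and returned an error when it was missing, so callers that previously got a clean error for an absent host can now panic inside the MQ publish path on a nil `*models.Host`. Add a guard at the top of `encryptMsg`, `if host == nil { return nil, errors.New("encryptMsg: nil host") }` (use `errors` or `fmt.Errorf` according to what the file already imports; the import block is outside the hunk). The context comment `// fetch server public key to be certain hasn't changed in transit` sits above a call that retrieves the server's private traffic key; `// fetch the server's current private traffic key` would describe what the line does. `decryptMsg` (context above) still takes `*models.Node` while `encryptMsg` now takes `*models.Host`; if that asymmetry is intentional, a one-line comment saying why would save the next reader a search. Both functions continue outside the hunks shown.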