
Merge pull request #1962 from gravitl/GRA-1024/mq_dyn_sec_refactor

Gra 1024/mq dyn sec refactor
dcarns 2 years ago
parent
commit
94108e0007
6 changed files with 17 additions and 449 deletions
  1. 0 20
      controllers/hosts.go
  2. 0 9
      controllers/network.go
  3. 1 26
      controllers/node.go
  4. 0 1
      mq/dynsec.go
  5. 8 63
      mq/dynsec_clients.go
  6. 8 330
      mq/dynsec_helper.go

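--- a/controllers/hosts.go
+++ b/controllers/hosts.go
@@ -100,16 +100,6 @@ func updateHost(w http.ResponseWriter, r *http.Request) {
 		logic.UpdateHostRelay(currHost.ID.String(), currHost.RelayedHosts, newHost.RelayedHosts)
 	}
 
-	newNetworks := logic.GetHostNetworks(newHost.ID.String())
-	if len(newNetworks) > 0 {
-		if err = mq.ModifyClient(&mq.MqClient{
-			ID:       currHost.ID.String(),
-			Text:     currHost.Name,
-			Networks: newNetworks,
-		}); err != nil {
-			logger.Log(0, r.Header.Get("user"), "failed to update host networks roles in DynSec:", err.Error())
-		}
-	}
 	// publish host update through MQ
 	if err := mq.HostUpdate(&models.HostUpdate{
 		Action: models.UpdateHost,
@@ -215,16 +205,6 @@ func addHostToNetwork(w http.ResponseWriter, r *http.Request) {
 	}); err != nil {
 		logger.Log(0, r.Header.Get("user"), "failed to update host to join network:", hostid, network, err.Error())
 	}
-	networks := logic.GetHostNetworks(currHost.ID.String())
-	if len(networks) > 0 {
-		if err = mq.ModifyClient(&mq.MqClient{
-			ID:       currHost.ID.String(),
-			Text:     currHost.Name,
-			Networks: networks,
-		}); err != nil {
-			logger.Log(0, r.Header.Get("user"), "failed to update host networks roles in DynSec:", hostid, err.Error())
-		}
-	}
 
 	logger.Log(2, r.Header.Get("user"), fmt.Sprintf("added host %s to network %s", currHost.Name, network))
 	w.WriteHeader(http.StatusOK)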

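--- a/controllers/network.go
+++ b/controllers/network.go
@@ -362,10 +362,6 @@ func deleteNetwork(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := mq.DeleteNetworkRole(network); err != nil {
-		logger.Log(0, fmt.Sprintf("failed to remove network DynSec role: %v", err.Error()))
-	}
-
 	logger.Log(1, r.Header.Get("user"), "deleted network", network)
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode("success")
@@ -413,11 +409,6 @@ func createNetwork(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err = mq.CreateNetworkRole(network.NetID); err != nil {
-		logger.Log(0, r.Header.Get("user"), "failed to create network DynSec role:",
-			err.Error())
-	}
-
 	if err = logic.AddDefaultHostsToNetwork(network.NetID, servercfg.GetServer()); err != nil {
 		logger.Log(0, fmt.Sprintf("failed to add default hosts to network [%v]: %v",
 			network.NetID, err.Error()))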

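--- a/controllers/node.go
+++ b/controllers/node.go
@@ -593,16 +593,6 @@ func createNode(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 			logic.UpdateHost(&data.Host, host) // update the in memory struct values
-			networks := logic.GetHostNetworks(data.Host.ID.String())
-			if err := mq.ModifyClient(&mq.MqClient{
-				ID:       data.Host.ID.String(),
-				Text:     data.Host.Name,
-				Networks: networks,
-			}); err != nil {
-				logger.Log(0, fmt.Sprintf("failed to modify DynSec client: %v", err.Error()))
-				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
-				return
-			}
 
 		} else {
 			logger.Log(0, "error creating host", err.Error())
@@ -971,12 +961,6 @@ func deleteNode(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	host, err := logic.GetHost(node.HostID.String())
-	if err != nil {
-		logger.Log(0, "error retrieving host for node", node.ID.String(), err.Error())
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
-		return
-	}
 	if r.Header.Get("ismaster") != "yes" {
 		username := r.Header.Get("user")
 		if username != "" && !doesUserOwnNode(username, params["network"], nodeid) {
@@ -990,16 +974,7 @@ func deleteNode(w http.ResponseWriter, r *http.Request) {
 	}
 	logic.ReturnSuccessResponse(w, r, nodeid+" deleted.")
 	logger.Log(1, r.Header.Get("user"), "Deleted node", nodeid, "from network", params["network"])
-	if fromNode { // update networks for host mq client
-		currNets := logic.GetHostNetworks(host.ID.String())
-		if len(currNets) > 0 {
-			mq.ModifyClient(&mq.MqClient{
-				ID:       host.ID.String(),
-				Text:     host.Name,
-				Networks: currNets,
-			})
-		}
-	} else { // notify node change
+	if !fromNode { // notify node change
 		runUpdates(&node, false)
 	}
 	go func() { // notify of peer change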
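Review bot: The surviving `if !fromNode { // notify node change` line no longer explains why a node-initiated deletion skips `runUpdates`; with the DynSec client refresh removed from the `fromNode` side, a reader now sees only that nothing at all happens for that case and may take it for an omission. A short why-comment would settle it, e.g. `if !fromNode { // node-initiated deletes need no MQ client refresh now that roles are not network-scoped; only API-initiated ones are pushed to the node`. I am inferring that rationale from the deleted branch, so confirm the wording with the author. deleteNode continues outside this hunk on both sides.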

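--- a/mq/dynsec.go
+++ b/mq/dynsec.go
@@ -180,7 +180,6 @@ func Configure() error {
 		exporterMQClient.Iterations = 101
 		exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
 		dynConfig.Clients = append(dynConfig.Clients, exporterMQClient)
-		dynConfig.Roles = append(dynConfig.Roles, exporterMQRole)
 	}
 	data, err := json.MarshalIndent(dynConfig, "", " ")
 	if err != nil {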

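--- a/mq/dynsec_clients.go
+++ b/mq/dynsec_clients.go
@@ -8,46 +8,9 @@ type MqClient struct {
 	Networks []string
 }
 
-// ModifyClient - modifies an existing client's network roles
-func ModifyClient(client *MqClient) error {
-
-	roles := []MqDynSecRole{
-		{
-			Rolename: HostGenericRole,
-			Priority: -1,
-		},
-		{
-			Rolename: getHostRoleName(client.ID),
-			Priority: -1,
-		},
-	}
-
-	for i := range client.Networks {
-		roles = append(roles, MqDynSecRole{
-			Rolename: client.Networks[i],
-			Priority: -1,
-		},
-		)
-	}
-
-	event := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command:  ModifyClientCmd,
-				Username: client.ID,
-				Textname: client.Text,
-				Roles:    roles,
-				Groups:   make([]MqDynSecGroup, 0),
-			},
-		},
-	}
-
-	return publishEventToDynSecTopic(event)
-}
-
 // DeleteMqClient - removes a client from the DynSec system
 func DeleteMqClient(hostID string) error {
-	deleteHostRole(hostID)
+
 	event := MqDynsecPayload{
 		Commands: []MqDynSecCmd{
 			{
@@ -62,29 +25,6 @@ func DeleteMqClient(hostID string) error {
 // CreateMqClient - creates an MQ DynSec client
 func CreateMqClient(client *MqClient) error {
 
-	err := createHostRole(client.ID)
-	if err != nil {
-		return err
-	}
-	roles := []MqDynSecRole{
-		{
-			Rolename: HostGenericRole,
-			Priority: -1,
-		},
-		{
-			Rolename: getHostRoleName(client.ID),
-			Priority: -1,
-		},
-	}
-
-	for i := range client.Networks {
-		roles = append(roles, MqDynSecRole{
-			Rolename: client.Networks[i],
-			Priority: -1,
-		},
-		)
-	}
-
 	event := MqDynsecPayload{
 		Commands: []MqDynSecCmd{
 			{
@@ -92,8 +32,13 @@ func CreateMqClient(client *MqClient) error {
 				Username: client.ID,
 				Password: client.Password,
 				Textname: client.Text,
-				Roles:    roles,
-				Groups:   make([]MqDynSecGroup, 0),
+				Roles: []MqDynSecRole{
+					{
+						Rolename: genericRole,
+						Priority: -1,
+					},
+				},
+				Groups: make([]MqDynSecGroup, 0),
 			},
 		},
 	}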
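Review bot: The new `Roles` literal gives every client created through CreateMqClient the single `genericRole`, and the `fetchGenericAcls` hunk in mq/dynsec_helper.go on this page shows that role allowing `publishClientSend`, `publishClientReceive` and `subscribePattern` on `#`, so the per-host role (`peers/host/<id>/#`, `host/update/<id>/#`, `host/serverupdate/<id>`) and the per-network roles the commit deletes are replaced by unrestricted broker access for host credentials. A host can now publish on topics the removed server role reserved for the server (`peers/host/#`, `host/update/#`, `update/#`, `proxy/#`) and receive every other host's peer and host updates, which lets one compromised host push peer/host configuration to the whole fleet, and the server, exporter and host clients are no longer distinguishable by role. If the dynamic per-host role is being dropped for operational reasons, at least keep a static host role whose send ACLs match what the removed `fetchNodeAcls` granted, register it in `dynConfig.Roles` next to `genericRole`, and reserve the wildcard `genericRole` for the server and exporter clients; the sketch below still leaves cross-host receive open, so restoring `createHostRole` remains the stronger fix. Whether CreateMqClient is also used for non-host clients is not visible here, so check its callers before narrowing.
```go
				Roles: []MqDynSecRole{
					{
						Rolename: hostRole, // host-scoped; the wildcard genericRole is for server/exporter clients only
						Priority: -1,
					},
				},
// … unchanged: rest of CreateMqClient …

// fetchHostAcls - ACLs for the static host role: the send topics the old node role
// granted plus host->server updates, and no wildcard send, so a host credential
// cannot publish peer/host updates to other hosts.
func fetchHostAcls() []Acl {
	return []Acl{
		{AclType: "publishClientSend", Topic: "signal/#", Priority: -1, Allow: true},
		{AclType: "publishClientSend", Topic: "update/#", Priority: -1, Allow: true},
		{AclType: "publishClientSend", Topic: "ping/#", Priority: -1, Allow: true},
		{AclType: "publishClientSend", Topic: "metrics/#", Priority: -1, Allow: true},
		{AclType: "publishClientSend", Topic: "host/serverupdate/#", Priority: -1, Allow: true},
		{AclType: "publishClientReceive", Topic: "peers/host/#", Priority: -1, Allow: true},
		{AclType: "publishClientReceive", Topic: "host/update/#", Priority: -1, Allow: true},
		{AclType: "publishClientReceive", Topic: "update/#", Priority: -1, Allow: true},
		{AclType: "publishClientReceive", Topic: "peers/#", Priority: -1, Allow: true},
		{AclType: "publishClientReceive", Topic: "proxy/#", Priority: -1, Allow: true},
		{AclType: "subscribePattern", Topic: "#", Priority: -1, Allow: true},
		{AclType: "unsubscribePattern", Topic: "#", Priority: -1, Allow: true},
	}
}
```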

+ 8 - 330
mq/dynsec_helper.go

@@ -1,9 +1,7 @@
 package mq
 
 import (
-	"encoding/json"
 	"errors"
-	"fmt"
 	"time"
 
 	mqtt "github.com/eclipse/paho.mqtt.golang"
@@ -13,14 +11,8 @@ import (
 const (
 	// constant for admin role
 	adminRole = "admin"
-	// constant for server role
-	serverRole = "server"
-	// constant for exporter role
-	exporterRole = "exporter"
-	// constant for node role
-	NodeRole = "node"
-	// HostGenericRole constant for host role
-	HostGenericRole = "host"
+	// constant for generic role
+	genericRole = "generic"
 
 	// const for dynamic security file
 	dynamicSecurityFile = "dynamic-security.json"
@@ -50,7 +42,7 @@ var (
 				Iterations: 0,
 				Roles: []clientRole{
 					{
-						Rolename: serverRole,
+						Rolename: genericRole,
 					},
 				},
 			},
@@ -62,14 +54,9 @@ var (
 				Acls:     fetchAdminAcls(),
 			},
 			{
-				Rolename: serverRole,
-				Acls:     fetchServerAcls(),
+				Rolename: genericRole,
+				Acls:     fetchGenericAcls(),
 			},
-			{
-				Rolename: HostGenericRole,
-				Acls:     fetchNodeAcls(),
-			},
-			exporterMQRole,
 		},
 		DefaultAcl: defaultAccessAcl{
 			PublishClientSend:    false,
@@ -87,31 +74,12 @@ var (
 		Iterations: 101,
 		Roles: []clientRole{
 			{
-				Rolename: exporterRole,
+				Rolename: genericRole,
 			},
 		},
 	}
-	exporterMQRole = role{
-		Rolename: exporterRole,
-		Acls:     fetchExporterAcls(),
-	}
 )
 
-// DynListCLientsCmdResp - struct for list clients response from MQ
-type DynListCLientsCmdResp struct {
-	Responses []struct {
-		Command string          `json:"command"`
-		Error   string          `json:"error"`
-		Data    ListClientsData `json:"data"`
-	} `json:"responses"`
-}
-
-// ListClientsData - struct for list clients data
-type ListClientsData struct {
-	Clients    []string `json:"clients"`
-	TotalCount int      `json:"totalCount"`
-}
-
 // GetAdminClient - fetches admin client of the MQ
 func GetAdminClient() (mqtt.Client, error) {
 	opts := mqtt.NewClientOptions()
@@ -128,311 +96,21 @@ func GetAdminClient() (mqtt.Client, error) {
 	return mqclient, connecterr
 }
 
-// ListClients -  to list all clients in the MQ
-func ListClients(client mqtt.Client) (ListClientsData, error) {
-	respChan := make(chan mqtt.Message, 10)
-	defer close(respChan)
-	command := "listClients"
-	resp := ListClientsData{}
-	msg := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command: command,
-			},
-		},
-	}
-	client.Subscribe("$CONTROL/dynamic-security/v1/response", 2, mqtt.MessageHandler(func(c mqtt.Client, m mqtt.Message) {
-		respChan <- m
-	}))
-	defer client.Unsubscribe()
-	d, _ := json.Marshal(msg)
-	token := client.Publish("$CONTROL/dynamic-security/v1", 2, true, d)
-	if !token.WaitTimeout(30) || token.Error() != nil {
-		var err error
-		if token.Error() == nil {
-			err = errors.New("connection timeout")
-		} else {
-			err = token.Error()
-		}
-		return resp, err
-	}
-
-	for m := range respChan {
-		msg := DynListCLientsCmdResp{}
-		json.Unmarshal(m.Payload(), &msg)
-		for _, mI := range msg.Responses {
-			if mI.Command == command {
-				return mI.Data, nil
-			}
-		}
-	}
-	return resp, errors.New("resp not found")
-}
-
-// fetches host related acls
-func fetchHostAcls(hostID string) []Acl {
+// genericAcls - fetches generice role related acls
+func fetchGenericAcls() []Acl {
 	return []Acl{
-		{
-			AclType:  "publishClientReceive",
-			Topic:    fmt.Sprintf("peers/host/%s/#", hostID),
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    fmt.Sprintf("host/update/%s/#", hostID),
-			Priority: -1,
-			Allow:    true,
-		},
 		{
 			AclType:  "publishClientSend",
-			Topic:    fmt.Sprintf("host/serverupdate/%s", hostID),
-			Priority: -1,
-			Allow:    true,
-		},
-	}
-}
-
-// FetchNetworkAcls - fetches network acls
-func FetchNetworkAcls(network string) []Acl {
-	return []Acl{
-		{
-			AclType:  "publishClientReceive",
-			Topic:    fmt.Sprintf("update/%s/#", network),
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    fmt.Sprintf("peers/%s/#", network),
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    fmt.Sprintf("proxy/%s/#", network),
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "subscribePattern",
-			Topic:    "#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "unsubscribePattern",
-			Topic:    "#",
-			Priority: -1,
-			Allow:    true,
-		},
-	}
-}
-
-// DeleteNetworkRole - deletes a network role from DynSec system
-func DeleteNetworkRole(network string) error {
-	// Deletes the network role from MQ
-	event := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command:  DeleteRoleCmd,
-				RoleName: network,
-			},
-		},
-	}
-
-	return publishEventToDynSecTopic(event)
-}
-
-func deleteHostRole(hostID string) error {
-	// Deletes the hostID role from MQ
-	event := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command:  DeleteRoleCmd,
-				RoleName: getHostRoleName(hostID),
-			},
-		},
-	}
-
-	return publishEventToDynSecTopic(event)
-}
-
-// CreateNetworkRole - createss a network role from DynSec system
-func CreateNetworkRole(network string) error {
-	// Create Role with acls for the network
-	event := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command:  CreateRoleCmd,
-				RoleName: network,
-				Textname: "Network wide role with Acls for nodes",
-				Acls:     FetchNetworkAcls(network),
-			},
-		},
-	}
-
-	return publishEventToDynSecTopic(event)
-}
-
-// creates role for the host with ID.
-func createHostRole(hostID string) error {
-	// Create Role with acls for the host
-	event := MqDynsecPayload{
-		Commands: []MqDynSecCmd{
-			{
-				Command:  CreateRoleCmd,
-				RoleName: getHostRoleName(hostID),
-				Textname: "host role with Acls for hosts",
-				Acls:     fetchHostAcls(hostID),
-			},
-		},
-	}
-
-	return publishEventToDynSecTopic(event)
-}
-
-func getHostRoleName(hostID string) string {
-	return fmt.Sprintf("host-%s", hostID)
-}
-
-// serverAcls - fetches server role related acls
-func fetchServerAcls() []Acl {
-	return []Acl{
-		{
-			AclType:  "publishClientSend",
-			Topic:    "peers/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "proxy/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "peers/host/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "update/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "metrics_exporter",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "host/update/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    "ping/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    "update/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    "signal/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientReceive",
-			Topic:    "metrics/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "subscribePattern",
-			Topic:    "#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "unsubscribePattern",
 			Topic:    "#",
 			Priority: -1,
 			Allow:    true,
 		},
 		{
 			AclType:  "publishClientReceive",
-			Topic:    "host/serverupdate/#",
-			Priority: -1,
-			Allow:    true,
-		},
-	}
-}
-
-// fetchNodeAcls - fetches node related acls
-func fetchNodeAcls() []Acl {
-	// keeping node acls generic as of now.
-	return []Acl{
-
-		{
-			AclType:  "publishClientSend",
-			Topic:    "signal/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "update/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "ping/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "publishClientSend",
-			Topic:    "metrics/#",
-			Priority: -1,
-			Allow:    true,
-		},
-		{
-			AclType:  "subscribePattern",
 			Topic:    "#",
 			Priority: -1,
 			Allow:    true,
 		},
-		{
-			AclType:  "unsubscribePattern",
-			Topic:    "#",
-			Priority: -1,
-			Allow:    true,
-		},
-	}
-}
-
-// fetchExporterAcls - fetch exporter role related acls
-func fetchExporterAcls() []Acl {
-	return []Acl{
-		{
-			AclType:  "publishClientReceive",
-			Topic:    "metrics_exporter",
-			Allow:    true,
-			Priority: -1,
-		},
 		{
 			AclType:  "subscribePattern",
 			Topic:    "#",