
  1. package mq
  2. import (
  3. "errors"
  4. "fmt"
  5. "time"
  6. mqtt "github.com/eclipse/paho.mqtt.golang"
  7. "github.com/gravitl/netmaker/servercfg"
  8. )
const (
	// dynamicSecurityFile is the file name of the Mosquitto dynamic-security plugin's
	// JSON configuration (the code that reads/writes it is not in this file).
	dynamicSecurityFile = "dynamic-security.json"

	// adminRole is the dynamic-security role name whose ACLs come from fetchAdminAcls
	// (full send/receive/subscribe on every topic plus the plugin control topic).
	adminRole = "admin"
	// genericRole is the dynamic-security role name shared by the non-admin clients
	// declared in dynConfigInI; its ACLs currently come from fetchServerAcls.
	genericRole = "generic"
)
var (
	// exporterMQClient is the dynamic-security client entry for the metrics exporter.
	// Password and Salt are empty here (presumably filled in at runtime by whatever writes
	// the dynamic-security file — confirm against that code); Iterations is 101 while the
	// admin and server entries use 0, and nothing in this file explains the difference.
	// NOTE(review): this entry holds genericRole, which dynConfigInI binds to
	// fetchServerAcls(), so the exporter gets the server's publish rights (peers/#, update/#,
	// host/update/#, ...) instead of the narrower fetchExporterAcls(), which nothing in this
	// file uses. Verify whether the exporter's role is re-bound elsewhere before relying on
	// least privilege for this client.
	exporterMQClient = client{
		Username:   mqExporterUserName,
		TextName:   "netmaker metrics exporter",
		Roles:      []clientRole{{Rolename: genericRole}},
		Password:   "",
		Salt:       "",
		Iterations: 101,
	}

	// dynConfigInI is the initial dynamic-security configuration: three clients (admin,
	// server, exporter), the two roles those clients reference, and the default access
	// used when no role ACL applies.
	dynConfigInI = dynJSON{
		Clients: []client{
			{
				Username:   mqAdminUserName,
				TextName:   "netmaker admin user",
				Roles:      []clientRole{{Rolename: adminRole}},
				Password:   "",
				Salt:       "",
				Iterations: 0,
			},
			{
				Username:   mqNetmakerServerUserName,
				TextName:   "netmaker server user",
				Roles:      []clientRole{{Rolename: genericRole}},
				Password:   "",
				Salt:       "",
				Iterations: 0,
			},
			exporterMQClient,
		},
		Roles: []role{
			{Rolename: adminRole, Acls: fetchAdminAcls()},
			// TODO fetch generic acls — genericRole currently carries the full server ACL set.
			{Rolename: genericRole, Acls: fetchServerAcls()},
		},
		// Default access: sending and subscribing denied, receiving and unsubscribing allowed.
		// NOTE(review): as I read Mosquitto dynsec's defaultACLAccess, these apply whenever no
		// role ACL matches. Every fetch*Acls helper in this file grants subscribePattern "#",
		// and the per-topic publishClientReceive rules are all allows; with receive defaulting
		// to allow, a client could therefore receive on topics no rule mentions. Confirm this
		// is the intended model (or that the default is overridden at runtime).
		DefaultAcl: defaultAccessAcl{
			PublishClientSend:    false,
			PublishClientReceive: true,
			Subscribe:            false,
			Unsubscribe:          true,
		},
	}
)
// GetAdminClient - fetches admin client of the MQ.
//
// It builds a paho client configured by setMqOptions with mqAdminUserName and the password
// from servercfg.GetMqAdminPassword(), connects, and waits up to MQ_TIMEOUT seconds. On
// failure the error is returned together with the (unconnected) client, so callers must
// check the error before using it. The admin role (see fetchAdminAcls) can send, receive
// and subscribe on every topic and drive the dynamic-security control topic, so the
// password read here is effectively a broker-wide administrative credential — keep it out
// of logs and error messages.
func GetAdminClient() (mqtt.Client, error) {
	opts := mqtt.NewClientOptions()
	setMqOptions(mqAdminUserName, servercfg.GetMqAdminPassword(), opts)
	adminClient := mqtt.NewClient(opts)

	token := adminClient.Connect()
	completed := token.WaitTimeout(MQ_TIMEOUT * time.Second)
	connectErr := token.Error()
	// A token that reported no error but did not complete within the deadline is a timeout;
	// a reported error takes precedence over the timeout message.
	if connectErr == nil && !completed {
		connectErr = errors.New("connect timeout")
	}
	return adminClient, connectErr
}
// fetchHostAcls - fetches host related acls.
//
// It returns the rules that scope one host to its own topics: it may receive on
// peers/host/<hostID>/# and host/update/<hostID>/#, and may send on
// host/serverupdate/<hostID>. Every rule is an allow at priority -1.
// hostID is interpolated verbatim into the topic filters and is not validated here; an ID
// containing MQTT wildcard characters (+, #) or "/" would change what the filters match,
// so callers are expected to pass a server-generated ID.
func fetchHostAcls(hostID string) []Acl {
	allow := func(aclType, topicFormat string) Acl {
		return Acl{
			AclType:  aclType,
			Topic:    fmt.Sprintf(topicFormat, hostID),
			Priority: -1,
			Allow:    true,
		}
	}
	return []Acl{
		allow("publishClientReceive", "peers/host/%s/#"),
		allow("publishClientReceive", "host/update/%s/#"),
		allow("publishClientSend", "host/serverupdate/%s"),
	}
}
// FetchNetworkAcls - fetches network acls.
//
// It returns the rules a client needs for one network: receive on update/<network>/#,
// peers/<network>/# and proxy/<network>/#, followed by subscribe and unsubscribe on "#".
// Every rule is an allow at priority -1. network is interpolated verbatim into the topic
// filters and is not validated here (wildcard characters in the name would widen the match).
// NOTE(review): the subscribePattern "#" rule lets the client subscribe to every topic; what
// it then receives is governed by the publishClientReceive rules and the default access in
// the dynamic-security config, not by the network-scoped filters alone.
func FetchNetworkAcls(network string) []Acl {
	receiveTopics := []string{
		fmt.Sprintf("update/%s/#", network),
		fmt.Sprintf("peers/%s/#", network),
		fmt.Sprintf("proxy/%s/#", network),
	}
	acls := make([]Acl, 0, len(receiveTopics)+2)
	for _, topic := range receiveTopics {
		acls = append(acls, Acl{AclType: "publishClientReceive", Topic: topic, Priority: -1, Allow: true})
	}
	for _, patternType := range []string{"subscribePattern", "unsubscribePattern"} {
		acls = append(acls, Acl{AclType: patternType, Topic: "#", Priority: -1, Allow: true})
	}
	return acls
}
// fetchServerAcls - fetches server role related acls.
//
// The returned rules are what the netmaker server process needs on the broker: it may
// send on peers/#, proxy/#, peers/host/# (already covered by peers/#, kept for
// explicitness), update/#, metrics_exporter and host/update/#; it may receive on ping/#,
// update/#, signal/#, metrics/# and host/serverupdate/#; and it may subscribe/unsubscribe
// on "#". Every rule is an allow at priority -1, emitted in the order listed below.
// NOTE(review): in this file the result is bound to genericRole (see dynConfigInI), which
// the metrics exporter client also holds, so these server-level publish rights are not
// limited to the server user unless the roles are reassigned elsewhere.
func fetchServerAcls() []Acl {
	type rule struct{ aclType, topic string }
	rules := []rule{
		{"publishClientSend", "peers/#"},
		{"publishClientSend", "proxy/#"},
		{"publishClientSend", "peers/host/#"},
		{"publishClientSend", "update/#"},
		{"publishClientSend", "metrics_exporter"},
		{"publishClientSend", "host/update/#"},
		{"publishClientReceive", "ping/#"},
		{"publishClientReceive", "update/#"},
		{"publishClientReceive", "signal/#"},
		{"publishClientReceive", "metrics/#"},
		{"subscribePattern", "#"},
		{"unsubscribePattern", "#"},
		{"publishClientReceive", "host/serverupdate/#"},
	}
	acls := make([]Acl, 0, len(rules))
	for _, r := range rules {
		acls = append(acls, Acl{AclType: r.aclType, Topic: r.topic, Priority: -1, Allow: true})
	}
	return acls
}
// fetchNodeAcls - fetches node related acls.
//
// It returns the rules for a node client: send on signal/#, update/#, ping/# and
// metrics/#, then subscribe and unsubscribe on "#". Every rule is an allow at priority -1.
// NOTE(review): these filters are not scoped to a node or network — a client holding only
// this role may publish on any node's signal/update/ping/metrics topic. Whether that is
// narrowed by other rules (e.g. fetchHostAcls / FetchNetworkAcls) or accepted by design is
// not visible in this file.
func fetchNodeAcls() []Acl {
	// keeping node acls generic as of now.
	rule := func(aclType, topic string) Acl {
		return Acl{AclType: aclType, Topic: topic, Priority: -1, Allow: true}
	}
	sendTopics := []string{"signal/#", "update/#", "ping/#", "metrics/#"}
	acls := make([]Acl, 0, len(sendTopics)+2)
	for _, topic := range sendTopics {
		acls = append(acls, rule("publishClientSend", topic))
	}
	return append(acls, rule("subscribePattern", "#"), rule("unsubscribePattern", "#"))
}
// fetchExporterAcls - fetch exporter role related acls.
//
// It returns the minimal rules for the metrics exporter: receive on metrics_exporter, plus
// subscribe and unsubscribe on "#". Every rule is an allow at priority -1.
// NOTE(review): nothing in this file uses this function — the exporter client in
// dynConfigInI holds genericRole, whose ACLs are fetchServerAcls(). If this narrower set is
// the intended privilege for the exporter, check where (if anywhere) it is applied.
func fetchExporterAcls() []Acl {
	const prio = -1
	return []Acl{
		{AclType: "publishClientReceive", Topic: "metrics_exporter", Priority: prio, Allow: true},
		{AclType: "subscribePattern", Topic: "#", Priority: prio, Allow: true},
		{AclType: "unsubscribePattern", Topic: "#", Priority: prio, Allow: true},
	}
}
// fetchAdminAcls - fetches admin role related acls.
//
// The admin role gets send/receive/subscribe on $CONTROL/dynamic-security/# (the
// dynamic-security plugin's control topic, i.e. the ability to create clients, roles and
// ACLs), receive/subscribe on $SYS/#, and send/receive/subscribe/unsubscribe on "#". Every
// rule is an allow at priority -1. Any credential bound to this role is therefore a
// broker-wide administrative credential; it should only be issued to the server's own
// admin client (see GetAdminClient).
func fetchAdminAcls() []Acl {
	allow := func(aclType, topic string) Acl {
		return Acl{AclType: aclType, Topic: topic, Priority: -1, Allow: true}
	}
	const (
		controlTopic = "$CONTROL/dynamic-security/#"
		sysTopic     = "$SYS/#"
		allTopics    = "#"
	)
	return []Acl{
		// full control of the dynamic-security plugin
		allow("publishClientSend", controlTopic),
		allow("publishClientReceive", controlTopic),
		allow("subscribePattern", controlTopic),
		// broker status topics
		allow("publishClientReceive", sysTopic),
		allow("subscribePattern", sysTopic),
		// everything else
		allow("publishClientReceive", allTopics),
		allow("subscribePattern", allTopics),
		allow("unsubscribePattern", allTopics),
		allow("publishClientSend", allTopics),
	}
}
  356. }