dynsec.go 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179
  1. package mq
  2. import (
  3. "crypto/sha512"
  4. "encoding/base64"
  5. "encoding/json"
  6. "errors"
  7. "fmt"
  8. "os"
  9. "time"
  10. mqtt "github.com/eclipse/paho.mqtt.golang"
  11. "github.com/gravitl/netmaker/functions"
  12. "github.com/gravitl/netmaker/logger"
  13. "github.com/gravitl/netmaker/logic"
  14. "github.com/gravitl/netmaker/netclient/ncutils"
  15. "github.com/gravitl/netmaker/servercfg"
  16. "golang.org/x/crypto/pbkdf2"
  17. )
  18. const DynamicSecSubTopic = "$CONTROL/dynamic-security/#"
  19. const DynamicSecPubTopic = "$CONTROL/dynamic-security/v1"
  20. var mqAdminClient mqtt.Client
  21. var (
  22. CreateClientCmd = "createClient"
  23. DisableClientCmd = "disableClient"
  24. DeleteClientCmd = "deleteClient"
  25. ModifyClientCmd = "modifyClient"
  26. )
  27. var (
  28. CreateRoleCmd = "createRole"
  29. DeleteRoleCmd = "deleteRole"
  30. )
  31. type dynJSON struct {
  32. Clients []client `json:"clients"`
  33. Roles []role `json:"roles"`
  34. DefaultAcl defaultAccessAcl `json:"defaultACLAccess"`
  35. }
  36. var (
  37. mqAdminUserName string = "Netmaker-Admin"
  38. mqNetmakerServerUserName string = "Netmaker-Server"
  39. mqExporterUserName string = "Netmaker-Exporter"
  40. )
  41. type clientRole struct {
  42. Rolename string `json:"rolename"`
  43. }
  44. type client struct {
  45. Username string `json:"username"`
  46. TextName string `json:"textName"`
  47. Password string `json:"password"`
  48. Salt string `json:"salt"`
  49. Iterations int `json:"iterations"`
  50. Roles []clientRole `json:"roles"`
  51. }
  52. type role struct {
  53. Rolename string `json:"rolename"`
  54. Acls []Acl `json:"acls"`
  55. }
  56. type defaultAccessAcl struct {
  57. PublishClientSend bool `json:"publishClientSend"`
  58. PublishClientReceive bool `json:"publishClientReceive"`
  59. Subscribe bool `json:"subscribe"`
  60. Unsubscribe bool `json:"unsubscribe"`
  61. }
  62. type dynCnf struct {
  63. Clients []client `json:"clients"`
  64. Roles []role `json:"roles"`
  65. DefaultACLAccess defaultAccessAcl `json:"defaultACLAccess"`
  66. }
  67. type MqDynSecGroup struct {
  68. Groupname string `json:"groupname"`
  69. Priority int `json:"priority"`
  70. }
  71. type MqDynSecRole struct {
  72. Rolename string `json:"rolename"`
  73. Priority int `json:"priority"`
  74. }
  75. type Acl struct {
  76. AclType string `json:"acltype"`
  77. Topic string `json:"topic"`
  78. Priority int `json:"priority,omitempty"`
  79. Allow bool `json:"allow"`
  80. }
  81. type MqDynSecCmd struct {
  82. Command string `json:"command"`
  83. Username string `json:"username"`
  84. Password string `json:"password"`
  85. RoleName string `json:"rolename,omitempty"`
  86. Acls []Acl `json:"acls,omitempty"`
  87. Clientid string `json:"clientid"`
  88. Textname string `json:"textname"`
  89. Textdescription string `json:"textdescription"`
  90. Groups []MqDynSecGroup `json:"groups"`
  91. Roles []MqDynSecRole `json:"roles"`
  92. }
  93. type DynSecAction struct {
  94. Payload MqDynsecPayload
  95. }
  96. type MqDynsecPayload struct {
  97. Commands []MqDynSecCmd `json:"commands"`
  98. }
  99. func encodePasswordToPBKDF2(password string, salt string, iterations int, keyLength int) string {
  100. binaryEncoded := pbkdf2.Key([]byte(password), []byte(salt), iterations, keyLength, sha512.New)
  101. return base64.StdEncoding.EncodeToString(binaryEncoded)
  102. }
  103. func Configure() error {
  104. if servercfg.Is_EE {
  105. dynConfig.Clients = append(dynConfig.Clients, exporterMQClient)
  106. dynConfig.Roles = append(dynConfig.Roles, exporterMQRole)
  107. }
  108. password := servercfg.GetMqAdminPassword()
  109. if password == "" {
  110. return errors.New("MQ admin password not provided")
  111. }
  112. for i, cI := range dynConfig.Clients {
  113. if cI.Username == mqAdminUserName || cI.Username == mqNetmakerServerUserName {
  114. salt := logic.RandomString(12)
  115. hashed := encodePasswordToPBKDF2(password, salt, 101, 64)
  116. cI.Password = hashed
  117. cI.Iterations = 101
  118. cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
  119. dynConfig.Clients[i] = cI
  120. } else if servercfg.Is_EE && cI.Username == mqExporterUserName {
  121. exporterPassword := servercfg.GetLicenseKey()
  122. salt := logic.RandomString(12)
  123. hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64)
  124. cI.Password = hashed
  125. cI.Iterations = 101
  126. cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt))
  127. dynConfig.Clients[i] = cI
  128. }
  129. }
  130. data, err := json.MarshalIndent(dynConfig, "", " ")
  131. if err != nil {
  132. return err
  133. }
  134. path := functions.GetNetmakerPath() + ncutils.GetSeparator() + dynamicSecurityFile
  135. return os.WriteFile(path, data, 0755)
  136. }
  137. func PublishEventToDynSecTopic(event DynSecAction) error {
  138. d, err := json.Marshal(event.Payload)
  139. if err != nil {
  140. return err
  141. }
  142. var connecterr error
  143. if token := mqAdminClient.Publish(DynamicSecPubTopic, 2, false, d); !token.WaitTimeout(MQ_TIMEOUT*time.Second) || token.Error() != nil {
  144. if token.Error() == nil {
  145. connecterr = errors.New("connect timeout")
  146. } else {
  147. connecterr = token.Error()
  148. }
  149. }
  150. return connecterr
  151. }
  152. func watchDynSecTopic(client mqtt.Client, msg mqtt.Message) {
  153. logger.Log(1, fmt.Sprintf("----->WatchDynSecTopic Message: %+v", string(msg.Payload())))
  154. }