-
Notifications
You must be signed in to change notification settings - Fork 291
/
security_rpc.go
96 lines (81 loc) · 2.59 KB
/
security_rpc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
//
// (C) Copyright 2019-2022 Intel Corporation.
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
package server
import (
"context"
"crypto"
"fmt"
"path/filepath"
"google.golang.org/protobuf/proto"
"github.com/daos-stack/daos/src/control/drpc"
"github.com/daos-stack/daos/src/control/lib/daos"
"github.com/daos-stack/daos/src/control/logging"
"github.com/daos-stack/daos/src/control/security"
"github.com/daos-stack/daos/src/control/security/auth"
)
// SecurityModule is the security drpc module struct
type SecurityModule struct {
log logging.Logger
config *security.TransportConfig
}
// NewSecurityModule creates a new security module with a transport config
func NewSecurityModule(log logging.Logger, tc *security.TransportConfig) *SecurityModule {
return &SecurityModule{
log: log,
config: tc,
}
}
func (m *SecurityModule) processValidateCredentials(body []byte) ([]byte, error) {
req := &auth.ValidateCredReq{}
err := proto.Unmarshal(body, req)
if err != nil {
return nil, drpc.UnmarshalingPayloadFailure()
}
cred := req.Cred
if cred == nil || cred.GetToken() == nil || cred.GetVerifier() == nil {
m.log.Error("malformed credential")
return m.validateRespWithStatus(daos.InvalidInput)
}
var key crypto.PublicKey
if m.config.AllowInsecure {
key = nil
} else {
certName := fmt.Sprintf("%s.crt", cred.Origin)
certPath := filepath.Join(m.config.ClientCertDir, certName)
cert, err := security.LoadCertificate(certPath)
if err != nil {
m.log.Errorf("loading certificate %s failed: %v", certPath, err)
return m.validateRespWithStatus(daos.NoCert)
}
key = cert.PublicKey
}
// Check our verifier
err = auth.VerifyToken(key, cred.GetToken(), cred.GetVerifier().GetData())
if err != nil {
m.log.Errorf("cred verification failed: %v", err)
return m.validateRespWithStatus(daos.NoPermission)
}
resp := &auth.ValidateCredResp{Token: cred.Token}
responseBytes, err := proto.Marshal(resp)
if err != nil {
return nil, drpc.MarshalingFailure()
}
return responseBytes, nil
}
func (m *SecurityModule) validateRespWithStatus(status daos.Status) ([]byte, error) {
return drpc.Marshal(&auth.ValidateCredResp{Status: int32(status)})
}
// HandleCall is the handler for calls to the SecurityModule
func (m *SecurityModule) HandleCall(_ context.Context, session *drpc.Session, method drpc.Method, body []byte) ([]byte, error) {
if method != drpc.MethodValidateCredentials {
return nil, drpc.UnknownMethodFailure()
}
return m.processValidateCredentials(body)
}
// ID will return Security module ID
func (m *SecurityModule) ID() drpc.ModuleID {
return drpc.ModuleSecurity
}