From 4864d6abb025fa5c0fd4b52e81ccb0c09553da50 Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Tue, 25 Oct 2022 11:26:44 -0400 Subject: [PATCH] Add mechanism to extend authentication to remote networks This allows user to designate certain networks to be treated as if they were local. This enables the initial token grant to be allowed to a remote network. This still requires that the api be armed (which should generally be a narrow window of opportunity) and that the request be privileged, it just allows remote networks to be elevated to be as trusted as local. --- confluent_server/confluent/credserver.py | 50 +++++++++++++++++++++++- confluent_server/confluent/sockapi.py | 1 + 2 files changed, 50 insertions(+), 1 deletion(-) diff --git a/confluent_server/confluent/credserver.py b/confluent_server/confluent/credserver.py index 89c536db..8484e326 100644 --- a/confluent_server/confluent/credserver.py +++ b/confluent_server/confluent/credserver.py @@ -25,6 +25,10 @@ import hashlib import hmac import os import struct +import ctypes +import ctypes.util + +libc = ctypes.CDLL(ctypes.util.find_library('c')) # cred grant tlvs: # 0, 0 - null @@ -36,6 +40,50 @@ import struct # 6, len, hmac - hmac of crypted key using shared secret for long-haul support # 128, len, len, key - sealed key +_semitrusted = [] + +def read_authnets(cfgpath): + with open(cfgpath, 'r') as cfgin: + _semitrusted = [] + for line in cfgin.readlines: + line = line.split('#', 1)[0].strip() + if '/' not in line: + continue + subnet, prefix = line.split('/') + _semitrusted.append((subnet, prefix)) + + +def watch_trusted(): + while True: + watcher = libc.inotify_init1(os.O_NONBLOCK) + cfgpath = '/etc/confluent/auth_nets' + if not os.path.exists(cfgpath): + with open(cfgpath, 'w') as cfgout: + cfgout.write( + '# This is a list of networks in addition to local\n' + '# networks to allow grant of initial deployment token,\n' + '# when a node has deployment API armed\n') + read_authnets(cfgpath) + if libc.inotify_add_watch(watcher, cfgpath, 0xcc2) <= -1: + eventlet.sleep(15) + continue + select.select((watcher,), (), (), 86400) + try: + os.read(watcher, 1024) + except Exception: + pass + os.close(watcher) + + + +def address_is_somewhat_trusted(address): + for authnet in _semitrusted: + if netutil.ip_on_same_subnet(address, authnet[0], authnet[1]): + return True + if netutil.address_is_local(address): + return True + return False + class CredServer(object): def __init__(self): self.cfm = cfm.ConfigManager(None) @@ -60,7 +108,7 @@ class CredServer(object): elif tlv[1]: client.recv(tlv[1]) if not hmackey: - if not netutil.address_is_local(peer[0]): + if not address_is_somewhat_trusted(peer[0]): client.close() return apimats = self.cfm.get_node_attributes(nodename, diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py index 341f1973..d7cd0736 100644 --- a/confluent_server/confluent/sockapi.py +++ b/confluent_server/confluent/sockapi.py @@ -496,6 +496,7 @@ class SockApi(object): self.start_remoteapi() else: eventlet.spawn_n(self.watch_for_cert) + eventlet.spawn_n(credserver.watch_trusted) eventlet.spawn_n(self.watch_resolv) self.unixdomainserver = eventlet.spawn(_unixdomainhandler)