Add mechanism to extend authentication to remote networks

This allows user to designate certain networks to be treated as if they were local. This enables the initial token grant to be allowed to a remote network. This still requires that the api be armed (which should generally be a narrow window of opportunity) and that the request be privileged, it just allows remote networks to be elevated to be as trusted as local.
2024-11-22 17:43:14 +00:00 · 2022-10-25 11:26:44 -04:00 · 2022-10-25 11:26:44 -04:00 · 4864d6abb0
commit 4864d6abb0
parent 5794cd5d12
2 changed files with 50 additions and 1 deletions
--- a/confluent_server/confluent/credserver.py
+++ b/confluent_server/confluent/credserver.py
@ -25,6 +25,10 @@ import hashlib
 import hmac
 import os
 import struct
+import ctypes
+import ctypes.util
+
+libc = ctypes.CDLL(ctypes.util.find_library('c'))

 # cred grant tlvs:
 # 0, 0 - null
@ -36,6 +40,50 @@ import struct
 # 6, len, hmac - hmac of crypted key using shared secret for long-haul support
 # 128, len, len, key - sealed key

+_semitrusted = []
+
+def read_authnets(cfgpath):
+    with open(cfgpath, 'r') as cfgin:
+            _semitrusted = []
+            for line in cfgin.readlines:
+                line = line.split('#', 1)[0].strip()
+                if '/' not in line:
+                    continue
+                subnet, prefix = line.split('/')
+                _semitrusted.append((subnet, prefix))
+
+
+def watch_trusted():
+    while True:
+        watcher = libc.inotify_init1(os.O_NONBLOCK)
+        cfgpath = '/etc/confluent/auth_nets'
+        if not os.path.exists(cfgpath):
+            with open(cfgpath, 'w') as cfgout:
+                cfgout.write(
+                    '# This is a list of networks in addition to local\n'
+                    '# networks to allow grant of initial deployment token,\n'
+                    '# when a node has deployment API armed\n')
+        read_authnets(cfgpath)
+        if libc.inotify_add_watch(watcher, cfgpath, 0xcc2) <= -1:
+            eventlet.sleep(15)
+            continue
+        select.select((watcher,), (), (), 86400)
+        try:
+            os.read(watcher, 1024)
+        except Exception:
+            pass
+        os.close(watcher)
+
+
+
+def address_is_somewhat_trusted(address):
+    for authnet in _semitrusted:
+        if netutil.ip_on_same_subnet(address, authnet[0], authnet[1]):
+            return True
+    if netutil.address_is_local(address):
+        return True
+    return False
+
 class CredServer(object):
    def __init__(self):
        self.cfm = cfm.ConfigManager(None)
@ -60,7 +108,7 @@ class CredServer(object):
            elif tlv[1]:
                client.recv(tlv[1])
            if not hmackey:
-                if not netutil.address_is_local(peer[0]):
+                if not address_is_somewhat_trusted(peer[0]):
                    client.close()
                    return
                apimats = self.cfm.get_node_attributes(nodename,
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@ -496,6 +496,7 @@ class SockApi(object):
            self.start_remoteapi()
        else:
            eventlet.spawn_n(self.watch_for_cert)
+        eventlet.spawn_n(credserver.watch_trusted)
        eventlet.spawn_n(self.watch_resolv)
        self.unixdomainserver = eventlet.spawn(_unixdomainhandler)