vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-01 18:19:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
safing-portmaster/spn/cabin/identity.go
Daniel Hååvi 80664d1a27
Restructure modules (#1572) 
* Move portbase into monorepo

* Add new simple module mgr

* [WIP] Switch to new simple module mgr

* Add StateMgr and more worker variants

* [WIP] Switch more modules

* [WIP] Switch more modules

* [WIP] swtich more modules

* [WIP] switch all SPN modules

* [WIP] switch all service modules

* [WIP] Convert all workers to the new module system

* [WIP] add new task system to module manager

* [WIP] Add second take for scheduling workers

* [WIP] Add FIXME for bugs in new scheduler

* [WIP] Add minor improvements to scheduler

* [WIP] Add new worker scheduler

* [WIP] Fix more bug related to new module system

* [WIP] Fix start handing of the new module system

* [WIP] Improve startup process

* [WIP] Fix minor issues

* [WIP] Fix missing subsystem in settings

* [WIP] Initialize managers in constructor

* [WIP] Move module event initialization to constrictors

* [WIP] Fix setting for enabling and disabling the SPN module

* [WIP] Move API registeration into module construction

* [WIP] Update states mgr for all modules

* [WIP] Add CmdLine operation support

* Add state helper methods to module group and instance

* Add notification and module status handling to status package

* Fix starting issues

* Remove pilot widget and update security lock to new status data

* Remove debug logs

* Improve http server shutdown

* Add workaround for cleanly shutting down firewall+netquery

* Improve logging

* Add syncing states with notifications for new module system

* Improve starting, stopping, shutdown; resolve FIXMEs/TODOs

* [WIP] Fix most unit tests

* Review new module system and fix minor issues

* Push shutdown and restart events again via API

* Set sleep mode via interface

* Update example/template module

* [WIP] Fix spn/cabin unit test

* Remove deprecated UI elements

* Make log output more similar for the logging transition phase

* Switch spn hub and observer cmds to new module system

* Fix log sources

* Make worker mgr less error prone

* Fix tests and minor issues

* Fix observation hub

* Improve shutdown and restart handling

* Split up big connection.go source file

* Move varint and dsd packages to structures repo

* Improve expansion test

* Fix linter warnings

* Fix interception module on windows

* Fix linter errors

---------

Co-authored-by: Vladimir Stoilov <vladimir@safing.io>
2024-08-09 18:15:48 +03:00

311 lines
7.6 KiB
Go
Raw Blame History

package cabin
import (
"context"
"errors"
"fmt"
"time"
"github.com/safing/jess"
"github.com/safing/jess/tools"
"github.com/safing/portmaster/base/database/record"
"github.com/safing/portmaster/base/info"
"github.com/safing/portmaster/base/log"
"github.com/safing/portmaster/spn/conf"
"github.com/safing/portmaster/spn/hub"
)
const (
// DefaultIDKeyScheme is the default jess tool for creating ID keys.
DefaultIDKeyScheme = "Ed25519"
// DefaultIDKeySecurityLevel is the default security level for creating ID keys.
DefaultIDKeySecurityLevel = 256 // Ed25519 security level is fixed, setting is ignored.
)
// Identity holds the identity of a Hub.
type Identity struct {
record.Base
ID string
Map string
Hub *hub.Hub
Signet *jess.Signet
ExchKeys map[string]*ExchKey
infoExportCache []byte
statusExportCache []byte
}
// Lock locks the Identity through the Hub lock.
func (id *Identity) Lock() {
id.Hub.Lock()
}
// Unlock unlocks the Identity through the Hub lock.
func (id *Identity) Unlock() {
id.Hub.Unlock()
}
// ExchKey holds the private information of a HubKey.
type ExchKey struct {
Created time.Time
Expires time.Time
key *jess.Signet
tool *tools.Tool
}
// CreateIdentity creates a new identity.
func CreateIdentity(ctx context.Context, mapName string) (*Identity, error) {
id := &Identity{
Map: mapName,
ExchKeys: make(map[string]*ExchKey),
}
// create signet
signet, recipient, err := hub.CreateHubSignet(DefaultIDKeyScheme, DefaultIDKeySecurityLevel)
if err != nil {
return nil, err
}
id.Signet = signet
id.ID = signet.ID
id.Hub = &hub.Hub{
ID: id.ID,
Map: mapName,
PublicKey: recipient,
}
// initial maintenance routine
_, err = id.MaintainAnnouncement(nil, true)
if err != nil {
return nil, fmt.Errorf("failed to initialize announcement: %w", err)
}
_, err = id.MaintainStatus([]*hub.Lane{}, new(int), nil, true)
if err != nil {
return nil, fmt.Errorf("failed to initialize status: %w", err)
}
return id, nil
}
// MaintainAnnouncement maintains the Hub's Announcenemt and returns whether
// there was a change that should be communicated to other Hubs.
// If newInfo is nil, it will be derived from configuration.
func (id *Identity) MaintainAnnouncement(newInfo *hub.Announcement, selfcheck bool) (changed bool, err error) {
id.Lock()
defer id.Unlock()
// Populate new info with data.
if newInfo == nil {
newInfo = getPublicHubInfo()
}
newInfo.ID = id.Hub.ID
if id.Hub.Info != nil {
newInfo.Timestamp = id.Hub.Info.Timestamp
}
if !newInfo.Equal(id.Hub.Info) {
changed = true
}
if changed {
// Update timestamp.
newInfo.Timestamp = time.Now().Unix()
}
if changed || selfcheck {
// Export new data.
newInfoData, err := newInfo.Export(id.signingEnvelope())
if err != nil {
return false, fmt.Errorf("failed to export: %w", err)
}
// Apply the status as all other Hubs would in order to check if it's valid.
_, _, _, err = hub.ApplyAnnouncement(id.Hub, newInfoData, conf.MainMapName, conf.MainMapScope, true)
if err != nil {
return false, fmt.Errorf("failed to apply new announcement: %w", err)
}
id.infoExportCache = newInfoData
// Save message to hub message storage.
err = hub.SaveHubMsg(id.ID, conf.MainMapName, hub.MsgTypeAnnouncement, newInfoData)
if err != nil {
log.Warningf("spn/cabin: failed to save own new/updated announcement of %s: %s", id.ID, err)
}
}
return changed, nil
}
// MaintainStatus maintains the Hub's Status and returns whether there was a change that should be communicated to other Hubs.
func (id *Identity) MaintainStatus(lanes []*hub.Lane, load *int, flags []string, selfcheck bool) (changed bool, err error) {
id.Lock()
defer id.Unlock()
// Create a new status or make a copy of the status for editing.
var newStatus *hub.Status
if id.Hub.Status != nil {
newStatus = id.Hub.Status.Copy()
} else {
newStatus = &hub.Status{}
}
// Update software version.
if newStatus.Version != info.Version() {
newStatus.Version = info.Version()
changed = true
}
// Update keys.
keysChanged, err := id.MaintainExchKeys(newStatus, time.Now())
if err != nil {
return false, fmt.Errorf("failed to maintain keys: %w", err)
}
if keysChanged {
changed = true
}
// Update lanes.
if lanes != nil && !hub.LanesEqual(newStatus.Lanes, lanes) {
newStatus.Lanes = lanes
changed = true
}
// Update load.
if load != nil && newStatus.Load != *load {
newStatus.Load = *load
changed = true
}
// Update flags.
if !hub.FlagsEqual(newStatus.Flags, flags) {
newStatus.Flags = flags
changed = true
}
// Update timestamp if something changed.
if changed {
newStatus.Timestamp = time.Now().Unix()
}
if changed || selfcheck {
// Export new data.
newStatusData, err := newStatus.Export(id.signingEnvelope())
if err != nil {
return false, fmt.Errorf("failed to export: %w", err)
}
// Apply the status as all other Hubs would in order to check if it's valid.
_, _, _, err = hub.ApplyStatus(id.Hub, newStatusData, conf.MainMapName, conf.MainMapScope, true)
if err != nil {
return false, fmt.Errorf("failed to apply new status: %w", err)
}
id.statusExportCache = newStatusData
// Save message to hub message storage.
err = hub.SaveHubMsg(id.ID, conf.MainMapName, hub.MsgTypeStatus, newStatusData)
if err != nil {
log.Warningf("spn/cabin: failed to save own new/updated status: %s", err)
}
}
return changed, nil
}
// MakeOfflineStatus creates and signs an offline status message.
func (id *Identity) MakeOfflineStatus() (offlineStatusExport []byte, err error) {
// Make offline status.
newStatus := &hub.Status{
Timestamp: time.Now().Unix(),
Version: info.Version(),
Flags: []string{hub.FlagOffline},
}
// Export new data.
newStatusData, err := newStatus.Export(id.signingEnvelope())
if err != nil {
return nil, fmt.Errorf("failed to export: %w", err)
}
return newStatusData, nil
}
func (id *Identity) signingEnvelope() *jess.Envelope {
env := jess.NewUnconfiguredEnvelope()
env.SuiteID = jess.SuiteSignV1
env.Senders = []*jess.Signet{id.Signet}
return env
}
// ExportAnnouncement serializes and signs the Announcement.
func (id *Identity) ExportAnnouncement() ([]byte, error) {
id.Lock()
defer id.Unlock()
if id.infoExportCache == nil {
return nil, errors.New("announcement not exported")
}
return id.infoExportCache, nil
}
// ExportStatus serializes and signs the Status.
func (id *Identity) ExportStatus() ([]byte, error) {
id.Lock()
defer id.Unlock()
if id.statusExportCache == nil {
return nil, errors.New("status not exported")
}
return id.statusExportCache, nil
}
// SignHubMsg signs a data blob with the identity's private key.
func (id *Identity) SignHubMsg(data []byte) ([]byte, error) {
return hub.SignHubMsg(data, id.signingEnvelope(), false)
}
// GetSignet returns the private exchange key with the given ID.
func (id *Identity) GetSignet(keyID string, recipient bool) (*jess.Signet, error) {
if recipient {
return nil, errors.New("cabin.Identity only serves private keys")
}
id.Lock()
defer id.Unlock()
key, ok := id.ExchKeys[keyID]
if !ok {
return nil, errors.New("the requested key does not exist")
}
if time.Now().After(key.Expires) || key.key == nil {
return nil, errors.New("the requested key has expired")
}
return key.key, nil
}
func (ek *ExchKey) toHubKey() (*hub.Key, error) {
if ek.key == nil {
return nil, errors.New("no key")
}
// export public key
rcpt, err := ek.key.AsRecipient()
if err != nil {
return nil, err
}
err = rcpt.StoreKey()
if err != nil {
return nil, err
}
// repackage
return &hub.Key{
Scheme: rcpt.Scheme,
Key: rcpt.Key,
Expires: ek.Expires.Unix(),
}, nil
}
Reference in a new issue View git blame Copy permalink