Diffstat (limited to 'components/authorize')
-rw-r--r--components/authorize/src/authorize_keys.erl26
-rw-r--r--components/authorize/src/authorize_rpc.erl65
2 files changed, 52 insertions, 39 deletions
diff --git a/components/authorize/src/authorize_keys.erl b/components/authorize/src/authorize_keys.erl
index 834935e..1d205b6 100644
--- a/components/authorize/src/authorize_keys.erl
+++ b/components/authorize/src/authorize_keys.erl
@@ -11,7 +11,8 @@
save_cert/4]).
-export([get_certificates/0,
get_certificates/1]).
--export([validate_message/2]).
+-export([validate_message/2,
+ validate_service_call/2]).
-export([filter_by_service/2,
find_cert_by_service/1]).
-export([public_key_to_json/1,
@@ -106,6 +107,9 @@ authorize_jwt() ->
validate_message(JWT, Conn) ->
gen_server:call(?MODULE, {validate_message, JWT, Conn}).
+validate_service_call(Service, Conn) ->
+ gen_server:call(?MODULE, {validate_service_call, Service, Conn}).
+
get_certificates() ->
get_certificates(local).
@@ -176,6 +180,8 @@ handle_call_({save_keys, Keys, Conn}, _, S) ->
{reply, ok, S};
handle_call_({validate_message, JWT, Conn}, _, S) ->
{reply, validate_message_(JWT, Conn), S};
+handle_call_({validate_service_call, Svc, Conn}, _, S) ->
+ {reply, validate_service_call_(Svc, Conn), S};
handle_call_({save_cert, Cert, JWT, {IP, Port} = Conn, LogId}, _, S) ->
case process_cert_struct(Cert, JWT) of
invalid ->
@@ -223,6 +229,14 @@ certs_by_conn(Conn) ->
?debug("rough selection: ~p~n", [[{abbrev_bin(C),I} || {C,I} <- Certs]]),
[C || {C,V} <- Certs, check_validity(V, UTC)].
+cert_recs_by_conn(Conn) ->
+ ?debug("cert_recs_by_conn(~p)~n", [Conn]),
+ UTC = rvi_common:utc_timestamp(),
+ Certs = ets:select(?CERTS, [{ {{Conn,'_'}, '$1'},
+ [], ['$1'] }]),
+ ?debug("rough selection: ~p~n", [[abbrev_bin(C#cert.id) || C <- Certs]]),
+ [C || C <- Certs, check_validity(C#cert.validity, UTC)].
+
filter_by_service_(Services, Conn) ->
?debug("Filter: certs = ~p", [ets:tab2list(?CERTS)]),
Invoke = ets:select(?CERTS, [{ {{Conn,'_'}, #cert{invoke = '$1',
@@ -524,6 +538,16 @@ validate_message_1([{_,K}|T], JWT) ->
validate_message_1([], _) ->
error(invalid).
+validate_service_call_(Svc, Conn) ->
+ case lists:filter(fun(C) -> can_invoke(Svc, C) end, cert_recs_by_conn(Conn)) of
+ [] ->
+ invalid;
+ [#cert{id = ID}|_] ->
+ {ok, ID}
+ end.
+
+can_invoke(Svc, #cert{invoke = In}) ->
+ lists:any(fun(I) -> match_svc(I, Svc) end, In).
pp_key(#'RSAPrivateKey'{modulus = Mod, publicExponent = Pub}) ->
P = integer_to_binary(Pub),
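Review bot: `validate_service_call_/2` returns the bare atom `invalid` on one path and `{ok, ID}` on the other, and the only thing deciding acceptance is whether any still-valid certificate on `Conn` has an `invoke` entry that `match_svc/2` accepts, so a short comment stating that contract would help the caller in authorize_rpc that now depends on it: `%% Returns {ok, CertID} for the first valid cert on Conn whose invoke patterns cover Svc, invalid otherwise.`. `match_svc/2` is not visible here, so whether an absent or `undefined` service name is rejected or matched by a wildcard pattern should be confirmed and noted. Also add the missing blank line between `can_invoke/2` and `pp_key/1`; the module's other functions are separated by one.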
diff --git a/components/authorize/src/authorize_rpc.erl b/components/authorize/src/authorize_rpc.erl
index 54a9657..c91b216 100644
--- a/components/authorize/src/authorize_rpc.erl
+++ b/components/authorize/src/authorize_rpc.erl
@@ -112,7 +112,7 @@ authorize_local_message(CompSpec, Service, Params) ->
rvi_common:request(authorize, ?MODULE, authorize_local_message,
[{service, Service},
{parameters, Params}],
- [status, signature], CompSpec).
+ [status], CompSpec).
authorize_remote_message(CompSpec, Service, Params) ->
?debug("authorize_rpc:authorize_remote_msg(): service: ~p ~n", [Service]),
@@ -301,17 +301,16 @@ handle_call({rvi, validate_authorization, [JWT, Certs, Conn | [_] = LogId] }, _F
handle_call({store_certs, [Certs, Conn | LogId]}, _From, State) ->
do_store_certs(Certs, Conn, LogId),
{reply, [ok], State};
-handle_call({rvi, authorize_local_message, [Service, Params | LogId] } = R, _From,
- #st{private_key = Key} = State) ->
+handle_call({rvi, authorize_local_message, [Service, _Params | LogId] } = R, _From, State) ->
?debug("authorize_rpc:handle_call(~p)~n", [R]),
case authorize_keys:find_cert_by_service(Service) of
- {ok, {ID, Cert}} ->
- Msg = Params ++ [{<<"certificate">>, Cert}],
- ?debug("authorize_rpc:authorize_local_message~nMsg = ~p~n",
- [authorize_keys:abbrev_payload(Msg)]),
- Sig = authorize_sig:encode_jwt(Msg, Key),
+ {ok, {ID, _Cert}} ->
+ %% Msg = Params ++ [{<<"certificate">>, Cert}],
+ %% ?debug("authorize_rpc:authorize_local_message~nMsg = ~p~n",
+ %% [authorize_keys:abbrev_payload(Msg)]),
+ %% Sig = authorize_sig:encode_jwt(Msg, Key),
log(LogId, "auth msg: Cert=~s", [authorize_keys:abbrev_bin(ID)]),
- {reply, [ok, Sig], State};
+ {reply, [ok], State};
_ ->
log(LogId, "NO CERTS for ~s", [Service]),
{reply, [ not_found ], State}
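Review bot: The four `%%`-prefixed lines in the `{ok, {ID, _Cert}} ->` branch are dead code and should be deleted rather than kept as comments; the commit history already preserves the old signing path, and the new clause no longer binds `#st{private_key = Key}` so nothing here can sign anyway. With the signature gone the reply shape shrinks from `[ok, Sig]` to `[ok]`, which matches the `[status]` expectation changed in the earlier hunk, but the clause head should say so: `%% Local messages are no longer signed; authorization is a cert lookup by service only.`. The enclosing `handle_call/3` continues past the hunk.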
@@ -324,29 +323,19 @@ handle_call({rvi, authorize_remote_message, [_Service, Params | LogId]},
Timeout = proplists:get_value(timeout, Params),
SvcName = proplists:get_value(service_name, Params),
Parameters = proplists:get_value(parameters, Params),
- Signature = proplists:get_value(signature, Params),
?debug("authorize_rpc:authorize_remote_message(): remote_ip: ~p~n", [IP]),
?debug("authorize_rpc:authorize_remote_message(): remote_port: ~p~n", [Port]),
?debug("authorize_rpc:authorize_remote_message(): timeout: ~p~n", [Timeout]),
?debug("authorize_rpc:authorize_remote_message(): service_name: ~p~n", [SvcName]),
?debug("authorize_rpc:authorize_remote_message(): parameters: ~p~n", [Parameters]),
- ?debug("authorize_rpc:authorize_remote_message(): signature: ~40s~n", [Signature]),
- case authorize_keys:validate_message(
- iolist_to_binary(Signature), {IP, Port}) of
+ case authorize_keys:validate_service_call(SvcName, {IP, Port}) of
invalid ->
- log(LogId, "signature INVALID", []),
+ log(LogId, "remote msg REJECTED", []),
{reply, [ not_found ], State};
- Msg ->
- case check_msg([{"timeout", Timeout},
- {"service_name", SvcName},
- {"parameters", Parameters}], Msg) of
- ok ->
- log(LogId, "params verified", []),
- {reply, [ok], State};
- {error, {mismatch, Bad}} ->
- log(LogId, "params MISMATCH: ~p", [Bad]),
- {reply, [not_found], State}
- end
+ {ok, CertID} ->
+ ?debug("validated Cert ID=~p", [CertID]),
+ log(LogId, "remote msg allowed: Cert=~s", [CertID]),
+ {reply, [ok], State}
end;
handle_call({rvi, filter_by_service, [Services, Conn | _LogId]}, _From, State) ->
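Review bot: The new `authorize_keys:validate_service_call(SvcName, {IP, Port})` check drops per-message verification: the old path validated a JWT and then compared `timeout`, `service_name` and `parameters` against the signed payload via `check_msg/2`, whereas the new path only asks whether some valid certificate bound to the peer's `{IP, Port}` lists an invoke pattern covering `SvcName`, so integrity of the parameters and the binding of the message to a key holder now rest entirely on the connection layer. If that is intentional (presumably because the transport authenticates the peer), the clause needs a comment stating the assumption, e.g. `%% No per-message signature: trust is derived from the certs already stored for this {IP,Port}; the transport must authenticate the peer and protect message integrity.`. `Signature` is no longer read from `Params`, so a stale `signature` field from older peers is silently ignored, and `SvcName` may be `undefined` when `service_name` is absent, so a guard such as `SvcName =:= undefined -> {reply, [not_found], State}` before the lookup would avoid depending on how `match_svc/2` treats that. The `authorize_remote_message` clause begins before this hunk, where `IP` and `Port` are bound.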
@@ -417,8 +406,8 @@ log([ID], Fmt, Args) ->
log(_, _, _) ->
ok.
-check_msg(Checks, Params) ->
- check_msg(Checks, Params, []).
+%% check_msg(Checks, Params) ->
+%% check_msg(Checks, Params, []).
%% {ok, Timeout1} = rvi_common:get_json_element(["timeout"], Msg),
%% {ok, SvcName1} = rvi_common:get_json_element(["service_name"], Msg),
@@ -438,14 +427,14 @@ check_msg(Checks, Params) ->
%% end
%% end;
-check_msg([], _, []) ->
- ok;
-check_msg([{Key, Expect}|T], Msg, Acc) ->
- case rvi_common:get_json_element([Key], Msg) of
- {ok, Expect} ->
- check_msg(T, Msg, Acc);
- _ ->
- check_msg(T, Msg, [Key|Acc])
- end;
-check_msg([], _, [_|_] = Acc) ->
- {error, {mismatch, lists:reverse(Acc)}}.
+%% check_msg([], _, []) ->
+%% ok;
+%% check_msg([{Key, Expect}|T], Msg, Acc) ->
+%% case rvi_common:get_json_element([Key], Msg) of
+%% {ok, Expect} ->
+%% check_msg(T, Msg, Acc);
+%% _ ->
+%% check_msg(T, Msg, [Key|Acc])
+%% end;
+%% check_msg([], _, [_|_] = Acc) ->
+%% {error, {mismatch, lists:reverse(Acc)}}.