01eab5c7
Commit
01eab5c7
authored
Dec 01, 2022
by
Roman Azarenko
Revert "sulu: Role based access control"
This reverts commit
ec653370
.
parent
1bab072a
Changes
22
sulu-builder/Makefile
@@ -152,26 +152,7 @@ define Package/${PKG_NAME}/install
ifeq
($(CONFIG_PACKAGE_skopeo)$(CONFIG_PACKAGE_umoci),yy)
$(CP)
$(PKG_BUILD_DIR)/build/src/config/widgets/lcm-store.json
$(1)/sulu/config/widgets/
endif
$(INSTALL_DIR)
$(1)/etc/config
$(INSTALL_BIN)
./files/etc/config/sulu
$(1)/etc/config/sulu
$(INSTALL_DIR)
$(1)/etc/init.d
$(INSTALL_BIN)
./files/etc/init.d/sulu
$(1)/etc/init.d/sulu
$(INSTALL_DIR)
$(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA)
./files/etc/mosquitto/conf.d/obuspa.conf
$(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA)
./files/etc/mosquitto/conf.d/sulu.conf
$(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA)
./files/etc/mosquitto/sulu.password
$(1)/etc/mosquitto/sulu.password
$(INSTALL_DIR)
$(1)/etc/nginx/conf.d
$(INSTALL_DATA)
./files/etc/nginx/conf.d/sulu.conf
$(1)/etc/nginx/conf.d/
$(INSTALL_DIR)
$(1)/etc/sulu
$(INSTALL_DATA)
./files/etc/sulu/roles.json
$(1)/etc/sulu/
$(INSTALL_BIN)
./files/etc/sulu/sulu.sh
$(1)/etc/sulu/
$(INSTALL_DIR)
$(1)/etc/uci-defaults
$(INSTALL_BIN)
./files/etc/uci-defaults/99-fix-sulu-config
$(1)/etc/uci-defaults/
$(CP)
./files/*
$(1)/
endef
$(eval
$(call
BuildPackage,${PKG_NAME}))
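Review bot: On the new side the install rule ends with `$(CP) ./files/* $(1)/`, which copies every file with whatever mode it has in the source tree and skips dotfiles, unlike the `$(INSTALL_BIN)`/`$(INSTALL_DATA)` lines it stands in for, which set modes explicitly; `files/etc/init.d/sulu`, still present after this commit, therefore depends on its execute bit being preserved by the tree and by `$(CP)`. If that dependency is intended, a comment above the line would make it visible, e.g. `# files/ is copied verbatim; executable bits (init.d) come from the source tree`. Which lines of this hunk are context and which are removed cannot be told apart in this rendering, so the above assumes the glob copy is what remains.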
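--- a/sulu-builder/files/etc/config/sulu
+++ b/sulu-builder/files/etc/config/sulu
@@ -1,6 +0,0 @@
-config global 'global'
-option enabled '1'
-option enable_system_credentials '1'
-option role_based_access '1'
-list user 'admin'
-list user 'user'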
sulu-builder/files/etc/init.d/sulu
#!/bin/sh /etc/rc.common
USE_PROCD
=
1
START
=
99
STOP
=
0
1
STOP
=
1
0
.
/lib/functions.sh
.
/etc/sulu/sulu.sh
USE_PROCD
=
1
log
()
{
echo
"
${
@
}
"
|logger
-t
sulu.init
-p
debug
}
validate_sulu_global_section
()
{
uci_validate_section sulu global global
\
'enabled:bool:1'
\
'enable_system_credentials:bool:1'
\
'role_based_access:bool:0'
}
start_service
()
{
local
enabled enable_system_credentials role_based_access
config_load sulu
procd_open_instance sulu
validate_sulu_global_section
||
return
0
;
# append sulu connection injection
if
[
"
${
enabled
}
"
-eq
"0"
]
;
then
procd_close_instance
return
0
fi
configure_sulu
"
${
enable_system_credentials
}
"
"
${
role_based_access
}
"
1
update_nginx_config
"
${
enabled
}
"
procd_close_instance
}
reload_service
()
{
@@ -45,5 +23,5 @@ reload_service() {
service_triggers
()
{
procd_add_
reload
_trigger
"
sulu"
procd_add_
config
_trigger
"
config.change"
"obuspa"
/etc/init.d/sulu reload
}
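Review bot: `procd_add_config_trigger "config.change" "obuspa" /etc/init.d/sulu reload` in service_triggers reloads sulu whenever a different package's UCI config changes, and nothing in the file says why sulu depends on obuspa; a one-line comment above the trigger, e.g. `# reload when obuspa's UCI config changes: <state the dependency here>`, would spare the next reader a trip through the other package. This hunk is a word-level diff of that single line against `procd_add_reload_trigger "sulu"`; with `/etc/config/sulu` deleted in this commit the obuspa trigger is presumably the surviving form, but the rendering does not show the side explicitly. The first hunk of this file likewise cannot be split into old and new lines here, so the new body of start_service was not reviewed.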
sulu-builder/files/etc/mosquitto/conf.d/sulu.conf
listener
9001
protocol
websockets
plugin
/
usr
/
lib
/
mosquitto_auth_shadow
.
so
require_certificate
false
allow_anonymous
false
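Review bot: `listener 9001` on the new side has no bind address and the file sets no `certfile`/`keyfile`, so as far as this file shows the websocket listener takes the shadow-plugin password authentication (`allow_anonymous false`) in clear on every interface; `require_certificate false` is the default and has no effect without TLS. If TLS is terminated in front of this port or the listener is meant to be reachable only inside the device, a comment stating that boundary belongs here, e.g. `# plaintext ws listener; reachable only via <describe the boundary>`; otherwise a bind address (`listener 9001 127.0.0.1`) or the TLS settings should be added. The `plugin /usr/lib/mosquitto_auth_shadow.so` line is the word-diffed one, so whether the revert adds or removes it is not recoverable from the rendering.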
sulu-builder/files/etc/mosquitto/sulu.password
deleted
100644 → 0
admin:$6$OmM9kU/lYct3KJ9j$iP0WK4ezEtRm8+EAggNp7WbJFoWO0p7IUdI0v/hr1WcVHyfFAC30Pb8Csn7GqwwqI2dcmnDOAITnimo2VNe6ug==
sulu-builder/files/etc/nginx/conf.d/sulu.conf
deleted
100644 → 0
server
{
listen
8080
;
listen
[::]:
8080
;
server_name
_
sulu
;
root
/
sulu
;
location
/
config
/ {
autoindex
on
;
if
($
request_method
=
'OPTIONS'
) {
add_header
'Access-Control-Allow-Origin'
'*'
;
add_header
'Access-Control-Allow-Methods'
'GET, POST, OPTIONS'
;
add_header
'Access-Control-Allow-Headers'
'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'
;
add_header
'Access-Control-Max-Age'
1728000
;
add_header
'Content-Type'
'text/plain; charset=utf-8'
;
add_header
'Content-Length'
0
;
return
204
;
}
if
($
request_method
=
'GET'
) {
add_header
'Access-Control-Allow-Origin'
'*'
always
;
add_header
'Access-Control-Allow-Methods'
'GET, POST, OPTIONS'
always
;
add_header
'Access-Control-Allow-Headers'
'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'
always
;
add_header
'Access-Control-Expose-Headers'
'Content-Length,Content-Range'
always
;
}
}
}
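--- a/sulu-builder/files/etc/nginx/conf.d/sulu.locations
+++ b/sulu-builder/files/etc/nginx/conf.d/sulu.locations
@@ -0,0 +1,18 @@
+location /config/ {
+autoindex on;
+if ($request_method = 'OPTIONS') {
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Max-Age' 1728000;
+add_header 'Content-Type' 'text/plain; charset=utf-8';
+add_header 'Content-Length' 0;
+return 204;
+}
+if ($request_method = 'GET') {
+add_header 'Access-Control-Allow-Origin' '*' always;
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+}
+}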
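Review bot: `autoindex on` combined with `add_header 'Access-Control-Allow-Origin' '*' always;` in the GET branch lets a page from any origin enumerate and read everything under `/config/`, so whatever is placed there is public to every site a browser on the network visits, and the file does not say why a wildcard is required. If the UI is served from another origin and needs specific files, restricting the origin or serving the exact files instead of a listing is the safer shape; at minimum a comment stating what lives under `/config/` and why it may be exposed cross-origin should sit above the `location`. `Access-Control-Allow-Methods 'GET, POST, OPTIONS'` also advertises POST on a static, autoindexed location, which nginx answers with 405 for static content, so dropping `POST` keeps the preflight answer honest.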
sulu-builder/files/etc/sulu/roles.json
deleted
100644 → 0
{
"roles"
:
[
{
"name"
:
"admin"
,
"permission"
:
[
{
"object"
:
"Device."
,
"perm"
:
[
"PERMIT_ALL"
]
}
]
},
{
"name"
:
"user"
,
"permission"
:
[
{
"object"
:
"Device."
,
"perm"
:
[
"PERMIT_GET"
,
"PERMIT_GET_INST"
,
"PERMIT_OBJ_INFO"
,
"PERMIT_CMD_INFO"
]
},
{
"object"
:
"Device.LocalAgent.Subscription."
,
"perm"
:
[
"PERMIT_GET"
,
"PERMIT_GET_INST"
,
"PERMIT_OBJ_INFO"
,
"PERMIT_CMD_INFO"
,
"PERMIT_ADD"
,
"PERMIT_SET"
,
"PERMIT_DEL"
]
},
{
"object"
:
"Device.WiFi."
,
"perm"
:
[
"PERMIT_GET"
,
"PERMIT_GET_INST"
,
"PERMIT_OBJ_INFO"
,
"PERMIT_CMD_INFO"
,
"PERMIT_OPER"
,
"PERMIT_SUBS_VAL_CHANGE"
,
"PERMIT_SUBS_OBJ_ADD"
,
"PERMIT_SUBS_OBJ_DEL"
,
"PERMIT_SUBS_EVT_OPER_COMP"
]
},
{
"object"
:
"Device.DNS."
,
"perm"
:
[
"PERMIT_GET"
,
"PERMIT_GET_INST"
,
"PERMIT_OBJ_INFO"
,
"PERMIT_CMD_INFO"
,
"PERMIT_OPER"
,
"PERMIT_SUBS_VAL_CHANGE"
,
"PERMIT_SUBS_OBJ_ADD"
,
"PERMIT_SUBS_OBJ_DEL"
,
"PERMIT_SUBS_EVT_OPER_COMP"
]
},
{
"object"
:
"Device.IP."
,
"perm"
:
[
"PERMIT_GET"
,
"PERMIT_GET_INST"
,
"PERMIT_OBJ_INFO"
,
"PERMIT_CMD_INFO"
,
"PERMIT_OPER"
,
"PERMIT_SUBS_VAL_CHANGE"
,
"PERMIT_SUBS_OBJ_ADD"
,
"PERMIT_SUBS_OBJ_DEL"
,
"PERMIT_SUBS_EVT_OPER_COMP"
]
}
]
},
{
"name"
:
"undefined-1"
},
{
"name"
:
"undefined-2"
},
{
"name"
:
"undefined-3"
},
{
"name"
:
"undefined-4"
}
]
}
sulu-builder/files/etc/sulu/sulu.sh
deleted
100644 → 0
#!/bin/sh
.
/lib/functions.sh
SULU_CONFIG
=
"/sulu/config/connectionConfig.json"
ACL_FILE
=
"/tmp/sulu/mqtt.acl"
MB_SULU_CONF
=
"/etc/mosquitto/conf.d/sulu.conf"
_RESTART_SERVICES
=
"0"
mkdir
-p
/tmp/sulu/
function
slog
()
{
echo
"
$*
"
|logger
-t
sulu.init
-p
debug
}
function
_get_agent_id
()
{
local
oui serial endpointid
endpointid
=
"
$(
uci_get obuspa localagent EndpointID
)
"
if
[
-z
"
${
endpointid
}
"
]
;
then
oui
=
"
$(
db
-q
get device.deviceinfo.ManufacturerOUI
)
"
serial
=
"
$(
db
-q
get device.deviceinfo.SerialNumber
)
"
echo
"
${
oui
}
-
${
serial
}
"
else
echo
"
$(
echo
"
${
endpointid
/
::/,
}
"
|cut
-d
","
-f
2
)
"
fi
}
function
_get_endpoint_id
()
{
local
oui serial endpointid
endpointid
=
"
$(
uci_get obuspa localagent EndpointID
)
"
if
[
-z
"
${
endpointid
}
"
]
;
then
oui
=
"
$(
db
-q
get device.deviceinfo.ManufacturerOUI
)
"
serial
=
"
$(
db
-q
get device.deviceinfo.SerialNumber
)
"
echo
"os::
${
oui
}
-
${
serial
}
"
else
echo
"
${
endpointid
}
"
fi
}
function
_get_sulu_users
()
{
echo
"
$(
uci
-q
get sulu.global.user
)
"
}
function
generate_sulu_conn_config
()
{
local
rbac
users
rbac
=
"
${
1
}
"
users
=
"
$(
_get_sulu_users
)
"
json_init
;
if
[
"
${
rbac
}
"
-eq
"1"
]
;
then
json_add_string
'currentConnection'
'rbac'
;
else
json_add_string
'currentConnection'
'main'
;
fi
json_add_object
'connections'
;
json_add_object
'rbac'
;
json_add_string
'toId'
"
$(
_get_endpoint_id
)
"
;
json_add_int
'port'
9001
;
json_add_string
'protocol'
'ws'
;
json_add_array
'auth'
;
json_close_array
;
json_add_object
'overrides'
;
for
f
in
${
users
}
;
do
json_add_object
"
${
f
}
"
;
json_add_string
'fromId'
"self::sulu-
${
f
}
"
;
json_add_string
'publishEndpoint'
"/usp/
$(
_get_agent_id
)
/
${
f
}
/endpoint"
;
json_add_string
'subscribeEndpoint'
"/usp/
$(
_get_agent_id
)
/
${
f
}
/controller"
;
json_close_object
;
done
json_close_object
;
json_close_object
;
# add the default connection
json_add_object
'main'
;
json_add_string
'fromId'
'proto::interop-usp-controller'
;
json_add_string
'toId'
"
$(
_get_endpoint_id
)
"
;
json_add_int
'port'
9001
;
json_add_string
'protocol'
'ws'
;
json_add_string
'publishEndpoint'
"/usp/endpoint"
;
json_add_string
'subscribeEndpoint'
"/usp/controller"
;
json_add_array
'auth'
;
json_close_array
;
json_close_object
;
json_close_object
;
json_dump
>
${
SULU_CONFIG
}
}
function
set_sulu_connection_mode
()
{
local
rbac profile config
rbac
=
"
${
1
}
"
profile
=
"
$(
jq
'.currentConnection'
${
SULU_CONFIG
}
)
"
if
[
"
$rbac
"
-eq
"1"
-a
"
${
profile
}
"
==
"
\"
main
\"
"
]
;
then
config
=
"
$(
jq
'.currentConnection = "rbac"'
${
SULU_CONFIG
}
)
"
echo
"
${
config
}
"
>
${
SULU_CONFIG
}
elif
[
"
$rbac
"
-eq
"0"
-a
"
${
profile
}
"
==
"
\"
rbac
\"
"
]
;
then
config
=
"
$(
jq
'.currentConnection = "main"'
${
SULU_CONFIG
}
)
"
echo
"
${
config
}
"
>
${
SULU_CONFIG
}
fi
}
function
_update_obuspa_config
()
{
local
restart
restart
=
0
if
!
uci_get obuspa localmqtt
>
/dev/null 2>&1
;
then
uci_add obuspa mqtt localmqtt
uci_set obuspa localmqtt BrokerAddress
"127.0.0.1"
uci_set obuspa localmqtt BrokerPort
"1883"
uci_set obuspa localmqtt TransportProtocol
"TCP/IP"
restart
=
1
fi
if
!
uci_get obuspa agent_mtp
>
/dev/null 2>&1
;
then
uci_add obuspa mtp agent_mtp
uci_set obuspa agent_mtp Protocol
"MQTT"
uci_set obuspa agent_mtp ResponseTopicConfigured
"/usp/endpoint"
uci_set obuspa agent_mtp mqtt
"localmqtt"
restart
=
1
fi
if
!
uci_get obuspa localcontroller
>
/dev/null 2>&1
;
then
uci_add obuspa controller localcontroller
uci_set obuspa localcontroller EndpointID
"proto::interop-usp-controller"
uci_set obuspa localcontroller Protocol
"MQTT"
uci_set obuspa localcontroller Topic
"/usp/controller"
uci_set obuspa localcontroller mqtt
"localmqtt"
uci_set obuspa localcontroller assigned_role_name
"full_access"
restart
=
1
fi
return
"
${
restart
}
"
}
function
_remove_obuspa_config
()
{
local
restart
restart
=
0
if
[
"
$(
uci_get obuspa localmqtt
)
"
==
"mqtt"
]
;
then
uci_remove obuspa localmqtt
restart
=
1
fi
if
[
"
$(
uci_get obuspa agent_mtp
)
"
==
"mtp"
]
;
then
uci_remove obuspa agent_mtp
restart
=
1
fi
if
[
"
$(
uci_get obuspa localcontroller
)
"
==
"controller"
]
;
then
uci_remove obuspa localcontroller
restart
=
1
fi
return
"
${
restart
}
"
}
function
_update_obuspa_config_rbac
()
{
local
agent
users
restart
agent
=
"
$(
_get_agent_id
)
"
users
=
"
$(
_get_sulu_users
)
"
restart
=
0
for
f
in
${
users
}
;
do
local
sec
# Add mqtt
sec
=
"mqtt_sulu_
${
f
}
"
if
!
uci_get obuspa mqtt
${
sec
}
>
/dev/null 2>&1
;
then
uci_add obuspa mqtt
${
sec
}
uci_set obuspa
${
sec
}
BrokerAddress
"127.0.0.1"
uci_set obuspa
${
sec
}
BrokerPort
"1883"
uci_set obuspa
${
sec
}
TransportProtocol
"TCP/IP"
restart
=
1
fi
# Add mtp
sec
=
"mtp_sulu_
${
f
}
"
if
!
uci_get obuspa mtp
${
sec
}
>
/dev/null 2>&1
;
then
uci_add obuspa mtp
${
sec
}
uci_set obuspa
${
sec
}
Protocol
"MQTT"
uci_set obuspa
${
sec
}
ResponseTopicConfigured
"/usp/
${
agent
}
/
${
f
}
/endpoint"
uci_set obuspa
${
sec
}
mqtt
"mqtt_sulu_
$f
"
restart
=
1
fi
# Add controller
sec
=
"controller_sulu_
${
f
}
"
if
!
uci_get obuspa controller
${
sec
}
>
/dev/null 2>&1
;
then
uci_add obuspa controller
${
sec
}
uci_set obuspa
${
sec
}
EndpointID
"self::sulu-
${
f
}
"
uci_set obuspa
${
sec
}
Protocol
"MQTT"
uci_set obuspa
${
sec
}
Topic
"/usp/
${
agent
}
/
${
f
}
/controller"
uci_set obuspa
${
sec
}
mqtt
"mqtt_sulu_
$f
"
uci_set obuspa
${
sec
}
assigned_role_name
"
$f
"
restart
=
1
fi
done
if
[
-f
"/etc/sulu/roles.json"
]
;
then
uci_set obuspa global role_file
"/etc/sulu/roles.json"
fi
return
"
${
restart
}
"
}
function
_remove_sulu_sec
()
{
local
sec
if
[[
"
${
1
}
"
==
*
"_sulu_"
*
]]
;
then
uci_remove obuspa
${
1
}
return
1
fi
return
0
}
function
_remove_obuspa_config_rbac
()
{
local
restart
restart
=
0
config_foreach _remove_sulu_sec mqtt
restart
=
"
$((
restart
+
$?
))
"
config_foreach _remove_sulu_sec mtp
restart
=
"
$((
restart
+
$?
))
"
config_foreach _remove_sulu_sec controller
restart
=
"
$((
restart
+
$?
))
"
uci_set obuspa global role_file
""
return
"
${
restart
}
"
}
function
_create_acl
()
{
local
agentid rbac
users
rbac
=
"
${
1
:-
0
}
"
[
-f
"
${
ACL_FILE
}
"
]
&&
rm
-f
"
${
ACL_FILE
}
"
if
[
"
${
rbac
}
"
-eq
"0"
]
;
then
return
0
;
fi
agentid
=
"
$(
_get_agent_id
)
"
users
=
"
$(
_get_sulu_users
)
"
for
f
in
${
users
}
;
do
echo
"user
${
f
}
"
>>
${
ACL_FILE
}
echo
"topic read /usp/
${
agentid
}
/
${
f
}
/controller/reply-to/#"
>>
${
ACL_FILE
}
echo
"topic write /usp/
${
agentid
}
/
${
f
}
/endpoint/#"
>>
${
ACL_FILE
}
echo
"topic read /usp/
${
agentid
}
/
${
f
}
/controller/#"
>>
${
ACL_FILE
}
echo
""
>>
${
ACL_FILE
}
done
}
function
update_mosquitto_broker_config
()
{
local
system_cred rbac restart
system_cred
=
"
${
1
}
"
rbac
=
"
${
2
}
"
restart
=
0
if
[
"
${
system_cred
}
"
-eq
"1"
]
;
then
if
grep
-q
"password_file "
${
MB_SULU_CONF
}
;
then
sed
-i
'/password_file /d'
${
MB_SULU_CONF
}
restart
=
1
fi
if
!
grep
-q
"plugin .*mosquitto_auth_shadow.so"
${
MB_SULU_CONF
}
;
then
echo
"plugin /usr/lib/mosquitto_auth_shadow.so"
>>
${
MB_SULU_CONF
}
restart
=
1
fi
else
if
grep
-q
'plugin .*mosquitto_auth_shadow.so'
${
MB_SULU_CONF
}
;
then
sed
-i
'/plugin .*mosquitto_auth_shadow.so/d'
${
MB_SULU_CONF
}
restart
=
1
fi
if
!
grep
-q
"password_file /etc/mosquitto/sulu.password"
${
MB_SULU_CONF
}
;
then
echo
"password_file /etc/mosquitto/sulu.password"
>>
${
MB_SULU_CONF
}
restart
=
1
fi
fi
if
[
"
${
rbac
}
"
-eq
"1"
]
;
then
_create_acl
"
${
rbac
}
"
if
!
grep
-q
"acl_file
${
ACL_FILE
}
"
${
MB_SULU_CONF
}
;
then
echo
"acl_file
${
ACL_FILE
}
"
>>
${
MB_SULU_CONF
}
restart
=
1
fi
else
if
grep
-q
"acl_file
${
ACL_FILE
}
"
${
MB_SULU_CONF
}
;
then
sed
-i
'/acl_file /d'
${
MB_SULU_CONF
}
restart
=
1
fi
fi
if
[
"
${
_RESTART_SERVICES
}
"
-eq
"1"
-a
"
${
restart
}
"
-eq
"1"
]
;
then
slog
"Restarting mqtt broker..."
/etc/init.d/mosquitto restart &
fi
}
function
update_obuspa_config
()
{
local
rbac restart
rbac
=
"
${
1
}
"
restart
=
0
uci_load obuspa
if
[
"
${
rbac
}
"
-eq
"1"
]
;
then
_remove_obuspa_config
restart
=
"
$((
restart
+
$?
))
"
_update_obuspa_config_rbac
restart
=
"
$((
restart
+
$?
))
"
else
_remove_obuspa_config_rbac
restart
=
"
$((
restart
+
$?
))
"
_update_obuspa_config
restart
=
"
$((
restart
+
$?
))
"
fi
uci_commit obuspa
if
[
"
${
_RESTART_SERVICES
}
"
-eq
"1"
-a
"
${
restart
}
"
-gt
"0"
]
;
then
slog
"Restarting obuspa..."
ubus call uci commit
'{"config":"obuspa"}'
fi
}
function
update_nginx_config
()
{
local
enabled restart
restart
=
0
enabled
=
"
${
1
:-
0
}
"
if
[
"
${
enabled
}
"
-eq
"1"
]
;
then
if
[
!
-f
"/etc/nginx/conf.d/sulu.conf"
]
;
then
cp
/etc/sulu/nginx.conf /etc/nginx/conf.d/sulu.conf
restart
=
1
fi
else
if
[
-f
"/etc/nginx/conf.d/sulu.conf"
]
;
then
rm
-f
/etc/nginx/conf.d/sulu.conf
restart
=
1
fi
fi
if
[
"
${
_RESTART_SERVICES
}
"
-eq
"1"
-a
"
${
restart
}
"
-eq
"1"
]
;
then
slog
"Restarting nginx..."
ubus call uci commit
'{"config":"nginx"}'
fi
}
function
configure_sulu
()
{
local
sys_cred rbac restart
sys_cred
=
"
${
1
}
"
rbac
=
"
${
2
}
"
restart
=
"
${
3
:-
0
}
"
if
[
-z
"
${
sys_cred
}
"
-o
-z
"
${
rbac
}
"
]
;
then
slog
"Invalid inputs"
return
0
fi
_RESTART_SERVICES
=
"
${
restart
}
"
update_mosquitto_broker_config
"
${
sys_cred
}
"
"
${
rbac
}
"
set_sulu_connection_mode
"
${
rbac
}