Revert "sulu: Role based access control"

This reverts commit ec653370.

Revert "sulu: Role based access control"
01eab5c7 · Roman Azarenko · 1bab072a · 01eab5c7 · 1bab072a · 01eab5c7
Commit 01eab5c7 authored 2 years ago by Roman Azarenko
--- a/sulu-builder/Makefile
+++ b/sulu-builder/Makefile
@@ -152,26 +152,7 @@ define Package/${PKG_NAME}/install
 ifeq ($(CONFIG_PACKAGE_skopeo)$(CONFIG_PACKAGE_umoci),yy)
 	$(CP) $(PKG_BUILD_DIR)/build/src/config/widgets/lcm-store.json $(1)/sulu/config/widgets/
 endif
-	$(INSTALL_DIR) $(1)/etc/config
+	$(CP) ./files/* $(1)/
-	$(INSTALL_BIN) ./files/etc/config/sulu $(1)/etc/config/sulu
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/etc/init.d/sulu $(1)/etc/init.d/sulu
-	$(INSTALL_DIR) $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/obuspa.conf $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/sulu.conf $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/sulu.password $(1)/etc/mosquitto/sulu.password
-	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
-	$(INSTALL_DATA) ./files/etc/nginx/conf.d/sulu.conf $(1)/etc/nginx/conf.d/
-	$(INSTALL_DIR) $(1)/etc/sulu
-	$(INSTALL_DATA) ./files/etc/sulu/roles.json $(1)/etc/sulu/
-	$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
-	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) ./files/etc/uci-defaults/99-fix-sulu-config $(1)/etc/uci-defaults/
 endef
 $(eval $(call BuildPackage,${PKG_NAME}))

--- a/sulu-builder/files/etc/config/sulu
+++ b/sulu-builder/files/etc/config/sulu
-config global 'global'
-	option enabled '1'
-	option enable_system_credentials '1'
-	option role_based_access '1'
-	list user 'admin'
-	list user 'user'
--- a/sulu-builder/files/etc/init.d/sulu
+++ b/sulu-builder/files/etc/init.d/sulu
 #!/bin/sh /etc/rc.common
-USE_PROCD=1
 START=99
-STOP=01
+STOP=10
-. /lib/functions.sh
+USE_PROCD=1
-. /etc/sulu/sulu.sh
 log() {
 	echo "${@}"|logger -t sulu.init -p debug
 }
-validate_sulu_global_section()
-{
-	uci_validate_section sulu global global \
-		'enabled:bool:1' \
-		'enable_system_credentials:bool:1' \
-		'role_based_access:bool:0'
-}
 start_service() {
-	local enabled enable_system_credentials role_based_access
-	config_load sulu
 	procd_open_instance sulu
-	validate_sulu_global_section || return 0;
 	# append sulu connection injection
-	if [ "${enabled}" -eq "0" ]; then
-		procd_close_instance
-		return 0
-	fi
-	configure_sulu "${enable_system_credentials}" "${role_based_access}" 1
-	update_nginx_config "${enabled}"
 	procd_close_instance
 }
 reload_service() {
@@ -45,5 +23,5 @@ reload_service() {
 service_triggers()
 {
-	procd_add_reload_trigger "sulu"
+	procd_add_config_trigger "config.change" "obuspa" /etc/init.d/sulu reload
 }
--- a/sulu-builder/files/etc/mosquitto/conf.d/sulu.conf
+++ b/sulu-builder/files/etc/mosquitto/conf.d/sulu.conf
 listener 9001
 protocol websockets
+plugin /usr/lib/mosquitto_auth_shadow.so
 require_certificate false
 allow_anonymous false
--- a/sulu-builder/files/etc/mosquitto/sulu.password
+++ b/sulu-builder/files/etc/mosquitto/sulu.password
-admin:$6$OmM9kU/lYct3KJ9j$iP0WK4ezEtRm8+EAggNp7WbJFoWO0p7IUdI0v/hr1WcVHyfFAC30Pb8Csn7GqwwqI2dcmnDOAITnimo2VNe6ug==
--- a/sulu-builder/files/etc/nginx/conf.d/sulu.conf
+++ b/sulu-builder/files/etc/nginx/conf.d/sulu.conf
-server {
-        listen 8080;
-        listen [::]:8080;
-        server_name _sulu;
-        root /sulu;
-        location /config/ {
-                autoindex on;
-                if ($request_method = 'OPTIONS') {
-                        add_header 'Access-Control-Allow-Origin' '*';
-                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-                        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-                        add_header 'Access-Control-Max-Age' 1728000;
-                        add_header 'Content-Type' 'text/plain; charset=utf-8';
-                        add_header 'Content-Length' 0;
-                        return 204;
-                }
-                if ($request_method = 'GET') {
-                        add_header 'Access-Control-Allow-Origin' '*' always;
-                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-                        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
-                        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
-                }
-        }
-}
--- a/sulu-builder/files/etc/nginx/conf.d/sulu.locations
+++ b/sulu-builder/files/etc/nginx/conf.d/sulu.locations
+location /config/ {
+	autoindex on;
+	if ($request_method = 'OPTIONS') {
+		add_header 'Access-Control-Allow-Origin' '*';
+		add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+		add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+		add_header 'Access-Control-Max-Age' 1728000;
+		add_header 'Content-Type' 'text/plain; charset=utf-8';
+		add_header 'Content-Length' 0;
+		return 204;
+	}
+	if ($request_method = 'GET') {
+		add_header 'Access-Control-Allow-Origin' '*' always;
+		add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+		add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+		add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+	}
+}
--- a/sulu-builder/files/etc/sulu/roles.json
+++ b/sulu-builder/files/etc/sulu/roles.json
-{
-  "roles": [
-    {
-      "name": "admin",
-      "permission": [
-        {
-          "object": "Device.",
-          "perm": [
-            "PERMIT_ALL"
-          ]
-        }
-      ]
-    },
-    {
-      "name": "user",
-      "permission": [
-        {
-          "object": "Device.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO"
-          ]
-        },
-        {
-          "object": "Device.LocalAgent.Subscription.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_ADD",
-            "PERMIT_SET",
-            "PERMIT_DEL"
-          ]
-        },
-        {
-          "object": "Device.WiFi.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        },
-        {
-          "object": "Device.DNS.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        },
-        {
-          "object": "Device.IP.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        }
-      ]
-    },
-    {
-      "name": "undefined-1"
-    },
-    {
-      "name": "undefined-2"
-    },
-    {
-      "name": "undefined-3"
-    },
-    {
-      "name": "undefined-4"
-    }
-  ]
-}
--- a/sulu-builder/files/etc/sulu/sulu.sh
+++ b/sulu-builder/files/etc/sulu/sulu.sh
-#!/bin/sh
-. /lib/functions.sh
-SULU_CONFIG="/sulu/config/connectionConfig.json"
-ACL_FILE="/tmp/sulu/mqtt.acl"
-MB_SULU_CONF="/etc/mosquitto/conf.d/sulu.conf"
-_RESTART_SERVICES="0"
-mkdir -p /tmp/sulu/
-function slog()
-{
-	echo "$*" |logger -t sulu.init -p debug
-}
-function _get_agent_id()
-{
-        local oui serial endpointid
-	endpointid="$(uci_get obuspa localagent EndpointID)"
-	if [ -z "${endpointid}" ]; then
-		oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
-		serial="$(db -q get device.deviceinfo.SerialNumber)"
-		echo "${oui}-${serial}"
-	else
-		echo "$(echo "${endpointid/::/,}"|cut -d "," -f 2)"
-	fi
-}
-function _get_endpoint_id()
-{
-        local oui serial endpointid
-	endpointid="$(uci_get obuspa localagent EndpointID)"
-	if [ -z "${endpointid}" ]; then
-		oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
-		serial="$(db -q get device.deviceinfo.SerialNumber)"
-		echo "os::${oui}-${serial}"
-	else
-		echo "${endpointid}"
-	fi
-}
-function _get_sulu_users()
-{
-	echo "$(uci -q get sulu.global.user)"
-}
-function generate_sulu_conn_config()
-{
-	local rbac users
-	rbac="${1}"
-	users="$(_get_sulu_users)"
-	json_init;
-	if [ "${rbac}" -eq "1" ]; then
-		json_add_string 'currentConnection' 'rbac';
-	else
-		json_add_string 'currentConnection' 'main';
-	fi
-	json_add_object 'connections';
-		json_add_object 'rbac';
-		json_add_string 'toId' "$(_get_endpoint_id)";
-		json_add_int 'port' 9001;
-		json_add_string 'protocol' 'ws';
-			json_add_array 'auth';
-			json_close_array;
-			json_add_object 'overrides';
-			for f in ${users}; do
-				json_add_object "${f}";
-				json_add_string 'fromId' "self::sulu-${f}";
-				json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${f}/endpoint";
-				json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${f}/controller";
-				json_close_object;
-			done
-			json_close_object;
-		json_close_object;
-		# add the default connection
-		json_add_object 'main';
-		json_add_string 'fromId' 'proto::interop-usp-controller';
-		json_add_string 'toId' "$(_get_endpoint_id)";
-		json_add_int 'port' 9001;
-		json_add_string 'protocol' 'ws';
-		json_add_string 'publishEndpoint' "/usp/endpoint";
-		json_add_string 'subscribeEndpoint' "/usp/controller";
-			json_add_array 'auth';
-			json_close_array;
-		json_close_object;
-	json_close_object;
-	json_dump > ${SULU_CONFIG}
-}
-function set_sulu_connection_mode()
-{
-	local rbac profile config
-	rbac="${1}"
-	profile="$(jq '.currentConnection' ${SULU_CONFIG})"
-	if [ "$rbac" -eq "1" -a "${profile}" == "\"main\"" ]; then
-		config="$(jq '.currentConnection = "rbac"' ${SULU_CONFIG})"
-		echo "${config}" > ${SULU_CONFIG}
-	elif [ "$rbac" -eq "0" -a "${profile}" == "\"rbac\"" ]; then
-		config="$(jq '.currentConnection = "main"' ${SULU_CONFIG})"
-		echo "${config}" > ${SULU_CONFIG}
-	fi
-}
-function _update_obuspa_config()
-{
-	local restart
-	restart=0
-	if ! uci_get obuspa localmqtt >/dev/null 2>&1; then
-		uci_add obuspa mqtt localmqtt
-		uci_set obuspa localmqtt BrokerAddress "127.0.0.1"
-		uci_set obuspa localmqtt BrokerPort "1883"
-		uci_set obuspa localmqtt TransportProtocol "TCP/IP"
-		restart=1
-	fi
-	if ! uci_get obuspa agent_mtp >/dev/null 2>&1; then
-		uci_add obuspa mtp agent_mtp
-		uci_set obuspa agent_mtp Protocol "MQTT"
-		uci_set obuspa agent_mtp ResponseTopicConfigured "/usp/endpoint"
-		uci_set obuspa agent_mtp mqtt "localmqtt"
-		restart=1
-	fi
-	if ! uci_get obuspa localcontroller >/dev/null 2>&1; then
-		uci_add obuspa controller localcontroller
-		uci_set obuspa localcontroller EndpointID "proto::interop-usp-controller"
-		uci_set obuspa localcontroller Protocol "MQTT"
-		uci_set obuspa localcontroller Topic "/usp/controller"
-		uci_set obuspa localcontroller mqtt "localmqtt"
-		uci_set obuspa localcontroller assigned_role_name "full_access"
-		restart=1
-	fi
-	return "${restart}"
-}
-function _remove_obuspa_config()
-{
-	local restart
-	restart=0
-	if [ "$(uci_get obuspa localmqtt)" == "mqtt" ]; then
-		uci_remove obuspa localmqtt
-		restart=1
-	fi
-	if [ "$(uci_get obuspa agent_mtp)" == "mtp" ]; then
-		uci_remove obuspa agent_mtp
-		restart=1
-	fi
-	if [ "$(uci_get obuspa localcontroller)" == "controller" ]; then
-		uci_remove obuspa localcontroller
-		restart=1
-	fi
-	return "${restart}"
-}
-function _update_obuspa_config_rbac() {
-	local agent users restart
-	agent="$(_get_agent_id)"
-	users="$(_get_sulu_users)"
-	restart=0
-	for f in ${users}; do
-		local sec
-		# Add mqtt
-		sec="mqtt_sulu_${f}"
-		if ! uci_get obuspa mqtt ${sec} >/dev/null 2>&1; then
-			uci_add obuspa mqtt ${sec}
-			uci_set obuspa ${sec} BrokerAddress "127.0.0.1"
-			uci_set obuspa ${sec} BrokerPort "1883"
-			uci_set obuspa ${sec} TransportProtocol "TCP/IP"
-			restart=1
-		fi
-		# Add mtp
-		sec="mtp_sulu_${f}"
-		if ! uci_get obuspa mtp ${sec} >/dev/null 2>&1; then
-			uci_add obuspa mtp ${sec}
-			uci_set obuspa ${sec} Protocol "MQTT"
-			uci_set obuspa ${sec} ResponseTopicConfigured "/usp/${agent}/${f}/endpoint"
-			uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
-			restart=1
-		fi
-		# Add controller
-		sec="controller_sulu_${f}"
-		if ! uci_get obuspa controller ${sec} >/dev/null 2>&1; then
-			uci_add obuspa controller ${sec}
-			uci_set obuspa ${sec} EndpointID "self::sulu-${f}"
-			uci_set obuspa ${sec} Protocol "MQTT"
-			uci_set obuspa ${sec} Topic "/usp/${agent}/${f}/controller"
-			uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
-			uci_set obuspa ${sec} assigned_role_name "$f"
-			restart=1
-		fi
-	done
-	if [ -f "/etc/sulu/roles.json" ]; then
-		uci_set obuspa global role_file "/etc/sulu/roles.json"
-	fi
-	return "${restart}"
-}
-function _remove_sulu_sec()
-{
-	local sec
-	if [[ "${1}" == *"_sulu_"* ]]; then
-		uci_remove obuspa ${1}
-		return 1
-	fi
-	return 0
-}
-function _remove_obuspa_config_rbac()
-{
-	local restart
-	restart=0
-	config_foreach _remove_sulu_sec mqtt
-	restart="$(( restart + $? ))"
-	config_foreach _remove_sulu_sec mtp
-	restart="$(( restart + $? ))"
-	config_foreach _remove_sulu_sec controller
-	restart="$(( restart + $? ))"
-	uci_set obuspa global role_file ""
-	return "${restart}"
-}
-function _create_acl() {
-        local agentid rbac users
-	rbac="${1:-0}"
-        [ -f "${ACL_FILE}" ] && rm -f "${ACL_FILE}"
-	if [ "${rbac}" -eq "0" ]; then
-		return 0;
-	fi
-        agentid="$(_get_agent_id)"
-	users="$(_get_sulu_users)"
-        for f in ${users}; do
-                echo "user ${f}" >> ${ACL_FILE}
-                echo "topic read  /usp/${agentid}/${f}/controller/reply-to/#" >> ${ACL_FILE}
-                echo "topic write /usp/${agentid}/${f}/endpoint/#" >> ${ACL_FILE}
-                echo "topic read  /usp/${agentid}/${f}/controller/#" >> ${ACL_FILE}
-                echo "" >> ${ACL_FILE}
-        done
-}
-function update_mosquitto_broker_config()
-{
-	local system_cred rbac restart
-	system_cred="${1}"
-	rbac="${2}"
-	restart=0
-	if [ "${system_cred}" -eq "1" ]; then
-		if grep -q "password_file " ${MB_SULU_CONF}; then
-			sed -i '/password_file /d' ${MB_SULU_CONF}
-			restart=1
-		fi
-		if ! grep -q "plugin .*mosquitto_auth_shadow.so" ${MB_SULU_CONF}; then
-			echo "plugin /usr/lib/mosquitto_auth_shadow.so" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	else
-		if grep -q 'plugin .*mosquitto_auth_shadow.so' ${MB_SULU_CONF}; then
-			sed -i '/plugin .*mosquitto_auth_shadow.so/d' ${MB_SULU_CONF}
-			restart=1
-		fi
-		if ! grep -q "password_file /etc/mosquitto/sulu.password" ${MB_SULU_CONF}; then
-			echo "password_file /etc/mosquitto/sulu.password" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	fi
-	if [ "${rbac}" -eq "1" ]; then
-		_create_acl "${rbac}"
-		if ! grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
-			echo "acl_file ${ACL_FILE}" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	else
-		if grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
-			sed -i '/acl_file /d' ${MB_SULU_CONF}
-			restart=1
-		fi
-	fi
-	if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
-		slog "Restarting mqtt broker..."
-		/etc/init.d/mosquitto restart &
-	fi
-}
-function update_obuspa_config()
-{
-	local rbac restart
-	rbac="${1}"
-	restart=0
-	uci_load obuspa
-	if [ "${rbac}" -eq "1" ]; then
-		_remove_obuspa_config
-		restart="$(( restart + $? ))"
-		_update_obuspa_config_rbac
-		restart="$(( restart + $? ))"
-	else
-		_remove_obuspa_config_rbac
-		restart="$(( restart + $? ))"
-		_update_obuspa_config
-		restart="$(( restart + $? ))"
-	fi
-	uci_commit obuspa
-	if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -gt "0" ]; then
-		slog "Restarting obuspa..."
-		ubus call uci commit '{"config":"obuspa"}'
-	fi
-}
-function update_nginx_config()
-{
-	local enabled restart
-	restart=0
-	enabled="${1:-0}"
-	if [ "${enabled}" -eq "1" ]; then
-		if [ ! -f "/etc/nginx/conf.d/sulu.conf" ]; then
-			cp  /etc/sulu/nginx.conf /etc/nginx/conf.d/sulu.conf
-			restart=1
-		fi
-	else
-		if [ -f "/etc/nginx/conf.d/sulu.conf" ]; then
-			rm -f /etc/nginx/conf.d/sulu.conf
-			restart=1
-		fi
-	fi
-	if [  "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
-		slog "Restarting nginx..."
-		ubus call uci commit '{"config":"nginx"}'
-	fi
-}
-function configure_sulu()
-{
-	local sys_cred rbac restart
-	sys_cred="${1}"
-	rbac="${2}"
-	restart="${3:-0}"
-	if [ -z "${sys_cred}" -o -z "${rbac}" ]; then
-		slog "Invalid inputs"
-		return 0
-	fi
-	_RESTART_SERVICES="${restart}"
-	update_mosquitto_broker_config "${sys_cred}" "${rbac}"
-	set_sulu_connection_mode "${rbac}"
-	update_obuspa_config "${rbac}"
-}
--- a/sulu-builder/files/etc/uci-defaults/90-sulu-set-nginx-conf
+++ b/sulu-builder/files/etc/uci-defaults/90-sulu-set-nginx-conf
+mkdir -p /tmp/sulu
+uci -q get nginx._sulu && exit 0
+uci -q set nginx._sulu=server
+uci -q add_list nginx._sulu.listen='8080'
+uci -q add_list nginx._sulu.listen='[::]:8080'
+uci -q set nginx._sulu.root='/sulu'
+uci -q set nginx._sulu.server_name='_sulu'
+uci -q add_list nginx._sulu.include='conf.d/sulu.locations'
--- a/sulu-builder/files/etc/uci-defaults/99-fix-sulu-config
+++ b/sulu-builder/files/etc/uci-defaults/99-fix-sulu-config
-#!/bin/sh
-. /etc/sulu/sulu.sh
-config_load sulu
-config_get enable_system_credentials global enable_system_credentials 1
-config_get role_based_access global role_based_access 0
-config_get enabled global enabled 0
-configure_sulu "${enable_system_credentials}" "${role_based_access}" 0
-update_nginx_config "${enabled}"
-generate_sulu_conn_config "${role_based_access}"
--- a/sulu/Makefile
+++ b/sulu/Makefile
@@ -35,7 +35,11 @@ define Package/sulu/description
 endef
 define Package/sulu/install
+	$(INSTALL_DIR) $(1)/sulu
+	$(INSTALL_DIR) $(1)/sulu/config
 	$(INSTALL_DIR) $(1)/sulu/config/widgets
+	$(INSTALL_DIR) $(1)/etc/nginx/
+	$(INSTALL_DIR) $(1)/etc/mosquitto/conf.d/
 	$(CP) $(PKG_BUILD_DIR)/dist/* $(1)/sulu
 	$(CP) $(PKG_BUILD_DIR)/config/*.json $(1)/sulu/config
 	$(CP) $(PKG_BUILD_DIR)/config/widgets/diagnostics.json $(1)/sulu/config/widgets/
@@ -43,26 +47,7 @@ define Package/sulu/install
 ifeq ($(CONFIG_PACKAGE_skopeo)$(CONFIG_PACKAGE_umoci),yy)
 	$(CP) $(PKG_BUILD_DIR)/config/widgets/lcm-store.json $(1)/sulu/config/widgets/
 endif
-	$(INSTALL_DIR) $(1)/etc/config
+	$(CP) ./files/* $(1)/
-	$(INSTALL_BIN) ./files/etc/config/sulu $(1)/etc/config/sulu
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/etc/init.d/sulu $(1)/etc/init.d/sulu
-	$(INSTALL_DIR) $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/obuspa.conf $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/sulu.conf $(1)/etc/mosquitto/conf.d/
-	$(INSTALL_DATA) ./files/etc/mosquitto/sulu.password $(1)/etc/mosquitto/sulu.password
-	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
-	$(INSTALL_DATA) ./files/etc/nginx/conf.d/sulu.conf $(1)/etc/nginx/conf.d/
-	$(INSTALL_DIR) $(1)/etc/sulu
-	$(INSTALL_DATA) ./files/etc/sulu/roles.json $(1)/etc/sulu/
-	$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
-	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) ./files/etc/uci-defaults/99-fix-sulu-config $(1)/etc/uci-defaults/
 endef
 $(eval $(call BuildPackage,sulu))

--- a/sulu/files/etc/config/sulu
+++ b/sulu/files/etc/config/sulu
-config global 'global'
-	option enabled '1'
-	option enable_system_credentials '1'
-	option role_based_access '1'
-	list user 'admin'
-	list user 'user'
--- a/sulu/files/etc/init.d/sulu
+++ b/sulu/files/etc/init.d/sulu
 #!/bin/sh /etc/rc.common
-USE_PROCD=1
 START=99
-STOP=01
+STOP=10
-. /lib/functions.sh
+USE_PROCD=1
-. /etc/sulu/sulu.sh
 log() {
 	echo "${@}"|logger -t sulu.init -p debug
 }
-validate_sulu_global_section()
-{
-	uci_validate_section sulu global global \
-		'enabled:bool:1' \
-		'enable_system_credentials:bool:1' \
-		'role_based_access:bool:0'
-}
 start_service() {
-	local enabled enable_system_credentials role_based_access
-	config_load sulu
 	procd_open_instance sulu
-	validate_sulu_global_section || return 0;
 	# append sulu connection injection
-	if [ "${enabled}" -eq "0" ]; then
-		procd_close_instance
-		return 0
-	fi
-	configure_sulu "${enable_system_credentials}" "${role_based_access}" 1
-	update_nginx_config "${enabled}"
 	procd_close_instance
 }
 reload_service() {
@@ -45,5 +23,5 @@ reload_service() {
 service_triggers()
 {
-	procd_add_reload_trigger "sulu"
+	procd_add_config_trigger "config.change" "obuspa" /etc/init.d/sulu reload
 }
--- a/sulu/files/etc/mosquitto/conf.d/sulu.conf
+++ b/sulu/files/etc/mosquitto/conf.d/sulu.conf
 listener 9001
 protocol websockets
+plugin /usr/lib/mosquitto_auth_shadow.so
 require_certificate false
 allow_anonymous false
--- a/sulu/files/etc/mosquitto/sulu.password
+++ b/sulu/files/etc/mosquitto/sulu.password
-admin:$6$OmM9kU/lYct3KJ9j$iP0WK4ezEtRm8+EAggNp7WbJFoWO0p7IUdI0v/hr1WcVHyfFAC30Pb8Csn7GqwwqI2dcmnDOAITnimo2VNe6ug==
--- a/sulu/files/etc/nginx/conf.d/sulu.conf
+++ b/sulu/files/etc/nginx/conf.d/sulu.conf
-server {
-        listen 8080;
-        listen [::]:8080;
-        server_name _sulu;
-        root /sulu;
-        location /config/ {
-                autoindex on;
-                if ($request_method = 'OPTIONS') {
-                        add_header 'Access-Control-Allow-Origin' '*';
-                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-                        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-                        add_header 'Access-Control-Max-Age' 1728000;
-                        add_header 'Content-Type' 'text/plain; charset=utf-8';
-                        add_header 'Content-Length' 0;
-                        return 204;
-                }
-                if ($request_method = 'GET') {
-                        add_header 'Access-Control-Allow-Origin' '*' always;
-                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-                        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
-                        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
-                }
-        }
-}
--- a/sulu/files/etc/nginx/conf.d/sulu.locations
+++ b/sulu/files/etc/nginx/conf.d/sulu.locations
+location /config/ {
+	autoindex on;
+	if ($request_method = 'OPTIONS') {
+		add_header 'Access-Control-Allow-Origin' '*';
+		add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+		add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+		add_header 'Access-Control-Max-Age' 1728000;
+		add_header 'Content-Type' 'text/plain; charset=utf-8';
+		add_header 'Content-Length' 0;
+		return 204;
+	}
+	if ($request_method = 'GET') {
+		add_header 'Access-Control-Allow-Origin' '*' always;
+		add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+		add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+		add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+	}
+}
--- a/sulu/files/etc/sulu/roles.json
+++ b/sulu/files/etc/sulu/roles.json
-{
-  "roles": [
-    {
-      "name": "admin",
-      "permission": [
-        {
-          "object": "Device.",
-          "perm": [
-            "PERMIT_ALL"
-          ]
-        }
-      ]
-    },
-    {
-      "name": "user",
-      "permission": [
-        {
-          "object": "Device.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO"
-          ]
-        },
-        {
-          "object": "Device.LocalAgent.Subscription.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_ADD",
-            "PERMIT_SET",
-            "PERMIT_DEL"
-          ]
-        },
-        {
-          "object": "Device.WiFi.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        },
-        {
-          "object": "Device.DNS.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        },
-        {
-          "object": "Device.IP.",
-          "perm": [
-            "PERMIT_GET",
-            "PERMIT_GET_INST",
-            "PERMIT_OBJ_INFO",
-            "PERMIT_CMD_INFO",
-            "PERMIT_OPER",
-            "PERMIT_SUBS_VAL_CHANGE",
-            "PERMIT_SUBS_OBJ_ADD",
-            "PERMIT_SUBS_OBJ_DEL",
-            "PERMIT_SUBS_EVT_OPER_COMP"
-          ]
-        }
-      ]
-    },
-    {
-      "name": "undefined-1"
-    },
-    {
-      "name": "undefined-2"
-    },
-    {
-      "name": "undefined-3"
-    },
-    {
-      "name": "undefined-4"
-    }
-  ]
-}
--- a/sulu/files/etc/sulu/sulu.sh
+++ b/sulu/files/etc/sulu/sulu.sh
-#!/bin/sh
-. /lib/functions.sh
-SULU_CONFIG="/sulu/config/connectionConfig.json"
-ACL_FILE="/tmp/sulu/mqtt.acl"
-MB_SULU_CONF="/etc/mosquitto/conf.d/sulu.conf"
-_RESTART_SERVICES="0"
-mkdir -p /tmp/sulu/
-function slog()
-{
-	echo "$*" |logger -t sulu.init -p debug
-}
-function _get_agent_id()
-{
-        local oui serial endpointid
-	endpointid="$(uci_get obuspa localagent EndpointID)"
-	if [ -z "${endpointid}" ]; then
-		oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
-		serial="$(db -q get device.deviceinfo.SerialNumber)"
-		echo "${oui}-${serial}"
-	else
-		echo "$(echo "${endpointid/::/,}"|cut -d "," -f 2)"
-	fi
-}
-function _get_endpoint_id()
-{
-        local oui serial endpointid
-	endpointid="$(uci_get obuspa localagent EndpointID)"
-	if [ -z "${endpointid}" ]; then
-		oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
-		serial="$(db -q get device.deviceinfo.SerialNumber)"
-		echo "os::${oui}-${serial}"
-	else
-		echo "${endpointid}"
-	fi
-}
-function _get_sulu_users()
-{
-	echo "$(uci -q get sulu.global.user)"
-}
-function generate_sulu_conn_config()
-{
-	local rbac users
-	rbac="${1}"
-	users="$(_get_sulu_users)"
-	json_init;
-	if [ "${rbac}" -eq "1" ]; then
-		json_add_string 'currentConnection' 'rbac';
-	else
-		json_add_string 'currentConnection' 'main';
-	fi
-	json_add_object 'connections';
-		json_add_object 'rbac';
-		json_add_string 'toId' "$(_get_endpoint_id)";
-		json_add_int 'port' 9001;
-		json_add_string 'protocol' 'ws';
-			json_add_array 'auth';
-			json_close_array;
-			json_add_object 'overrides';
-			for f in ${users}; do
-				json_add_object "${f}";
-				json_add_string 'fromId' "self::sulu-${f}";
-				json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${f}/endpoint";
-				json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${f}/controller";
-				json_close_object;
-			done
-			json_close_object;
-		json_close_object;
-		# add the default connection
-		json_add_object 'main';
-		json_add_string 'fromId' 'proto::interop-usp-controller';
-		json_add_string 'toId' "$(_get_endpoint_id)";
-		json_add_int 'port' 9001;
-		json_add_string 'protocol' 'ws';
-		json_add_string 'publishEndpoint' "/usp/endpoint";
-		json_add_string 'subscribeEndpoint' "/usp/controller";
-			json_add_array 'auth';
-			json_close_array;
-		json_close_object;
-	json_close_object;
-	json_dump > ${SULU_CONFIG}
-}
-function set_sulu_connection_mode()
-{
-	local rbac profile config
-	rbac="${1}"
-	profile="$(jq '.currentConnection' ${SULU_CONFIG})"
-	if [ "$rbac" -eq "1" -a "${profile}" == "\"main\"" ]; then
-		config="$(jq '.currentConnection = "rbac"' ${SULU_CONFIG})"
-		echo "${config}" > ${SULU_CONFIG}
-	elif [ "$rbac" -eq "0" -a "${profile}" == "\"rbac\"" ]; then
-		config="$(jq '.currentConnection = "main"' ${SULU_CONFIG})"
-		echo "${config}" > ${SULU_CONFIG}
-	fi
-}
-function _update_obuspa_config()
-{
-	local restart
-	restart=0
-	if ! uci_get obuspa localmqtt >/dev/null 2>&1; then
-		uci_add obuspa mqtt localmqtt
-		uci_set obuspa localmqtt BrokerAddress "127.0.0.1"
-		uci_set obuspa localmqtt BrokerPort "1883"
-		uci_set obuspa localmqtt TransportProtocol "TCP/IP"
-		restart=1
-	fi
-	if ! uci_get obuspa agent_mtp >/dev/null 2>&1; then
-		uci_add obuspa mtp agent_mtp
-		uci_set obuspa agent_mtp Protocol "MQTT"
-		uci_set obuspa agent_mtp ResponseTopicConfigured "/usp/endpoint"
-		uci_set obuspa agent_mtp mqtt "localmqtt"
-		restart=1
-	fi
-	if ! uci_get obuspa localcontroller >/dev/null 2>&1; then
-		uci_add obuspa controller localcontroller
-		uci_set obuspa localcontroller EndpointID "proto::interop-usp-controller"
-		uci_set obuspa localcontroller Protocol "MQTT"
-		uci_set obuspa localcontroller Topic "/usp/controller"
-		uci_set obuspa localcontroller mqtt "localmqtt"
-		uci_set obuspa localcontroller assigned_role_name "full_access"
-		restart=1
-	fi
-	return "${restart}"
-}
-function _remove_obuspa_config()
-{
-	local restart
-	restart=0
-	if [ "$(uci_get obuspa localmqtt)" == "mqtt" ]; then
-		uci_remove obuspa localmqtt
-		restart=1
-	fi
-	if [ "$(uci_get obuspa agent_mtp)" == "mtp" ]; then
-		uci_remove obuspa agent_mtp
-		restart=1
-	fi
-	if [ "$(uci_get obuspa localcontroller)" == "controller" ]; then
-		uci_remove obuspa localcontroller
-		restart=1
-	fi
-	return "${restart}"
-}
-function _update_obuspa_config_rbac() {
-	local agent users restart
-	agent="$(_get_agent_id)"
-	users="$(_get_sulu_users)"
-	restart=0
-	for f in ${users}; do
-		local sec
-		# Add mqtt
-		sec="mqtt_sulu_${f}"
-		if ! uci_get obuspa mqtt ${sec} >/dev/null 2>&1; then
-			uci_add obuspa mqtt ${sec}
-			uci_set obuspa ${sec} BrokerAddress "127.0.0.1"
-			uci_set obuspa ${sec} BrokerPort "1883"
-			uci_set obuspa ${sec} TransportProtocol "TCP/IP"
-			restart=1
-		fi
-		# Add mtp
-		sec="mtp_sulu_${f}"
-		if ! uci_get obuspa mtp ${sec} >/dev/null 2>&1; then
-			uci_add obuspa mtp ${sec}
-			uci_set obuspa ${sec} Protocol "MQTT"
-			uci_set obuspa ${sec} ResponseTopicConfigured "/usp/${agent}/${f}/endpoint"
-			uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
-			restart=1
-		fi
-		# Add controller
-		sec="controller_sulu_${f}"
-		if ! uci_get obuspa controller ${sec} >/dev/null 2>&1; then
-			uci_add obuspa controller ${sec}
-			uci_set obuspa ${sec} EndpointID "self::sulu-${f}"
-			uci_set obuspa ${sec} Protocol "MQTT"
-			uci_set obuspa ${sec} Topic "/usp/${agent}/${f}/controller"
-			uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
-			uci_set obuspa ${sec} assigned_role_name "$f"
-			restart=1
-		fi
-	done
-	if [ -f "/etc/sulu/roles.json" ]; then
-		uci_set obuspa global role_file "/etc/sulu/roles.json"
-	fi
-	return "${restart}"
-}
-function _remove_sulu_sec()
-{
-	local sec
-	if [[ "${1}" == *"_sulu_"* ]]; then
-		uci_remove obuspa ${1}
-		return 1
-	fi
-	return 0
-}
-function _remove_obuspa_config_rbac()
-{
-	local restart
-	restart=0
-	config_foreach _remove_sulu_sec mqtt
-	restart="$(( restart + $? ))"
-	config_foreach _remove_sulu_sec mtp
-	restart="$(( restart + $? ))"
-	config_foreach _remove_sulu_sec controller
-	restart="$(( restart + $? ))"
-	uci_set obuspa global role_file ""
-	return "${restart}"
-}
-function _create_acl() {
-        local agentid rbac users
-	rbac="${1:-0}"
-        [ -f "${ACL_FILE}" ] && rm -f "${ACL_FILE}"
-	if [ "${rbac}" -eq "0" ]; then
-		return 0;
-	fi
-        agentid="$(_get_agent_id)"
-	users="$(_get_sulu_users)"
-        for f in ${users}; do
-                echo "user ${f}" >> ${ACL_FILE}
-                echo "topic read  /usp/${agentid}/${f}/controller/reply-to/#" >> ${ACL_FILE}
-                echo "topic write /usp/${agentid}/${f}/endpoint/#" >> ${ACL_FILE}
-                echo "topic read  /usp/${agentid}/${f}/controller/#" >> ${ACL_FILE}
-                echo "" >> ${ACL_FILE}
-        done
-}
-function update_mosquitto_broker_config()
-{
-	local system_cred rbac restart
-	system_cred="${1}"
-	rbac="${2}"
-	restart=0
-	if [ "${system_cred}" -eq "1" ]; then
-		if grep -q "password_file " ${MB_SULU_CONF}; then
-			sed -i '/password_file /d' ${MB_SULU_CONF}
-			restart=1
-		fi
-		if ! grep -q "plugin .*mosquitto_auth_shadow.so" ${MB_SULU_CONF}; then
-			echo "plugin /usr/lib/mosquitto_auth_shadow.so" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	else
-		if grep -q 'plugin .*mosquitto_auth_shadow.so' ${MB_SULU_CONF}; then
-			sed -i '/plugin .*mosquitto_auth_shadow.so/d' ${MB_SULU_CONF}
-			restart=1
-		fi
-		if ! grep -q "password_file /etc/mosquitto/sulu.password" ${MB_SULU_CONF}; then
-			echo "password_file /etc/mosquitto/sulu.password" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	fi
-	if [ "${rbac}" -eq "1" ]; then
-		_create_acl "${rbac}"
-		if ! grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
-			echo "acl_file ${ACL_FILE}" >> ${MB_SULU_CONF}
-			restart=1
-		fi
-	else
-		if grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
-			sed -i '/acl_file /d' ${MB_SULU_CONF}
-			restart=1
-		fi
-	fi
-	if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
-		slog "Restarting mqtt broker..."
-		/etc/init.d/mosquitto restart &
-	fi
-}
-function update_obuspa_config()
-{
-	local rbac restart
-	rbac="${1}"
-	restart=0
-	uci_load obuspa
-	if [ "${rbac}" -eq "1" ]; then
-		_remove_obuspa_config
-		restart="$(( restart + $? ))"
-		_update_obuspa_config_rbac
-		restart="$(( restart + $? ))"
-	else
-		_remove_obuspa_config_rbac
-		restart="$(( restart + $? ))"
-		_update_obuspa_config
-		restart="$(( restart + $? ))"
-	fi
-	uci_commit obuspa
-	if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -gt "0" ]; then
-		slog "Restarting obuspa..."
-		ubus call uci commit '{"config":"obuspa"}'
-	fi
-}
-function update_nginx_config()
-{
-	local enabled restart
-	restart=0
-	enabled="${1:-0}"
-	if [ "${enabled}" -eq "1" ]; then
-		if [ ! -f "/etc/nginx/conf.d/sulu.conf" ]; then
-			cp  /etc/sulu/nginx.conf /etc/nginx/conf.d/sulu.conf
-			restart=1
-		fi
-	else
-		if [ -f "/etc/nginx/conf.d/sulu.conf" ]; then
-			rm -f /etc/nginx/conf.d/sulu.conf
-			restart=1
-		fi
-	fi
-	if [  "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
-		slog "Restarting nginx..."
-		ubus call uci commit '{"config":"nginx"}'
-	fi
-}
-function configure_sulu()
-{
-	local sys_cred rbac restart
-	sys_cred="${1}"
-	rbac="${2}"
-	restart="${3:-0}"
-	if [ -z "${sys_cred}" -o -z "${rbac}" ]; then
-		slog "Invalid inputs"
-		return 0
-	fi
-	_RESTART_SERVICES="${restart}"
-	update_mosquitto_broker_config "${sys_cred}" "${rbac}"
-	set_sulu_connection_mode "${rbac}"
-	update_obuspa_config "${rbac}"
-}