Commit 01eab5c7 authored by Roman Azarenko's avatar Roman Azarenko

Revert "sulu: Role based access control"

This reverts commit ec653370.
parent 1bab072a
......@@ -152,26 +152,7 @@ define Package/${PKG_NAME}/install
ifeq ($(CONFIG_PACKAGE_skopeo)$(CONFIG_PACKAGE_umoci),yy)
$(CP) $(PKG_BUILD_DIR)/build/src/config/widgets/lcm-store.json $(1)/sulu/config/widgets/
endif
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_BIN) ./files/etc/config/sulu $(1)/etc/config/sulu
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/sulu $(1)/etc/init.d/sulu
$(INSTALL_DIR) $(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/obuspa.conf $(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA) ./files/etc/mosquitto/conf.d/sulu.conf $(1)/etc/mosquitto/conf.d/
$(INSTALL_DATA) ./files/etc/mosquitto/sulu.password $(1)/etc/mosquitto/sulu.password
$(INSTALL_DIR) $(1)/etc/nginx/conf.d
$(INSTALL_DATA) ./files/etc/nginx/conf.d/sulu.conf $(1)/etc/nginx/conf.d/
$(INSTALL_DIR) $(1)/etc/sulu
$(INSTALL_DATA) ./files/etc/sulu/roles.json $(1)/etc/sulu/
$(INSTALL_BIN) ./files/etc/sulu/sulu.sh $(1)/etc/sulu/
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/etc/uci-defaults/99-fix-sulu-config $(1)/etc/uci-defaults/
$(CP) ./files/* $(1)/
endef
$(eval $(call BuildPackage,${PKG_NAME}))
......
config global 'global'
option enabled '1'
option enable_system_credentials '1'
option role_based_access '1'
list user 'admin'
list user 'user'
#!/bin/sh /etc/rc.common
USE_PROCD=1
START=99
STOP=01
STOP=10
. /lib/functions.sh
. /etc/sulu/sulu.sh
USE_PROCD=1
log() {
echo "${@}"|logger -t sulu.init -p debug
}
validate_sulu_global_section()
{
uci_validate_section sulu global global \
'enabled:bool:1' \
'enable_system_credentials:bool:1' \
'role_based_access:bool:0'
}
start_service() {
local enabled enable_system_credentials role_based_access
config_load sulu
procd_open_instance sulu
validate_sulu_global_section || return 0;
# append sulu connection injection
if [ "${enabled}" -eq "0" ]; then
procd_close_instance
return 0
fi
configure_sulu "${enable_system_credentials}" "${role_based_access}" 1
update_nginx_config "${enabled}"
procd_close_instance
}
reload_service() {
......@@ -45,5 +23,5 @@ reload_service() {
service_triggers()
{
procd_add_reload_trigger "sulu"
procd_add_config_trigger "config.change" "obuspa" /etc/init.d/sulu reload
}
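Review bot: The `log()` helper at the top of this init script pipes `echo "${@}"` into logger, which mis-handles messages that begin with `-n`/`-e` or contain backslash escapes; `printf '%s\n' "$*" | logger -t sulu.init -p debug` is the safe form. This helper appears to be unchanged context rather than part of the revert, so it is a follow-up rather than a blocker for this commit. Note that the rendered hunk prints both `STOP=01`/`STOP=10` and two `USE_PROCD=1` lines, presumably old/new pairs, and the reverted `start_service` body is not visible here, so which of those survive on the new side should be confirmed against the resulting file.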
listener 9001
protocol websockets
plugin /usr/lib/mosquitto_auth_shadow.so
require_certificate false
allow_anonymous false
admin:$6$OmM9kU/lYct3KJ9j$iP0WK4ezEtRm8+EAggNp7WbJFoWO0p7IUdI0v/hr1WcVHyfFAC30Pb8Csn7GqwwqI2dcmnDOAITnimo2VNe6ug==
server {
listen 8080;
listen [::]:8080;
server_name _sulu;
root /sulu;
location /config/ {
autoindex on;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
}
}
}
location /config/ {
autoindex on;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
}
}
{
"roles": [
{
"name": "admin",
"permission": [
{
"object": "Device.",
"perm": [
"PERMIT_ALL"
]
}
]
},
{
"name": "user",
"permission": [
{
"object": "Device.",
"perm": [
"PERMIT_GET",
"PERMIT_GET_INST",
"PERMIT_OBJ_INFO",
"PERMIT_CMD_INFO"
]
},
{
"object": "Device.LocalAgent.Subscription.",
"perm": [
"PERMIT_GET",
"PERMIT_GET_INST",
"PERMIT_OBJ_INFO",
"PERMIT_CMD_INFO",
"PERMIT_ADD",
"PERMIT_SET",
"PERMIT_DEL"
]
},
{
"object": "Device.WiFi.",
"perm": [
"PERMIT_GET",
"PERMIT_GET_INST",
"PERMIT_OBJ_INFO",
"PERMIT_CMD_INFO",
"PERMIT_OPER",
"PERMIT_SUBS_VAL_CHANGE",
"PERMIT_SUBS_OBJ_ADD",
"PERMIT_SUBS_OBJ_DEL",
"PERMIT_SUBS_EVT_OPER_COMP"
]
},
{
"object": "Device.DNS.",
"perm": [
"PERMIT_GET",
"PERMIT_GET_INST",
"PERMIT_OBJ_INFO",
"PERMIT_CMD_INFO",
"PERMIT_OPER",
"PERMIT_SUBS_VAL_CHANGE",
"PERMIT_SUBS_OBJ_ADD",
"PERMIT_SUBS_OBJ_DEL",
"PERMIT_SUBS_EVT_OPER_COMP"
]
},
{
"object": "Device.IP.",
"perm": [
"PERMIT_GET",
"PERMIT_GET_INST",
"PERMIT_OBJ_INFO",
"PERMIT_CMD_INFO",
"PERMIT_OPER",
"PERMIT_SUBS_VAL_CHANGE",
"PERMIT_SUBS_OBJ_ADD",
"PERMIT_SUBS_OBJ_DEL",
"PERMIT_SUBS_EVT_OPER_COMP"
]
}
]
},
{
"name": "undefined-1"
},
{
"name": "undefined-2"
},
{
"name": "undefined-3"
},
{
"name": "undefined-4"
}
]
}
#!/bin/sh
. /lib/functions.sh
SULU_CONFIG="/sulu/config/connectionConfig.json"
ACL_FILE="/tmp/sulu/mqtt.acl"
MB_SULU_CONF="/etc/mosquitto/conf.d/sulu.conf"
_RESTART_SERVICES="0"
mkdir -p /tmp/sulu/
function slog()
{
echo "$*" |logger -t sulu.init -p debug
}
function _get_agent_id()
{
local oui serial endpointid
endpointid="$(uci_get obuspa localagent EndpointID)"
if [ -z "${endpointid}" ]; then
oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
serial="$(db -q get device.deviceinfo.SerialNumber)"
echo "${oui}-${serial}"
else
echo "$(echo "${endpointid/::/,}"|cut -d "," -f 2)"
fi
}
function _get_endpoint_id()
{
local oui serial endpointid
endpointid="$(uci_get obuspa localagent EndpointID)"
if [ -z "${endpointid}" ]; then
oui="$(db -q get device.deviceinfo.ManufacturerOUI)"
serial="$(db -q get device.deviceinfo.SerialNumber)"
echo "os::${oui}-${serial}"
else
echo "${endpointid}"
fi
}
function _get_sulu_users()
{
echo "$(uci -q get sulu.global.user)"
}
function generate_sulu_conn_config()
{
local rbac users
rbac="${1}"
users="$(_get_sulu_users)"
json_init;
if [ "${rbac}" -eq "1" ]; then
json_add_string 'currentConnection' 'rbac';
else
json_add_string 'currentConnection' 'main';
fi
json_add_object 'connections';
json_add_object 'rbac';
json_add_string 'toId' "$(_get_endpoint_id)";
json_add_int 'port' 9001;
json_add_string 'protocol' 'ws';
json_add_array 'auth';
json_close_array;
json_add_object 'overrides';
for f in ${users}; do
json_add_object "${f}";
json_add_string 'fromId' "self::sulu-${f}";
json_add_string 'publishEndpoint' "/usp/$(_get_agent_id)/${f}/endpoint";
json_add_string 'subscribeEndpoint' "/usp/$(_get_agent_id)/${f}/controller";
json_close_object;
done
json_close_object;
json_close_object;
# add the default connection
json_add_object 'main';
json_add_string 'fromId' 'proto::interop-usp-controller';
json_add_string 'toId' "$(_get_endpoint_id)";
json_add_int 'port' 9001;
json_add_string 'protocol' 'ws';
json_add_string 'publishEndpoint' "/usp/endpoint";
json_add_string 'subscribeEndpoint' "/usp/controller";
json_add_array 'auth';
json_close_array;
json_close_object;
json_close_object;
json_dump > ${SULU_CONFIG}
}
function set_sulu_connection_mode()
{
local rbac profile config
rbac="${1}"
profile="$(jq '.currentConnection' ${SULU_CONFIG})"
if [ "$rbac" -eq "1" -a "${profile}" == "\"main\"" ]; then
config="$(jq '.currentConnection = "rbac"' ${SULU_CONFIG})"
echo "${config}" > ${SULU_CONFIG}
elif [ "$rbac" -eq "0" -a "${profile}" == "\"rbac\"" ]; then
config="$(jq '.currentConnection = "main"' ${SULU_CONFIG})"
echo "${config}" > ${SULU_CONFIG}
fi
}
function _update_obuspa_config()
{
local restart
restart=0
if ! uci_get obuspa localmqtt >/dev/null 2>&1; then
uci_add obuspa mqtt localmqtt
uci_set obuspa localmqtt BrokerAddress "127.0.0.1"
uci_set obuspa localmqtt BrokerPort "1883"
uci_set obuspa localmqtt TransportProtocol "TCP/IP"
restart=1
fi
if ! uci_get obuspa agent_mtp >/dev/null 2>&1; then
uci_add obuspa mtp agent_mtp
uci_set obuspa agent_mtp Protocol "MQTT"
uci_set obuspa agent_mtp ResponseTopicConfigured "/usp/endpoint"
uci_set obuspa agent_mtp mqtt "localmqtt"
restart=1
fi
if ! uci_get obuspa localcontroller >/dev/null 2>&1; then
uci_add obuspa controller localcontroller
uci_set obuspa localcontroller EndpointID "proto::interop-usp-controller"
uci_set obuspa localcontroller Protocol "MQTT"
uci_set obuspa localcontroller Topic "/usp/controller"
uci_set obuspa localcontroller mqtt "localmqtt"
uci_set obuspa localcontroller assigned_role_name "full_access"
restart=1
fi
return "${restart}"
}
function _remove_obuspa_config()
{
local restart
restart=0
if [ "$(uci_get obuspa localmqtt)" == "mqtt" ]; then
uci_remove obuspa localmqtt
restart=1
fi
if [ "$(uci_get obuspa agent_mtp)" == "mtp" ]; then
uci_remove obuspa agent_mtp
restart=1
fi
if [ "$(uci_get obuspa localcontroller)" == "controller" ]; then
uci_remove obuspa localcontroller
restart=1
fi
return "${restart}"
}
function _update_obuspa_config_rbac() {
local agent users restart
agent="$(_get_agent_id)"
users="$(_get_sulu_users)"
restart=0
for f in ${users}; do
local sec
# Add mqtt
sec="mqtt_sulu_${f}"
if ! uci_get obuspa mqtt ${sec} >/dev/null 2>&1; then
uci_add obuspa mqtt ${sec}
uci_set obuspa ${sec} BrokerAddress "127.0.0.1"
uci_set obuspa ${sec} BrokerPort "1883"
uci_set obuspa ${sec} TransportProtocol "TCP/IP"
restart=1
fi
# Add mtp
sec="mtp_sulu_${f}"
if ! uci_get obuspa mtp ${sec} >/dev/null 2>&1; then
uci_add obuspa mtp ${sec}
uci_set obuspa ${sec} Protocol "MQTT"
uci_set obuspa ${sec} ResponseTopicConfigured "/usp/${agent}/${f}/endpoint"
uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
restart=1
fi
# Add controller
sec="controller_sulu_${f}"
if ! uci_get obuspa controller ${sec} >/dev/null 2>&1; then
uci_add obuspa controller ${sec}
uci_set obuspa ${sec} EndpointID "self::sulu-${f}"
uci_set obuspa ${sec} Protocol "MQTT"
uci_set obuspa ${sec} Topic "/usp/${agent}/${f}/controller"
uci_set obuspa ${sec} mqtt "mqtt_sulu_$f"
uci_set obuspa ${sec} assigned_role_name "$f"
restart=1
fi
done
if [ -f "/etc/sulu/roles.json" ]; then
uci_set obuspa global role_file "/etc/sulu/roles.json"
fi
return "${restart}"
}
function _remove_sulu_sec()
{
local sec
if [[ "${1}" == *"_sulu_"* ]]; then
uci_remove obuspa ${1}
return 1
fi
return 0
}
function _remove_obuspa_config_rbac()
{
local restart
restart=0
config_foreach _remove_sulu_sec mqtt
restart="$(( restart + $? ))"
config_foreach _remove_sulu_sec mtp
restart="$(( restart + $? ))"
config_foreach _remove_sulu_sec controller
restart="$(( restart + $? ))"
uci_set obuspa global role_file ""
return "${restart}"
}
function _create_acl() {
local agentid rbac users
rbac="${1:-0}"
[ -f "${ACL_FILE}" ] && rm -f "${ACL_FILE}"
if [ "${rbac}" -eq "0" ]; then
return 0;
fi
agentid="$(_get_agent_id)"
users="$(_get_sulu_users)"
for f in ${users}; do
echo "user ${f}" >> ${ACL_FILE}
echo "topic read /usp/${agentid}/${f}/controller/reply-to/#" >> ${ACL_FILE}
echo "topic write /usp/${agentid}/${f}/endpoint/#" >> ${ACL_FILE}
echo "topic read /usp/${agentid}/${f}/controller/#" >> ${ACL_FILE}
echo "" >> ${ACL_FILE}
done
}
function update_mosquitto_broker_config()
{
local system_cred rbac restart
system_cred="${1}"
rbac="${2}"
restart=0
if [ "${system_cred}" -eq "1" ]; then
if grep -q "password_file " ${MB_SULU_CONF}; then
sed -i '/password_file /d' ${MB_SULU_CONF}
restart=1
fi
if ! grep -q "plugin .*mosquitto_auth_shadow.so" ${MB_SULU_CONF}; then
echo "plugin /usr/lib/mosquitto_auth_shadow.so" >> ${MB_SULU_CONF}
restart=1
fi
else
if grep -q 'plugin .*mosquitto_auth_shadow.so' ${MB_SULU_CONF}; then
sed -i '/plugin .*mosquitto_auth_shadow.so/d' ${MB_SULU_CONF}
restart=1
fi
if ! grep -q "password_file /etc/mosquitto/sulu.password" ${MB_SULU_CONF}; then
echo "password_file /etc/mosquitto/sulu.password" >> ${MB_SULU_CONF}
restart=1
fi
fi
if [ "${rbac}" -eq "1" ]; then
_create_acl "${rbac}"
if ! grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
echo "acl_file ${ACL_FILE}" >> ${MB_SULU_CONF}
restart=1
fi
else
if grep -q "acl_file ${ACL_FILE}" ${MB_SULU_CONF}; then
sed -i '/acl_file /d' ${MB_SULU_CONF}
restart=1
fi
fi
if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
slog "Restarting mqtt broker..."
/etc/init.d/mosquitto restart &
fi
}
function update_obuspa_config()
{
local rbac restart
rbac="${1}"
restart=0
uci_load obuspa
if [ "${rbac}" -eq "1" ]; then
_remove_obuspa_config
restart="$(( restart + $? ))"
_update_obuspa_config_rbac
restart="$(( restart + $? ))"
else
_remove_obuspa_config_rbac
restart="$(( restart + $? ))"
_update_obuspa_config
restart="$(( restart + $? ))"
fi
uci_commit obuspa
if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -gt "0" ]; then
slog "Restarting obuspa..."
ubus call uci commit '{"config":"obuspa"}'
fi
}
function update_nginx_config()
{
local enabled restart
restart=0
enabled="${1:-0}"
if [ "${enabled}" -eq "1" ]; then
if [ ! -f "/etc/nginx/conf.d/sulu.conf" ]; then
cp /etc/sulu/nginx.conf /etc/nginx/conf.d/sulu.conf
restart=1
fi
else
if [ -f "/etc/nginx/conf.d/sulu.conf" ]; then
rm -f /etc/nginx/conf.d/sulu.conf
restart=1
fi
fi
if [ "${_RESTART_SERVICES}" -eq "1" -a "${restart}" -eq "1" ]; then
slog "Restarting nginx..."
ubus call uci commit '{"config":"nginx"}'
fi
}
function configure_sulu()
{
local sys_cred rbac restart
sys_cred="${1}"
rbac="${2}"
restart="${3:-0}"
if [ -z "${sys_cred}" -o -z "${rbac}" ]; then
slog "Invalid inputs"
return 0
fi
_RESTART_SERVICES="${restart}"
update_mosquitto_broker_config "${sys_cred}" "${rbac}"
set_sulu_connection_mode "${rbac}