github.com/google/fleetspeak@v0.1.15-0.20240426164851-4f31f62c1aea/fleetspeak/src/server/authorizer/authorizer.go (about) 1 // Copyright 2017 Google Inc. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package authorizer defines interfaces and utility methods to validate and 16 // limit client communications. 17 package authorizer 18 19 import ( 20 "crypto/x509" 21 "net" 22 23 "github.com/google/fleetspeak/fleetspeak/src/common" 24 25 fspb "github.com/google/fleetspeak/fleetspeak/src/common/proto/fleetspeak" 26 ) 27 28 // ContactInfo contains information deducible from TLS negotiation and 29 // very basic analysis of the provided contact data. 30 type ContactInfo struct { 31 ID common.ClientID 32 ContactSize int // The size of the contact, in bytes. 33 ClientLabels []string // The client labels included in the contact. 34 } 35 36 // ClientInfo contains information known once the client has been 37 // looked up in the datastore. 38 type ClientInfo struct { 39 New bool // Whether the client is new. True if the client is not yet in our datastore. 40 Labels []*fspb.Label // The labels currently set for this client. 41 } 42 43 // SignatureInfo provides information about a signature included with 44 // the contact data. 45 type SignatureInfo struct { 46 // The certificate chain provided with the signature. 47 Certificate []*x509.Certificate 48 49 // The signature algorithm used. 50 Algorithm x509.SignatureAlgorithm 51 52 // True if the signature provided with the message could be verified against 53 // the first certificate in the chain. 54 // 55 // NOTE: The FS system only performs, and this bit only represents the result 56 // of a simple signature check against Certificate[0]. The Authorizer 57 // implementation is responsible for verifying every other aspect of chain. In 58 // particular, an Authorizer will typically want to verify that provided 59 // certificates really do chain together, that none of the certificates in it 60 // have been revoked, and that the final certificate in the chain is signed by 61 // a trusted authority. 62 Valid bool 63 } 64 65 // An Authorizer regulates communication with fleetspeak 66 // clients. Specific installations can implement it to perform 67 // application layer DOS protection and to check signatures provided 68 // by clients. 69 // 70 // The Allow methods will be called in sequence as the contact is 71 // analyzed and processed. The sooner a contact can be blocked, the 72 // less server resources are wasted. So any particular DOS mitigation 73 // strategy should be implemented in the first Allow method which has 74 // sufficient data. 75 // 76 // Note that Fleetspeak intentionally does not produce log messages or 77 // store information about blocked contacts. This minimizes the effect 78 // of a blocked DOS attack on the rest of the system, but means that 79 // an Authorizer is also responsible for any monitoring or analysis of 80 // such attacks. 81 type Authorizer interface { 82 // Allow1 is called when a network connection is opened. 83 // 84 // If it returns true, processing will continue, otherwise the 85 // connection will be immediately closed. 86 Allow1(net.Addr) bool 87 88 // Allow2 is called after basic analysis of the contact has been 89 // performed. 90 // 91 // If it returns true, processing will continue, otherwise 92 // processing will end and the client will receive an http 503 93 // or equivalent error code. 94 Allow2(net.Addr, ContactInfo) bool 95 96 // Allow3 is called after the datastore has been read to find 97 // basic information on the client. 98 // 99 // If it returns true, processing will continue, otherwise 100 // processing will end and the client will receive an http 503 101 // or equivalent error code. 102 Allow3(net.Addr, ContactInfo, ClientInfo) bool 103 104 // Allow4 is called immediately before actually saving and 105 // processing the messages provided by the client. 106 // 107 // When accept=true, all messages will have their 108 // validation_info field set to the returned string, and then 109 // they will be saved and processed. When accept=false, 110 // processing will end, nothing will be saved, and the client 111 // will receive an http 503 or equivalent error code. 112 Allow4(net.Addr, ContactInfo, ClientInfo, []SignatureInfo) (accept bool, vi *fspb.ValidationInfo) 113 } 114 115 // PermissiveAuthorizer is a trival Authorizer which permits all operations. 116 type PermissiveAuthorizer struct{} 117 118 // Allow1 implements Authorizer. 119 func (PermissiveAuthorizer) Allow1(net.Addr) bool { return true } 120 121 // Allow2 implements Authorizer. 122 func (PermissiveAuthorizer) Allow2(net.Addr, ContactInfo) bool { return true } 123 124 // Allow3 implements Authorizer. 125 func (PermissiveAuthorizer) Allow3(net.Addr, ContactInfo, ClientInfo) bool { return true } 126 127 // Allow4 implements Authorizer. 128 func (PermissiveAuthorizer) Allow4(net.Addr, ContactInfo, ClientInfo, []SignatureInfo) (bool, *fspb.ValidationInfo) { 129 return true, nil 130 }