summaryrefslogtreecommitdiff
path: root/controller/EmbeddedNetworkController.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'controller/EmbeddedNetworkController.cpp')
-rw-r--r--controller/EmbeddedNetworkController.cpp173
1 files changed, 72 insertions, 101 deletions
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 72d47622..0f342fa5 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -35,6 +35,7 @@
#include <memory>
#include "../include/ZeroTierOne.h"
+#include "../version.h"
#include "../node/Constants.hpp"
#include "EmbeddedNetworkController.hpp"
@@ -430,7 +431,7 @@ EmbeddedNetworkController::EmbeddedNetworkController(Node *node,const char *dbPa
_startTime(OSUtils::now()),
_running(true),
_lastDumpedStatus(0),
- _db(dbPath),
+ _db(dbPath,this),
_node(node)
{
}
@@ -638,26 +639,14 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
if (newAuth != OSUtils::jsonBool(member["authorized"],false)) {
member["authorized"] = newAuth;
member[((newAuth) ? "lastAuthorizedTime" : "lastDeauthorizedTime")] = now;
-
- json ah;
- ah["a"] = newAuth;
- ah["by"] = "api";
- ah["ts"] = now;
- ah["ct"] = json();
- ah["c"] = json();
- member["authHistory"].push_back(ah);
+ if (newAuth) {
+ member["lastAuthorizedCredentialType"] = "api";
+ member["lastAuthorizedCredential"] = json();
+ }
// Member is being de-authorized, so spray Revocation objects to all online members
- if (!newAuth) {
- Revocation rev((uint32_t)_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
- rev.sign(_signingId);
-
- Mutex::Lock _l(_memberStatus_m);
- for(auto i=_memberStatus.begin();i!=_memberStatus.end();++i) {
- if ((i->first.networkId == nwid)&&(i->second.online(now)))
- _node->ncSendRevocation(Address(i->first.nodeId),rev);
- }
- }
+ if (!newAuth)
+ onNetworkMemberDeauthorize(nwid,address);
}
}
@@ -724,14 +713,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
json &revj = member["revision"];
member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
_db.saveNetworkMember(nwid,address,member);
-
- // Push update to member if online
- try {
- Mutex::Lock _l(_memberStatus_m);
- _MemberStatus &ms = _memberStatus[_MemberStatusKey(nwid,address)];
- if ((ms.online(now))&&(ms.lastRequestMetaData))
- request(nwid,InetAddress(),0,ms.identity,ms.lastRequestMetaData);
- } catch ( ... ) {}
+ onNetworkMemberUpdate(nwid,address);
}
_addMemberNonPersistedFields(nwid,address,member,now);
@@ -896,22 +878,15 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
if (b.count("authTokens")) {
json &authTokens = b["authTokens"];
- if (authTokens.is_array()) {
- json nat = json::array();
- for(unsigned long i=0;i<authTokens.size();++i) {
- json &token = authTokens[i];
- if (token.is_object()) {
- std::string tstr = token["token"];
- if (tstr.length() > 0) {
- json t = json::object();
- t["token"] = tstr;
- t["expires"] = OSUtils::jsonInt(token["expires"],0ULL);
- t["maxUsesPerMember"] = OSUtils::jsonInt(token["maxUsesPerMember"],0ULL);
- nat.push_back(t);
- }
- }
+ if (authTokens.is_object()) {
+ json nat;
+ for(json::iterator t(authTokens.begin());t!=authTokens.end();++t) {
+ if ((t.value().is_number())&&(t.value() >= 0))
+ nat[t.key()] = t.value();
}
network["authTokens"] = nat;
+ } else {
+ network["authTokens"] = {{}};
}
}
@@ -991,13 +966,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
json &revj = network["revision"];
network["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
_db.saveNetwork(nwid,network);
-
- // Send an update to all members of the network that are online
- Mutex::Lock _l(_memberStatus_m);
- for(auto i=_memberStatus.begin();i!=_memberStatus.end();++i) {
- if ((i->first.networkId == nwid)&&(i->second.online(now))&&(i->second.lastRequestMetaData))
- request(nwid,InetAddress(),0,i->second.identity,i->second.lastRequestMetaData);
- }
+ onNetworkUpdate(nwid);
}
JSONDB::NetworkSummaryInfo ns;
@@ -1155,6 +1124,42 @@ void EmbeddedNetworkController::handleRemoteTrace(const ZT_RemoteTrace &rt)
}
}
+void EmbeddedNetworkController::onNetworkUpdate(const uint64_t networkId)
+{
+ // Send an update to all members of the network that are online
+ const uint64_t now = OSUtils::now();
+ Mutex::Lock _l(_memberStatus_m);
+ for(auto i=_memberStatus.begin();i!=_memberStatus.end();++i) {
+ if ((i->first.networkId == networkId)&&(i->second.online(now))&&(i->second.lastRequestMetaData))
+ request(networkId,InetAddress(),0,i->second.identity,i->second.lastRequestMetaData);
+ }
+}
+
+void EmbeddedNetworkController::onNetworkMemberUpdate(const uint64_t networkId,const uint64_t memberId)
+{
+ // Push update to member if online
+ try {
+ Mutex::Lock _l(_memberStatus_m);
+ _MemberStatus &ms = _memberStatus[_MemberStatusKey(networkId,memberId)];
+ if ((ms.online(OSUtils::now()))&&(ms.lastRequestMetaData))
+ request(networkId,InetAddress(),0,ms.identity,ms.lastRequestMetaData);
+ } catch ( ... ) {}
+}
+
+void EmbeddedNetworkController::onNetworkMemberDeauthorize(const uint64_t networkId,const uint64_t memberId)
+{
+ const uint64_t now = OSUtils::now();
+ Revocation rev((uint32_t)_node->prng(),networkId,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(memberId),Revocation::CREDENTIAL_TYPE_COM);
+ rev.sign(_signingId);
+ {
+ Mutex::Lock _l(_memberStatus_m);
+ for(auto i=_memberStatus.begin();i!=_memberStatus.end();++i) {
+ if ((i->first.networkId == networkId)&&(i->second.online(now)))
+ _node->ncSendRevocation(Address(i->first.nodeId),rev);
+ }
+ }
+}
+
void EmbeddedNetworkController::threadMain()
throw()
{
@@ -1195,7 +1200,7 @@ void EmbeddedNetworkController::threadMain()
first = false;
});
}
- OSUtils::ztsnprintf(tmp,sizeof(tmp),"],\"clock\":%llu,\"startTime\":%llu,\"uptime\":%llu}",(unsigned long long)now,(unsigned long long)_startTime,(unsigned long long)(now - _startTime));
+ OSUtils::ztsnprintf(tmp,sizeof(tmp),"],\"clock\":%llu,\"startTime\":%llu,\"uptime\":%llu,\"vMajor\":%d,\"vMinor\":%d,\"vRev\":%d}",(unsigned long long)now,(unsigned long long)_startTime,(unsigned long long)(now - _startTime),ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION);
st.append(tmp);
_db.writeRaw("status",st);
}
@@ -1268,56 +1273,29 @@ void EmbeddedNetworkController::_request(
}
// Determine whether and how member is authorized
- const char *authorizedBy = (const char *)0;
+ bool authorized = false;
bool autoAuthorized = false;
json autoAuthCredentialType,autoAuthCredential;
if (OSUtils::jsonBool(member["authorized"],false)) {
- authorizedBy = "memberIsAuthorized";
+ authorized = true;
} else if (!OSUtils::jsonBool(network["private"],true)) {
- authorizedBy = "networkIsPublic";
- json &ahist = member["authHistory"];
- if ((!ahist.is_array())||(ahist.size() == 0))
- autoAuthorized = true;
+ authorized = true;
+ autoAuthorized = true;
+ autoAuthCredentialType = "public";
} else {
char presentedAuth[512];
if (metaData.get(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_AUTH,presentedAuth,sizeof(presentedAuth)) > 0) {
presentedAuth[511] = (char)0; // sanity check
-
- // Check for bearer token presented by member
if ((strlen(presentedAuth) > 6)&&(!strncmp(presentedAuth,"token:",6))) {
const char *const presentedToken = presentedAuth + 6;
-
- json &authTokens = network["authTokens"];
- if (authTokens.is_array()) {
- for(unsigned long i=0;i<authTokens.size();++i) {
- json &token = authTokens[i];
- if (token.is_object()) {
- const uint64_t expires = OSUtils::jsonInt(token["expires"],0ULL);
- const uint64_t maxUses = OSUtils::jsonInt(token["maxUsesPerMember"],0ULL);
- std::string tstr = OSUtils::jsonString(token["token"],"");
-
- if (((expires == 0ULL)||(expires > now))&&(tstr == presentedToken)) {
- bool usable = (maxUses == 0);
- if (!usable) {
- uint64_t useCount = 0;
- json &ahist = member["authHistory"];
- if (ahist.is_array()) {
- for(unsigned long j=0;j<ahist.size();++j) {
- json &ah = ahist[j];
- if ((OSUtils::jsonString(ah["ct"],"") == "token")&&(OSUtils::jsonString(ah["c"],"") == tstr)&&(OSUtils::jsonBool(ah["a"],false)))
- ++useCount;
- }
- }
- usable = (useCount < maxUses);
- }
- if (usable) {
- authorizedBy = "token";
- autoAuthorized = true;
- autoAuthCredentialType = "token";
- autoAuthCredential = tstr;
- }
- }
- }
+ json authTokens(network["authTokens"]);
+ json &tokenExpires = authTokens[presentedToken];
+ if (tokenExpires.is_number()) {
+ if ((tokenExpires == 0)||(tokenExpires > now)) {
+ authorized = true;
+ autoAuthorized = true;
+ autoAuthCredentialType = "token";
+ autoAuthCredential = presentedToken;
}
}
}
@@ -1325,23 +1303,16 @@ void EmbeddedNetworkController::_request(
}
// If we auto-authorized, update member record
- if ((autoAuthorized)&&(authorizedBy)) {
+ if ((autoAuthorized)&&(authorized)) {
member["authorized"] = true;
member["lastAuthorizedTime"] = now;
-
- json ah;
- ah["a"] = true;
- ah["by"] = authorizedBy;
- ah["ts"] = now;
- ah["ct"] = autoAuthCredentialType;
- ah["c"] = autoAuthCredential;
- member["authHistory"].push_back(ah);
-
+ member["lastAuthorizedCredentialType"] = autoAuthCredentialType;
+ member["lastAuthorizedCredential"] = autoAuthCredential;
json &revj = member["revision"];
member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
}
- if (authorizedBy) {
+ if (authorized) {
// Update version info and meta-data if authorized and if this is a genuine request
if (requestPacketId) {
const uint64_t vMajor = metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION,0);
@@ -1420,7 +1391,7 @@ void EmbeddedNetworkController::_request(
if (rtt.length() == 10) {
nc->remoteTraceTarget = Address(Utils::hexStrToU64(rtt.c_str()));
} else {
- nc->remoteTraceTarget = _signingId.address();
+ nc->remoteTraceTarget.zero();
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-25 23:49:31 +0000