add config-level support for protecting storage buckets and creating authoritarian relationship between peers

Author: mintyleaf

cmd/util.go

@@ -14,6 +14,7 @@ limitations under the License.
 package cmd
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -321,6 +322,11 @@ var CommonFlags []cli.Flag = []cli.Flag{
 		Usage:   "Enable peerguard. (Experimental)",
 		EnvVars: []string{"PEERGUARD"},
 	},
+	&cli.StringFlag{
+		Name:    "privkey",
+		Usage:   "Use fixed base64 <- protobuf encoded privkey. (Experimental)",
+		EnvVars: []string{"EDGEVPNPRIVKEY"},
+	},
 	&cli.BoolFlag{
 		Name:    "privkey-cache",
 		Usage:   "Enable privkey caching. (Experimental)",
@@ -495,31 +501,39 @@ func cliToOpts(c *cli.Context) ([]node.Option, []vpn.Option, *logger.Logger) {
 		}
 	}
 
-	// Check if we have any privkey identity cached already
-	if c.Bool("privkey-cache") {
-		keyFile := filepath.Join(c.String("privkey-cache-dir"), "privkey")
-		dat, err := os.ReadFile(keyFile)
-		if err == nil && len(dat) > 0 {
-			llger.Info("Reading key from", keyFile)
-
-			nc.Privkey = dat
+	if c.String("privkey") != "" {
+		raw, err := base64.StdEncoding.DecodeString(c.String("privkey"))
+		if err != nil {
+			checkErr(fmt.Errorf("failed to decode privkey: %v", err))
 		} else {
-			// generate, write
-			llger.Info("Generating private key and saving it locally for later use in", keyFile)
+			nc.Privkey = raw
+		}
+	} else {
+		// Check if we have any privkey identity cached already
+		if c.Bool("privkey-cache") {
+			keyFile := filepath.Join(c.String("privkey-cache-dir"), "privkey")
+			dat, err := os.ReadFile(keyFile)
+			if err == nil && len(dat) > 0 {
+				llger.Info("Reading key from", keyFile)
+				nc.Privkey = dat
+			} else {
+				// generate, write
+				llger.Info("Generating private key and saving it locally for later use in", keyFile)
 
-			privkey, err := node.GenPrivKey(0)
-			checkErr(err)
+				privkey, err := node.GenPrivKey(0)
+				checkErr(err)
 
-			r, err := crypto.MarshalPrivateKey(privkey)
-			checkErr(err)
+				r, err := crypto.MarshalPrivateKey(privkey)
+				checkErr(err)
 
-			err = os.MkdirAll(c.String("privkey-cache-dir"), 0600)
-			checkErr(err)
+				err = os.MkdirAll(c.String("privkey-cache-dir"), 0600)
+				checkErr(err)
 
-			err = os.WriteFile(keyFile, r, 0600)
-			checkErr(err)
+				err = os.WriteFile(keyFile, r, 0600)
+				checkErr(err)
 
-			nc.Privkey = r
+				nc.Privkey = r
+			}
 		}
 	}
 

config.yml

@@ -0,0 +1,20 @@
+otp:
+  dht:
+    interval: 360
+    key: YVMwYeeoIJ9yGQeuRNHY3wigEhDEisAPcbt0L30vQ3q
+    length: 43
+  crypto:
+    interval: 360
+    key: 0Yu91JT1WPmWtmmrFD5tWrSzeyhLUVFWyiEXzIezcyz
+    length: 43
+room: k9xRlX6brHxKMAWhGgvsuoiwq4fcNyNtA7JQivZBYm7
+rendezvous: tFMpGqtqtFHckVt62FCklh9xqjTi9upKWCmXNrNBCpL
+mdns: NG8LRHaJTRnR0tbOGgr73oQTZqvKEn0kllXQr5SfKDs
+max_message_size: 20971520
+
+trusted_peer_ids:
+  - 12D3KooWQi1XDFy1Ntv5WXLYJWbuFy1zbXM3F6jc4DUJKtaoZPpC
+protected_store_key:
+  - trustzone
+  - trustzoneAuth
+  - initialOwner

pkg/blockchain/ledger.go

@@ -21,6 +21,8 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
+	"maps"
+	"slices"
 	"sync"
 	"time"
 
@@ -35,6 +37,10 @@ type Ledger struct {
 	blockchain Store
 
 	channel io.Writer
+
+	skipVerify         bool
+	trustedPeerIDS     []string
+	protectedStoreKeys []string
 }
 
 type Store interface {
@@ -59,6 +65,16 @@ func (l *Ledger) newGenesis() {
 	l.blockchain.Add(genesisBlock)
 }
 
+func (l *Ledger) SkipVerify() {
+	l.skipVerify = true
+}
+func (l *Ledger) SetTrustedPeerIDS(ids []string) {
+	l.trustedPeerIDS = ids
+}
+func (l *Ledger) SetProtectedStoreKeys(keys []string) {
+	l.protectedStoreKeys = keys
+}
+
 // Syncronizer starts a goroutine which
 // writes the blockchain to the  periodically
 func (l *Ledger) Syncronizer(ctx context.Context, t time.Duration) {
@@ -123,8 +139,17 @@ func (l *Ledger) Update(f *Ledger, h *hub.Message, c chan *hub.Message) (err err
 		return
 	}
 
+	if len(l.protectedStoreKeys) > 0 && !slices.Contains(l.trustedPeerIDS, h.SenderID) {
+		for _, key := range l.protectedStoreKeys {
+			if !maps.Equal(l.blockchain.Last().Storage[key], block.Storage[key]) {
+				err = errors.Wrapf(err, "unauthorized attempt to write to protected bucket: %s", key)
+				return
+			}
+		}
+	}
+
 	l.Lock()
-	if block.Index > l.blockchain.Len() {
+	if l.skipVerify || block.Index > l.blockchain.Len() {
 		l.blockchain.Add(*block)
 	}
 	l.Unlock()
@@ -350,12 +375,14 @@ func (l *Ledger) Index() int {
 func (l *Ledger) writeData(s map[string]map[string]Data) {
 	newBlock := l.blockchain.Last().NewBlock(s)
 
-	if newBlock.IsValid(l.blockchain.Last()) {
-		l.Lock()
-		l.blockchain.Add(newBlock)
-		l.Unlock()
+	if !l.skipVerify && !newBlock.IsValid(l.blockchain.Last()) {
+		return
 	}
 
+	l.Lock()
+	l.blockchain.Add(newBlock)
+	l.Unlock()
+
 	bytes, err := json.Marshal(l.blockchain.Last())
 	if err != nil {
 		log.Println(err)

pkg/node/config.go

@@ -76,6 +76,9 @@ type Config struct {
 
 	Sealer    Sealer
 	PeerGater Gater
+
+	TrustedPeerIDS     []string
+	ProtectedStoreKeys []string
 }
 
 type Gater interface {

pkg/node/connection.go

@@ -20,6 +20,7 @@ import (
 	"io"
 	mrand "math/rand"
 	"net"
+	"slices"
 
 	internalCrypto "github.com/mudler/edgevpn/pkg/crypto"
 
@@ -253,6 +254,21 @@ func (e *Node) handleEvents(ctx context.Context, inputChannel chan *hub.Message,
 				continue
 			}
 
+			// If we have enabled trusted arbiter peers
+			if len(e.config.TrustedPeerIDS) > 0 && e.host.ID().String() != m.SenderID {
+				// If we are not the trusted one
+				if !slices.Contains(e.config.TrustedPeerIDS, e.host.ID().String()) {
+					// If incoming message is not from trusted one
+					if !slices.Contains(e.config.TrustedPeerIDS, m.SenderID) {
+						e.config.Logger.Warnf("%s gated room message from %s - not present in trusted peer IDS", e.host.ID(), m.SenderID)
+						continue
+					} else {
+						// If we a non-trusted peer, and we receive a meesage from the trusted one - disable peerGater
+						peerGater = false
+					}
+				}
+			}
+
 			if peerGater {
 				if e.config.PeerGater != nil && e.config.PeerGater.Gate(e, peer.ID(m.SenderID)) {
 					e.config.Logger.Warnf("gated message from %s", m.SenderID)

pkg/node/node.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"slices"
 	"sync"
 	"time"
 
@@ -112,6 +113,25 @@ func (e *Node) Start(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+
+	// Set the handler when we receive messages
+	// The ledger needs to read them and update the internal blockchain
+	e.config.Handlers = append(e.config.Handlers, ledger.Update)
+
+	e.config.Logger.Info("Starting EdgeVPN network")
+
+	// Startup libp2p network
+	err = e.startNetwork(ctx)
+	if err != nil {
+		return err
+	}
+
+	if len(e.config.TrustedPeerIDS) > 0 && !slices.Contains(e.config.TrustedPeerIDS, e.host.ID().String()) {
+		ledger.SkipVerify()
+	}
+	ledger.SetTrustedPeerIDS(e.config.TrustedPeerIDS)
+	ledger.SetProtectedStoreKeys(e.config.ProtectedStoreKeys)
+
 	// For testing purposes, can be included into the config opts routine as init known public key
 	if os.Getenv("PEERGATE_PUBLIC") != "" {
 		publicStr := os.Getenv("PEERGATE_PUBLIC")
@@ -123,20 +143,9 @@ func (e *Node) Start(ctx context.Context) error {
 		}
 
 		for k, v := range publicMap {
-			ledger.Persist(ctx, 5*time.Second, 20*time.Second, "trustzoneAuth", k, v)
+			ledger.Persist(ctx, 5*time.Second, 20*time.Second, protocol.TrustZoneAuthKey, k, v)
 		}
-	}
-
-	// Set the handler when we receive messages
-	// The ledger needs to read them and update the internal blockchain
-	e.config.Handlers = append(e.config.Handlers, ledger.Update)
-
-	e.config.Logger.Info("Starting EdgeVPN network")
-
-	// Startup libp2p network
-	err = e.startNetwork(ctx)
-	if err != nil {
-		return err
+		ledger.Persist(ctx, 5*time.Second, 20*time.Second, "initialOwner", e.host.ID().String(), "")
 	}
 
 	// Send periodically messages to the channel with our blockchain content

pkg/node/options.go

@@ -259,6 +259,9 @@ type YAMLConnectionConfig struct {
 	Rendezvous     string `yaml:"rendezvous"`
 	MDNS           string `yaml:"mdns"`
 	MaxMessageSize int    `yaml:"max_message_size"`
+
+	TrustedPeerIDS     []string `yaml:"trusted_peer_ids"`
+	ProtectedStoreKeys []string `yaml:"protected_store_keys"`
 }
 
 // Base64 returns the base64 string representation of the connection
@@ -301,6 +304,8 @@ func (y YAMLConnectionConfig) copy(mdns, dht bool, cfg *Config, d *discovery.DHT
 	}
 	cfg.SealKeyLength = y.OTP.Crypto.Length
 	cfg.MaxMessageSize = y.MaxMessageSize
+	cfg.TrustedPeerIDS = y.TrustedPeerIDS
+	cfg.ProtectedStoreKeys = y.ProtectedStoreKeys
 }
 
 const defaultKeyLength = 43

pkg/trustzone/authprovider/ecdsa/provider.go

@@ -93,6 +93,7 @@ func (e *ECDSA521) Challenger(inTrustZone bool, c node.Config, n *node.Node, b *
 		msg := hub.NewMessage("challenge")
 		msg.Annotations = make(map[string]interface{})
 		msg.Annotations["sigs"] = string(signature)
+		msg.SenderID = n.Host().ID().String()
 		n.PublishMessage(msg)
 		return
 	}

test.sh

@@ -1,21 +1,30 @@
 #!/bin/bash
 
-keys=($(go run main.go peergater ecdsa-genkey | cut -d: -f2- ))
-PRIVKEY=${keys[0]}
-PUBKEY=${keys[1]}
+main_keys=($(go run main.go peergater ecdsa-genkey | cut -d: -f2- ))
+client_keys=($(go run main.go peergater ecdsa-genkey | cut -d: -f2- ))
+MAIN_PRIVKEY=${main_keys[0]}
+MAIN_PUBKEY=${main_keys[1]}
+CLIENT_PRIVKEY=${client_keys[0]}
+CLIENT_PUBKEY=${client_keys[1]}
 
 # export EDGEVPNDHTANNOUNCEMADDRS=/ip4/.../tcp/.../p2p/...
-export EDGEVPNCONFIG=~/config.yml
+export EDGEVPNCONFIG=config.yml
 export EDGEVPNPEERGATEINTERVAL=10
+export EDGEVPNPRIVKEY='CAESQOV82ydHYcTFqyjf6fE6Zrdr9aH97GwGODEWm9HmELv73T55KPBrW5n3D29Df7b+DjH1zVzqUa1cgpTBHiEBdgk='
 export PEERGATE=true
 export PEERGUARD=true
 export PEERGATE_AUTOCLEAN=true
-export PEERGATE_AUTH='{ "ecdsa" : { "private_key": "'$PRIVKEY'" } }'
-export PEERGATE_PUBLIC='{ "ecdsa_1": "'$PUBKEY'" }'
+export PEERGATE_AUTH='{ "ecdsa" : { "private_key": "'$MAIN_PRIVKEY'" } }'
+export PEERGATE_PUBLIC='{ "ecdsa_main": "'$MAIN_PUBKEY'", "ecdsa_client": "'$CLIENT_PUBKEY'" }'
 
 # killall main is a bad idea, but that worked on my machine
 sudo -E bash -c "
-  IFACE=\"utun10\" go run main.go api &
+  IFACE=\"utun10\"  go run main.go &
+  sleep 3
+
+  export -n EDGEVPNPRIVKEY
+  export PEERGATE_AUTH='{ \"ecdsa\" : { \"private_key\": \""$CLIENT_PRIVKEY"\" } }'
+  
   IFACE=\"utun11\" go run main.go
   killall main
 "