Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: policy service beta #1315

Merged
merged 53 commits into from
Sep 5, 2024
Merged

feat: policy service beta #1315

merged 53 commits into from
Sep 5, 2024

Conversation

gkc
Copy link
Contributor

@gkc gkc commented Sep 5, 2024

- What I did

  • new BETA policy binary, npp_atserver: fetches its rules from atServer as persistent store
  • new BETA binary, np_admin: exposes an API via http for setting policy rules & seeing policy info, events etc
  • new BETA webapp bundled with np_admin to provide a simple illustrative UI

Note that this is still only alpha quality but the intention is that will be beta quality in our 5.7.0 release

- How I did it
See commits

- How to verify it

  • Tests pass
  • multibuild and dockerfile.package work as intended

TODO in subsequent PRs

  • take up an at_client.AtRpc enhancement
  • add concrete types for events, logs etc rather than json/map nonsense
  • add permitOpen to the NPAAuthCheckRequest so we can have policy be able to know if a request should be denied when no matching permitOpen found
  • refactor: rename all the NPA/npa classes/files/directories to NPP/npp
  • UI refactoring - split into pieces, reduce duplicate code
  • UI<->API enhancements re events, logs etc
  • Documentation
  • Postgres impl

gkc added 30 commits July 18, 2024 13:33
@gkc
feat: (initial sane commit): file-based policy service; policy servic…
000d62d 
…e supplies a permitOpen list

- made daemonAtsigns injectable via npa bootstrapper
- added permitOpen to NPAAuthCheckResponse
- renamed `SshnpdImpl.isFromAuthorizedAtsign` to `authCheck` and have it return an NPAAuthCheckResponse
- use the NPAAuthCheckResponse to further check authorization for npt requests. After the SshnpdImpl checks its own permitOpen list, it will now also check the permitOpen list returned by the npa policy service. This enables nice single-jump-box configurations where the jump-box daemon could have permitOpen "*:*" but individual client atSigns may be restricted to "my_host:3389" or "*:22" or whatever is appropriate
- added policy binary to the buildArchive and buildBinaries scripts, and to the multibuild.yaml workflow definition
@gkc
chore: ran dart format; cleaned an 'unused function' lint
168bc5b
@gkc
refactor: renamed policy.dart to npa_file.dart
d1aa276 
fix: fixed a couple of small bugs uncovered during first road-test
@gkc
feat: some normalization of the yaml structure by adding userGroups
0d67c65
@gkc
docs: corrected code comments
206ea45
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
24a5631 
…cy-service
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
090ff36 
…cy-service
@gkc
interim commit
7b263a5
@gkc
interim commit
e46f0c7
@gkc
UI & API are good
8b380c4
@gkc
doc: added some more comments to npa_file.dart
2b86e67
@gkc
feat: completed policy UI, policy API and policy service (npp) using …
080cf29 
…atServer for persistence
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
cb58e29 
…cy-service

# Conflicts:
#	packages/dart/sshnoports/pubspec.lock
@gkc
build: Remove at_client dependency override, use published version 3.1.0
6a2955b
@gkc
build: Remove at_client dependency override, use published version 3.1.0
3af7dbb
@gkc
feat: Added support for "-p $policy_atsign" to installation scripts
8d6edfb 
- universal.sh
- shell/install.sh
- shell/headless/sshnpd.sh
- shell/launchd/com.atsign.sshnpd.plist
- shell/systemd/sshnpd.service
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
ad167ad 
…cy-service
@gkc
build: updated buildArchive script to include the admin API and webapp
ba80840
@gkc
build: updated multibuild.yaml to include the npp binary, and the adm…
40a7beb 
…in API & webapp
@gkc
build: fixed syntax in multibuild.yaml
58aca59
@gkc
build: fixed syntax in multibuild.yaml
5e9334d
@gkc
build: don't run build_runner for the admin_api
c6a01fb
@gkc
build: correct output path for compilation of admin_api
37baa91
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
3bc7a1c 
…cy-service
@gkc
feat: sshnpd, if using a policy service, pings it periodically
9c743b5
@gkc
refactor: SshnpdImpl: have _shareUsername() use _notify()
b8dda7b
@gkc
fix: SshnpdImpl: when sending heartbeat to policy, set ttln correctly
2bfab25
@gkc
chore: lint
33bb4c3
@gkc
feat: NPAImpl now sends notifications to its loggingAtsign (currently…
ce287e4 
… this is just the same atSign as the policy service itself) with details of every request received and the decision that was made
@gkc
feat: expose log events via the policy admin API
1be9c68
gkc and others added 18 commits September 4, 2024 13:39
@gkc
feat: (interim): Added event streaming to the UI/API
bea419a
@gkc
feat: policy dashboard UI tweaking
4544d1c
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
43cc538 
…cy-service
@XavierChanth
ci: add policy to other_build in multibuild
bf67971 
Had to change docker context from a nested folder to the root of the
repo.
@XavierChanth
fix: node is node
a1269fe
@XavierChanth
Merge branch 'feat/file-based-policy-service' into ci-policy-docker-b…
2d8ef68 
…uild
@XavierChanth
fix: install npm not nodejs
6d70e14
@gkc
Merge pull request #1310 from atsign-foundation/ci-policy-docker-build
6a5779d
@XavierChanth
fix: don't include dist in path
a25c579
@gkc
Merge pull request #1311 from atsign-foundation/ci-policy-docker-build
357131d
@cpswan
build(deps): Update dependabot for new Dockerfile location
374e2b1
@gkc
fix: use urls relative to /
de9e1bb
@gkc
build: prep for merge
ccdb4f0 
- rename admin_api/bin/admin_api.dart to np_admin.dart (standardize on np prefix for our binaries)
- rename sshnoports/bin/npa_file.dart to npp_file.dart (npp for NoPortsPolicy)
- rename sshnoports/bin/npp.dart to npp_atserver.dart
- update multibuild.yaml
  - reflect the renames from above
  - put the np_admin and npp_atserver binaries into sshnp/beta, and the admin webapp files into sshnp/beta/web
  - add npp_file, npp_atserver and np_admin to the list of binaries for MacOS code signing
- update Dockerfile.package
  - reflect the renames from above
  - put the np_admin and npp_atserver binaries into sshnp/beta, and the admin webapp files into sshnp/beta/web
@gkc
Merge remote-tracking branch 'origin/trunk' into feat/file-based-poli…
32ef698 
…cy-service
@gkc
chore: removed stuff that shouldn't have been committed
73591b5
@gkc
fix: ugh, typo
20c5928
@gkc
Merge pull request #1313 from atsign-foundation/cpswan-dockerfile-mul…
de0dfc1 
…tibuild

build(deps): Update dependabot for new Dockerfile location
@XavierChanth
fix: remove link from dockerfile
699a9c2
@gkc gkc requested a review from XavierChanth September 5, 2024 14:32
@XavierChanth
Copy link
Member

Started a multibuild here: https://github.com/atsign-foundation/noports/actions/runs/10723158846

@XavierChanth XavierChanth merged commit 113f46d into trunk Sep 5, 2024
22 checks passed
@XavierChanth
Copy link
Member

Cutting a release (from trunk): https://github.com/atsign-foundation/noports/releases/tag/v5.7.0-alpha-5

@gkc gkc deleted the feat-policy-service-beta branch September 6, 2024 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@XavierChanth XavierChanth XavierChanth approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gkc @XavierChanth @cpswan