[minor] Add ONLYVERIFYPUBKEY global to bypass verification of ACLs if set to true.

2017-02-06 18:22:07 -05:00 · 2017-02-06 18:22:07 -05:00 · 9ad057e229
--- a/action.go
+++ b/action.go
@ -343,7 +343,7 @@ func (a Action) String() (str string, err error) {
 // permission is found, the default one `default` is used.
 // The first permission that is found to apply to an operation, but
 // doesn't allow the operation to run, will fail the verification globally
-func (a Action) VerifyACL(acl ACL, keyring io.Reader, verifyACLs bool) (err error) {
+func (a Action) VerifyACL(acl ACL, keyring io.Reader, onlyVerifyPubKey bool) (err error) {
 	// first, verify all signatures and get a list of PGP
 	// fingerprints of the signers
 	var fingerprints []string
@ -372,7 +372,7 @@ func (a Action) VerifyACL(acl ACL, keyring io.Reader, verifyACLs bool) (err erro
 		return errors.New("No valid fingerprints found.")
 	}

-	if !verifyACLs {
+	if onlyVerifyPubKey {
 		return
 	}

--- a/conf/mig-agent-conf.go.inc
+++ b/conf/mig-agent-conf.go.inc
@ -91,6 +91,9 @@ var HEARTBEATFREQ time.Duration = 300 * time.Second
 // timeout after which a module run is killed
 var MODULETIMEOUT time.Duration = 300 * time.Second

+// if true, only the investigator's public key is verified on actions and not ACLs.
+var ONLYVERIFYPUBKEY = false
+
 // Control modules permissions by PGP keys
 var AGENTACL = [...]string{
 	`{
--- a/conf/mig-agent.cfg.inc
+++ b/conf/mig-agent.cfg.inc
@ -51,6 +51,9 @@
    ; if true, persistent modules will not be executed by the agent
    ; nopersistmods = off

+    ; if true, only the investigator's public key is verified on actions and not ACLs.
+    onlyVerifyPubKey = false
+
 [certs]
    ca  = "/path/to/ca/cert"
    cert= "/path/to/client/cert"
--- a/mig-agent/config.go
+++ b/mig-agent/config.go
@ -34,7 +34,7 @@ type config struct {
 		NoPersistMods    bool
 		PersistConfigDir string
 		ExtraPrivacyMode bool
-		VerifyAcls       bool
+		OnlyVerifyPubKey bool
 	}
 	Certs struct {
 		Ca, Cert, Key string
@ -124,8 +124,8 @@ type globals struct {
 	// timeout after which a module run is killed
 	moduleTimeout time.Duration

-	// Whether or not to verify investigators' permissions when issuing an action
-	verifyAcls bool
+	// if true, only the investigator's public key is verified on actions and not ACLs.
+	onlyVerifyPubKey bool

 	// Not supported by config
 	// Control modules permissions by PGP keys
@ -168,7 +168,7 @@ func newGlobals() *globals {
 		socket:             SOCKET,
 		heartBeatFreq:      HEARTBEATFREQ,
 		moduleTimeout:      MODULETIMEOUT,
-		verifyAcls:         VERIFYACLS,
+		onlyVerifyPubKey:   ONLYVERIFYPUBKEY,
 		caCert:             CACERT,
 		agentCert:          AGENTCERT,
 		agentKey:           AGENTKEY,
@ -202,7 +202,7 @@ func (g globals) parseConfig(config config) error {
 	g.loggingConf = config.Logging
 	g.amqBroker = config.Agent.Relay
 	g.apiURL = config.Agent.Api
-	g.verifyAcls = config.Agent.VerifyAcls
+	g.onlyVerifyPubKey = config.Agent.OnlyVerifyPubKey
 	if config.Agent.Proxies != "" {
 		g.proxies = strings.Split(config.Agent.Proxies, ",")
 	}
@ -266,7 +266,7 @@ func (g globals) apply() {
 	SOCKET = g.socket
 	HEARTBEATFREQ = g.heartBeatFreq
 	MODULETIMEOUT = g.moduleTimeout
-	VERIFYACLS = g.verifyAcls
+	ONLYVERIFYPUBKEY = g.onlyVerifyPubKey
 	CACERT = g.caCert
 	AGENTCERT = g.agentCert
 	AGENTKEY = g.agentKey
--- a/mig-agent/configuration.go
+++ b/mig-agent/configuration.go
@ -91,8 +91,8 @@ var HEARTBEATFREQ time.Duration = 300 * time.Second
 // timeout after which a module run is killed
 var MODULETIMEOUT time.Duration = 300 * time.Second

-// Whether or not to verify investigators' permissions when issuing an action
-var VERIFYACLS = true
+// if true, only the investigator's public key is verified on actions and not ACLs.
+var ONLYVERIFYPUBKEY = false

 // Control modules permissions by PGP keys
 var AGENTACL = [...]string{