diff --git a/action.go b/action.go
index 5f0863ab..8997f6f4 100644
--- a/action.go
+++ b/action.go
@@ -343,7 +343,7 @@ func (a Action) String() (str string, err error) {
 // permission is found, the default one `default` is used.
 // The first permission that is found to apply to an operation, but
 // doesn't allow the operation to run, will fail the verification globally
-func (a Action) VerifyACL(acl ACL, keyring io.Reader, verifyACLs bool) (err error) {
+func (a Action) VerifyACL(acl ACL, keyring io.Reader, onlyVerifyPubKey bool) (err error) {
 // first, verify all signatures and get a list of PGP
 // fingerprints of the signers
 var fingerprints []string
@@ -372,7 +372,7 @@ func (a Action) VerifyACL(acl ACL, keyring io.Reader, verifyACLs bool) (err erro
 return errors.New("No valid fingerprints found.")
 }
 
- if !verifyACLs {
+ if onlyVerifyPubKey {
 return
 }
 
diff --git a/conf/mig-agent-conf.go.inc b/conf/mig-agent-conf.go.inc
index b2dbee72..cf9b3667 100644
--- a/conf/mig-agent-conf.go.inc
+++ b/conf/mig-agent-conf.go.inc
@@ -91,6 +91,9 @@ var HEARTBEATFREQ time.Duration = 300 * time.Second
 // timeout after which a module run is killed
 var MODULETIMEOUT time.Duration = 300 * time.Second
 
+// if true, only the investigator's public key is verified on actions and not ACLs.
+var ONLYVERIFYPUBKEY = false
+
 // Control modules permissions by PGP keys
 var AGENTACL = [...]string{
 `{
diff --git a/conf/mig-agent.cfg.inc b/conf/mig-agent.cfg.inc
index e32d2f83..819e67f6 100644
--- a/conf/mig-agent.cfg.inc
+++ b/conf/mig-agent.cfg.inc
@@ -51,6 +51,9 @@
 ; if true, persistent modules will not be executed by the agent
 ; nopersistmods = off
 
+ ; if true, only the investigator's public key is verified on actions and not ACLs.
+ onlyVerifyPubKey = false
+
 [certs]
 ca = "/path/to/ca/cert"
 cert= "/path/to/client/cert"
diff --git a/mig-agent/config.go b/mig-agent/config.go
index 5a744ad6..87fc2112 100644
--- a/mig-agent/config.go
+++ b/mig-agent/config.go
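Review bot: The early `return` on `onlyVerifyPubKey` in the second action.go hunk accepts the action with a nil error as soon as the signatures verify, so every ACL rule that follows is skipped for any signer whose key is in the keyring; the doc comment above the signature in the first hunk still describes only the ACL lookup and should state this. Suggested addition to that comment: `// When onlyVerifyPubKey is true, verification stops after the signature check: any signer present in the keyring is accepted and the ACL is not consulted.` The body of VerifyACL between and after the two hunks is outside this diff, so whether anything else reads the flag cannot be confirmed here.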
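Review bot: The comment on `ONLYVERIFYPUBKEY` in conf/mig-agent-conf.go.inc says ACLs are not verified but not what that means for an operator: with the flag set, VerifyACL in action.go returns right after the signature check, so the per-module permissions declared in AGENTACL directly below are no longer enforced for any key in the keyring. Suggest extending the comment to two lines: `// if true, only the investigator's public key is verified on actions and not ACLs;` / `// AGENTACL below is then ignored and any key in the keyring is accepted for every operation.` The identical lines are added in mig-agent/configuration.go (its new blob cf9b3667 matches this file's), so the wording should be changed in both places.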
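Review bot: The new sample line `onlyVerifyPubKey = false` in conf/mig-agent.cfg.inc is an active setting, while the neighbouring example `; nopersistmods = off` illustrates its default as a commented-out line; for consistency with the rest of the template this should probably be `; onlyVerifyPubKey = false`. Since false is the restrictive value (ACL checks stay on), an unmodified template behaves the same either way, so the point is style only.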
@@ -34,7 +34,7 @@ type config struct {
 NoPersistMods bool
 PersistConfigDir string
 ExtraPrivacyMode bool
- VerifyAcls bool
+ OnlyVerifyPubKey bool
 }
 Certs struct {
 Ca, Cert, Key string
@@ -124,8 +124,8 @@ type globals struct {
 // timeout after which a module run is killed
 moduleTimeout time.Duration
 
- // Whether or not to verify investigators' permissions when issuing an action
- verifyAcls bool
+ // if true, only the investigator's public key is verified on actions and not ACLs.
+ onlyVerifyPubKey bool
 
 // Not supported by config
 // Control modules permissions by PGP keys
@@ -168,7 +168,7 @@ func newGlobals() *globals {
 socket: SOCKET,
 heartBeatFreq: HEARTBEATFREQ,
 moduleTimeout: MODULETIMEOUT,
- verifyAcls: VERIFYACLS,
+ onlyVerifyPubKey: ONLYVERIFYPUBKEY,
 caCert: CACERT,
 agentCert: AGENTCERT,
 agentKey: AGENTKEY,
@@ -202,7 +202,7 @@ func (g globals) parseConfig(config config) error {
 g.loggingConf = config.Logging
 g.amqBroker = config.Agent.Relay
 g.apiURL = config.Agent.Api
- g.verifyAcls = config.Agent.VerifyAcls
+ g.onlyVerifyPubKey = config.Agent.OnlyVerifyPubKey
 if config.Agent.Proxies != "" {
 g.proxies = strings.Split(config.Agent.Proxies, ",")
 }
@@ -266,7 +266,7 @@ func (g globals) apply() {
 SOCKET = g.socket
 HEARTBEATFREQ = g.heartBeatFreq
 MODULETIMEOUT = g.moduleTimeout
- VERIFYACLS = g.verifyAcls
+ ONLYVERIFYPUBKEY = g.onlyVerifyPubKey
 CACERT = g.caCert
 AGENTCERT = g.agentCert
 AGENTKEY = g.agentKey
diff --git a/mig-agent/configuration.go b/mig-agent/configuration.go
index 5addf395..cf9b3667 100644
--- a/mig-agent/configuration.go
+++ b/mig-agent/configuration.go
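Review bot: `g.onlyVerifyPubKey = config.Agent.OnlyVerifyPubKey` in the parseConfig hunk unconditionally overwrites the compiled-in default, so a config file that omits the key yields the zero value false; with this rename the zero value is the restrictive setting (ACLs still checked), whereas the replaced `VerifyAcls` field had the opposite property, an absent key silently disabled ACL checks. That fail-closed behaviour is worth pinning with a comment on the assignment, e.g. `// zero value (key absent from the config file) keeps ACL verification enabled`. parseConfig and apply both have value receivers, so these assignments only reach the package-level globals if parseConfig itself calls apply() before returning, which lies outside the hunk and presumably already works for the neighbouring fields. The struct, newGlobals and apply hunks are plain renames and need nothing further.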
@@ -91,8 +91,8 @@ var HEARTBEATFREQ time.Duration = 300 * time.Second
 // timeout after which a module run is killed
 var MODULETIMEOUT time.Duration = 300 * time.Second
 
-// Whether or not to verify investigators' permissions when issuing an action
-var VERIFYACLS = true
+// if true, only the investigator's public key is verified on actions and not ACLs.
+var ONLYVERIFYPUBKEY = false
 
 // Control modules permissions by PGP keys
 var AGENTACL = [...]string{