gasket's People

Contributors

abhayb-hpe, anarkiwi, bairdo, cangus-reannz, cglewis, clorier, codechefnisha, crenecsco, deanpemberton, dr-clark, gizmoguy, harshad91, joestringer, kaiwhata, kitl, kr1t1c4l, leonexis, libunamari, louisbarron, mwutzke, rsanger, samribeiro, shivarammysore, simeonmiteff, solidgoldbomb, trentindav, trungdtbk, wackerly, youf3, zhiweicen

gasket's Issues

Only actually signal faucet if config has changed.

it looks like the main loop is signalling faucet every time, however most of these are prometheus learning.
Could also do something about prometheus learning (if it's already learnt it's not really being learnt).
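One way to decide "has the config changed?" before signalling faucet is to hash a canonical serialisation of the ACLs gasket is about to write. This is an added example, not gasket's own code: it assumes a hypothetical `acls` structure (ACL name to ordered list of rule dicts) and an injected `signal` callable standing in for whatever sends SIGHUP to faucet.

```python
"""Signal faucet only when the rendered ACL config has actually changed.

Added example, not gasket's own code. `acls` is an assumed structure:
a dict mapping ACL name -> ordered list of Faucet-style rule dicts.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional


def canonical_config(acls: Dict[str, List[dict]]) -> bytes:
    """Serialise ACLs so that only semantic changes alter the digest.

    Dict keys are sorted at every level (so key insertion order does not
    count as a change), but each ACL's rule list keeps its order, because
    rule order determines ACL precedence and reordering IS a change.
    """
    return json.dumps(acls, sort_keys=True, separators=(",", ":")).encode()


def config_digest(acls: Dict[str, List[dict]]) -> str:
    return hashlib.sha256(canonical_config(acls)).hexdigest()


class FaucetSignaller:
    """Remembers the digest of the last config written and signals faucet
    only when a new config differs from it."""

    def __init__(self, signal: Callable[[], None]):
        self._signal = signal          # e.g. lambda: os.kill(faucet_pid, SIGHUP)
        self._last: Optional[str] = None
        self.signals_sent = 0

    def update(self, acls: Dict[str, List[dict]]) -> bool:
        """Return True if faucet was signalled, False if nothing changed."""
        digest = config_digest(acls)
        if digest == self._last:
            return False               # unchanged: no reload, no relearning churn
        self._last = digest
        self._signal()
        self.signals_sent += 1
        return True
```

Because the digest is taken over the canonical form, a rewrite that merely reorders keys inside a rule does not trigger a reload, while adding, removing or reordering rules does.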

hostapd socket timeout occasionally.

possibly when faucet has not started up yet

hub: uncaught exception: Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ryu/lib/hub.py", line 60, in _launch
    return func(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/gasket/auth_app.py", line 158, in run
    self._init_unsolicited_socket()
  File "/usr/lib/python3.6/site-packages/gasket/auth_app.py", line 90, in _init_unsolicited_socket
    self.logger)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 286, in unsolicited_socket_udp
    s = request_socket_udp(host, port, bind_address, bind_port, hsoc_type, timeout, logger)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 273, in request_socket_udp
    return HostapdCtrlUDP(addrinfo[0], addrinfo[4], bind_address, bind_port, hsoc_type, timeout, logger)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 232, in __init__
    self.connect(sockaddr)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 243, in connect
    c = self.get_cookie()
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 258, in get_cookie
    return str(self.request('GET_COOKIE'))
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 38, in request
    return self.receive(size=4096)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 156, in receive
    return str(self.soc.recv(size))
  File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 354, in recv
    return self._recv_loop(self.fd.recv, b'', bufsize, flags)
  File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 348, in _recv_loop
    self._read_trampoline()
  File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 319, in _read_trampoline
    timeout_exc=socket.timeout("timed out"))
  File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 203, in _trampoline
    mark_as_closed=self._mark_as_closed)
  File "/usr/lib/python3.6/site-packages/eventlet/hubs/__init__.py", line 162, in trampoline
    return hub.switch()
  File "/usr/lib/python3.6/site-packages/eventlet/hubs/hub.py", line 294, in switch
    return self.greenlet.switch()
socket.timeout: timed out

Reload config on sighup

what will happen to already authed users?

a) auth stays exactly the same.
b) auth removed
c) auth reapplied with new details. (e.g. if rules.yaml changed user is still authed but the acls may change)

a or c seem preferable.

Link State Events

When a port goes down clients on that port should have to re authenticate.

Tidy up logging

logging is a mess with things that don't need to be logged, that were used when debugging.

use correct log levels for messages that are still useful.

Tie authentication to IP address

as well as MAC & port.

But how get the IP associated with the user?

  • captive portal knows it at auth time.
  • 1X doesn't.
  • add a mirror rule or something to learn the IP address (from the client's view). (remove rule once learnt. perhaps add a rule that checks if it changes.).
  • mirror dhcp from dhcp server.
  • tie in with a dhcp server? - probably safest, but might force user(admin) to only use one specific dhcp server.

docker start script

docker/runauth.sh This seems kind of messy.

Perhaps have gasket catch the signals, and another flag for the base config stuff (starting fresh or not).

In fact whether we start fresh or not should be decided by the user, so add an option for that (passing env variables in docker??)

how would docker restart mode work then - if wanted to keep the current rules after a crash?

Multiple Hostapd control sockets should be supported.

Each hostapd socket only receives messages for one interface on the hostapd machine.

With the link022 stuff there can be multiple SSIDs (NICs), but we can only listen to one.

Also implies allowing multiple hostapd NFV servers.

tests

Think some features might not be tested.

  • applying to named ports (not auth_port) #86
  • multiple hostapds. and where hostapd is only managing one port. or many ports. or many hostapds managing the same ports. #87

Reconsider ACL naming scheme

port_<dp_name>_<port_number>

Maybe also use faucet's new acl_in syntax (list)

acls_in: [1x_to_hostapd, some_user_defined_port_rules, authentications_for_dp_1_port_3, all_to_hostapd] #89

and then create a script to generate these acls/faucet conf.
e.g. auth.yaml
hostapd-mac: 44:44:44:44:44:44
#90

base-acls.yaml contains the 'some_user_defined_port_rules' and nothing else.
so auth.yaml + base-acls.yaml = faucet.yaml (+ faucet-acl.yaml)

RADIUS Access-Reject

e.g. if rejected put mac into a quarantine VLAN (only access very limited number of services) or similar.

or
direct to a captive portal

Use hostapd internal RADIUS server for attribute saving

There is no intention to fix this anytime soon.

Currently only external radius servers can be used if radius attributes need to be saved.

From memory the issue might be that hostapd receives a packet (off the network) for external servers.
so perhaps we are processing it too early or something.
Maybe (idk) the internal radius server is handled internally by hostapd (and not on the network - localhost)

Cleanup config parsing

use faucet config parser like hostapd_conf.py for everything (provides defaults and errors out as needed)

authorised port_acl should match with vlan as well.

user logs on (via link022) and is assigned to vlan by hostapd (based on what ssid was used).
The current acl does not specify the vlan, so it might be possible for the same mac to appear on a different vlan on the same port and be allowed through when it should be dropped. (we've gained access to a vlan we shouldn't be in).

This relates to issue #38
I'm thinking add an auth-vlan value.

3 ways to 'learn' the vlan a host is/should be on:

  1. add to hostapd user mib what SSID or VLAN the user is on. (link022)
  2. radius saving option (wired) #38
  3. learnt vlan (wired) (spoofable/timing attack). could possibly use option 1.
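The hole this issue describes, shown in an added example that is not gasket's own code: a tiny in-memory model of Faucet-style ACL rules (`dl_src`, `in_port`, `vlan_vid`, `actions`) with a hypothetical first-match evaluator. Real Faucet evaluates ACLs in the switch pipeline; the matcher here only exists to show the difference between the current MAC+port rule and one that also pins the auth VLAN.

```python
"""Why an authorised port ACL should match VLAN as well as MAC and port.

Added example, not gasket's own code. Rules use Faucet-style match field
names; `first_match`/`allowed` are a hypothetical evaluator for this demo.
"""
from typing import Dict, List, Optional

AUTH_PORT = 3                          # constructed sample port
MAC = "00:11:22:33:44:55"              # constructed sample client MAC


def auth_rule(mac: str, port: int, auth_vlan: Optional[int] = None) -> dict:
    """Rule installed after a successful auth.

    auth_vlan=None gives the current MAC+port-only rule from the issue;
    a VLAN gives the proposed rule that also requires the assigned VLAN.
    """
    match: Dict[str, object] = {"dl_src": mac, "in_port": port}
    if auth_vlan is not None:
        match["vlan_vid"] = auth_vlan
    return {"rule": {**match, "actions": {"allow": 1}}}


def drop_all() -> dict:
    return {"rule": {"actions": {"allow": 0}}}


def build_port_acl(mac: str, port: int, auth_vlan: Optional[int] = None) -> List[dict]:
    # ACLs are ordered: the authenticated-host rule first, then the catch-all drop.
    return [auth_rule(mac, port, auth_vlan), drop_all()]


def first_match(acl: List[dict], pkt: Dict[str, object]) -> Optional[dict]:
    """Return the first rule whose match fields all equal the packet's fields."""
    for entry in acl:
        rule = entry["rule"]
        fields = {k: v for k, v in rule.items() if k != "actions"}
        if all(pkt.get(k) == v for k, v in fields.items()):
            return rule
    return None


def allowed(acl: List[dict], pkt: Dict[str, object]) -> bool:
    rule = first_match(acl, pkt)
    return bool(rule and rule["actions"].get("allow"))


# Same MAC and port, but the second packet arrives tagged with a VLAN the
# user was never assigned to by hostapd.
on_assigned_vlan = {"dl_src": MAC, "in_port": AUTH_PORT, "vlan_vid": 10}
on_other_vlan = {"dl_src": MAC, "in_port": AUTH_PORT, "vlan_vid": 20}
```

With the MAC+port-only ACL both packets are allowed, which is exactly the "gained access to a VLAN we shouldn't be in" case; once `vlan_vid` is part of the match, the second packet falls through to the drop rule.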

Only install rules if user active on switch. Remove when inactive.

In the case of WiFi, in particular using a Captive Portal, a client may be authenticated for a long time - months/years. However they may not be on campus or even near certain access points, so there is no point having rules associated with that user installed on the switch.

In theory there is no reason it should be limited to Captive Portal.

May also be desirable to implement where nearby access points have the rules added to improve re-connection delays (Alex Deng's work).

Hostapd event messages not received after a while.

After some time hostapd control interface messages no longer get received by gasket.

  • packet capture gasket docker.
  • packet capture controller.

problem is likely with the port forwarding/ping to keep firewall open.

Consider tunnel instead of mac rewrite.

MAC rewrite becomes dodgy when multiple switches are managed by a single gasket. The switch must know how to forward the rewritten address or else a broadcast occurs.

Another option could be use of action output port. but this means the controller will not learn the client MAC, which is useful for forwarding the reply to only the client's port, and knowing where to put the new rules.

Different modes

X) 1 port - 1 1X host
Y) 1 port - 1 1X host, N non 1X hosts
Z) 1 port - N 1X hosts.

Useful for devices behind IP phones, etc.

(Z) wifi

pylint

  • run pylint in tests. (it's not running)
  • actually de-lint latest changes

link022 host eventually loses connection.

host authenticates fine. but after a while loses connection.
Might be when disconnecting (via moving away), then reconnecting.

this might be just a symptom of another issue.

Gasket doesn't reconnect to hostapd.

Apr 03 21:53:50-617 link023-1ssid DEBUG    waiting for receive
Apr 03 21:53:54-384 link023-2ssid DEBUG    request is "COOKIE=c61f340e380446d0 PING"
Apr 03 21:53:54-622 link023-1ssid DEBUG    request is "COOKIE=7d1a941757f2b2fe PING"
Apr 03 21:53:58-388 link023-2ssid DEBUG    ping timed out.
Apr 03 21:53:58-388 link023-2ssid INFO     Connection to hostapd lost. Retrying to connect
Apr 03 21:53:58-389 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:53:58-627 link023-1ssid DEBUG    ping timed out.
Apr 03 21:53:58-629 link023-1ssid INFO     Connection to hostapd lost. Retrying to connect
Apr 03 21:53:58-630 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:02-395 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:02-395 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:02-636 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:02-637 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:06-401 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:06-402 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:06-642 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:06-643 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:10-408 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:10-649 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:12-411 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:12-652 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:16-417 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:16-418 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:16-658 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:16-658 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:20-424 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:20-424 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:20-664 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:20-665 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:24-428 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:24-671 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:26-431 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:26-674 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:30-436 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:30-437 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:30-679 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:30-680 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:34-443 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:34-463 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:34-686 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:34-687 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:38-469 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:38-693 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:40-472 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:40-696 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:54:44-478 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
...
Apr 03 21:55:34-579 link023-2ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:55:34-771 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:55:36-582 link023-2ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:55:36-774 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:55:37-85 link023-2ssid ERROR    OSError exception in run. self.stop has not been set.
Apr 03 21:55:37-86 link023-2ssid ERROR    [Errno 111] Connection refused
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 56, in run
    data = str(self.unsolicited_sock.receive())
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
    return self.soc.recv(size).decode()
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 58, in run
    self.request_sock.ping()
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 147, in ping
    if not self.soc and self.reconnect(self.ifname):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 326, in reconnect
    if not self.open_connection(ifname):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 362, in open_connection
    cookie = self.get_cookie()
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 381, in get_cookie
    return self.request('GET_COOKIE')
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 39, in request
    return self.receive(size=4096)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
    return self.soc.recv(size).decode()
ConnectionRefusedError: [Errno 111] Connection refused
Apr 03 21:55:40-779 link023-1ssid DEBUG    Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:55:40-780 link023-1ssid DEBUG    request is "GET_COOKIE"
Apr 03 21:55:40-784 link023-1ssid ERROR    OSError exception in run. self.stop has not been set.
Apr 03 21:55:40-786 link023-1ssid ERROR    [Errno 111] Connection refused
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 56, in run
    data = str(self.unsolicited_sock.receive())
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
    return self.soc.recv(size).decode()
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 58, in run
    self.request_sock.ping()
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 147, in ping
    if not self.soc and self.reconnect(self.ifname):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 326, in reconnect
    if not self.open_connection(ifname):
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 362, in open_connection
    cookie = self.get_cookie()
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 381, in get_cookie
    return self.request('GET_COOKIE')
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 39, in request
    return self.receive(size=4096)
  File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
    return self.soc.recv(size).decode()
ConnectionRefusedError: [Errno 111] Connection refused
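The tracebacks above (and the earlier "hostapd socket timeout occasionally" and "Hostapd event messages not received after a while" issues) share a pattern: the keepalive path handles `socket.timeout`, but the `GET_COOKIE` issued during reconnect raises `ConnectionRefusedError`, which escapes and kills the socket thread. The following added example, which is not gasket's `hostapd_ctrl` code, shows a keepalive/reconnect loop that treats both as a transient failure, backs off, and gives up cleanly. `FakeHostapd` is a constructed transport scripted to reproduce the sequence in the log (pings time out, the cookie request is refused while hostapd is down, then hostapd comes back); `HostapdClient` is a hypothetical client.

```python
"""Keepalive/reconnect loop for a hostapd control socket that survives both
socket.timeout and ConnectionRefusedError.

Added example, not gasket's own code. FakeHostapd is a constructed,
scripted transport; HostapdClient is a hypothetical client, not gasket's
hostapd_ctrl. socket.timeout is an OSError subclass, so `except OSError`
covers timeouts, refusals and unreachable hosts alike.
"""
import socket
from typing import List, Optional


class FakeHostapd:
    """Scripted transport: each entry is a reply string or an exception
    instance to raise, consumed in order. Once the script is exhausted every
    request times out, as if hostapd had gone away for good."""

    def __init__(self, script: List[object]):
        self.script = list(script)
        self.sent: List[str] = []

    def request(self, cmd: str) -> str:
        self.sent.append(cmd)
        outcome = self.script.pop(0) if self.script else socket.timeout("timed out")
        if isinstance(outcome, BaseException):
            raise outcome
        return str(outcome)


class HostapdClient:
    def __init__(self, transport, max_attempts: int = 5):
        self.transport = transport
        self.max_attempts = max_attempts
        self.cookie: Optional[str] = None
        self.stop = False              # set by the owner to shut the thread down
        self.backoffs: List[int] = []  # seconds we would sleep (recorded, not slept)

    def get_cookie(self) -> str:
        reply = self.transport.request("GET_COOKIE")
        if not reply.startswith("COOKIE="):
            raise ValueError("unexpected reply to GET_COOKIE: %r" % reply)
        self.cookie = reply.split("=", 1)[1]
        return self.cookie

    def ping(self) -> bool:
        reply = self.transport.request("COOKIE=%s PING" % self.cookie)
        return reply == "PONG"

    def reconnect(self) -> bool:
        """Re-fetch a cookie, treating refusal and timeout as the same
        transient condition; never let an OSError escape to the caller."""
        self.cookie = None
        for attempt in range(self.max_attempts):
            if self.stop:
                return False
            try:
                self.get_cookie()
                return True
            except OSError:
                # ConnectionRefusedError (Errno 111): hostapd is down or its
                # control port is closed. Back off instead of crashing.
                self.backoffs.append(min(2 ** attempt, 30))
        return False

    def keepalive(self) -> bool:
        """One keepalive round: ping, and reconnect on any socket failure."""
        try:
            if self.ping():
                return True
        except OSError:
            pass
        return self.reconnect()
```

Run against the scripted transport, the client recovers from a timed-out ping followed by two refused `GET_COOKIE` requests, then returns `False` (rather than raising) once hostapd stops answering altogether, leaving the owning thread free to decide whether to retry later or honour `stop`.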