From 8fc6cb3cd97c9eb6dfed13967db4854f3a93e16f Mon Sep 17 00:00:00 2001 From: TungHoang Date: Mon, 5 Dec 2022 10:44:27 +0100 Subject: [PATCH] Persist ACL policies via Raft * Use RaftLog to handle policy persistence on the cluster * Add DeprecationWarning for file-based authorization method * Add `AddPolicy`, `RevokePolicy` and `ListPolicy` endpoints to handle ACL policy changes. --- documentation/authentication_authorization.md | 110 +- documentation/configuration.md | 4 +- go.mod | 5 + go.sum | 46 +- server/api.go | 107 ++ server/api_test.go | 442 ++++- server/authz.go | 16 + server/configs/certs/ca-cert.pem | 64 +- server/configs/certs/ca-cert.srl | 2 +- server/configs/certs/ca-key.pem | 100 +- server/configs/certs/cert_maker/gen.sh | 18 +- server/configs/certs/client/client-cert.pem | 34 - server/configs/certs/client/client-key.pem | 52 - server/configs/certs/client/client-req.pem | 28 - .../client/client-root/client-root-cert.pem | 34 + .../client/client-root/client-root-key.pem | 52 + .../client/client-root/client-root-req.pem | 28 + .../certs/client/client1/client1-cert.pem | 34 + .../certs/client/client1/client1-key.pem | 52 + .../certs/client/client1/client1-req.pem | 29 + server/configs/certs/server/server-cert.pem | 64 +- server/configs/certs/server/server-key.pem | 100 +- server/configs/certs/server/server-req.pem | 46 +- server/configs/tls-authz-on-raft.yaml | 15 + server/fsm.go | 65 + server/fsm_test.go | 83 + server/metadata.go | 127 ++ server/metadata_test.go | 287 ++++ server/propagation.go | 24 + server/protocol/internal.pb.go | 1428 ++++++++++++++--- server/protocol/internal.proto | 23 + server/server.go | 50 +- server/server_test.go | 2 +- 33 files changed, 2926 insertions(+), 645 deletions(-) delete mode 100644 server/configs/certs/client/client-cert.pem delete mode 100644 server/configs/certs/client/client-key.pem delete mode 100644 server/configs/certs/client/client-req.pem create mode 100644 server/configs/certs/client/client-root/client-root-cert.pem create mode 100644 server/configs/certs/client/client-root/client-root-key.pem create mode 100644 server/configs/certs/client/client-root/client-root-req.pem create mode 100644 server/configs/certs/client/client1/client1-cert.pem create mode 100644 server/configs/certs/client/client1/client1-key.pem create mode 100644 server/configs/certs/client/client1/client1-req.pem create mode 100644 server/configs/tls-authz-on-raft.yaml diff --git a/documentation/authentication_authorization.md b/documentation/authentication_authorization.md index ad6e3300..fc0eaca4 100644 --- a/documentation/authentication_authorization.md +++ b/documentation/authentication_authorization.md @@ -62,6 +62,10 @@ Liftbridge identifies clients thanks to TLS certificates. Thus, in order to use See the [above section](#authentication) to properly enable authentication. +### (Deprecated) Use a file to store ACL policies + +*Storing ACL policies in simple CSV file is deprecated, as it creates many problems from administration view point. I.e: The same policy file must be guaranteed to be consistent accross all servers in the cluster* + In order to define permissions for clients on specific resources, a `model.conf` file and a `policy.csv` file is required. The `model.conf` file will define the ACL based authorization models. The `policy.csv` serves as a local file-based storage for authorization policies. Currently polices are not yet synchronized or persisted automatically acrosss Liftbridge cluster. Support for this may be provided in the future. Refer to the `tls` settings in @@ -81,6 +85,8 @@ tls: ``` +*NOTE*: if `client.authz.model` or `client.authz.policy` configurations are not declared, the [default authorization behavior](./authentication_authorization.md#persist-acl-policies-directly-on-the-cluster) will be used. + Inside `model.conf`, an ACL based models should be defined, as ```conf @@ -124,12 +130,110 @@ In this example, `client1` is authorized to perform a set of actions on stream ` - In order to use `cursor`, the client must also have permissions on stream `__cursors`. - `policy.csv` is the local file to store authorization policy. A corrupted file may result in API fails to server requests (due to policy configuration errors), or API crashes ( if the `policy.csv` is totally corrupted). -As mentioned, currently Liftbridge does not sync policies acrosss server nodes in the cluster, so the permission is given local on the given server node. To add/remove a policy, the `policy.csv` file has to be modified manually. Liftbridge currently does not reload the file on the flight. +With this method of authorization, Liftbridge does not sync policies acrosss server nodes in the cluster, so the permission is given local on the given server node. To add/remove a policy, the `policy.csv` file has to be modified manually. Liftbridge currently does not reload the file on the flight. -### Permission reload After a modification in `policy.csv` file, to signal Liftbridge to take into account the changes, it is required to perform one of the following actions: - Restart the server completely ( cold reload) -- Send a `SIGHUP` signal to the server's running process to signal a reload of authorization policy (hot reload). Liftbridge handles `SIGHUP` signal to reload safely permissions without restarting. \ No newline at end of file +- Send a `SIGHUP` signal to the server's running process to signal a reload of authorization policy (hot reload). Liftbridge handles `SIGHUP` signal to reload safely permissions without restarting. + +### Persist ACL policies directly on the cluster +This is the default behavior if you have `tls.client.authz.enabled` set to `true`. + + +All ACL policies, once added to the cluster, will be persisted durably with Raft log. The mechanism is consistent with the way Liftbridge handles metadata information about the cluster (e.g: ISR, Stream Creation ...) + +When an ACL policy is added, it will be committed to Raft log, and each participating server will make sure that the ACL policy is applied locally in the Finite State Machine (FSM), which effectively applies the policy to the server. + +From administration viewpoint, as Liftbridge handles and abstracts all the complex operations behind the scence, administrator can be sure about the high level of consistency in authorization permissions on the cluster. + +An example of the configuration on server side for authorization +```yaml +tls: + key: ./configs/certs/server/server-key.pem + cert: ./configs/certs/server/server-cert.pem + client.auth.enabled: true + client.auth.ca: ./configs/certs/ca-cert.pem + client.authz.enabled: true +``` + +In order to add/revoke or list ACL permissions, by default, a client has to connect to the cluster as `root`. I.e: the client key and certificate must be generated for username `root`. The following requests are used to Add/Revoke or List policies: + +```golang +// Create Liftbridge client. + addrs := []string{"localhost:9292"} + // Connect with TLS for Root user + certPool := x509.NewCertPool() + ca, err := ioutil.ReadFile("./configs/certs/ca-cert.pem") + if err != nil { + panic(err) + } + certPool.AppendCertsFromPEM(ca) + certificate, err := tls.LoadX509KeyPair("./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + if err != nil { + panic(err) + } + config := &tls.Config{ + ServerName: "localhost", + Certificates: []tls.Certificate{certificate}, + RootCAs: certPool, + } + + client, err := lift.Connect(addrs, lift.TLSConfig(config)) + if err != nil { + panic(err) + } + defer client.Close() + + ctx := context.Background() + err = client.AddPolicy(ctx, "client1", "foo", "Subscribe") + if err != nil { + fmt.Print("FetchMetadata") + panic(err) + } + err = client.RevokePolicy(ctx, "client1", "foo", "CreateStream") + if err != nil { + fmt.Print("CreateStream") + + panic(err) + } + + policies, _ := client.ListPolicy(context.Background()) + + for _, policy := range policies { + fmt.Println(policy.UserId, policy.ResourceId, policy.Action) + } + +``` + +The client can connect to any available server in the cluster to perform `AddPolicy`, `RevokePolicy` and `ListPolicy` requests. The request is propagated all over the cluster automatically. + +A basic client needs the following permission to perform most of the functionalites on the cluster + + +```csv +client1, *, FetchMetadata +client1, foo, CreateStream +client1, foo, DeleteStream +client1, foo, PauseStream +client1, foo, Subscribe +client1, foo, PublishToSubject +client1, foo, Publish +client1, __cursors, Publish +client1, foo, SetStreamReadonly +client1, foo, FetchPartitionMetadata +client1, foo, SetCursor +client1, foo, FetchCursor +``` + +In this example, `client1` is authorized to perform a set of actions on stream `foo`. + +If client needs the permissions to use `AddPolicy`, `RevokePolicy` and `ListPolicy`, the following ACL policies should be added + +``` +client1, *, AddPolicy +client1, *, RevokePolicy +client1, *, ListPolicy +``` \ No newline at end of file diff --git a/documentation/configuration.md b/documentation/configuration.md index 544feced..4a84060a 100644 --- a/documentation/configuration.md +++ b/documentation/configuration.md @@ -133,8 +133,8 @@ the setting in the configuration file and the CLI flag if it exists. | tls.client.auth.enabled | | Enforce client-side authentication via certificate. | bool | false | | tls.client.auth.ca | | The CA certificate file to use when authenticating clients. | string | | | tls.client.authz.enabled | | Enable ACL authorization on streams. | bool | false | -| tls.client.authz.model | | ACL authorization configuration model. See [Casbin ACL example](https://github.com/casbin/casbin#examples) | string | | -| tls.client.authz.policy | | ACL authorization policy defenition file. See [Casbin ACL example](https://github.com/casbin/casbin#examples) | string | | +| tls.client.authz.model | | (Deprecated) See [authorization docs.](./authentication_authorization.md#deprecated-use-a-file-to-store-acl-policies) ACL authorization configuration model. See [Casbin ACL example](https://github.com/casbin/casbin#examples) | string | | +| tls.client.authz.policy | | (Deprecated) See [authorization docs.](./authentication_authorization.md#deprecated-use-a-file-to-store-acl-policies) ACL authorization policy defenition file. See [Casbin ACL example](https://github.com/casbin/casbin#examples) | string | | | logging.level | level, l | The logging level. | string | info | [debug, info, warn, error] | | logging.recovery | | Log messages resulting from the replay of the Raft log on server recovery. | bool | false | | | logging.raft | | Enables logging in the Raft subsystem. | bool | false | | diff --git a/go.mod b/go.mod index 9d5bbd65..cde0909d 100644 --- a/go.mod +++ b/go.mod @@ -72,3 +72,8 @@ require ( gopkg.in/yaml.v2 v2.3.0 // indirect gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect ) + +replace ( + github.com/liftbridge-io/go-liftbridge/v2 v2.2.1-0.20220311002120-3d391a19ff0e => /Users/tunghoang/Documents/Code/go-liftbridge/v2 + github.com/liftbridge-io/liftbridge-api v1.9.0 => /Users/tunghoang/Documents/Code/liftbridge-api +) diff --git a/go.sum b/go.sum index b84c91a4..9f556c16 100644 --- a/go.sum +++ b/go.sum @@ -76,9 +76,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= @@ -99,8 +98,7 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= @@ -164,8 +162,9 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= @@ -272,17 +271,10 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/liftbridge-io/go-liftbridge/v2 v2.2.1-0.20220311002120-3d391a19ff0e h1:l/PyeLH3bTkmEJDoTnJ+xdgJ6CtpCNWQV26hYYB+q7U= -github.com/liftbridge-io/go-liftbridge/v2 v2.2.1-0.20220311002120-3d391a19ff0e/go.mod h1:S1uuZVBDDrVOJe5cKpwtteMOTSks1tj0FrSx6AnGiyg= -github.com/liftbridge-io/liftbridge-api v1.7.2-0.20220311001744-a030bbfca925/go.mod h1:VKUkozs5yuD0jcJH8cALCPV1WdmncwXgkv8wX/ay35g= -github.com/liftbridge-io/liftbridge-api v1.8.1-0.20220316175059-41803e2366cd h1:eegGFtv6qk7srklH9CRQ0UfJ2RHjr3BLWi5QtfOsXZU= -github.com/liftbridge-io/liftbridge-api v1.8.1-0.20220316175059-41803e2366cd/go.mod h1:VKUkozs5yuD0jcJH8cALCPV1WdmncwXgkv8wX/ay35g= -github.com/liftbridge-io/liftbridge-api v1.9.0 h1:tw8TcRqu6fUQMolfBHeUQ0McAQtHcH2vgm91SrAAQSQ= -github.com/liftbridge-io/liftbridge-api v1.9.0/go.mod h1:VKUkozs5yuD0jcJH8cALCPV1WdmncwXgkv8wX/ay35g= +github.com/liftbridge-io/liftbridge-api v1.8.0/go.mod h1:VKUkozs5yuD0jcJH8cALCPV1WdmncwXgkv8wX/ay35g= github.com/liftbridge-io/nats-on-a-log v0.0.0-20200818183806-bb17516cf3a3 h1:O4mg1NEmukgY8hxen3grrG5RY34LadMTzpbjf8kM2tA= github.com/liftbridge-io/nats-on-a-log v0.0.0-20200818183806-bb17516cf3a3/go.mod h1:wmIIYVq+psahPlB1rvtTkGiltdihsKJbqwE1DkIPwj4= github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= @@ -324,7 +316,6 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A= github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM= github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= -github.com/nats-io/jwt v0.3.2 h1:+RB5hMpXUUA2dfxuhBTEkMOrYmM+gKIZYS1KjSostMI= github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= github.com/nats-io/jwt/v2 v2.2.1-0.20220113022732-58e87895b296 h1:vU9tpM3apjYlLLeY23zRWJ9Zktr5jp+mloR942LEOpY= github.com/nats-io/jwt/v2 v2.2.1-0.20220113022732-58e87895b296/go.mod h1:0tqz9Hlu6bCBFLWAASKhE5vUA4c24L9KPUUgvwumE/k= @@ -530,10 +521,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220526153639-5463443f8c37/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -595,15 +583,11 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220111092808-5a964db01320/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 h1:A9i04dxx7Cribqbs8jf3FQLogkL/CV2YN7hj9KWJCkc= -golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2 h1:wM1k/lXfpc5HdkJJyW9GELpd8ERGdnh8sMGL6Gzq3Ho= golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -615,7 +599,6 @@ golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5f golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -731,9 +714,7 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20220201184016-50beb8ab5c44/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220314164441-57ef72a4c106 h1:ErU+UA6wxadoU8nWrsy5MZUVBs75K17zUCsUCIfrXCE= -google.golang.org/genproto v0.0.0-20220314164441-57ef72a4c106/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= +google.golang.org/genproto v0.0.0-20220527130721-00d5c0f3be58/go.mod h1:yKyY4AMRwFiC8yMMNaMi+RkCnjZJt9LoWuvhXjMs+To= google.golang.org/genproto v0.0.0-20220909194730-69f6226f97e5 h1:ngtP8S8JkBWfJACT9cmj5eTkS9tIWPQI5leBz/7Bq/c= google.golang.org/genproto v0.0.0-20220909194730-69f6226f97e5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= @@ -753,10 +734,7 @@ google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.45.0 h1:NEpgUqV3Z+ZjkqMsxMg11IaDrXY4RY6CQukSGK0uI1M= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw= google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -771,8 +749,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= @@ -781,7 +759,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.57.0 h1:9unxIsFcTt4I55uWluz+UmL95q4kdJ0buvQ1ZIqVQww= @@ -807,7 +784,6 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= launchpad.net/gocheck v0.0.0-20140225173054-000000000087 h1:Izowp2XBH6Ya6rv+hqbceQyw/gSGoXfH/UPoTGduL54= -launchpad.net/gocheck v0.0.0-20140225173054-000000000087/go.mod h1:hj7XX3B/0A+80Vse0e+BUHsHMTEhd0O4cpUHr/e/BUM= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/server/api.go b/server/api.go index f723fc07..fb1ad6a2 100644 --- a/server/api.go +++ b/server/api.go @@ -252,6 +252,12 @@ func (a *apiServer) Subscribe(req *client.SubscribeRequest, out client.API_Subsc case <-closedC: return nil case m := <-msgC: + // Enforce authorization on stream of message + e := a.ensureAuthorizationPermission(out.Context(), req.Stream, "Subscribe") + if e != nil { + a.logger.Errorf("api: Failed to authorize call on resource: %v", e) + return e + } if err := out.Send(m); err != nil { return err } @@ -694,6 +700,107 @@ func (a *apiServer) ReportConsumerGroupCoordinator(ctx context.Context, req *cli return new(client.ReportConsumerGroupCoordinatorResponse), nil } +// AddPolicy adds an ACL authorization policy to the cluster. The policy is stored durably and replicated +// to all servers particpating in the cluster. +// As the operation is async in nature, it is recommended to veriy the result of the action with ListPolicy endpoint. +func (a *apiServer) AddPolicy(ctx context.Context, req *client.AddPolicyRequest) (*client.AddPolicyResponse, error) { + if req.Policy == nil { + return nil, status.Error(codes.InvalidArgument, "Invalid ACL policy") + } + + a.logger.Debugf("api: AddPolicy [userId=%s, resourceId=%s, action=%s]", + req.Policy.UserId, req.Policy.ResourceId, req.Policy.Action) + + // If the server to configured to use file-based authorization policies, this endpoint + // is not supported + if a.config.TLSClientAuthzModel != "" && a.config.TLSClientAuthzPolicy != "" { + return nil, status.Error(codes.FailedPrecondition, "Server is not configured to use this endpoint") + } + + // [NOTE]: AddPolicy call is an 'admin' level call, on all resources. + // To perform AddPolicy call, user must be either 'root' or have AddPolicy + // permission on all resources. + e := a.ensureAuthorizationPermission(ctx, "*", "AddPolicy") + if e != nil { + a.logger.Errorf("api: Failed to authorize call on resource: %v", e) + return nil, e + } + + if e := a.metadata.AddPolicy(ctx, &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: req.Policy.UserId, + ResourceId: req.Policy.ResourceId, + Action: req.Policy.Action}}); e != nil { + return nil, e.Err() + } + return &client.AddPolicyResponse{}, nil +} + +// RevokePolicy removes an existing ACL authorization policy to the cluster. As the operation is async in nature, +// it is recommended to veriy the result of the action with ListPolicy endpoint. +func (a *apiServer) RevokePolicy(ctx context.Context, req *client.RevokePolicyRequest) (*client.RevokePolicyResponse, error) { + if req.Policy == nil { + return nil, status.Error(codes.InvalidArgument, "Invalid ACL policy") + } + + a.logger.Debugf("api: AddPolicy [userId=%s, resourceId=%s, action=%s]", + req.Policy.UserId, req.Policy.ResourceId, req.Policy.Action) + + // If the server to configured to use file-based authorization policies, this endpoint + // is not supported + if a.config.TLSClientAuthzModel != "" && a.config.TLSClientAuthzPolicy != "" { + return nil, status.Error(codes.FailedPrecondition, "Server is not configured to use this endpoint") + } + + // [NOTE]: RevokePolicy call is an 'admin' level call, on all resources. + // To perform RevokePolicy call, user must be either 'root' or have RevokePolicy + // permission on all resources. + e := a.ensureAuthorizationPermission(ctx, "*", "RevokePolicy") + if e != nil { + a.logger.Errorf("api: Failed to authorize call on resource: %v", e) + return nil, e + } + + err := a.metadata.RevokePolicy(ctx, + &proto.RevokePolicyOp{Policy: &proto.Policy{ + UserId: req.Policy.UserId, + ResourceId: req.Policy.ResourceId, + Action: req.Policy.Action}}) + + if err != nil { + return nil, err.Err() + } + return &client.RevokePolicyResponse{}, nil +} + +// ListPolicy retrieves all existing ACL authorization policies from the cluster. +func (a *apiServer) ListPolicy(ctx context.Context, req *client.ListPolicyRequest) (*client.ListPolicyResponse, error) { + + a.logger.Debug("api: ListPolicy") + + // If the server to configured to use file-based authorization policies, this endpoint + // is not supported + if a.config.TLSClientAuthzModel != "" && a.config.TLSClientAuthzPolicy != "" { + return nil, status.Error(codes.FailedPrecondition, "Server is not configured to use this endpoint") + } + + // [NOTE]: ListPolicy call is an 'admin' level call, on all resources. + // To perform ListPolicy call, user must be either 'root' or have ListPolicy + // permission on all resources. + e := a.ensureAuthorizationPermission(ctx, "*", "ListPolicy") + if e != nil { + a.logger.Errorf("api: Failed to authorize call on resource: %v", e) + return nil, e + } + + policies, err := a.metadata.ListPolicy(ctx, req) + + if err != nil { + return nil, err.Err() + } + + return policies, nil +} + // isValidSubject indicates if the string is a valid NATS subject. func isValidSubject(subj string) bool { if strings.ContainsAny(subj, " \t\r\n") { diff --git a/server/api_test.go b/server/api_test.go index a996a553..415f549f 100644 --- a/server/api_test.go +++ b/server/api_test.go @@ -92,6 +92,7 @@ func TestCreateStreamPropagate(t *testing.T) { // Creating the same stream returns ErrStreamExists. err = client.CreateStream(context.Background(), "foo", "foo") require.Equal(t, lift.ErrStreamExists, err) + } // Ensure creating a stream fails when there is no known metadata leader. @@ -2188,22 +2189,7 @@ func TestAuthzWithGrantedResource(t *testing.T) { defer s1.Stop() getMetadataLeader(t, 10*time.Second, s1) - // Connect with TLS. - certPool := x509.NewCertPool() - ca, err := ioutil.ReadFile("./configs/certs/ca-cert.pem") - if err != nil { - panic(err) - } - certPool.AppendCertsFromPEM(ca) - certificate, err := tls.LoadX509KeyPair("./configs/certs/client/client-cert.pem", "./configs/certs/client/client-key.pem") - if err != nil { - panic(err) - } - config := &tls.Config{ - ServerName: "localhost", - Certificates: []tls.Certificate{certificate}, - RootCAs: certPool, - } + config := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(config)) require.NoError(t, err) defer client.Close() @@ -2273,23 +2259,7 @@ func TestAuthzWithDeniedResource(t *testing.T) { s1 := runServerWithConfig(t, s1Config) defer s1.Stop() getMetadataLeader(t, 10*time.Second, s1) - - // Connect with TLS. - certPool := x509.NewCertPool() - ca, err := ioutil.ReadFile("./configs/certs/ca-cert.pem") - if err != nil { - panic(err) - } - certPool.AppendCertsFromPEM(ca) - certificate, err := tls.LoadX509KeyPair("./configs/certs/client/client-cert.pem", "./configs/certs/client/client-key.pem") - if err != nil { - panic(err) - } - config := &tls.Config{ - ServerName: "localhost", - Certificates: []tls.Certificate{certificate}, - RootCAs: certPool, - } + config := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(config)) require.NoError(t, err) defer client.Close() @@ -2353,3 +2323,409 @@ func TestAuthzWithDeniedResource(t *testing.T) { require.Error(t, err) require.Contains(t, err.Error(), "The client is not authorized to call") } + +// TestAuthzOnIncompatibleServer ensures that a server which is configured to use file-based +// authorization will not support AddPolicy, RevokePolicy, ListPolicy api calls +func TestAuthzOnIncompatibleServer(t *testing.T) { + defer cleanupStorage(t) + + // Configure server with TLS. + s1Config, err := NewConfig("./configs/tls-authz.yaml") + require.NoError(t, err) + + // Overwrite DataDir with a temporary test DataDir + testConfig := getTestConfig("a", true, 5050) + s1Config.DataDir = testConfig.DataDir + + // Overwrite Cursor Stream Config. This is to test SetCursor and FetchCursor + s1Config.CursorsStream.Partitions = 1 + + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + getMetadataLeader(t, 10*time.Second, s1) + + config := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + + client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(config)) + require.NoError(t, err) + defer client.Close() + + // Add a policy using AddPolicy + err = client.AddPolicy(context.Background(), "a", "b", "read") + require.Error(t, err) + require.Contains(t, err.Error(), "Server is not configured to use this endpoint") + + // Revoke a policy using RevokePolicy + err = client.RevokePolicy(context.Background(), "a", "b", "read") + require.Error(t, err) + require.Contains(t, err.Error(), "Server is not configured to use this endpoint") + + // List policies using ListPolicy + _, err = client.ListPolicy(context.Background()) + require.Error(t, err) + require.Contains(t, err.Error(), "Server is not configured to use this endpoint") +} + +// TestAddPolicyWithRootUser ensures that root client can add ACL policies to the cluster +func TestAddPolicyWithRootUser(t *testing.T) { + defer cleanupStorage(t) + + // Configure server with TLS. + s1Config, err := NewConfig("./configs/tls-authz-on-raft.yaml") + require.NoError(t, err) + + // Overwrite DataDir with a temporary test DataDir + testConfig := getTestConfig("a", true, 5050) + s1Config.DataDir = testConfig.DataDir + + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + getMetadataLeader(t, 10*time.Second, s1) + + configNormalClient := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + + // Connect with normal client + _, err = lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configNormalClient)) + + // Expect error when fetching metadata for connection + require.Error(t, err) + require.Contains(t, err.Error(), "The client is not authorized to call FetchMetadata on resource *") + + // Add necessary policies using AddPolicy using root user + configRoot := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + clientRoot, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configRoot)) + require.NoError(t, err) + defer clientRoot.Close() + err = clientRoot.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Connect again to cluster using normal client + client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configNormalClient)) + // Expect no error + require.NoError(t, err) + defer client.Close() +} + +// TestRevokePolicyWithRootUser ensures that root client can revoke ACL policies from cluster +func TestRevokePolicyWithRootUser(t *testing.T) { + defer cleanupStorage(t) + + // Configure server with TLS. + s1Config, err := NewConfig("./configs/tls-authz-on-raft.yaml") + require.NoError(t, err) + + // Overwrite DataDir with a temporary test DataDir + testConfig := getTestConfig("a", true, 5050) + s1Config.DataDir = testConfig.DataDir + + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + getMetadataLeader(t, 10*time.Second, s1) + + // Add necessary policies using AddPolicy using root user + configRoot := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + clientRoot, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configRoot)) + require.NoError(t, err) + defer clientRoot.Close() + err = clientRoot.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Connect to the cluster using normal client + configNormalClient := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configNormalClient)) + // Expect no error + require.NoError(t, err) + defer client.Close() + + // Revoke the given policy + err = clientRoot.RevokePolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Connect with normal client + _, err = lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configNormalClient)) + // Expect error when fetching metadata for connection + require.Error(t, err) + require.Contains(t, err.Error(), "The client is not authorized to call FetchMetadata on resource *") +} + +// TestListPolicies ensures that client can retrieve all ACL policies from cluster +func TestListPolicies(t *testing.T) { + defer cleanupStorage(t) + + // Configure server with TLS. + s1Config, err := NewConfig("./configs/tls-authz-on-raft.yaml") + require.NoError(t, err) + + // Overwrite DataDir with a temporary test DataDir + testConfig := getTestConfig("a", true, 5050) + s1Config.DataDir = testConfig.DataDir + + // Overwrite Cursor Stream Config. This is to test SetCursor and FetchCursor + s1Config.CursorsStream.Partitions = 1 + + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + getMetadataLeader(t, 10*time.Second, s1) + + configRoot := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + clientRoot, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configRoot)) + require.NoError(t, err) + defer clientRoot.Close() + + // Add necessary policies using AddPolicy using root user + err = clientRoot.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // ListPolicies using root user + policies, err := clientRoot.ListPolicy(context.Background()) + + expectedPolicies := make(map[int32]*lift.ACLPolicy) + expectedPolicies[int32(0)] = &lift.ACLPolicy{ + UserId: "client1", ResourceId: "*", Action: "FetchMetadata"} + + // Expect the policy is present + require.NoError(t, err) + require.Equal(t, expectedPolicies, policies) +} + +// TestAddPolicyPropagate ensures that once an AddPolicy operation is successfully propagated all over the cluster, +// a client which connects to a random server can be authorized correctly +func TestAddPolicyPropagate(t *testing.T) { + defer cleanupStorage(t) + + // Run a server as bootstrap + s1Config, _ := NewConfig("./configs/tls-authz-on-raft.yaml") + // Overwrite configs with default test config + testConfig1 := getTestConfig("a", true, 0) + s1Config.DataDir = testConfig1.DataDir + s1Config.Host = testConfig1.Host + s1Config.Port = testConfig1.Port + s1Config.Clustering = testConfig1.Clustering + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + // Run a second server + s2Config, _ := NewConfig("./configs/tls-authz-on-raft.yaml") + // Overwrite configs with default test config + testConfig2 := getTestConfig("b", false, 5051) + s2Config.DataDir = testConfig2.DataDir + s2Config.Host = testConfig2.Host + s2Config.Port = testConfig2.Port + s2Config.Clustering = testConfig2.Clustering + s2Config.EmbeddedNATS = testConfig2.EmbeddedNATS + s2 := runServerWithConfig(t, s2Config) + defer s2.Stop() + + // select leader + getMetadataLeader(t, 10*time.Second, s1, s2) + + // Given a normal client tries to FetchMetadata + configNormalClient := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + _, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configNormalClient)) + // Expect permission denied error + require.Error(t, err) + require.Contains(t, err.Error(), "The client is not authorized to call FetchMetadata on resource *") + + config := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + client, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(config)) + require.NoError(t, err) + defer client.Close() + + // Add necessary policies using AddPolicy using root user + err = client.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Wait for a while until the cluster fully replicates the data + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s1) + require.NoError(t, err) + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s2) + require.NoError(t, err) + + // Client1 tries to FetchMetadata again + client1, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configNormalClient)) + + // Expect FetchMetadata policy is correct propagated to the cluster + require.NoError(t, err) + defer client1.Close() + +} + +// TestRevokePolicyPropagate ensures that once an RevokePolicy operation is successfully propagated all over the cluster, +// a client which connects to a random server can be authorized correctly +func TestRevokePolicyPropagate(t *testing.T) { + defer cleanupStorage(t) + + // Run a server as bootstrap + s1Config, _ := NewConfig("./configs/tls-authz-on-raft.yaml") + // Overwrite configs with default test config + testConfig1 := getTestConfig("a", true, 0) + s1Config.DataDir = testConfig1.DataDir + s1Config.Host = testConfig1.Host + s1Config.Port = testConfig1.Port + s1Config.Clustering = testConfig1.Clustering + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + // Run a second server + s2Config, _ := NewConfig("./configs/tls-authz-on-raft.yaml") + // Overwrite configs with default test config + testConfig2 := getTestConfig("b", false, 5051) + s2Config.DataDir = testConfig2.DataDir + s2Config.Host = testConfig2.Host + s2Config.Port = testConfig2.Port + s2Config.Clustering = testConfig2.Clustering + s2Config.EmbeddedNATS = testConfig2.EmbeddedNATS + s2 := runServerWithConfig(t, s2Config) + defer s2.Stop() + + // select leader + getMetadataLeader(t, 10*time.Second, s1, s2) + + // Given a normal client tries to FetchMetadata + configNormalClient := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + _, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configNormalClient)) + // Expect permission denied error + require.Error(t, err) + require.Contains(t, err.Error(), "The client is not authorized to call FetchMetadata on resource *") + + configRoot := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + clientRoot, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configRoot)) + require.NoError(t, err) + defer clientRoot.Close() + + // Add necessary policies using AddPolicy using root user + err = clientRoot.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Wait for a while until the cluster fully replicates the data + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s1) + require.NoError(t, err) + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s2) + require.NoError(t, err) + + // Client1 tries to FetchMetadata again + client1, err := lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configNormalClient)) + + // Expect FetchMetadata policy is correct propagated to the cluster + require.NoError(t, err) + defer client1.Close() + + // Revoke the policy + // Add necessary policies using AddPolicy using root user + err = clientRoot.RevokePolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + + // Wait for a while until the cluster fully replicates the data + waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 0, s1) + waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 0, s2) + + // Given a normal client tries to FetchMetadata + _, err = lift.Connect([]string{"localhost:5051"}, lift.TLSConfig(configNormalClient)) + // Expect permission denied error + require.Error(t, err) + require.Contains(t, err.Error(), "The client is not authorized to call FetchMetadata on resource *") + +} + +// TestRevokeSubscribeOnStream ensures that when a Subscribe policy is revoked, even an opening stream will +// throws an error. This is to test a scenario when: client 1 subscribes for messages -> pass, then Subscribe +// policy is revoked for client 1, when a new message is available, client 1 should receive an error +func TestRevokeSubscribeOnStream(t *testing.T) { + defer cleanupStorage(t) + + // Run a server as bootstrap + s1Config, _ := NewConfig("./configs/tls-authz-on-raft.yaml") + // Overwrite configs with default test config + testConfig1 := getTestConfig("a", true, 5050) + s1Config.DataDir = testConfig1.DataDir + s1Config.Host = testConfig1.Host + s1Config.Port = testConfig1.Port + s1Config.Clustering = testConfig1.Clustering + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + getMetadataLeader(t, 10*time.Second, s1) + + // Set up permission for client 1 + configRoot := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client-root/client-root-cert.pem", "./configs/certs/client/client-root/client-root-key.pem") + clientRoot, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configRoot)) + require.NoError(t, err) + defer clientRoot.Close() + err = clientRoot.AddPolicy(context.Background(), "client1", "foo", "CreateStream") + require.NoError(t, err) + err = clientRoot.AddPolicy(context.Background(), "client1", "*", "FetchMetadata") + require.NoError(t, err) + err = clientRoot.AddPolicy(context.Background(), "client1", "foo", "Publish") + require.NoError(t, err) + err = clientRoot.AddPolicy(context.Background(), "client1", "foo", "Subscribe") + require.NoError(t, err) + + configNormalClient := setupTLSConfig("./configs/certs/ca-cert.pem", "./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") + client, err := lift.Connect([]string{"localhost:5050"}, lift.TLSConfig(configNormalClient)) + require.NoError(t, err) + defer client.Close() + + // Set up Pub/Sub for client1 + name := "foo" + subject := "foo" + err = client.CreateStream(context.Background(), subject, name) + require.NoError(t, err) + + ch1 := make(chan struct{}) + ch2 := make(chan struct{}) + err = client.Subscribe(context.Background(), name, func(msg *lift.Message, err error) { + if err != nil { + close(ch2) + } else { + close(ch1) + } + + }) + require.NoError(t, err) + + // Publish a message + _, err = client.Publish(context.Background(), name, []byte("hello")) + require.NoError(t, err) + + // Wait to receive initial messages. + select { + case <-ch1: + case <-time.After(10 * time.Second): + t.Fatal("Did not receive all expected messages") + } + + // Revoke Subscribe policy for client 1 + err = clientRoot.RevokePolicy(context.Background(), "client1", "foo", "Subscribe") + require.NoError(t, err) + + // Publish one more message. + _, err = client.Publish(context.Background(), name, []byte("hello")) + require.NoError(t, err) + + // Wait to receive an error. + select { + case <-ch2: + case <-time.After(10 * time.Second): + t.Fatal("Did not receive the expected error") + } + +} + +func setupTLSConfig(caCert, clientCert, clientKey string) *tls.Config { + certPool := x509.NewCertPool() + ca, err := ioutil.ReadFile(caCert) + if err != nil { + panic(err) + } + certPool.AppendCertsFromPEM(ca) + certificate, err := tls.LoadX509KeyPair(clientCert, clientKey) + if err != nil { + panic(err) + } + config := &tls.Config{ + ServerName: "localhost", + Certificates: []tls.Certificate{certificate}, + RootCAs: certPool, + } + return config +} diff --git a/server/authz.go b/server/authz.go index 1d6200df..d3bda6b5 100644 --- a/server/authz.go +++ b/server/authz.go @@ -9,6 +9,22 @@ import ( peer "google.golang.org/grpc/peer" ) +// Default ACL with superuser model for Casbin authorization. +// Ref: https://github.com/casbin/casbin/blob/master/examples/basic_with_root_model.conf +var DefaultACLAuthzModel string = ` +[request_definition] +r = sub, obj, act + +[policy_definition] +p = sub, obj, act + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root" +` + // addUserContext parses client ID from context and set client ID in context func addUserContext(ctx context.Context) context.Context { p, ok := peer.FromContext(ctx) diff --git a/server/configs/certs/ca-cert.pem b/server/configs/certs/ca-cert.pem index b1b1236e..cb2d2bec 100644 --- a/server/configs/certs/ca-cert.pem +++ b/server/configs/certs/ca-cert.pem @@ -1,35 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIGKzCCBBOgAwIBAgIUDDjsUMBjb2qd9QcnIOBHyl6nG7QwDQYJKoZIhvcNAQEL -BQAwgaQxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlPY2NpdGFuaWUxETAPBgNVBAcM -CFRvdWxvdXNlMRQwEgYDVQQKDAtUZWNoIFNjaG9vbDESMBAGA1UECwwJRWR1Y2F0 -aW9uMRowGAYDVQQDDBEqLnRlY2hzY2hvb2wuZ3VydTEoMCYGCSqGSIb3DQEJARYZ -dGVjaHNjaG9vbC5ndXJ1QGdtYWlsLmNvbTAeFw0yMjAzMjcxMzEzNDFaFw0zMjAz -MjQxMzEzNDFaMIGkMQswCQYDVQQGEwJGUjESMBAGA1UECAwJT2NjaXRhbmllMREw -DwYDVQQHDAhUb3Vsb3VzZTEUMBIGA1UECgwLVGVjaCBTY2hvb2wxEjAQBgNVBAsM -CUVkdWNhdGlvbjEaMBgGA1UEAwwRKi50ZWNoc2Nob29sLmd1cnUxKDAmBgkqhkiG -9w0BCQEWGXRlY2hzY2hvb2wuZ3VydUBnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDq2aoLOtHW5WPeQMQWw365IOXLO5yhTxyWRNnSESkw -V0Pkw8p1Q1x7gVEGjvLudPfi5pz/irXLifuDfbnQEiw8hInknTMFtMbUGuAFcMu/ -AQeoDRwaCzyDq6tbny7jMgmbr1EKUxFPYD0pMgEZ6andlfjePABKzVjQCgu/tZQg -AEwf7vnxTWc04oZZf0FGHB4aVkZFxrZmGptzKqnf6VXIQYXp3XoDEZlmCmZhmIod -Rc8P+SzyWZm8wJ8NhizL66aBHgItDEDzw9I+LUiHeyOS0X+srcb3mcNb1o+pRAo+ -o8o621Ey1yJmIz6EkJxvo9IvaWVGUoir4RVqzIbp3k4FGsEgP7z3K4HhvGU+Gsv8 -pXp2HgRwCmG9H9dC8gy2EVyoaxpOoPAsmUCH1lU36eJOFYzqtgFsMhE0jfrUCU7n -Pq+PTAaFEbfeyNKg3bVyWDwVP0qKl++PaoG1ZwR70y33kVJQeerMhjFZY10421P1 -oPpO43uToR26cwMRgzngQhXutIi7WIkgkxBPI5tiHcDNX8WiHXBNcFDKkPOn/rO1 -50khpfGc+hq4eaBAtDEBH+R9PLcYCXxe1WEXpG3UkZ0N2jFweooOdQXCwM040lWy -fbetBGc2a59Tp+UAe55VspOuWHF0fWzZpLjuzo3TAhTPngL+xkH0ZxVwPkQe8uCm -awIDAQABo1MwUTAdBgNVHQ4EFgQUVkz235XIc4ITxphuHJ4nAlAojhAwHwYDVR0j -BBgwFoAUVkz235XIc4ITxphuHJ4nAlAojhAwDwYDVR0TAQH/BAUwAwEB/zANBgkq -hkiG9w0BAQsFAAOCAgEA1U/Js68OyPUcUX+jFUSK12oHbvI5TA4YCYbFGIj1V74K -S9v5qHf5PhneM61sNiE1rqKSTn7RZ8Q7BtrI5mNKMjqVVK11JyjRpA7oMYZ0wISC -/SJsIXiFgOdwnompx5qNw0Ng7yDukdoOzebBG5Dj0knOPLoWLve8ebH5iOLR+OjL -vAFxT2x43QzXVFrLVfyo5OTC9eMRATe4ux5Zm5KVy5UaplH59T2/uuTzb74hUvN9 -PsgOYXwXXVP2m8Z33qro8+qk61iHn50z7PEDsDhqMkwGl6ASEr5+S3cWhoZRVXZq -2QzhJHgSu6MzRq6g0cNiCtcJgZqSvOhK+uVXR27utaB88ZzmUIdsJr9z8eXHTHYB -f+RcCDIRWA75TZI+k98Hzj2Y+MxJwUdMMYtv3QYMzOQX4OXP9+hwVxHwaVcVSvvA -xAcQDOYB5Us/NbH7Xa2Uejvo7P5fURz6PasmFoLVhVnNlBZ3RkoxFrz28PESGrzK -CTJ96eAc066CUkwElwpYOGZ7ofiEkMqrnPNwV0hZvA02jKGXFRND2bx6EloTtWGs -tqD2k949vB4mJNWwchadfKSNV7gZKWaFXLffGxu5YoZSobDgTIQnycmppjOjQ2kR -kUNH/ASpysVGwS9JjH+Y2jocHEOKsgd3FCoWqdqNHYxG3bBphe16cLODAF4ewZI= +MIIFxjCCA64CCQC2RY0mUtVrmDANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMC +RlIxEjAQBgNVBAgMCU9jY2l0YW5pZTERMA8GA1UEBwwIVG91bG91c2UxFDASBgNV +BAoMC1RlY2ggU2Nob29sMRIwEAYDVQQLDAlFZHVjYXRpb24xGjAYBgNVBAMMESou +dGVjaHNjaG9vbC5ndXJ1MSgwJgYJKoZIhvcNAQkBFhl0ZWNoc2Nob29sLmd1cnVA +Z21haWwuY29tMB4XDTIyMTEyNjA5NTEwN1oXDTMyMTEyMzA5NTEwN1owgaQxCzAJ +BgNVBAYTAkZSMRIwEAYDVQQIDAlPY2NpdGFuaWUxETAPBgNVBAcMCFRvdWxvdXNl +MRQwEgYDVQQKDAtUZWNoIFNjaG9vbDESMBAGA1UECwwJRWR1Y2F0aW9uMRowGAYD +VQQDDBEqLnRlY2hzY2hvb2wuZ3VydTEoMCYGCSqGSIb3DQEJARYZdGVjaHNjaG9v +bC5ndXJ1QGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AJ12ZHrL46sN8vr1liwP3nAXE2n03YPkRrpl1O70LjqmtKopRgSIvJxKNQKr9U5f +TeRjCiKBru5neaVeeBFetNjz9IgHwXgHK2QcfNgfLizxojpVPU15lpGLF1ivqg9P +Hw/PsJynk7SknHTZBe3BqfSlH5MQ6BzV6zsUoOCSBqmNT7z4q6Qtcone9JnHUFlf +Ip4ImBr7D/JuHJU5kBVLpoVDnA7xye+r/NpBv1fR9BitgofSeB6UBaGfwi4a4qox +CA8BOjVxpZxwPNRUYjv5eumNIrzmJCKbffI1dRRLbKOrL+FelSxqz/wF3SZFLz8Y +WF92/pQwD26i343jI1FDn67y+09W8Dj+NLcDZoc7yBZeSBVMUNxLi8ngAGDaAVg2 +odpihaXT/YDs46zS12AJoCfda0X+a/NHPHbrG4RFY5tVl7OIgeRLCWdiNSG+lJEi +jJdHqylMgxiKEnywdL4J+N80YFCYgS/nTV/sWRVHN/DLD2rfp9Iy2Nhxa7le7mN5 +ZaitiZS6w+pYeVSAX3g9XA093ept4j1fPorTO1f5Ffm0vyEFo2dI5MWjBQjTe5rz +7RCM2dGjRr3ZHehnvKm6ZwzuQ3/PCoHUiWDmrC70oYO7vswEI59pGCW+ZOFdSIY5 +s52Ku9dXEOQwOpf6+qBrB4Xb8hVaVr9z297BcwY3p+0hAgMBAAEwDQYJKoZIhvcN +AQELBQADggIBACntk2TznPRlhrLw8Fuu+UNFoLSmF1JWR0ISHCkr0Ytv5foCVimB +LTmlChxTk70wv49Is1dLnu8M72H5mXtG29Q9OsGdg/N2+fv9cxWnpo3XyaUVrkOp +FxN0aPXwEJDw0LsRzwf5e+ZnVtag+W1NTwY9EQXA5FtYkEpqxHCJHiIRW4BUVOeT +THuKYfgPolQ2NWo/CoERxJbCB0sXpkQ4XgIGBVnHDXc3MjRE428XUHeosvC/NlNk +41Be/WYHuktev9RkKnhKFb8CKAIss/RgPbgR69spbMPZxe3iI1i7/h60sZ/BfMPg +sfLvswunGN0l/0t067RVutL5bLWD9Yk+l3T5K0fMcaMEuVOygQGng+JlCALQaeX9 +nRSR4RC0C0fKdmwZDhdMoGOxo89OvgiQ9d5dBcb9ihVvbZG8/zwLbcn3i5rD1/Ab +S//fxLcclpzhxhqYdJ1GuVSp295Xcb0TDxGzZyRnd9e50osN9GndqF6eyEd9NJAO +AFVLJwXqdjx84zZXN84G7l1dHuHOtogIcJnfPn0RyF23IB3U6yjZJYqtbIG1D8or +PYpAmp0T50iwQvjz/zdqdoQOFyFbWPBhYlzKrEul8xxE2DYfpa5fMaGlfS47BBIv +GUTCM6Wo3YcWbEB2v5XcEiKMvSBCPh0s37k//6pL7o7EHmkASdol55Hk -----END CERTIFICATE----- diff --git a/server/configs/certs/ca-cert.srl b/server/configs/certs/ca-cert.srl index 7846a861..62c4baaa 100644 --- a/server/configs/certs/ca-cert.srl +++ b/server/configs/certs/ca-cert.srl @@ -1 +1 @@ -6CD183238D13A1E750E9467A3C62FEA83000749D +9A0CD870A10D70EE diff --git a/server/configs/certs/ca-key.pem b/server/configs/certs/ca-key.pem index 3225b742..23ae65ca 100644 --- a/server/configs/certs/ca-key.pem +++ b/server/configs/certs/ca-key.pem @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDq2aoLOtHW5WPe -QMQWw365IOXLO5yhTxyWRNnSESkwV0Pkw8p1Q1x7gVEGjvLudPfi5pz/irXLifuD -fbnQEiw8hInknTMFtMbUGuAFcMu/AQeoDRwaCzyDq6tbny7jMgmbr1EKUxFPYD0p -MgEZ6andlfjePABKzVjQCgu/tZQgAEwf7vnxTWc04oZZf0FGHB4aVkZFxrZmGptz -Kqnf6VXIQYXp3XoDEZlmCmZhmIodRc8P+SzyWZm8wJ8NhizL66aBHgItDEDzw9I+ -LUiHeyOS0X+srcb3mcNb1o+pRAo+o8o621Ey1yJmIz6EkJxvo9IvaWVGUoir4RVq -zIbp3k4FGsEgP7z3K4HhvGU+Gsv8pXp2HgRwCmG9H9dC8gy2EVyoaxpOoPAsmUCH -1lU36eJOFYzqtgFsMhE0jfrUCU7nPq+PTAaFEbfeyNKg3bVyWDwVP0qKl++PaoG1 -ZwR70y33kVJQeerMhjFZY10421P1oPpO43uToR26cwMRgzngQhXutIi7WIkgkxBP -I5tiHcDNX8WiHXBNcFDKkPOn/rO150khpfGc+hq4eaBAtDEBH+R9PLcYCXxe1WEX -pG3UkZ0N2jFweooOdQXCwM040lWyfbetBGc2a59Tp+UAe55VspOuWHF0fWzZpLju -zo3TAhTPngL+xkH0ZxVwPkQe8uCmawIDAQABAoICAQCpDOuJT9rSzKaZypccJ7cl -fdfL9mol93OFe6QrwWybvoVBu+oVhNqikJCJnwahvZLeQtCKZge8ruNcYHkLnLk5 -CtLTvJCIr/tbnMjbQbl4ET64qk8rNCFoSn974Vb39gHSjl1QiEDymT0NVVBTnc5H -kfflyN0Q+0XN4x1X71XjvzMM3ZIPL392IwVAkQikdgL5RFcrTQHo94gkW3aSljzI -fNnvYRy97sI0IJJX+Fya+7A0OFIxVWwD4cfcDVRbqZJeaQJ5+NMcZT4GwcPuuiX+ -Pk2gOCr7+jQU/JrG5hJVysL8oPiPFytMyFvtQsdI2Wyn8j8TYr+8sbYf/X+0AvC2 -/Nr9Tbh7vN5OpZy/i+6l3fKRhfnRFRVX6gYGog4gjcqtiI3wKXWlIbND5eiZ+vMK -VTitjKGqnLq7KRqr+U57fPj3WJdk3VZ8wDj0TEEFn2bVWQRb5pL20cm5dIOkqk7N -xBnsr2Pdt0mxMq2J10r5UghGmUGjhp2lDWZ1kfDwLzxPexZNVWDOkXoMWsHmRdGQ -xF9B+vRjz97u12p5zSdq9815t1Qtw2GXIkzqyXuOObxJdP7cu9vR6lBtTdyCbI5g -QYrcgokcNf+EWKkivtSdzrXavMqNFYiW8qAlPurADbo+BTuCg18ogsCCwQbuuZqf -MEgy41UaHqTaG1kN80GM4QKCAQEA+ju0mJMzZ9O5/klBxkvuUo9QsdBUeyZAdoRf -rR8WsPDeasIrtIEeX+NYnlXIroVPvroskMiFzJdF0ZYduuGEQlL255H3x/eLLVgV -TQq+hCy5AWKKx7KHW29Yl0RpW9zOTNfQ41lLk9mPofmfi2a3LX3HLnwXH9zSl8hp -5heW4rWdZAPt7KQz2jvJEHAijgngvFW6Qo+KAJry+QJLdma1dZyyhO6isiXQ8/ik -hhvNuhSuqsX6wzFEDWIMkj2d0Ib6yKwUOa2Xgr7hQAldrkFI9DR7qOzY1zre+SbJ -lbKSdhSXgVo8LZHwKEyjmj4bfxZu0kJq4Y3ifq8619n0ca8m+wKCAQEA8EM0SXPJ -WLBrt3huso2Ug9//VJRnBFdx4HP1mC3VDppXlejl5NJC8nPSLFriXBXnSnupzggo -K4uifjdfWFxlpzikblaqReV/k0OwtCIjIZDRl8nl+kz9Lgyb6Sg38UWftCCK8b+j -3bKqL9aQZxPfY0pMTJKUvoCvtQG8OjAbhE6YjCGUg7Bqy/YF563DayPfAHAoqIiL -XgbCgmAy2kpG5Bi1UrhKc198SZ60XTz2jDD65J6uJ9HrP7dTy/xCDrhlY/SxOJDj -w/ZZJHCMzt/q0ZtSjcUqoPp85xkI5uMMNIt8JZmURvfXh6aKSSKNdUHOBemYss5L -VWBe9LXREpMjUQKCAQBNE/UGBlmQQsSI0lHjXeI0JhcKHozXPiofF5lM/0WDDT7F -jbfequMLUEEszGm7cC7nJfuyQUINig8khuPze6G8uEd7fxfezZ5eQkKVb5jNp+T4 -yzzKVHCjNoIIXjdB55rYSqX6UbgY+6vljbmaO/Jyncqrw+dvlhp8TGxqRpvgi2bG -tvsjqFSchUvit1e9fsdt28460HIGy7PKBe3us6ZzaugGUGdnDoT1kYJEGO5ewh4n -VkJuu48lvCz5Iueoots+0tqMBa+kw10o13m2wj9RkZUBrKsCaQzjnBH9/XplyuP8 -ISpmMwzRrQG78iOQGv3Z4EGB5q18rkcm0+ka14PfAoIBAQCTa2jluNnORVGSnZ6u -iBicYhC0wOoEy/LfmccTvOuBrkoXfXOx1yGkylQnSwyhG/9ywDYMaQzcyyzE7Qzf -lrH4zNR3r02C3bJNlbcSj++mZMl1rTgjQKIIY0w236qTq/i1+VHHy6KsITgzah/o -X1UuAySVx0rlKOim042+1k3L/L21HdWWh+S/iRFOelvxnWzzQ95uqnl5FAS9InGR -ZwngYxi+zL1B1VDZizt4CjPtCRCovoR1gmQqED6mZv3RMmtjzXwADUbzsnA336dG -ODZIrlkVC+mAJLIGymGf6ahPhVaDa5yDfwcMAK/Q+BZ74AidsBs1e0bV9+/LjtPd -5dJBAoIBAQCe/y7Z5iujLwP+XLnasKiDZqsK6wKUhu6Zw3K8Yv7wXD6/AWhTr6NL -RlsGLgyIH3grG8A6XLfbkSBJeZY82vEj4DghecIDe9je4y60Ah8NIjhwB7O8HTq3 -SCPcYAUNJaiXW4CQdMY7MzDultvx/YF4daWCsHo7jnezjALHjcmdyO7MQwWW2dfn -MLqCe394vwJuIPmNt+N+3Pcph32pKKXtVMzowSJCNT2eNQI3GVaXhZKLf5rzt+Yw -oudsbyb4QTIF9EMiuzzTXsg4U3kzcjPHpvmkbZuhmpMU5mxvYw9Hd5ENxeFZz47G -2P3PROE4cKO8sMWKoeYWFZ93soEVkYoi +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCddmR6y+OrDfL6 +9ZYsD95wFxNp9N2D5Ea6ZdTu9C46prSqKUYEiLycSjUCq/VOX03kYwoiga7uZ3ml +XngRXrTY8/SIB8F4BytkHHzYHy4s8aI6VT1NeZaRixdYr6oPTx8Pz7Ccp5O0pJx0 +2QXtwan0pR+TEOgc1es7FKDgkgapjU+8+KukLXKJ3vSZx1BZXyKeCJga+w/ybhyV +OZAVS6aFQ5wO8cnvq/zaQb9X0fQYrYKH0ngelAWhn8IuGuKqMQgPATo1caWccDzU +VGI7+XrpjSK85iQim33yNXUUS2yjqy/hXpUsas/8Bd0mRS8/GFhfdv6UMA9uot+N +4yNRQ5+u8vtPVvA4/jS3A2aHO8gWXkgVTFDcS4vJ4ABg2gFYNqHaYoWl0/2A7OOs +0tdgCaAn3WtF/mvzRzx26xuERWObVZeziIHkSwlnYjUhvpSRIoyXR6spTIMYihJ8 +sHS+CfjfNGBQmIEv501f7FkVRzfwyw9q36fSMtjYcWu5Xu5jeWWorYmUusPqWHlU +gF94PVwNPd3qbeI9Xz6K0ztX+RX5tL8hBaNnSOTFowUI03ua8+0QjNnRo0a92R3o +Z7ypumcM7kN/zwqB1Ilg5qwu9KGDu77MBCOfaRglvmThXUiGObOdirvXVxDkMDqX ++vqgaweF2/IVWla/c9vewXMGN6ftIQIDAQABAoICAEIA0YeDlZArDbHSZbtcf4H+ +uj2MzZmug1M4wjPTmNku7cXx/Q6DfoQIuwW+rNnIKy9TsHjcYUY/i4cc/TlSuH3E +bLjkf11fq/mP02kIUOO3+ad3+XVTRSEG66daIu+926hWB5Lyz4BGC+sS2WBa8HHD +EWQlDxafOLYQJItdynsh582vcssj3cIa+e7H1E9SCIGz2oZcvMeDDmoisdmrV0a/ +G1hMU7gqIJggPSODt0zs1i02tPEkXOPtwohu7pomaVlYy1yBocjcZzMdl/vJzJK/ +fVMvKPB0uyte6w+xuf01EaHncqImt73Ne3DCSVaqTsjdaUMWjjFzBkBEeJZkwTb8 +56zHNt+4nD7phBSu2gRKfccTsrOOQ4v7oMN5kVgzxjCI7ch4yqZGHtZivzJYptgk +YfSfcEVRoewMKq4kjBwIeTAKnWVpXsys0EK5oarWEdNQx/y+eC8BCFYpEpJd18kz +Srr878qn2KSjSBtXx8/KawAdxwmTIacqG7BvU4J9pWO13r9Dqysvehj02zKilmxN +ZrV/SSyXThXxgTvPKqWB/NQA5gqmdw9Nu1N1JWrt7M/AlPQ7WlBOkUfIW2lQ4zk0 +mwAz04Bf2P7AubznbJi548yRSsTth1oCJbKUu+tPpCeNgBREqxy5ZUcHxOoGF0K6 +SVVGpKtc0AexWzg4d4bRAoIBAQDQGrzvlCFbDN8BgfQad2gcSLvSS+FzXbH+0Rty +5OXlpwVO7m5WYJPbKwPF+benmaQ+5nXvZHoJUPgDXxr5Rxwerj+dgfkIZrxZE2p2 +iEemtGmOqJXVlcfbc/0MkvVZBPGtM9cO38Q3GHSvbauWn5cbZSSLOcMJrCkQGNHC +R//4Ly3Baq6rgS01hjPZto9cMoOgFN7tT/V2vDPm4r1VkFYorOzMBXZs6GbcrCjC +aJ7w2CMkdXNkzVEpJ14quqXjccr/OeWHHEB1H0gP4HuJKJrAcOec2YC7oQDq0o5h +OGwad8btZttlC1WDo/7lj7NNjpkM4YgEqKMr7lILt/Tfytp1AoIBAQDBs+QAUHtH +rnNf5vVhT5uRkjEVgfZ7yDKrfcz4p9mzBT98909JLJ+HVZh1Bvx80Mh+Q95/1e+9 +/NAxfQovshHJTP4g8VzSo4GipJEyLqHZI6iDLmEel/o4G3anJWXemtRKqqjcuFb1 +A8tb0G3DY9LW3MmgSNOtNlFt1ywiPxl5SvgZ2ChSk5dS2wsdjJNaPg8QnOlW0P+U +Y+k0wwOMIvkisI0XwsrEp2lrP7Zg92ZUEMiRAbN//ZRNnXKnz2gxPBSZSs8VZZ6Y +jfqElGMgYpcCBxLPkwwyBj/dhIG5ayznWmlyWOQU/ffS+Q7Fl6PsnrSjfSPkL36I +/47zv7sskfp9AoIBAAPJyNCvqJ/IrzKO1Au7SrjhFhIw8WyxMvFJiy9fPVQd4znZ +m0aVQXvG36216wLxCA1hEpqGALa0s58UFyCci8V/NIdAe3EMtbcFZHW961f8hsNj +DD80F8xF40BcWH0DWwblH7AUoLTEDDO5UltOkmicQbsLFSLS8Hhriz33I5C4AyQ3 +NfDHTDRiOgVnjlqGTOEYICq/vt8nc+ZrEDlDhF3/L9xS6SH4ZQ71T1SipOoLdTBP +twcJucV/AvbSKPzn8GMPAb+g4wd+x0gKtRT9GTwRkhXH29EOkD62EINyjH062vMt +YScIusjHrnctU31A8EZMwLYc/8Nn9jRiZ+G/BpUCggEBALyZ7j8MHezehAH1vCgi +vgOQR3B8mUVO2V823xOhQwvW6UlA95b09uNryUTxJ3hURVMDvCnWYVcoSIJXEEr+ +Y+kPqUTkHZAOmdOFzsYAt5/X42TPDMsgCQcGXpJCjJyhPmDxJ/e5GRn5ttDP8X/U +u15vnXYOUuSNRd3gK12w+JmsEEQBvskgYa/QDVOZI4QzdrGjRmM8ng2a9l9kHhkd +mFxZcReYl5vAsZk2cNqbKKxjpxXhhSfy/KpRymhwPy/pItlbCKT5y+EYJLtgS+Al +foj/4CXyNGakxRxnv3ONUix1UMSAnpt96QYncGWdz4M9x/6DgyXTxK2Zv1O/9Hxi +KnUCggEAbMX0SPjhXro18qKhQ7YWViS+Ez1S2Ttep7boHSpvgwhDbgIsTvsgZtsj +Gve6sNKKBKz2VqQ1wm4BLlpWSWaABajsCSt4nmusSgJomqnEk3asLwfObW5PcgPk +zF93tXNHlwleStuiYV+6ol4v1ilzrH0VDxSzhjAmNlHojqRLciDFtZyvJEcZTBlj +ceo4Lofy1+inLaXReRnITVda9yafyHw6YsPKFc5nmvkMxY+Ax21+XurvRCkdtTdA +TAhZFlAy4AGo/cPyO4O6tMcZ8CqI+8HgTVO5LYMTgHaXX5IPorbC2kaX4i9U5qQJ +4AEajdqPO8bBFkr5hJhImB3vO2njeA== -----END PRIVATE KEY----- diff --git a/server/configs/certs/cert_maker/gen.sh b/server/configs/certs/cert_maker/gen.sh index 5a85caec..8761cd5b 100755 --- a/server/configs/certs/cert_maker/gen.sh +++ b/server/configs/certs/cert_maker/gen.sh @@ -15,11 +15,19 @@ openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pe echo "Server's signed certificate" openssl x509 -in server-cert.pem -noout -text -# 4. Generate client's private key and certificate signing request (CSR) -openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=FR/ST=Alsace/L=Strasbourg/O=PC Client/OU=Computer/CN=client1/emailAddress=liftbridge@gmail.com" +# 4. Generate client1's private key and certificate signing request (CSR) +openssl req -newkey rsa:4096 -nodes -keyout client1-key.pem -out client1-req.pem -subj "/C=FR/ST=Alsace/L=Strasbourg/O=PC Client/OU=Computer/CN=client1/emailAddress=liftbridge_client1@gmail.com" + +# 5. Use CA's private key to sign client1's CSR and get back the signed certificate +openssl x509 -req -in client1-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client1-cert.pem -extfile client-ext.cnf + +# 6. Generate root client's private key and certificate signing request (CSR) +openssl req -newkey rsa:4096 -nodes -keyout client-root-key.pem -out client-root-req.pem -subj "/C=FR/ST=Alsace/L=Strasbourg/O=PC Client/OU=Computer/CN=root/emailAddress=liftbridge_root@gmail.com" + +# 7. Use CA's private key to sign root client's CSR and get back the signed certificate +openssl x509 -req -in client-root-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-root-cert.pem -extfile client-ext.cnf -# 5. Use CA's private key to sign client's CSR and get back the signed certificate -openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile client-ext.cnf echo "Client's signed certificate" -openssl x509 -in client-cert.pem -noout -text +openssl x509 -in client1-cert.pem -noout -text +openssl x509 -in client-root-cert.pem -noout -text \ No newline at end of file diff --git a/server/configs/certs/client/client-cert.pem b/server/configs/certs/client/client-cert.pem deleted file mode 100644 index 681d1eea..00000000 --- a/server/configs/certs/client/client-cert.pem +++ /dev/null @@ -1,34 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIF4zCCA8ugAwIBAgIUbNGDI40ToedQ6UZ6PGL+qDAAdJ0wDQYJKoZIhvcNAQEL -BQAwgaQxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlPY2NpdGFuaWUxETAPBgNVBAcM -CFRvdWxvdXNlMRQwEgYDVQQKDAtUZWNoIFNjaG9vbDESMBAGA1UECwwJRWR1Y2F0 -aW9uMRowGAYDVQQDDBEqLnRlY2hzY2hvb2wuZ3VydTEoMCYGCSqGSIb3DQEJARYZ -dGVjaHNjaG9vbC5ndXJ1QGdtYWlsLmNvbTAeFw0yMjAzMjcxMzEzNDJaFw0zMjAz -MjQxMzEzNDJaMIGRMQswCQYDVQQGEwJGUjEPMA0GA1UECAwGQWxzYWNlMRMwEQYD -VQQHDApTdHJhc2JvdXJnMRIwEAYDVQQKDAlQQyBDbGllbnQxETAPBgNVBAsMCENv -bXB1dGVyMRAwDgYDVQQDDAdjbGllbnQxMSMwIQYJKoZIhvcNAQkBFhRsaWZ0YnJp -ZGdlQGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/n -CNxuyhslYyJEItNrMokJ5FVCaHy7Fl8UsZDwoU5C3GEMD2n4wYTaX7yetRuOFBPH -m7IyO57ZFgPOubnNDTQp5Ca6hZOoZTp46x9hc8+zLf/7DNM0O/PHWb58ornqcW9/ -a6fGeWTIFACRj0uXpg1mmwPGx6xlx9Dqx52zPO8dPZtv1i9FqQZvs2tn66mlHnVo -ENfJewX2dwMCRD6kAL9y878da5FzajO7evocnveSBa7S8i0zNocqJYmyvRBg7IWu -sUdXnUvQu6eRl2l3AWxFKYt6AtZb6zGr8YZou1v7ADGhhC33IMOOg4alhuw2Tp1h -z5WbsektO6MQ0n6dDVhM+7OSrX0oia/HopxjjrQZYBCChXv5IB0Fh6JHxH3MhiMe -rtHFxs606OeNF8x8fGQvxI6kfROs6WnJzw/TZQUkhoKer/qkHxiKz6NCK9MosZ5t -drjgOhed6WPNkE/KuA4c1EYXzvVY8CYFnWS9lhKr1v06rOuV7ksRWLnoC12WqkDR -6oDi0tU6u1m9IUkidBSAdtfX4ko15Au6hJgneezVMEin5Mix8wmqBb3h5vv9ddUG -sCWut5S00QOlBjGtIedWECtuODwgls2JpUcLMdtOMEVmYo1eJg10oXV4a6r5ZZE+ -TO2OQ8Pl7aUUMifzVU15OetO+iZLEP6QC0iA4YsZAgMBAAGjHjAcMBoGA1UdEQQT -MBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsFAAOCAgEAljMU3jJtSJnD -yzWh0fnF7N4VFqEXIBwhUPpRzLMxK+BqX8x3Ldqlb51qo/mAIjeVU8xEkRjaUHGp -rNf14DkLaHFfhQ2qmLbTdIpcvUcomdRBj8rtMPM9nzPgT8rLD229w8HTWY0ZFOkA -SOTyalp4eh0gKhJzrIHJPuYHbY5g9FsAcUDZTuy3zLpHjBJSXVM6ErMXd4dG6zsq -Fr0c+guMqZmg/NJOMAHsHq3ncojDVT3M8H9uSWnRlsBv8LoYmxIYVyGwONFKy01N -65dMhxZDM+OPsxdXzkX+y06V57ujbqPuuCojjt8ucNy6+nG0xk0DNf5ghaIoEpju -JRnkK91ykMiAqbD5z7HuDGNluX3OokwOGsVbub/bCNSkqwLAjEBdk3YKQyUu3Rrl -zNa6sbYJfyjitQQnsNP6/TvyhDVtT7s8n6JuVks22N89APBG22ph3kPv20NzeTUN -cHuCHHgLrIJi2NAOuiZPAsWbj4WKlz0aaiYNqPZuQX/ZwWb0s5hWbRB2bPpDsBcu -oHtNmR58XBPIqZGguS8aL9br09ypArKublh4f1tRW9j2jBgzyYC/nQ14iBnxJ7Av -J47txMfrPHmA95TUzw6+6qYh8ywhwigsvTS69C3AHw7RsameWblEfJXYI6cn5MGL -0ND9mgMWVfybVbRBQ8nKK1/VNAY9qR0= ------END CERTIFICATE----- diff --git a/server/configs/certs/client/client-key.pem b/server/configs/certs/client/client-key.pem deleted file mode 100644 index c042a8de..00000000 --- a/server/configs/certs/client/client-key.pem +++ /dev/null @@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC/5wjcbsobJWMi -RCLTazKJCeRVQmh8uxZfFLGQ8KFOQtxhDA9p+MGE2l+8nrUbjhQTx5uyMjue2RYD -zrm5zQ00KeQmuoWTqGU6eOsfYXPPsy3/+wzTNDvzx1m+fKK56nFvf2unxnlkyBQA -kY9Ll6YNZpsDxsesZcfQ6sedszzvHT2bb9YvRakGb7NrZ+uppR51aBDXyXsF9ncD -AkQ+pAC/cvO/HWuRc2ozu3r6HJ73kgWu0vItMzaHKiWJsr0QYOyFrrFHV51L0Lun -kZdpdwFsRSmLegLWW+sxq/GGaLtb+wAxoYQt9yDDjoOGpYbsNk6dYc+Vm7HpLTuj -ENJ+nQ1YTPuzkq19KImvx6KcY460GWAQgoV7+SAdBYeiR8R9zIYjHq7RxcbOtOjn -jRfMfHxkL8SOpH0TrOlpyc8P02UFJIaCnq/6pB8Yis+jQivTKLGebXa44DoXnelj -zZBPyrgOHNRGF871WPAmBZ1kvZYSq9b9Oqzrle5LEVi56AtdlqpA0eqA4tLVOrtZ -vSFJInQUgHbX1+JKNeQLuoSYJ3ns1TBIp+TIsfMJqgW94eb7/XXVBrAlrreUtNED -pQYxrSHnVhArbjg8IJbNiaVHCzHbTjBFZmKNXiYNdKF1eGuq+WWRPkztjkPD5e2l -FDIn81VNeTnrTvomSxD+kAtIgOGLGQIDAQABAoICAQCYuUjfDbkBA68yrSE+Otj8 -IQg8Jl67rbUvNGvgmvD1NNbo0U1PHC7/CUAaAADIjjlCSKCLn9i9Ia2YmCRNT3iL -pC8z90upaOIvN95/mfIuQT6Bs43QZIi2CVhN9ikXZxKiFrlZy+X+pBDvJujw0x7P -GXKS/dcZR+NPTBpTUjtTXWUTWF0QQBM10R3sg8cUuxlTfN+yrGGhLDYpCdvAMot5 -0gVUexiJqF3EEBfeB3soMmkdajpcaJ6j0ZIQVVSMPWbfOVlTGtJPbS57PK5Qu+pA -/YYDv7WUXZD/dgUA4EcD++16kj18y2mi2L+qIAAR62KDdD1dpoxfs6T7sL6lD153 -HObvtLWxdfr0nI2dwwmRcK4yueM9dUX40xKXJWVYHBb0vCCbn20hxIT6hhSIiXGu -ZswyQa7CKnfZ5xyTA/ywOwwVe5Yo3Q4/UeLH5MHfT0ikCd2a1Lc9fOopopj8GqaC -uRWQxAT+XuzXvLChllPUcCGPK5zbA/pJXr8+7y0PWHtGTbLlUi5H3w5QKUq+9loH -1fgp53BAH4tIAfi0zUVcisn1OxBhXBiWb5IGLeUuRUr1NzCbNZIR9iBl0ABOZKuI -FEVLAsDTP2BChodnYrp31ZEFHx+nC0LWcPWd5e8i4wLfJsA+kFMUF6VAOxqsJAfX -podDZMsIYTcq7GHGVbeD0QKCAQEA/OV7N4iqxrp0qg1QNt5mmwhCGvKJoKgA47rn -Q43QA8EpYPlYSvUknDoppz5asPrjLlFdZWYTlKNaIvOa3RjwXDkQlpiNJnqvuNgV -UtvhQHASmifoPtMc05y05I71BVhX3jsR42kJRO28zJ+dRkMtA+k7RmT0bORmj+OM -8HpzPtvW+StzjotUAaUp7jFnwzCMU8IsuumpaAuggE1LnuWP0F8Dq9CkeWsQoMF8 -AdMrcMP+a5565BsL7OT8AushdSDDVgAYrzNzGjvz+g7K8of0x3d7jwUx9WaTUMzZ -NhDIX3n5wevz39aCEW/EBvfND/a9ANntwFhTS7H+dicTI8Nk5QKCAQEAwkHuGwuB -EY1ykkuoTKKJoNcKgXretcSk1Ooska6QwnUEF5eVn6CSMydwx21/w5K0Bk+lgQg/ -ND7ps4mwiSibrqpHEj0XaeLNJ3VjdgVD9nX1u7r4TCU+CtwM/iqp96923v+38cFH -FSMkFRDj+7jWfVmAkgrONOVAMRjBNYcnvNwAJcA/5MpKOq5ScWVadVdXOr+OOF+N -MlSFfYE1Z+oOuzr7wh504XvDaujExOTJrjyRVbOULF9txRQOlNQLOOctWzoYqlED -8UvEasp8+CgxLkGQQIFtUeBFSK+zc/KowHYLBzE05EvymjCTHJifMCJ222tLaCEx -UX0MTiaxM5q+JQKCAQB+wEmsgMwPRH6aiIeuqHNGurHfLbZ7Fhk0CoZEnnwmlZa2 -quJs10cdIi2kTCVKVMSuf0tPOgUQV3siz3PL4ub9YgCFajo8kfsmqu6tE9Vm5YT9 -TIkji84D5aPodhoqLqgDkxmZIBjsOjeJW2qJP7v9HNV/p7O2LBeXgJYwJT9Dvw2U -3wlQ5VYaaPyGDK8T7m42wLiIifpFUqaEB7miDy6wYh7F65Gz5Ux1NeSASaWZJDKN -H+Y6E7A7cF063TxspxogLXYxwZisCmZy6x0ex7OQkbsU6Kasd1fYhINNjMXQzKK4 -ZhlaE/om4Ryf3W0i1ijOl2uJHvvIkZKXB2iZYSJdAoIBAEmBpzbmqIVaz9LZ/Cpb -itao6JnMQ7/mVDUZE5pgwvhCTTUcMAsCOLBQqVVdcu4vch29P7ROyZPchpRgcsPD -8P0sA867/UMdBmJ7AhLjtS7qvfy2qEQwB4UWdXgr7rsB02pYu2MortwpuvqZtJtI -+yjdmFAq9JKBeUPaySmXJgtJ+GhQkhziCyqfUiUEpDEoxqI9X/Sm+4fjAcxW+z2C -DOb+T8vJuJKmQXEP+X1D0akz1A7o8BXGWoQrrcTVZBW5LKmLl0/Dbkl9USrTymwg -0VNejdZK43IK+kyh57blSMPjJxMmpIwKzRdZcCFvAzW0pOMse5FAlifuuJxN+dm8 -IV0CggEAZ11U3sGvdwVEGBl++DBrxHrMnbZjxtBs0rk9V+ZwfmNPAs5XQb5H/cwd -VogY+8zQXxfcsiEO58+o6uT3p1N8RQMng7feZXmC1K0scqcw4GsywUfY/cqXqhMf -eO4aMUOhd9M+qHWQTeUt5fFnOVQ30KT3SsoofijCxBOSAojVi+XPyeAYgSgAdmuN -d2KJWNt4A084HXizX2UcfHnD0qcRz/0koY2hZId76U+Lx0XmRq0DXZjG5ys2RIRr -+FfT6iELVJWhF1MnsUwM7HW9gqV8YkVL6vKBCzEEByx1CmEtOFe7uBw1xZfv7pf3 -XBoHfFBiXCLFYxOh5LVnkvzPf71w3g== ------END PRIVATE KEY----- diff --git a/server/configs/certs/client/client-req.pem b/server/configs/certs/client/client-req.pem deleted file mode 100644 index 592d0013..00000000 --- a/server/configs/certs/client/client-req.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIE1zCCAr8CAQAwgZExCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZBbHNhY2UxEzAR -BgNVBAcMClN0cmFzYm91cmcxEjAQBgNVBAoMCVBDIENsaWVudDERMA8GA1UECwwI -Q29tcHV0ZXIxEDAOBgNVBAMMB2NsaWVudDExIzAhBgkqhkiG9w0BCQEWFGxpZnRi -cmlkZ2VAZ21haWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA -v+cI3G7KGyVjIkQi02syiQnkVUJofLsWXxSxkPChTkLcYQwPafjBhNpfvJ61G44U -E8ebsjI7ntkWA865uc0NNCnkJrqFk6hlOnjrH2Fzz7Mt//sM0zQ788dZvnyiuepx -b39rp8Z5ZMgUAJGPS5emDWabA8bHrGXH0OrHnbM87x09m2/WL0WpBm+za2frqaUe -dWgQ18l7BfZ3AwJEPqQAv3Lzvx1rkXNqM7t6+hye95IFrtLyLTM2hyolibK9EGDs -ha6xR1edS9C7p5GXaXcBbEUpi3oC1lvrMavxhmi7W/sAMaGELfcgw46DhqWG7DZO -nWHPlZux6S07oxDSfp0NWEz7s5KtfSiJr8einGOOtBlgEIKFe/kgHQWHokfEfcyG -Ix6u0cXGzrTo540XzHx8ZC/EjqR9E6zpacnPD9NlBSSGgp6v+qQfGIrPo0Ir0yix -nm12uOA6F53pY82QT8q4DhzURhfO9VjwJgWdZL2WEqvW/Tqs65XuSxFYuegLXZaq -QNHqgOLS1Tq7Wb0hSSJ0FIB219fiSjXkC7qEmCd57NUwSKfkyLHzCaoFveHm+/11 -1QawJa63lLTRA6UGMa0h51YQK244PCCWzYmlRwsx204wRWZijV4mDXShdXhrqvll -kT5M7Y5Dw+XtpRQyJ/NVTXk56076JksQ/pALSIDhixkCAwEAAaAAMA0GCSqGSIb3 -DQEBCwUAA4ICAQA5AmGzWS2t2X+cyHOl5MF/mLOY/M1lXNg08Aq5vT7U8PJta195 -B7tQcbRDK0hGloSjxanjZnM0O38c3l4mD68cCN1HfnQl29EOp+XP4hYJr9tzdu5l -Ej2NOSWmR6P1rn+DZrNqw1tepTerAogJfFEIAg21vkP/wUZPfzrqAcuSDNrzWgJ9 -qPBuWX+QnsEH7gf8MprVb3LHNcdZxuEN2sDuq30B3xfAef6rktO2SQnu7l6AAMht -YjRC03AmAvTsUpPXKPQZo0w0UzxXds08/6Dz9MUmfVIhAQ4+wLSQIb/fpIUG4+Tc -ZZH8rRgEJtVIA7MjDYrAG6sBkS2+g+e44skZxYDPdGdgZDEVaqv4/QqAeq2y7T4M -unrzbqE+Bu7vyx0HNQy25EQIjlORwYE3SP9ycWX5kb//wtn2pkvDcNYFJefiTt9c -JwMkEmYyvd8xjowimkh0Gw3QEfPh5sLTpAWOMH5RLPaMo6VoLOEmBj3MmVB/GoLA -9ntAjBXvpqGC5xXY2fPxIjTiDvx3FjlrYRnc07nAxtuvp77ZsRlCkNxDbB27Pz+z -WqVI6PJFgSBNj0HvDbbok0kW+nyX3pHJYnY4valZmWmxwkYdzL6D70N43z4b+FL7 -Vsq3bnxbogmCroFttmLB2DevPZ0BHNtEjDsUKawjuUxycaXiLMsx47wLIw== ------END CERTIFICATE REQUEST----- diff --git a/server/configs/certs/client/client-root/client-root-cert.pem b/server/configs/certs/client/client-root/client-root-cert.pem new file mode 100644 index 00000000..ee44f300 --- /dev/null +++ b/server/configs/certs/client/client-root/client-root-cert.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIJAJoM2HChDXDuMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +VQQGEwJGUjESMBAGA1UECAwJT2NjaXRhbmllMREwDwYDVQQHDAhUb3Vsb3VzZTEU +MBIGA1UECgwLVGVjaCBTY2hvb2wxEjAQBgNVBAsMCUVkdWNhdGlvbjEaMBgGA1UE +AwwRKi50ZWNoc2Nob29sLmd1cnUxKDAmBgkqhkiG9w0BCQEWGXRlY2hzY2hvb2wu +Z3VydUBnbWFpbC5jb20wHhcNMjIxMTI2MDk1MTEwWhcNMzIxMTIzMDk1MTEwWjCB +kzELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkFsc2FjZTETMBEGA1UEBwwKU3RyYXNi +b3VyZzESMBAGA1UECgwJUEMgQ2xpZW50MREwDwYDVQQLDAhDb21wdXRlcjENMAsG +A1UEAwwEcm9vdDEoMCYGCSqGSIb3DQEJARYZbGlmdGJyaWRnZV9yb290QGdtYWls +LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALx7FONJyjJWNHTE +ZZW/Th/W1c71h+Lq9xk/lFqc/4NS8W4cstAxvsY43hgR4HVAW5QFGz4UOrLGgfgZ +EmDYx05EDgwz5KcKU3pITx6SAgsuE60cbcl3y8VwJirUlL6NcCiiRl6hdscB1mTz +mKuaMC3+Q+8MnHsIHmfxlL9PCyPC5qQ67dB3tKryj3nOiqNK4W9Vem9M35QFTZXY +fXJan8U4Oa2bQAFbwMT/A2SNdXOmvBVe6quxb+vPfF0DV5yiXDzO/ZQfbH7iC5F5 +FPlgC58A6hEMx9f9KzNgOuU8YXdjstaSrgi56CkaUw8p4x5iAFq9MYfD93ob2tOx +wUgzLdrjNLTwUZmVocMbxecJxQ9y7yFNF5XqtMomR/ylpR/VNW5lW88a7KvqXIGX +nFxAMkih26d6XM8CLV2w085lSsMj0gIy3iB5NMRUAF254BLWqwjRNSkG56jmCFvc +lUf6FRWz+7QEOjmHMfaWa91GfiaVAL85vV2zWsEb908Vttl/vCI23zVKSfA57sDQ +QL5gdivB1ZWNu9lAVUla96cGylez4PJw2ONDPPOCmMUujXNj2OmF8HqwmiD/tE4R +9Ycb+bUJYdhiJTrW2Ln+WNysupLqHglD7V6kYdLdWA/BoqmHXlWkiY/oz3afwutT +BGtVXP0JWz6K9Z7Y1+ErhCiKhmDpAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2Fs +aG9zdIcEAAAAADANBgkqhkiG9w0BAQsFAAOCAgEAPA36/8EfTS8i0uiCJUdG6Hq6 +rNWa3fpe+tMJCUHL+zMEjONiW+8zvFwFp3tmCz94GERHmSWqy7Y6brGHhJA6Km1h +j0wtKWdtFAtFuo7ufvwGaofOjJ0T5zKgs6XyNt13Mj9KDIIyqxvf24ZaasTHjgf3 +CyozJrjC77ZsutpP9exQ0WRL5jrsjZHi9/UIsoFdQGUXQoO9Mj0m696oirhVEHpU +dk8YfeQ1ag99WgVxmeoGHqtUsGySfHOVi8LJn2xsO59uZvvCRWWp0/vf5ZoiWnFS +3UASHe7n2Mos4pphMs0u1ErNAkS1sshthG7eW3BOKgT+MjPeeTqyP4IARraIg0ZN +XYvWCVp98iOXS0EI1GBQpnrfnbsIJzJzrbmLXH5u5P5mt5eIHQvyicpK+qRGvd6O +CjFE8kJiKy7ZjrhJ9Kn80PA5/7En+tZzoSWNZA8yBnT3v14F4Bdijd9WIWtiKsBL +xlzaiFW+oJ7h2yYpvQQdmcPVhkLbMCAfkyK5GRXYToD29biaoQxixfJhaZA3bJNL +E0y5dah6Clv+t0k4rBu6FUNUa97Bhu2HLASRGbOAHXEiK49+J2Aa3oO36Hikvwh8 +91bs/e6jrePdsdwXOooVBlpiU+bNGwHxyO/WiZIsnpKUvw4R/hndAnW1Bc2chAgb +p1tievg/h1hxTR9/4y8= +-----END CERTIFICATE----- diff --git a/server/configs/certs/client/client-root/client-root-key.pem b/server/configs/certs/client/client-root/client-root-key.pem new file mode 100644 index 00000000..db003f09 --- /dev/null +++ b/server/configs/certs/client/client-root/client-root-key.pem @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC8exTjScoyVjR0 +xGWVv04f1tXO9Yfi6vcZP5RanP+DUvFuHLLQMb7GON4YEeB1QFuUBRs+FDqyxoH4 +GRJg2MdORA4MM+SnClN6SE8ekgILLhOtHG3Jd8vFcCYq1JS+jXAookZeoXbHAdZk +85irmjAt/kPvDJx7CB5n8ZS/TwsjwuakOu3Qd7Sq8o95zoqjSuFvVXpvTN+UBU2V +2H1yWp/FODmtm0ABW8DE/wNkjXVzprwVXuqrsW/rz3xdA1ecolw8zv2UH2x+4guR +eRT5YAufAOoRDMfX/SszYDrlPGF3Y7LWkq4IuegpGlMPKeMeYgBavTGHw/d6G9rT +scFIMy3a4zS08FGZlaHDG8XnCcUPcu8hTReV6rTKJkf8paUf1TVuZVvPGuyr6lyB +l5xcQDJIodunelzPAi1dsNPOZUrDI9ICMt4geTTEVABdueAS1qsI0TUpBueo5ghb +3JVH+hUVs/u0BDo5hzH2lmvdRn4mlQC/Ob1ds1rBG/dPFbbZf7wiNt81SknwOe7A +0EC+YHYrwdWVjbvZQFVJWvenBspXs+DycNjjQzzzgpjFLo1zY9jphfB6sJog/7RO +EfWHG/m1CWHYYiU61ti5/ljcrLqS6h4JQ+1epGHS3VgPwaKph15VpImP6M92n8Lr +UwRrVVz9CVs+ivWe2NfhK4QoioZg6QIDAQABAoICAEYW8y6Oey161yjw++HS8Udv +ybSbo7ujqt3twcpshawdRQCwlWJMjWgDL7v9sd2IYEXMHFRai3V90kkjca0oD/2v +2xV4mrfvZBmeGCYDH9Vufgyq/Lyl2tYCHX9h7CpsSGAj8E0yeAwLR+HkoEp4HSCN +ZE/Z/brWyw/WS31U9IyI5uH9tAAI89t6NhaS0wVkTC7tt4j6Kk5OJorppcTHpJBf +lztS91tJ9oaLWoSjAiFOyLSdxmCwrDEhyFqCaqspyWknhC73/I22m5yuTTlrGQc4 +/NH4UbylPdJuH5iteoU+Qvv+Mc+26nmWe3qxFe9vfDhCENAu9LGo+BgvCvRBa/RN +h1RBpiWZFA3DFkzvqRtnr4bBDLv+OJq4kesCL87qTzwUwHJN5SYjuXw4cbAayV0B +m6ivDvb6oCZVLXlt+PR8VYQbxWXjm0Lf6wonkWSY9T1ckIBMok6jNTjQWR5hFzdf +TkDK4eY0cmULp5tEpbHCpVTKsBimfXjn71WmP8r2/ectjL9h44VgmbF23FNlJcM0 +h+028vcT2zPLPl6er8Gzb3oh8hR7qx5zvUpo90wyfMdMd58fXEN8qdiyCJ36jCSi +3cuYm216YebMxtnfIXWRAZD/w5ycIZUqHeJVi8lFxMG/WJqMnWB+vZXaI5dutKsj +1MfgH3P0WEJOTEKL6caxAoIBAQDiBNkJ5gD1t7BEUmVR91oc8Kg3bGIT2uj7nG3/ +FYi8bRFgrH8ksHEyY31sQ+dQ6eDw/nbQpGP17Jy1zGrs3t9T+jyWCBC+OALKUWcK +WgnwVDKP+XMtmNMXCYx1rz56xx9TerR8LMxaUyT1AbKuRc7Fts9FqgNlsMR+uEd1 +InQ1q6aPrLemY/XVJdgs/SGia6+wkqjLhKZBu4/aWVBS6/YyzaKzdTnYhQz04d5N +ObmAxSPk9x09fen7oPnwcpMuDjR1kJPpfinfy7kHklypqGxfubRneoMo3pm/W0Jg +EZJhyzi/eF1fl6e9ZSq7Bjj2ybx+Y0iJktdqYIDPNiRCtXUdAoIBAQDVe4NcExhP ++voHbHKU6xlBP7CCfPDwG42PrDPRpsL407mSXHGE+9klSMaizR9EakiWhdVXdwoA +x+m2eCqt9S/Gnr1PrUbgvPgK7doeO6b0P6PeKIKLZCqiw2XOjjwQDtD3OS3oDetU +AMjZMjX6hQUgfGqUjP/Vk+RgZyEH7+2C3Molm0rzSnA1YNIx3K2WFLutpdtdZ3Hy +198lJTx2WgMkZOyAWL5Kocb9W1Lssh2uFVbhJ/dj4qyMlfIYfC1tmSg/K1ueV3wh +vHnZxtcCOiIPlbuscro1JHCX67eyHMSRFfLod4VRaNSbm8YfMxHAIKGGEF2RdY9U +ihv2F5MbAw09AoIBAEBl4zU3zJQ2Z0nANFA7aviN9U/9WKCRogp20rx4dUJCzU2/ +OGbKwyX5RPZBDrp2OPpRdqcR/81FQo1mFh0xj25NAVA6MhMQwHLG6NYBO423X8S3 +7YJTZenNdbDeYq326E0PzDcJSJx/zirk9fVDvJuG793IiDlEOWhlty5/x563LrkH +HDiTiKrXopWG9jth9WgZEXETdY+LEnzDL+jAhKCLCM2bHAU+O6fWZ1GXnew7v3Nw +mWs44h8pCa3h51+a+oV40TwZD3NNh4XJxQ8uBtrrfaRyOsa9Tg9AwFPBDfVBQwUD +FY+0FT4YgilRp49hgYx9W2CfbzNHFcx0f7ZmH10CggEBALv14bRhw5g324hJvaDM +VhIS53AcXW6qc7s53O4MK8I1eEAbUH/L1mZzayDQBWWRRpPxBePalV4WpfnYV4uO +QyBXh0rtv2gEOUg2H0NbNiX7GmZxuG7OJJPmAm8Y4F0rDmV9XKPiDX6KqkxBXzFR +iTAPGy/r7Ry49+zBIF4Cq1X626i80ALhWWZF9wubxuJLIutDCp90gulTk876t/9k +RTv3+BsRB4piYfeUPrDUKjmp5DKdo724SEAHjX5tZvoGTV9A54vEbzCs54QNBCWb +1X1vUiwFX1mG2fOIwNX7aj5r2tE+2ozRBdB0GL5Dkq9ci5qkMh3uKeI/L1s/am/w +AekCggEBAI+lWVZimzwAbEMHkXJIid61H+aN0Vio5jo3aefZE0COTNp7y4sIObbm +izrCbH6FvNeHZmCRr2fHaYuVF8kffHVPTFuIR7SfIevQ0Bc7tb9AXwnPocTxge/S +VqGEbEKwZ4y567F9XFE0d/3pAiHOOzr+GjMDryD6lmnfQfJAB928QpS5I7S+eSgQ +tb4goN0GjLfU6oHnfvGpQt5Mg4BiASm69YgoBRq+qo7MXSBGbhsAJQ78NuAJKUuG +HIibMNHLeEoAcOQouk3k8Bivz7OXcEJAgM2gHINzc1RRsk8D3et0BI9cb5cFKRYL +fGCn8KAiUGoN7QNauffVujKzzS9bfVw= +-----END PRIVATE KEY----- diff --git a/server/configs/certs/client/client-root/client-root-req.pem b/server/configs/certs/client/client-root/client-root-req.pem new file mode 100644 index 00000000..9098b374 --- /dev/null +++ b/server/configs/certs/client/client-root/client-root-req.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIE2TCCAsECAQAwgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZBbHNhY2UxEzAR +BgNVBAcMClN0cmFzYm91cmcxEjAQBgNVBAoMCVBDIENsaWVudDERMA8GA1UECwwI +Q29tcHV0ZXIxDTALBgNVBAMMBHJvb3QxKDAmBgkqhkiG9w0BCQEWGWxpZnRicmlk +Z2Vfcm9vdEBnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQC8exTjScoyVjR0xGWVv04f1tXO9Yfi6vcZP5RanP+DUvFuHLLQMb7GON4YEeB1 +QFuUBRs+FDqyxoH4GRJg2MdORA4MM+SnClN6SE8ekgILLhOtHG3Jd8vFcCYq1JS+ +jXAookZeoXbHAdZk85irmjAt/kPvDJx7CB5n8ZS/TwsjwuakOu3Qd7Sq8o95zoqj +SuFvVXpvTN+UBU2V2H1yWp/FODmtm0ABW8DE/wNkjXVzprwVXuqrsW/rz3xdA1ec +olw8zv2UH2x+4guReRT5YAufAOoRDMfX/SszYDrlPGF3Y7LWkq4IuegpGlMPKeMe +YgBavTGHw/d6G9rTscFIMy3a4zS08FGZlaHDG8XnCcUPcu8hTReV6rTKJkf8paUf +1TVuZVvPGuyr6lyBl5xcQDJIodunelzPAi1dsNPOZUrDI9ICMt4geTTEVABdueAS +1qsI0TUpBueo5ghb3JVH+hUVs/u0BDo5hzH2lmvdRn4mlQC/Ob1ds1rBG/dPFbbZ +f7wiNt81SknwOe7A0EC+YHYrwdWVjbvZQFVJWvenBspXs+DycNjjQzzzgpjFLo1z +Y9jphfB6sJog/7ROEfWHG/m1CWHYYiU61ti5/ljcrLqS6h4JQ+1epGHS3VgPwaKp +h15VpImP6M92n8LrUwRrVVz9CVs+ivWe2NfhK4QoioZg6QIDAQABoAAwDQYJKoZI +hvcNAQELBQADggIBACHTmVVlgz9HqMRrB5WrmAG2CYM1XkDEYmUaDRmaAyrGxpVA +WR9PQe+ituKckGgjokfzmtjeLI+SYDt4EtFxxccjPAC3mdFFwUD67Hya6x6iUzMn +xeLAeUutWZfFCPuSJbsckCvaBMaDgDelUYKyaBk9dd4863JzszZ7/wIDsoN8ZCSX +4XYyvJvBT5Yny8FYi0bhuxmeYXNvu6cw7xZ4KxXk+icVrGqXuU37Cr+EIBcROx0i +003S47QxOZK1zsxIH8ZvFLnWvQg/MmlP5aAklMMgQZkEQ9TXor+amjd1ZOeIpEzz +jhvmhTwapLIu6EOdwMBh/EsEvP7eIMNWtGVOwZMZ7+dxYVoeUP4BT9oqjxun6O2j +VEQHVvPkTZQTFVKBckamVekl7IB9rRGt1v763XwrRDiwdwDv3MPt7SsGrayJKJUX +0mhijecFD/psSOLe+VA5N66rXYcMeWbmvc7AzlFGDogGY7pnK8QYjDBjde2QNRfE +4h8VIujmWkC6otTgfqYH6vYRMsJ8esiTIzOLHFDLkdzkhcEB6okAOQZqWeOHXhO1 +Izkl7vljskHmdtHoTLP46P/2jXdoYNM1V+ZB0icxPNBTF7cYK+sJKGV4tRucXMEU +R4RUe4BWKVQkJP1/L2i/GkXw4KzmI4Ls3Hm0kHbqZc3WKMi8rujuQI8omw1Q +-----END CERTIFICATE REQUEST----- diff --git a/server/configs/certs/client/client1/client1-cert.pem b/server/configs/certs/client/client1/client1-cert.pem new file mode 100644 index 00000000..3778e821 --- /dev/null +++ b/server/configs/certs/client/client1/client1-cert.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF4DCCA8igAwIBAgIJAJoM2HChDXDtMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +VQQGEwJGUjESMBAGA1UECAwJT2NjaXRhbmllMREwDwYDVQQHDAhUb3Vsb3VzZTEU +MBIGA1UECgwLVGVjaCBTY2hvb2wxEjAQBgNVBAsMCUVkdWNhdGlvbjEaMBgGA1UE +AwwRKi50ZWNoc2Nob29sLmd1cnUxKDAmBgkqhkiG9w0BCQEWGXRlY2hzY2hvb2wu +Z3VydUBnbWFpbC5jb20wHhcNMjIxMTI2MDk1MTA5WhcNMzIxMTIzMDk1MTA5WjCB +mTELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkFsc2FjZTETMBEGA1UEBwwKU3RyYXNi +b3VyZzESMBAGA1UECgwJUEMgQ2xpZW50MREwDwYDVQQLDAhDb21wdXRlcjEQMA4G +A1UEAwwHY2xpZW50MTErMCkGCSqGSIb3DQEJARYcbGlmdGJyaWRnZV9jbGllbnQx +QGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANP8gNbe +wrTSIyuEh7PrZhCW1jC4vlBGYnbYsa9MSoXSWW/F4ElyUY7ov65KEPbO80l3hOjA +vNjqfqcYzKdJNgqZZ0ql6+t2u7LAAtSk1ril4l8ifSKFsO8Znby4Ct/38eU+eH5P +Dd9ZgPjVQGR5G/Is5wLamgZYYrPApkcYbaVqhXspmU07237xgA9XQIPu8l5aomVf +4gMQlX2lorE0xZTnlig0JoAzRtg9RBAiM40CUiA1d1eXVQH4v+ZT1ta+jdcVs6qH +B1yjg3oMr/zvOb7g5hF248xPFCO+Imo113U2xAd1HG+51edV+RVJCdeK7V3RDDgj +gLjQhoU9IQ61wUQBt7oBbooTIIiJRtuDh/2L1yAkEzCeopMEnKaY+r/rWfYpR1xZ +UHXB3uy0BmwSq2ukfmEWPyH/HLdguXA6O7GkDYryzfBkiQ47x8Q/5ncV++BmdASE +jjTylpZ4ogAITTalGqA+atQX7ZEt966vZcxRY/wzOTnz7fUbmqw2GvkQSe7K9ckz +UllUAkXFspy1I4m5TTYa7flonuKJ5SEqHnBEHtZebH9f5oKcD/u+9FqSn0UJlb+Y +6oDkgMuTlm2SJWzjankbn0Q/VbTvw9EmK9oGcwpXIpmpu5Bcuy9BWcBtc2NjtlpV +ToPE2DNq5YwSu/Afj4IJMYq5Qr0xIYMUWE8JAgMBAAGjHjAcMBoGA1UdEQQTMBGC +CWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsFAAOCAgEAMtfPUaVXMHq5s0dx +aRhYBTdIPZUauPgPHDIiCgytXw+XaXxUT8GnPIQ/NbHIkYTvjuNErVJBEYlAWAOS +gD+cpv0abzaBFgN4BC9YnmSIu7yuXQVJS/YGF1WJejfvvNZLH3TJ8g+qun5EcQvC +CGvJB1vG+m8pHuLznHfyWNAelg6GGWWuOQUc22PLq87gQoEFjc8oN3qBvfrg+pOv +pII1gZNV4VK9ee1NKCU8/5Bb+Rt4YFmUyNmlki1FJYgA2iry+Drn5QBZGRg2ws4W +NdN7E3AgR9XsseJtPBP1h9iQgy+Pf5TyuLl0m8P66yb9T9pthGANcrtMlQRIT6jg +x/TD5XOkT5KYk+bQiBEDSfj+HAHDt48cQ5mWWZpXkJqns48yUqm0F75dYyHzizIh +mV9HgaCkOmQFjaDC8V4JwHznUwAXziQVrm9ygVvarzbGLnJK2aIlWAYeuvgrWZv7 +A7wzrc5AO6/k5juPihYHPJk5F94JWieLm5p8Ev14DeR2jGuAuAJEX3S7LJfwl4Tm +d5s5msYgV+5y2wFd9n/emfjmJUV4iZNsWKRz8dxrdduTkxu+mrjqpCwggEzlx5SI +B5iyCIu3fL/4jaj2IMOOezVZsTbtc2oWE5mUlmojeGvDvnsBzMEpTXq7Mn0GeEvR +j+hkbRGHcKLD9wJp7Yzblev1UPE= +-----END CERTIFICATE----- diff --git a/server/configs/certs/client/client1/client1-key.pem b/server/configs/certs/client/client1/client1-key.pem new file mode 100644 index 00000000..6c92d527 --- /dev/null +++ b/server/configs/certs/client/client1/client1-key.pem @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT/IDW3sK00iMr +hIez62YQltYwuL5QRmJ22LGvTEqF0llvxeBJclGO6L+uShD2zvNJd4TowLzY6n6n +GMynSTYKmWdKpevrdruywALUpNa4peJfIn0ihbDvGZ28uArf9/HlPnh+Tw3fWYD4 +1UBkeRvyLOcC2poGWGKzwKZHGG2laoV7KZlNO9t+8YAPV0CD7vJeWqJlX+IDEJV9 +paKxNMWU55YoNCaAM0bYPUQQIjONAlIgNXdXl1UB+L/mU9bWvo3XFbOqhwdco4N6 +DK/87zm+4OYRduPMTxQjviJqNdd1NsQHdRxvudXnVfkVSQnXiu1d0Qw4I4C40IaF +PSEOtcFEAbe6AW6KEyCIiUbbg4f9i9cgJBMwnqKTBJymmPq/61n2KUdcWVB1wd7s +tAZsEqtrpH5hFj8h/xy3YLlwOjuxpA2K8s3wZIkOO8fEP+Z3FfvgZnQEhI408paW +eKIACE02pRqgPmrUF+2RLfeur2XMUWP8Mzk58+31G5qsNhr5EEnuyvXJM1JZVAJF +xbKctSOJuU02Gu35aJ7iieUhKh5wRB7WXmx/X+aCnA/7vvRakp9FCZW/mOqA5IDL +k5ZtkiVs42p5G59EP1W078PRJivaBnMKVyKZqbuQXLsvQVnAbXNjY7ZaVU6DxNgz +auWMErvwH4+CCTGKuUK9MSGDFFhPCQIDAQABAoICAA5fEPEAOxz9HgtGOdj1vX6k +azL0Y1qX2vcJq8ohlu/Jmeyc8p6oFGVm3A/Zz5qb3xx88NLCtkrSYvG7GazBpttD +GSCTbRISg5kTsV1vK2trO5SNhwQ/IgajqvDvXTVf3tNWz95oR517uOWlt27YUw+x +AZxM66JAfbiH9/3b5xsOxKvb3xvAUhoiDzd7B9Gp8l55MIdE39KrXicdgpEW7cox +hRmGp5GLaGMijCm319zYam7qkQOsK8Qtc/0OdAMs+fq56utFqjcaksBEee3g3f5V +yuMmNz1Tox7lNfoTWl8E7nc+9kWQyLKdPny17efh8EOq93Qa3BAreuMviL0xjz+I +b02j8scmqh4kvJ7GF9mnW4za1UdKuecpyDzJu5FuaXOES9a8YvhAFbjyldo/E4vi +r2XvTBQ0Km1uTWBAjS86Dw8XhWY+zjnbOvNlZPGJWn4A5f5YByweyrMAgxj5hZAA +KrR4xsfSjbxfOrP3yCa4bO8ao94eUHDunXG8WcVAZwEC+M95+oA4fTvxTMooekXt +xQ/6UZexf2R0Ll8P+cyjmVz+tdXshME6jlnBMxwEHGCqTvq2X8iic9EYd87AkvN1 +JMX0TpSIW/VZksDNT/Yp4985xf8vbr5ztVj7SpKXdDqTx+3Ogn1HH5vgvM2JI/Ac +V60J8A+oveEwf/Tf4oGxAoIBAQDxKxYkAUXtOECoLuxUYERaJWug1lL+BlMk9ZTN +HJR03B+xgXgCaY6rmaIARxDu8MTrRDaqHJcJOP00VIo5s7ox+u0Mqs8ePqerA9kO +oatltc9sqaYg78ec0IsMs82VwVIn4fOccS/l8vgzjWz2pJzmi3JEtPS+YQXBFj3y +Rfi5vLSmjSXhQWGsSVv31Dp6tFHa+fBwk/bhbcHUcCsPZxiZWkpmQVCem+kiLDOo +biTK8RgZ8vPicFvHrz6m/q0m3eb782I5vrzh5roocWJAuTTNzb9cRvvZqyzoY5qo +ugu/WlafpveR2y2oDSMH7cE4cLU6vOrrBNFfS5sIbdLsgME9AoIBAQDhBfsVz7sa +8b3Gi3zxWhjFiDUYdmttQsYktuG+etNdbyYrSt/GS8GhtaV90++DCtvVrK0PxXWv +Yq89zl3Lq2o1RLyEynfdG/q8DE8y3Mw/ZZ7s/9MuWXLtFz3EqFXKJ1FYtURQqR0P +YCBE2qjUzt6aSTXj+V2SSNDBOtTWjsl5oHKq5q6RgXw8hnjXN+WVY7qLldYX95it +Y1/EraTmSoXatNcZmOjmltf5e1vKavGpdymcvjiXgd2JWKKDyjaD9RGfxjG6YJ/b +Ppi9D1fnEyTMNIbAPy8aOTBvkkER4RwaqXDKmXbKHgPpsSKwe8f5nHU+1dpEFQIi +ns7SCPE3YIm9AoIBAQDGHCrX8OPMdsVGYyVoOpxroQnE2crbOb7bQZG23J9nT9wJ +KN24vZWhiVb2+2oBnm9lBGgTXeEEhngZoMjblbSCkipgmYACzF1XspV/23a82plG +HiaGL/K98uIG0T00o9YlRQulm6VJNEqHrsmv4pGxISQBJNVX/sOHVgoVFz229jlA +B/ryC498w9Z0wzY2ziHfzCmjkSjhDhSHuozk3j/q2az8SvM7F8BvffgBiFlZDKxL +xLRrcvkyE9dXvyXmI6s3lTs/TFxFBhAuYNXhbULfPQDRgM4qhN8jF49Yw1wbGM7H +35THkFD1F7WLMdfj0VJOqhogbZjAu47jYbQ+65XRAoIBAFdAvm9isSZtfiyygawE +R36wpgXqRRWEwtgRoc7+SV79bktzKPn2/gn6KUV1HHYvi7Z60lA/PLbZCSJqFqyW +twQYtxC2gWvXIY4xJ7SNMRWUDd/QAs8CGDIexPCwZTORs1U2VFsCeCYyG9EXCEgc +PuyMXr0bQFEssuV6LnVTwIPM1ym1cRMypj3B1rF9FySqGvdtDisU8rqowcW9nyc8 +1lJLtOxUAlsHOo+eaaU/ep0/e38vsznsPT64g6ueiSz5pe/SJg4i0VluGEOW43rS +TX5xD58T4OvGKSXaDCkmpIMiGH42q30LznCbItxT4uLC7COFQLENhFpwQbnnhcD3 +SfECggEBAOcbU18daWoLer7Txm/PUXKb+Y9vQKAY0Fv+UEM99LVo4QEqbzbacG9R +7YCjpOAMuUYlo16PsGPCjhlIzqu7ZKQP6Vmby49RXLluf0nY+FR4jiOaKw3ytH0+ +ugZuIr/fFCw0Ka6g8el95/44osajpqnTb+zroMQFTuzMyWIsHG3seXMZRSmKz4yr +WYl9vj3OYrFEYza4hputiCl6c/2d5/30/ul0HE1+WKEi5ONdYh3sN5911qbKM0/p +A/dwkKM6PXqW6cFD6vIVJdtQOIPqiGz1T7uLY0iBzG3c60NxJnH5HRxug565WKTY +D5CbZjHzu3rqqZ42JYRqFPx3/OoCbqs= +-----END PRIVATE KEY----- diff --git a/server/configs/certs/client/client1/client1-req.pem b/server/configs/certs/client/client1/client1-req.pem new file mode 100644 index 00000000..7f80c627 --- /dev/null +++ b/server/configs/certs/client/client1/client1-req.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIE3zCCAscCAQAwgZkxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZBbHNhY2UxEzAR +BgNVBAcMClN0cmFzYm91cmcxEjAQBgNVBAoMCVBDIENsaWVudDERMA8GA1UECwwI +Q29tcHV0ZXIxEDAOBgNVBAMMB2NsaWVudDExKzApBgkqhkiG9w0BCQEWHGxpZnRi +cmlkZ2VfY2xpZW50MUBnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDT/IDW3sK00iMrhIez62YQltYwuL5QRmJ22LGvTEqF0llvxeBJclGO +6L+uShD2zvNJd4TowLzY6n6nGMynSTYKmWdKpevrdruywALUpNa4peJfIn0ihbDv +GZ28uArf9/HlPnh+Tw3fWYD41UBkeRvyLOcC2poGWGKzwKZHGG2laoV7KZlNO9t+ +8YAPV0CD7vJeWqJlX+IDEJV9paKxNMWU55YoNCaAM0bYPUQQIjONAlIgNXdXl1UB ++L/mU9bWvo3XFbOqhwdco4N6DK/87zm+4OYRduPMTxQjviJqNdd1NsQHdRxvudXn +VfkVSQnXiu1d0Qw4I4C40IaFPSEOtcFEAbe6AW6KEyCIiUbbg4f9i9cgJBMwnqKT +BJymmPq/61n2KUdcWVB1wd7stAZsEqtrpH5hFj8h/xy3YLlwOjuxpA2K8s3wZIkO +O8fEP+Z3FfvgZnQEhI408paWeKIACE02pRqgPmrUF+2RLfeur2XMUWP8Mzk58+31 +G5qsNhr5EEnuyvXJM1JZVAJFxbKctSOJuU02Gu35aJ7iieUhKh5wRB7WXmx/X+aC +nA/7vvRakp9FCZW/mOqA5IDLk5ZtkiVs42p5G59EP1W078PRJivaBnMKVyKZqbuQ +XLsvQVnAbXNjY7ZaVU6DxNgzauWMErvwH4+CCTGKuUK9MSGDFFhPCQIDAQABoAAw +DQYJKoZIhvcNAQELBQADggIBAEVGftDeoQPX7psHj8uTwBgF08oXfe4hSoucNtac +yXo3cijUDdSylv2M2OUTgoRe/QG39+3/TCeoF3URQ2/DeAZHM5hEhgZilekDJKNA +7K9ehTvbWIlymod+m1o60ojWLnMbjmYWkkKwmC0mvvIORGTFBKM5Egf4vrbtEl4v +9tXasQZsv01ExlVnodWkXC60Ufv6TYkeVg0FCrgKCOqXYm+43H5LQMaLXgNV5Kuz +gRLXiMjm5xytZRXskdVDLjGJnyuNh2JEkrFVGTuFssVZtOGLlv5fzne8mgTOHOgv +cRWIzL+/XKnG0kAYABdBPtXJ1g0mSqytWeaCws5QVPkTlDS6uYxZ8Tdm5IXewPlw +WH1eVIJcCcReFGWos/TlIL8so1vHhp8mwEh0IHfV8BParg/c2AEIIt+FudSebxKu +NOFVb+YXJ24d5IAN3M7q8izghrK9H4jaXu5ZrGyu6432hcmJtLLl4tFdY7OZNs0V +cyVvC6K7TqrXBvyHLhYoId2ayD9QubTgQWJ3SDja6pcFSAZ8Vc+qyBq/HR39vlij +TczDoTFXbq+19Biuvja+i5wiL42iyK0978EwiOnMQrPULayL9ozh6gdjnHfK/zZX +ujF0vIJOVpbaHDYwrsAHTdWUShG6G/fOcH8CCOvVicl+MtQb255BXZv1/0FJTUbE +uAG0 +-----END CERTIFICATE REQUEST----- diff --git a/server/configs/certs/server/server-cert.pem b/server/configs/certs/server/server-cert.pem index dd0f00bd..30cc4d15 100644 --- a/server/configs/certs/server/server-cert.pem +++ b/server/configs/certs/server/server-cert.pem @@ -1,34 +1,34 @@ -----BEGIN CERTIFICATE----- -MIIF7DCCA9SgAwIBAgIUbNGDI40ToedQ6UZ6PGL+qDAAdJwwDQYJKoZIhvcNAQEL -BQAwgaQxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlPY2NpdGFuaWUxETAPBgNVBAcM -CFRvdWxvdXNlMRQwEgYDVQQKDAtUZWNoIFNjaG9vbDESMBAGA1UECwwJRWR1Y2F0 -aW9uMRowGAYDVQQDDBEqLnRlY2hzY2hvb2wuZ3VydTEoMCYGCSqGSIb3DQEJARYZ -dGVjaHNjaG9vbC5ndXJ1QGdtYWlsLmNvbTAeFw0yMjAzMjcxMzEzNDFaFw0zMjAz -MjQxMzEzNDFaMIGaMQswCQYDVQQGEwJGUjEWMBQGA1UECAwNSWxlIGRlIEZyYW5j -ZTEOMAwGA1UEBwwFUGFyaXMxEDAOBgNVBAoMB1BDIEJvb2sxETAPBgNVBAsMCENv -bXB1dGVyMRkwFwYDVQQDDBAqLmxpZnRicmlkZ2UuY29tMSMwIQYJKoZIhvcNAQkB -FhRsaWZ0YnJpZGdlQGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBAMkr6nn3TWXLcCOXxsUQTCVcgt9PDTjrarFUMFmKOKvKjwf+yrADJxmz -QSzrmNR6MG0DlaPNUlqmybniNpNn3yEG8Vd0T0/vYMFIMk/uoikDB0v6YSeNY9Yd -j1ZwFPfajvFWRJiRqieO56IyZei96cDDxA1afzkl3Tu/pA3YmkonIM20ZhFCtKkM -ktXNbZsmFKtp5lZvAJzsOoqc+bwt7gMZ8E8oT8o4D+nD4eqCw7BIJlSui4OiHcBD -gkUk1Ms5AUCHf08cDPkAPb4bw75fcFmiAKUXQBb3gmHOyPF928WTsILXDUM9M/Sz -gxj6mSoM4L5DK3KC6XpyfWr0Jgx1HxvhEEN+5op6X2UX4U9WIXzzJVsVLf9fbWq4 -6Uo7ZALO+EiUiRRtFFodC6Wn8FU3aaJGNjV3SYmiDZIqlxViQDq3Nb2Oyxy5oNON -Ys/i/t0DSfp0mmSnPWBXpn3gYZes5zdA6NySLnmj+QbGXCYw3OutpJZcZY+XyXri -6bslsntqZVOci5PEDkqT6MLSkW7YbYE7fU6YOytv7Qxj1ziskt2p12UUC4vuVsCB -gCHjoprpxlUlu5uFA/I9hyRNR8brWbPAL0OAc5BCT1MEGtN7xGm7ks8ZKFg5PoXb -ueSi/QpHqVBm8HdcoCBU/SxXsKpy6oy1bjzxonZv1HpMKCmTFgpnAgMBAAGjHjAc -MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsFAAOCAgEA -aCNWVnoOpT4knkreGE7GNsa1eYPqTEU+7rlBzHvHpoATfU+0YYSnydkb6zfDLXW0 -2a/529Tbx+tY3n9YrZuj52AoG7HnlI3D1krKfXRCX80bwOTqxdc8EryqyJi7DESh -SVJUHcKJM4sBq+uXQsUezMTkNq5/Y/lgW3nJ3eYGv3OGVVw+z8cnDuDjJGAmIAtG -bwsHXQUPSSn9TRPSrASM+8ZVbEtnpu1EioGrN08Xc41EzcpOjZY7JpeAeVMV4TZq -efT30luBT8TbUwEQiOk3ab8VAM9899IUo5z9Ndbfi1fmyUli+XiSwFnIH2V/r5sH -KEI6LfA/feo/lKhGamSvJeRiIc3vf2Mtl38WQnn9mat4ZTCPLFsjTI8wYMXy1KE2 -zH/+ZhE32ILzlk9u5nED01NzAJkfbUbXl6O4CfO2eiYv/NSUW0WoRX4W28aHRWxn -IK72Y2VGv6ShtKFNrTAmnezARJqZ5mkFUdaHCs0VTXGJh5eZv3c+lU878sCov3iH -jlwEgjqPw3/EwO64RAUauRYLHmUdUWFI6AHeXDXKpYxHY5oTml91cZUDT9yQ3Db2 -jlqGuO44BnM2Gh3txrH6iVEsOOQRNvc5+L5OwUCPM5j4/Y0crN612CIMnJYcSqLD -BCCS6laznpt+4hi+WgalcXPI2qm4opNrO5j1dCxDxmg= +MIIF4TCCA8mgAwIBAgIJAJoM2HChDXDsMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +VQQGEwJGUjESMBAGA1UECAwJT2NjaXRhbmllMREwDwYDVQQHDAhUb3Vsb3VzZTEU +MBIGA1UECgwLVGVjaCBTY2hvb2wxEjAQBgNVBAsMCUVkdWNhdGlvbjEaMBgGA1UE +AwwRKi50ZWNoc2Nob29sLmd1cnUxKDAmBgkqhkiG9w0BCQEWGXRlY2hzY2hvb2wu +Z3VydUBnbWFpbC5jb20wHhcNMjIxMTI2MDk1MTA5WhcNMzIxMTIzMDk1MTA5WjCB +mjELMAkGA1UEBhMCRlIxFjAUBgNVBAgMDUlsZSBkZSBGcmFuY2UxDjAMBgNVBAcM +BVBhcmlzMRAwDgYDVQQKDAdQQyBCb29rMREwDwYDVQQLDAhDb21wdXRlcjEZMBcG +A1UEAwwQKi5saWZ0YnJpZGdlLmNvbTEjMCEGCSqGSIb3DQEJARYUbGlmdGJyaWRn +ZUBnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMYF0e +H9YoShCvmg6ObUM06aRdP1+GGpsyIUB0nLCFKMkHLFpgcxYkM3qXP+FfucoTt5of +MISGwfpOh5S/81N7nsa3PhfpPfMtECPydDgZx/GOD8qebuh4te/W5BDO5AuCNRei ++fmqzgjYkdl+lCvQNBNgyx9bFcb9GqIeQoW/b53EiEJvS6fKB5kKTopy0QiJ1Mit +vHOFGnaWUNwqWhKwz3rUaohRMrkVfzCDtQERzzZVKYZaBaZM8aVh3Y+jc+xBcvfg +1qIL4Fu5SZ3Kr/WnMEfdvQs7opel38PkEeEaqu8S75ECDbvtKxiLlsALD3XckEfH +Mxuhx97Ehv4YIM/vRSjE7rnwtE9IgOTv0KG4to0wOP3m94SSVliBfBWRnMh8SCtB +Yf2zHNdA0snCmfQ2PCJ35ajp6eRvM65O/CZdECY49mvZtynJZJ6YRJqhbJju3WEP +UWP2c7ThoT0gdTz969hCgq6HeXKxdxzgV8e+jXCt1sO1ypLIPTe62108IE9EcrYS +mypboDecNBIG0oOkJ1yTn33znfI7WAMaLWIbbjnRmWo0o0wSIufgvx0duofuQA8+ +O+Aa8228pZ+Tjb/iAbZh90WdKjEMJQiuC8gnGaDNikANG5zjN66rAn6YvfI2u1XN +5NtReaGa72k2nXenDkkTzhxJpQzCTFNB0ZMPyQIDAQABox4wHDAaBgNVHREEEzAR +gglsb2NhbGhvc3SHBAAAAAAwDQYJKoZIhvcNAQELBQADggIBAJlt1goPR4+ajqHA +Ggn9Mgr+NTP54KTAO9PN7e/4en6Sz14tqujHxzFq3eigIiOBfPYxdkwdxoR47uu3 +iMrOEKX4xJVwxUT9pNdusGOyq/YNnoJHinkRucGpCux/5NxbvTtMeHw924/POpO0 +rIkClJr2xZFO8cYFcDdBXiYhQTYK4QrT9DfPKVE+XSheejJp8SjkHD0fBCOCcpPN +Rl08/9IHjEsYJGwL+Yx4iXrgHZuQfb2VcRjsR7W+ycU1tnjNFz+3cV+dxGKtp9lw +gCW/pO/0OKSQTEHelC3WCca1kRAiVmmA01jDyPEeP8NjyUIZmzolmGxxnCDkWdNk +0++W1kea/atPS9Eri4rK6AIXQ5OMoXINgT28Qlof9wTgX+VPCg4iE6zxPofW6bJt +MahzZ9hLj/wCua9t8MqL59KOxCHcx8rPwmn+dzdiEWExb1TLA98UXcwCiN+oYf3y +dEoB/o0DwcrE4idpM+2OypcfV2gX4GAa29AxseCOc7FZZxV+6HnfE0DZjAOvuFs4 +v7UHdgcUabsyf3L32T4BfxB5iVlfm3+47cWZOFzXxqOPl9iOIo2aiREDIxXdafM4 +8i/3TsZHJnQhf8awfdC8LbYhDWKrz8r4hM5I4JbQHHs0BqU/HKEjSGwxq1hQ5mhu +itPPiocdIV385mGnjKLEPcpKzDRS -----END CERTIFICATE----- diff --git a/server/configs/certs/server/server-key.pem b/server/configs/certs/server/server-key.pem index c7ca5801..c45cff4e 100644 --- a/server/configs/certs/server/server-key.pem +++ b/server/configs/certs/server/server-key.pem @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDJK+p5901ly3Aj -l8bFEEwlXILfTw0462qxVDBZijiryo8H/sqwAycZs0Es65jUejBtA5WjzVJapsm5 -4jaTZ98hBvFXdE9P72DBSDJP7qIpAwdL+mEnjWPWHY9WcBT32o7xVkSYkaonjuei -MmXovenAw8QNWn85Jd07v6QN2JpKJyDNtGYRQrSpDJLVzW2bJhSraeZWbwCc7DqK -nPm8Le4DGfBPKE/KOA/pw+HqgsOwSCZUrouDoh3AQ4JFJNTLOQFAh39PHAz5AD2+ -G8O+X3BZogClF0AW94JhzsjxfdvFk7CC1w1DPTP0s4MY+pkqDOC+Qytygul6cn1q -9CYMdR8b4RBDfuaKel9lF+FPViF88yVbFS3/X21quOlKO2QCzvhIlIkUbRRaHQul -p/BVN2miRjY1d0mJog2SKpcVYkA6tzW9jsscuaDTjWLP4v7dA0n6dJpkpz1gV6Z9 -4GGXrOc3QOjcki55o/kGxlwmMNzrraSWXGWPl8l64um7JbJ7amVTnIuTxA5Kk+jC -0pFu2G2BO31OmDsrb+0MY9c4rJLdqddlFAuL7lbAgYAh46Ka6cZVJbubhQPyPYck -TUfG61mzwC9DgHOQQk9TBBrTe8Rpu5LPGShYOT6F27nkov0KR6lQZvB3XKAgVP0s -V7CqcuqMtW488aJ2b9R6TCgpkxYKZwIDAQABAoICAQCISJYKlnz6jz2i/zmLWyUa -0nderQE6JFIdW/l9T2RhDVKkifnqD9i3Una+5cSdfUG9OIZxd7Fo9EEJCrUKW34P -s9Jf+s2YS4Tyq+RZvkJhIkoZMMAMuX5/GXt3hWrPFmNsH5NNALGTJv7JJPdhGvd2 -vajdmwdBQeOEjKmpL6omvic89A+JdfVJ6Ni4uvib+Mpb7dw7heuWY3qtWPbegwcR -Vssz9Q1I4330Ud2Er52+mMJO8AhX3sXk8FcaXH9ERZQRkTmv8ELhlUY+ujR7jdBh -CJ0DOqMSbA8KD7qVzzvJt+oGWYYEnTvLdKlFjM+iayL+Aic25nUhnNpWUJxOKDIv -zw5blb/aMgvYXpUsAhJ7GjjOKqy8CuAqfhFzAoR/lw8HB9UKw17Y1lhYiI4uGnrM -YTc+5I5yqX9C5SoQ4YGYN3kClD9FqWsmUbBF1ViloM2BnZ4C1y/9UFpRH9XvgMHE -mHyRRakr4o0g6ZhPNfqumt6zgFtgfW2PJ3KZpJhq7nvc2vTqVvK7gcSbY8ykK4G3 -4c9c/46x+umQx3oRCwgGTOLU3ItQ+ipFNWuKdETiqAyh9t60EpcNZwhk08p5UGi0 -TFytTstJU184rJU/kDlMhEKuOzIGgSku6LDy+G+TBT6Iixe+LppRNr6KINcCTyWT -QEJNfwddUJEhUZc6essqsQKCAQEA7geyneZI90lxbYVWzmpfanG0NplVC8ZRd2c5 -Oykm95uHshvjp/pclhzxiKIGLHOc1IPvwKGLsUSBGGd8YxBlgXC47WbXI7kIyNnF -YGlTsSpXkGxXs5BP/LbgTu5FWfiMSPX0anTCQcqNaxyraqNJao9NGRhrKYNHpcyF -Cu7Ayoi7dF4R9sEQTcyO0y3Z9G1ma085Ppra8mgOhNhhQ4cxFaeYohsy4bOwbvCm -/YsPmuiA81oZWMvbRzVjUFVRQqYWFK3cAMUsLojQNsuItSkI6QoX1BZUrDzZ0vro -xMISmeRNF7Mr/EGZD2yUFPxgDsoZ02i/9zwK8B3H2soOR0WKRQKCAQEA2FveqXdE -WXpV/y4dsNX08trV43z5cFrUTe2tYyGx+I89gaM57IsbZlYGlTGl1zwM6rRQF+7Q -ldgXNxU8MHja+z+4BAmnSutbYubMpJD5wu9iP2l+5KUdi8DYMjxaI4FTHazODoxl -41uUONFYBs4j5XtDEGfD0nbiltuiQbsj7hFGzh0fwdsOxadsQpj8mPZFfAj1AkjE -CD28pry8moAbBw/+ottW1pQ8dg3/ud7QC5TDAWCagmopcpQQX6dqB5NhNnj84F/A -0G/HMyBszGQcw0UubmNiwKkPL/2MFHZiPeNgx2nNAZiR/YxwLcFoTeqsKd5iaYGl -JeNQsWnYiXeCuwKCAQEA3/0gaRP2H7Xd5ijuielxhnIfGq3paN4jdVAOfAx6ndCe -vc0eysh+7ceoxmFpm9TjhNvu9f9Ou+5x6OwhEfuw+UCA1O3Mj9IkYRUEdnhHCFWG -9uHtGY04p9/TbpMrccHBCTth1/etgUnBEEV3TS8A/CSDcZUX6oWeG3g8zg/kHfLT -K2sGToRY+kz/Ldxc2HVGRr7TaIVCeY/P8dTImkoSt4TxzcH4fImiApO1IKwGcEhQ -aC+l4HhdDUJBBaxzfltaNfVxLMxeih+2h4m6SHen6dvUloC5Bydv9uijt9vEs0ox -/ZZeUs/L38bWBnWDUwd9jAJrepTm2hO8KLew/gKDXQKCAQEAipsoZUar+eq+pxDj -IoOfPenl9qv8nPcDZb0rRAO1ITiava9VD236qq/X3cKFrQKif8XuPbbX1/cswDQR -cDgsiaNDfwq0KvHmhNC5L4BVEYYMWfV6vn3tFLgBiQVS9cYG+k7XX0igiWwE4/Vx -QELVilFSIHNpZy6UcPLZ2uRJ210kEC1mR+nPZ96fI3cg89lpoFGYrNLzCxiKAAOP -jCcfqYGcrrZ3xlYG+dZ0Cp5sh87QstQxh/T9ApNKfg0hhyLqt1wBHLkbLC0/30gZ -i0NjjdGHMl7nR+fGfAchs4Y339AIExh7plcYx+ctgpKSAMCjdNssDs1ogIJFErNt -bnuquwKCAQBCenkqa3hjamoqtTOIFPo0DOscfqQ0s/+I3RuvkrxCOOfPODqWs1CT -RxeJXAP8HFWJT3+hF5EMoyq3zLrmtCy+TmvbHI4UR7ckyl1s4VUbj8ngVlC+7lL4 -/bE1pf9HftbClEVmBoZJIotHeLR+th2dk8b2eCNriOreK3SQ7g59csrI0jW49PRu -gY2D4sOwi0fq6kPvDNxvi/KwaRvXmpgBZ36AxHRVbKEJ0Sb4Atd4SfhuUr+iNwEk -HyhtBimIJbhED6vz4aayJus66pCxxRRkY+7+fXhNIKQebTku9dCFQrHOD/XniX5i -VEFNqpMj7nrZYbt1xluD9OTTLrdfKVjX +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDMYF0eH9YoShCv +mg6ObUM06aRdP1+GGpsyIUB0nLCFKMkHLFpgcxYkM3qXP+FfucoTt5ofMISGwfpO +h5S/81N7nsa3PhfpPfMtECPydDgZx/GOD8qebuh4te/W5BDO5AuCNRei+fmqzgjY +kdl+lCvQNBNgyx9bFcb9GqIeQoW/b53EiEJvS6fKB5kKTopy0QiJ1MitvHOFGnaW +UNwqWhKwz3rUaohRMrkVfzCDtQERzzZVKYZaBaZM8aVh3Y+jc+xBcvfg1qIL4Fu5 +SZ3Kr/WnMEfdvQs7opel38PkEeEaqu8S75ECDbvtKxiLlsALD3XckEfHMxuhx97E +hv4YIM/vRSjE7rnwtE9IgOTv0KG4to0wOP3m94SSVliBfBWRnMh8SCtBYf2zHNdA +0snCmfQ2PCJ35ajp6eRvM65O/CZdECY49mvZtynJZJ6YRJqhbJju3WEPUWP2c7Th +oT0gdTz969hCgq6HeXKxdxzgV8e+jXCt1sO1ypLIPTe62108IE9EcrYSmypboDec +NBIG0oOkJ1yTn33znfI7WAMaLWIbbjnRmWo0o0wSIufgvx0duofuQA8+O+Aa8228 +pZ+Tjb/iAbZh90WdKjEMJQiuC8gnGaDNikANG5zjN66rAn6YvfI2u1XN5NtReaGa +72k2nXenDkkTzhxJpQzCTFNB0ZMPyQIDAQABAoICAAyW3wWNBn8i2NZIUh854crv +nX1U+whiuS6kV7kXMdRyB7gWZlbMoA+I0ENi3vorkqQWSjsjnPZEGqwds+8DCSBz +TmBZRdXLSCB9fwlfWVlVNK8AkAWkZVOSOXzuPY7RA1h49sTGSzfXSzoz+cbPT8ea +fZsXyA2vULukmVnt1RlOwdQqZJVAfsx2HVpCLksWT0VWQypYknEfiTCHOJivRbl4 +fmN5UH5X9oi5df6W9sLnFby3Oxxufqj8tahKop9585Kwh05lSkQbBOtr+nlSz3oG +AldJXtjEkjzYhNOWulwPLXzoHvGWcP4SCogGuDu2LxdwF8vQfSJBEpreieZolwZU +3cuSSiiTEJEEIE8datzjiWQpcyP+Zlg/1vtvsQPvnjkXvjAjJp2NhmCgBNs+Qkbh +pPRDuV1miFF/TVQRosmk8cc30ZUmeU0GWztnHelarD4r6IeUlEBi6frLKsy/WLbs +9EeLfRPJd9l0zLW4yzbGnGLc81qkcdDJNM337tnBL2JhFt6KuJAomDgCfKiCdseK +JiJUBwgUYKWE/1HlZFw9bZcIL3Ui2k69gE4htDC6jOx1ezsvGLf0TM4DncenqUod +Fw98WbYUdBoGnMy0WX8S2nFnX1SKLVybBfEBUj6czeIPzcdn4qC2DKJBxmbS8RPP +OarxQAJYTuSCWmdHZW0BAoIBAQD5iiy+gwIfMfQkyK0Qd9IF5M2FGWhJ/sS6E33/ +CIGDaMphfbHLLImBg8buTUkC+DVft0ONYZlaOHKs/MbtA7mMAUW3MuGDlySLGZk3 +d0dn8fKDCz8xLXolWwRKQY7I0i53VDIp5dzoWLBYIxRvyKj+6Qn0qbjlEAyB2+IY +JWPtYikNh0JsH3eEwWyAXvClU2JAEJTpIXvEsOmoj3u/GUtwtM03rX+MM8EeQMAN +teN0yO/bbOj6aQ6gOWXLoDqAjWxht7VRYjChbmOfu38pmX7HPScUOpUBlZjH2O4a +MC/aqX2RJiEYm/9qs1iS63SiL3pR9N5TJjZPnM6Z0BQwb9ApAoIBAQDRqt5x7ZI9 +Bj3uUjXU5roVyM8WGcwif7zbip/ChgQS5UMOe9o0irqf1TXjYK7pxPOc01XIu+yQ +k9LzdWRcEJyOxWA3f61u9mzQXydcMdfrkO2BKcXozNdLOHbat9lSRwcnM6/5HfCa +ovtvoIpugBgq9eLU1ZcxtF8VXk8LlZbhfprjvYRNypjzzemFnno8MvvmTYzPxGVe +kUo5o8GkvYQ5hPzpypMUuHYQUWqBcTgyPJ14wX2AoYgrlhpUFNPrNgZfrryqYNQT +8PusgIclQsvPqVNGOXlGO9/QgXWtcVrOlHKKxmU5smDKbB2OOqDbpRdYnN68aC6U +1e6sDL7LpLahAoIBAQCe/qAlvtlyQOTbLxW+AWpLIQ6l+JtPUknMebD091l1/iW8 +2laXKshuQiVVHt8fSkDPvLgI9B++sWq3t9OTnqTxhLoD0SKJMpsxGd1azuArZahs +QJVB40UJWiWwnna4k9rRY08XDQOk8yVg8vEJjGPJD3itcBqDsKcXcp9rXR9/V+Tq +Xr0+oQoJByj33gYcgLWANlB6/j+bAlHOeaWSDC7aIAkFqcEz9qHcgcscsUC8326c +c5c6Pgf4pLmsdWnxEKr21BNuSE7N/MTzOIb8XXW+wsMMi4r3WHbhFuIWw48qFoYQ +HqhFwteKB72u1uEYmYGpiIjDl/xQ24tzy3WhqwyJAoIBABzpT+Ur2kd57d5IDc4+ +xpgsaYnlosV7EcLAOclsC3HDlVyQ7YTjQFq73sNs2JG5q9ILPkAA0d0Z1TPnEyCy +1bPGOb9NZs/vQQ/2nwnSgbCk+mseJIE2hdWEgrckNN5olu7r7K8QVtYr9TnuTEhy +d2KtJ0sr7L5Y3eenaoTxaq3LdHZE8tJ7Rl4QHcxkDvzwFtYqCWm47jV9GVwbXZ9m +1q3Lzcg7O87WpMkZQPN6dkJPI3O8Up8DJzDDcPv5J0O+3mAhSzi/Q19AkqO10Wzs +6gfHlIkRccyigvlQcLaq89ealrTWKK0tELW49NZg9T90Y2S/tOMMBqhVW6Tz2Pdh +ziECggEBAPEGJKS95zZxBO5thbnYC0ztlEBBwWNm1x0JRiwfpNAL3vOOT8zql6aC +6s8JBm0ih3mKKCV0eLp2Av7ei2VZ7reCX+JzmK1MFnKaRbYNnQbuDLneXs+46MJ3 +K3uRP9uc7WUVbMJYYEmn3HQZb67RPp7pazF1sIjijdMn8MpWujPKqTbQ9qgxPtfQ +Ejj+5ea72wlFQSHTUzd3oMdfYZ6BwEdjf+kpz9bvH1H0CDLnkibkGdcwqyhiA6Ae +FTcQaL+xtBFTMtIN2Q0WpWhEZkE6x/UV5OYrSbjzkavf8SgTXmec+ZZO6uBVeD7v +3SYEL7ttYfDcPSeOdU1ArQd7PDQysuc= -----END PRIVATE KEY----- diff --git a/server/configs/certs/server/server-req.pem b/server/configs/certs/server/server-req.pem index f0c4804d..9ff76393 100644 --- a/server/configs/certs/server/server-req.pem +++ b/server/configs/certs/server/server-req.pem @@ -3,27 +3,27 @@ MIIE4DCCAsgCAQAwgZoxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1JbGUgZGUgRnJh bmNlMQ4wDAYDVQQHDAVQYXJpczEQMA4GA1UECgwHUEMgQm9vazERMA8GA1UECwwI Q29tcHV0ZXIxGTAXBgNVBAMMECoubGlmdGJyaWRnZS5jb20xIzAhBgkqhkiG9w0B CQEWFGxpZnRicmlkZ2VAZ21haWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A -MIICCgKCAgEAySvqefdNZctwI5fGxRBMJVyC308NOOtqsVQwWYo4q8qPB/7KsAMn -GbNBLOuY1HowbQOVo81SWqbJueI2k2ffIQbxV3RPT+9gwUgyT+6iKQMHS/phJ41j -1h2PVnAU99qO8VZEmJGqJ47nojJl6L3pwMPEDVp/OSXdO7+kDdiaSicgzbRmEUK0 -qQyS1c1tmyYUq2nmVm8AnOw6ipz5vC3uAxnwTyhPyjgP6cPh6oLDsEgmVK6Lg6Id -wEOCRSTUyzkBQId/TxwM+QA9vhvDvl9wWaIApRdAFveCYc7I8X3bxZOwgtcNQz0z -9LODGPqZKgzgvkMrcoLpenJ9avQmDHUfG+EQQ37minpfZRfhT1YhfPMlWxUt/19t -arjpSjtkAs74SJSJFG0UWh0LpafwVTdpokY2NXdJiaINkiqXFWJAOrc1vY7LHLmg -041iz+L+3QNJ+nSaZKc9YFemfeBhl6znN0Do3JIueaP5BsZcJjDc662kllxlj5fJ -euLpuyWye2plU5yLk8QOSpPowtKRbthtgTt9Tpg7K2/tDGPXOKyS3anXZRQLi+5W -wIGAIeOimunGVSW7m4UD8j2HJE1HxutZs8AvQ4BzkEJPUwQa03vEabuSzxkoWDk+ -hdu55KL9CkepUGbwd1ygIFT9LFewqnLqjLVuPPGidm/UekwoKZMWCmcCAwEAAaAA -MA0GCSqGSIb3DQEBCwUAA4ICAQBMzWOfKbrFFmtFTtGnkl2y1JsgAQ248Bi8UvKc -3Xsbtf2ZhwlIAvPXoN6p7snmshGw+V/Y54cc/Kirl9sl1ldK83pXXemzsCw6yzcp -tuthpediTWC++4SQ4p3SRx9dDe72wW+Etcl13nwjD1i29BB4IWMsAmmgdhg/nNTv -CVhWemypUgbmC6Lgtu7Bjd6laHLOnTlQWQGUO2xYXR4kQ/qIPyXNy5lI5Qu/jrkS -L4QJRBzC63ZT8UKnDqHjIh0LpoiXr3+Att8lCvu+Vg8oTHk6AlKoJiQ9Uw6jBbJz -E7OA20cgrMT37mOUIGClurp8+ezt0ZZozDNnWJ/AD3fVxWpMpuWuGJhGCy9CU0/b -X3TNlMMdhJmliCaFjfAOQa4DR8zOsjnGyT6FtKOISJXJ4o1gUPnzpQpW1PubjtnX -YaJWUy+Kag2abe5EhzjN5Kgexkc2eyn0iiiQJte1uMkYIgUioLDnYDD9VFA7gbU7 -KFCdmFyUKFOF7rjDY/eHIxNxHz3ST5FfoON1Hfk029tqOkt+Y3E6KXD/gvaiSdUb -RNe/LKJB9w/fFMicqVqgJiPPBlb7E0F5F2mLtQZD5KMSnVfIUppaKBzWOrekGcEN -/nguAl/VmDV1xruEi3NxK+Q3h0j6VIrzCS2ynyQMVvrV3Wkw3O0LOdRly9aL3d/x -QjzHgA== +MIICCgKCAgEAzGBdHh/WKEoQr5oOjm1DNOmkXT9fhhqbMiFAdJywhSjJByxaYHMW +JDN6lz/hX7nKE7eaHzCEhsH6ToeUv/NTe57Gtz4X6T3zLRAj8nQ4Gcfxjg/Knm7o +eLXv1uQQzuQLgjUXovn5qs4I2JHZfpQr0DQTYMsfWxXG/RqiHkKFv2+dxIhCb0un +ygeZCk6KctEIidTIrbxzhRp2llDcKloSsM961GqIUTK5FX8wg7UBEc82VSmGWgWm +TPGlYd2Po3PsQXL34NaiC+BbuUmdyq/1pzBH3b0LO6KXpd/D5BHhGqrvEu+RAg27 +7SsYi5bACw913JBHxzMbocfexIb+GCDP70UoxO658LRPSIDk79ChuLaNMDj95veE +klZYgXwVkZzIfEgrQWH9sxzXQNLJwpn0Njwid+Wo6enkbzOuTvwmXRAmOPZr2bcp +yWSemESaoWyY7t1hD1Fj9nO04aE9IHU8/evYQoKuh3lysXcc4FfHvo1wrdbDtcqS +yD03uttdPCBPRHK2EpsqW6A3nDQSBtKDpCdck599853yO1gDGi1iG2450ZlqNKNM +EiLn4L8dHbqH7kAPPjvgGvNtvKWfk42/4gG2YfdFnSoxDCUIrgvIJxmgzYpADRuc +4zeuqwJ+mL3yNrtVzeTbUXmhmu9pNp13pw5JE84cSaUMwkxTQdGTD8kCAwEAAaAA +MA0GCSqGSIb3DQEBCwUAA4ICAQCyHf8qEy3uRb+JT8BGoZF3hRqFNM7Nz4m19F/m +xPlzZ2pU+YAuYQ8PHqvo1Cnjq6lUK2dGMK0Pjpr1cqj1f1v1xtFpnRA405ReuNSl +xKn4DtbnhfvfpyfWxwi7cZSSlI/SiBsLdfPO1B++h2m1AuuUSt9ENiwLsUJwxwXx +aqQC9IU6XiTHE0uxERWoXz6tNx9LsuWMa/eclxyKndJIvirQLU2Nol40mRJvS3ok +MDQEeDlUbWjNwPAqfpLXuGEJZf6vBqLTXDxDEB4RGrSyRznDxwDoCqg58RiGyZoG +MiXjU+ydFf/KbpGXP2sV2cnzvixSLjE7tX7STMxsa0FSCw/1JG6XnpIwKams1lIC +5q6PjgURkZ6QtmaJv35xAPmtlr10H7ETm4iAvtKLHD6p7tdGZyQc4enDggmhiyrv +mQHEokFu0Gs5XhIliTtADIlw1KE91oRo/GDH+4Tnfjf8emvuDjkZtbhCFTN/UFT+ +yqUj2XrZvo205KipTv5OpN5PMW+Gwu6fNFZEPF99L79IM4B6e2xNDAIhhA/JR5cO +EfoaFJDvMNCG5VyUnd0RN30iV4VZzvxiixuqNswbUxfaFT0imX+N2xQCHPh6OiRc +GbeQGeU2Ha3rPNmc6rIvZGnSA/LUDiA/RWOLU18/H/Gd63wGa90U9LJKdSeJRSwW +lOxnIw== -----END CERTIFICATE REQUEST----- diff --git a/server/configs/tls-authz-on-raft.yaml b/server/configs/tls-authz-on-raft.yaml new file mode 100644 index 00000000..42083f40 --- /dev/null +++ b/server/configs/tls-authz-on-raft.yaml @@ -0,0 +1,15 @@ +host: 0.0.0.0 +port: 5050 +tls: + key: ./configs/certs/server/server-key.pem + cert: ./configs/certs/server/server-cert.pem + client.auth.enabled: true + client.auth.ca: ./configs/certs/ca-cert.pem + client.authz.enabled: true + +logging.level: error +clustering: + server.id: a + namespace: a + raft.bootstrap.seed: true +nats.embedded: true diff --git a/server/fsm.go b/server/fsm.go index 71f163ce..820eefc7 100644 --- a/server/fsm.go +++ b/server/fsm.go @@ -240,6 +240,25 @@ func (s *Server) apply(log *proto.RaftLog, index uint64, recovered bool) (interf } case proto.Op_PUBLISH_ACTIVITY: s.activity.SetLastPublishedRaftIndex(log.PublishActivityOp.RaftIndex) + case proto.Op_ADD_POLICY: + var ( + userID = log.AddPolicyOp.Policy.UserId + resourceID = log.AddPolicyOp.Policy.ResourceId + action = log.AddPolicyOp.Policy.Action + ) + + if err := s.applyAddPolicy(userID, resourceID, action); err != nil { + return nil, err + } + case proto.Op_REVOKE_POLICY: + var ( + userID = log.RevokePolicyOp.Policy.UserId + resourceID = log.RevokePolicyOp.Policy.ResourceId + action = log.RevokePolicyOp.Policy.Action + ) + if err := s.applyRevokePolicy(userID, resourceID, action); err != nil { + return nil, err + } default: return nil, fmt.Errorf("Unknown Raft operation: %s", log.Op) } @@ -607,3 +626,49 @@ func (s *Server) applyChangeConsumerGroupCoordinator(groupID, coordinator string s.logger.Debugf("fsm: Changed coordinator for consumer group %s to %s", groupID, coordinator) return nil } + +// applyAddPolicy add an ACL-style authorization policy to the existing authzEnforcer +// on the server +func (s *Server) applyAddPolicy(userID, resourceID, action string) error { + + // If authorization is not activated somehow, Raft replication must continue + // without throwing error or panic. Error thrown will block Raft replication process. + if s.authzEnforcer == nil { + s.logger.Warn("fsm: no authorization instance is initiated on this server") + return nil + } + + s.authzEnforcer.authzLock.Lock() + defer s.authzEnforcer.authzLock.Unlock() + + _, err := s.authzEnforcer.enforcer.AddPolicy(userID, resourceID, action) + + if err != nil { + return err + } + + return nil +} + +// applyRevokePolicy removes an existing ACL-style authorization policy from authzEnforcer +// on the server +func (s *Server) applyRevokePolicy(userID, resourceID, action string) error { + + // If authorization is not activated somehow, Raft replication must continue + // without throwing error or panic. Error thrown will block Raft replication process. + if s.authzEnforcer == nil { + s.logger.Warn("fsm: no authorization instance is initiated on this server") + return nil + } + + s.authzEnforcer.authzLock.Lock() + defer s.authzEnforcer.authzLock.Unlock() + + _, err := s.authzEnforcer.enforcer.RemovePolicy(userID, resourceID, action) + + if err != nil { + return err + } + + return nil +} diff --git a/server/fsm_test.go b/server/fsm_test.go index 8b4df448..8cf58b73 100644 --- a/server/fsm_test.go +++ b/server/fsm_test.go @@ -8,6 +8,7 @@ import ( "testing" "time" + "github.com/casbin/casbin/v2" lift "github.com/liftbridge-io/go-liftbridge/v2" "github.com/stretchr/testify/require" ) @@ -119,3 +120,85 @@ func TestTombstoneStreamsOnRestart(t *testing.T) { _, err = os.Stat(filepath.Join(s1Config.DataDir, "streams", "foo")) require.True(t, os.IsNotExist(err)) } + +// TestApplyAddPolicy ensures a policy can be added via FSM. +// FSM, upon receiving a Raft log related to policy, would attempt to apply +// the Raft opertation. +func TestApplyAddPolicy(t *testing.T) { + // Configure the server as a seed. + s1Config := getTestConfig("a", true, 5050) + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + // Wait to elect self as leader. + getMetadataLeader(t, 10*time.Second, s1) + + // Monkey-patch authorization instance for metadata server + policyEnforcer, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + s1.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + // Add policies via fsm + s1.applyAddPolicy("a", "b", "read") + + // Expect policy is added + policy := s1.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, [][]string{{"a", "b", "read"}}, policy) +} + +// TestApplyAddPolicy ensures a policy can be revoked via FSM. +// FSM, upon receiving a Raft log related to policy, would attempt to apply +// the Raft opertation. +func TestApplyRevokePolicy(t *testing.T) { + // Configure the server as a seed. + s1Config := getTestConfig("a", true, 5050) + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + // Wait to elect self as leader. + getMetadataLeader(t, 10*time.Second, s1) + + // Monkey-patch authorization instance for metadata server + policyEnforcer, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + + _, err = policyEnforcer.AddPolicies([][]string{{"a", "b", "read"}, {"c", "d", "write"}}) + require.NoError(t, err) + + s1.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + // Revoke policy via fsm + s1.applyRevokePolicy("a", "b", "read") + + // Expect policy is revoked + policy := s1.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, [][]string{{"c", "d", "write"}}, policy) +} + +// TestAddRevokePolicyNoFailure ensures that FSM will not throw panic or error +// when processing AddPolicy or RevokePolicy Raft log, even when the server +// does not have authorization enabled. Note: Normally, the server should be configured +// to have Authorization enabled to use this feature. However, in case it does not, it should +// not block the Raft replication protocol. +func TestAddRevokePolicyNoFailure(t *testing.T) { + // Configure the server as a seed. + s1Config := getTestConfig("a", true, 5050) + s1 := runServerWithConfig(t, s1Config) + defer s1.Stop() + + // Wait to elect self as leader. + getMetadataLeader(t, 10*time.Second, s1) + + // Monkey-patch authzEnforcer to be nil + s1.authzEnforcer = nil + + // Apply Raft log to AddPolicy + err := s1.applyAddPolicy("a", "b", "read") + // Expect no failure + require.NoError(t, err) + + // Apply Raft log to RevokePolicy + err = s1.applyRevokePolicy("a", "b", "read") + // Expect no failure + require.NoError(t, err) +} diff --git a/server/metadata.go b/server/metadata.go index 0736c782..283dcaca 100644 --- a/server/metadata.go +++ b/server/metadata.go @@ -939,6 +939,103 @@ func (m *metadataAPI) createConsumerGroup(ctx context.Context, req *proto.JoinCo return coordinator, nil } +// AddPolicy adds an ACL style authorization policy to the cluster. +// If the server is not the leader, the request will be propagated to the metadata leader +func (m *metadataAPI) AddPolicy(ctx context.Context, req *proto.AddPolicyOp) *status.Status { + // Forward the request if we're not the leader. + if !m.IsLeader() { + isLeader, st := m.propagateAddPolicy(ctx, req) + if st != nil { + return st + } + // If we have since become leader, continue on with the request. + if !isLeader { + return nil + } + } + + // Add policy request + op := &proto.RaftLog{ + Op: proto.Op_ADD_POLICY, + AddPolicyOp: req, + } + + // Wait on result of replication. + future, err := m.getRaft().applyOperation(ctx, op, func(op *proto.RaftLog) error { return nil }) + if err != nil { + code := codes.FailedPrecondition + return status.New(code, err.Error()) + } + if err := future.Error(); err != nil { + return status.Newf(codes.Internal, "Failed to add policy to cluster: %v", err.Error()) + } + + return nil +} + +// RevokePolicy removes an ACL style authorization policy to the cluster. +// If the server is not the leader, the request will be propagated to the metadata leader +func (m *metadataAPI) RevokePolicy(ctx context.Context, req *proto.RevokePolicyOp) *status.Status { + // Forward the request if we're not the leader. + if !m.IsLeader() { + isLeader, st := m.propagateRevokePolicy(ctx, req) + if st != nil { + return st + } + // If we have since become leader, continue on with the request. + if !isLeader { + return nil + } + } + + // Revoke policy request + op := &proto.RaftLog{ + Op: proto.Op_REVOKE_POLICY, + RevokePolicyOp: req, + } + + // Wait on result of replication. + future, err := m.getRaft().applyOperation(ctx, op, func(op *proto.RaftLog) error { return nil }) + if err != nil { + code := codes.FailedPrecondition + return status.New(code, err.Error()) + } + if err := future.Error(); err != nil { + return status.Newf(codes.Internal, "Failed to remove policy from cluster: %v", err.Error()) + } + + return nil +} + +// ListPolicy returns all existing ACL policies from the cluster. +func (m *metadataAPI) ListPolicy(ctx context.Context, req *client.ListPolicyRequest) (*client.ListPolicyResponse, *status.Status) { + resp := &client.ListPolicyResponse{Policies: make(map[int32]*client.ACLPolicy)} + + if m.Server.authzEnforcer == nil { + m.logger.Debug("metadata: no authorization instance is initiated on this server") + return resp, status.New(codes.FailedPrecondition, "no authorization instance is initiated on this server") + } + + m.Server.authzEnforcer.authzLock.RLock() + defer m.Server.authzEnforcer.authzLock.RUnlock() + + policies := m.Server.authzEnforcer.enforcer.GetPolicy() + + for i, policy := range policies { + + // A correctly formatted policy should be an array of 3 element, in a strict order: User, Resource, Action. + // Normally, if the policy is added or revoked via metadata's api, this should not happen. + if len(policy) != 3 { + m.logger.Warn("Policy is not correctly formatted", policy) + continue + } + + resp.Policies[int32(i)] = &client.ACLPolicy{ + UserId: policy[0], ResourceId: policy[1], Action: policy[2]} + } + return resp, nil +} + // AddConsumerGroup adds the given consumer group to the metadata store. It // returns an error if a consumer group with the same ID already exists. func (m *metadataAPI) AddConsumerGroup(protoGroup *proto.ConsumerGroup, recovered bool) (*consumerGroup, error) { @@ -1830,6 +1927,36 @@ func (m *metadataAPI) propagateReportGroupCoordinator(ctx context.Context, req * return isLeader, status } +// propagateAddPolicy forwards a AddPolicyOp request to +// the metadata leader. The bool indicates if this server has since become +// leader and the request should be performed locally. A Status is returned if +// the propagated request failed. +func (m *metadataAPI) propagateAddPolicy(ctx context.Context, req *proto.AddPolicyOp) ( + bool, *status.Status) { + + propagate := &proto.PropagatedRequest{ + Op: proto.Op_ADD_POLICY, + AddPolicyOp: req, + } + _, isLeader, status := m.propagateRequest(ctx, propagate) + return isLeader, status +} + +// propagateRevokePolicy forwards a RevokePolicyOp request to +// the metadata leader. The bool indicates if this server has since become +// leader and the request should be performed locally. A Status is returned if +// the propagated request failed. +func (m *metadataAPI) propagateRevokePolicy(ctx context.Context, req *proto.RevokePolicyOp) ( + bool, *status.Status) { + + propagate := &proto.PropagatedRequest{ + Op: proto.Op_REVOKE_POLICY, + RevokePolicyOp: req, + } + _, isLeader, status := m.propagateRequest(ctx, propagate) + return isLeader, status +} + // propagateRequest forwards a metadata request to the metadata leader. The // bool indicates if this server has since become leader and the request should // be performed locally. A Status is returned if the propagated request failed. diff --git a/server/metadata_test.go b/server/metadata_test.go index 43dff06f..c1f885b4 100644 --- a/server/metadata_test.go +++ b/server/metadata_test.go @@ -2,9 +2,11 @@ package server import ( "context" + "errors" "testing" "time" + "github.com/casbin/casbin/v2" client "github.com/liftbridge-io/liftbridge-api/go" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" @@ -595,3 +597,288 @@ func TestMetadataSelectPartitionLeader(t *testing.T) { leader = metadata.selectPartitionLeader(replicas) require.Equal(t, "a", leader) } + +// TestMetadataAddPolicy ensure that leader node can add ACL policies. +func TestMetadataAddPolicy(t *testing.T) { + defer cleanupStorage(t) + + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + // wait for metadata leader + leader := getMetadataLeader(t, 10*time.Second, s1) + require.NotNil(t, leader) + + metadata := newMetadataAPI(leader) + defer metadata.Reset() + + // Moneky-patch authorization instance for metadata server + policyEnforcer, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + metadata.Server.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + // AddPolicy via leader + status := metadata.AddPolicy(context.Background(), + &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + + require.Equal(t, codes.OK, status.Code()) + s1Policies := s1.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, 1, len(s1Policies)) + +} + +// TestMetadataAddPolicyPropagate ensures that a follower server can propagate AddPolicy request to leader +func TestMetadataAddPolicyPropagate(t *testing.T) { + defer cleanupStorage(t) + + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + s2 := New(getTestConfig("b", false, 0)) + require.NoError(t, s2.Start()) + defer s2.Stop() + + // Monkey-patch authorization instance for metadata server 1 + policyEnforcerS1, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + + s1.authzEnforcer = &authzEnforcer{enforcer: policyEnforcerS1} + + // Monkey-patch authorization instance for metadata server 2 + policyEnforcerS2, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + + s2.authzEnforcer = &authzEnforcer{enforcer: policyEnforcerS2} + + // wait for metadata leader + leader := getMetadataLeader(t, 10*time.Second, s1, s2) + + var metadata = &metadataAPI{} + if leader == s1 { + metadata = newMetadataAPI(s2) + } else { + metadata = newMetadataAPI(s1) + } + defer metadata.Reset() + + // AddPolicy via follower + status := metadata.AddPolicy(context.Background(), + &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + // Expect Raft log is replicated without errors + require.Equal(t, codes.OK, status.Code()) + + // Wait until all servers fully apply RaftLog on FSM + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s1) + require.NoError(t, err) + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 1, s2) + require.NoError(t, err) + + // Expect the policy is present in both leader and follower node + expectedPolicies := []string{"a", "b", "read"} + + s1Policies := s1.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, expectedPolicies, s1Policies[0]) + + s2Policies := s2.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, expectedPolicies, s2Policies[0]) +} + +// TestMetadataRevokePolicy ensure that leader node can remove ACL policy +func TestMetadataRevokePolicy(t *testing.T) { + defer cleanupStorage(t) + + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + // wait for metadata leader + leader := getMetadataLeader(t, 10*time.Second, s1) + require.NotNil(t, leader) + + // Revoke a policy via leader + metadata := newMetadataAPI(leader) + defer metadata.Reset() + + // Moneky-patch authorization instance for metadata server + policyEnforcer, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + policyEnforcer.AddPolicy("a", "b", "read") + metadata.Server.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + // Revoke the policy + status := metadata.RevokePolicy(context.Background(), + &proto.RevokePolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + + // Expect the policy to be successfully revoked + require.Equal(t, codes.OK, status.Code()) + s1Policies := s1.authzEnforcer.enforcer.GetPolicy() + require.Equal(t, 0, len(s1Policies)) +} + +// TestMetadataRevokePolicyPropagate ensures that a follower server can propagate RevokePolicy request to leader +func TestMetadataRevokePolicyPropagate(t *testing.T) { + defer cleanupStorage(t) + + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + s2 := New(getTestConfig("b", false, 0)) + require.NoError(t, s2.Start()) + defer s2.Stop() + + // Monkey-patch authorization instance for metadata server 1 + policyEnforcerS1, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + policyEnforcerS1.AddPolicy("a", "b", "read") + s1.authzEnforcer = &authzEnforcer{enforcer: policyEnforcerS1} + + // Monkey-patch authorization instance for metadata server 2 + policyEnforcerS2, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + policyEnforcerS2.AddPolicy("a", "b", "read") + s2.authzEnforcer = &authzEnforcer{enforcer: policyEnforcerS2} + + // wait for metadata leader + leader := getMetadataLeader(t, 10*time.Second, s1, s2) + + var metadata = &metadataAPI{} + if leader == s1 { + metadata = newMetadataAPI(s2) + } else { + metadata = newMetadataAPI(s1) + } + defer metadata.Reset() + + // RevokePolicy via follower + status := metadata.RevokePolicy(context.Background(), + &proto.RevokePolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + // Expect Raft log is replicated without errors + require.Equal(t, codes.OK, status.Code()) + + // Expect the policy is revoked in both leader and follower node + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 0, s1) + require.NoError(t, err) + err = waitUntilAuthorizationLogAppliedOnFSM(t, 5*time.Second, 0, s2) + require.NoError(t, err) + +} + +// TestMetadataListPolicy ensures that all existing ACL policies can be retrieved from metadata api. +func TestMetadataListPolicy(t *testing.T) { + defer cleanupStorage(t) + + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + // wait for metadata leader + getMetadataLeader(t, 10*time.Second, s1) + metadata := newMetadataAPI(s1) + defer metadata.Reset() + + // Monkey-patch authorization instance for metadata server + policyEnforcer, err := casbin.NewEnforcer("./configs/authz/model.conf") + require.NoError(t, err) + + // Add policies + _, err = policyEnforcer.AddPolicies([][]string{{"a", "b", "read"}, {"c", "d", "write"}}) + require.NoError(t, err) + metadata.Server.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + // Add a policy + status := metadata.AddPolicy(context.Background(), + &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + + require.Equal(t, codes.OK, status.Code()) + + // Add a second policy + status = metadata.AddPolicy(context.Background(), + &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: "c", + ResourceId: "d", + Action: "write"}}) + + require.Equal(t, codes.OK, status.Code()) + + // Retrieve all policies + allPoliciesResp, status := metadata.ListPolicy(context.Background(), &client.ListPolicyRequest{}) + require.Equal(t, codes.OK, status.Code()) + + expectedPolicies := make(map[int32]*client.ACLPolicy) + expectedPolicies[0] = &client.ACLPolicy{UserId: "a", ResourceId: "b", Action: "read"} + expectedPolicies[1] = &client.ACLPolicy{UserId: "c", ResourceId: "d", Action: "write"} + + require.Equal(t, allPoliciesResp.Policies, expectedPolicies) +} + +// TestRaftReplicationOnServerWithoutAuthz makes sure that no Raft replication would fail, +// even when an AddPolicy and RevokePolicy log is received on a server without authorization enabled. +// I.e: Given a server with authorization deactivated, once a Raft log for add policy and revoke policy is received, +// it will not throw panic or error. This is to ensure that RaftLog for authorization has no effect +// on the availability of the cluster +func TestRaftReplicationOnServerWithoutAuthz(t *testing.T) { + s1 := New(getTestConfig("a", true, 0)) + require.NoError(t, s1.Start()) + defer s1.Stop() + + getMetadataLeader(t, 10*time.Second, s1) + + metadata := newMetadataAPI(s1) + defer metadata.Reset() + + // Disable authorization on this server + metadata.Server.authzEnforcer = nil + + // Add a policy + status := metadata.AddPolicy(context.Background(), + &proto.AddPolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + + // No effect on Raft replication + require.Equal(t, codes.OK, status.Code()) + + // Revoke policy + status = metadata.RevokePolicy(context.Background(), + &proto.RevokePolicyOp{Policy: &proto.Policy{ + UserId: "a", + ResourceId: "b", + Action: "read"}}) + + // No effect on Raft replication + require.Equal(t, codes.OK, status.Code()) +} + +// waitUntilAuthorizationLogAppliedOnFSM waits for the given server to fully apply authorization RaftLog. +// After a given time-out period, an error is returned to indicate the authorization RaftLog has not +// been fully applied on the given server's FSM. +func waitUntilAuthorizationLogAppliedOnFSM(t *testing.T, timeout time.Duration, size int, s *Server) error { + deadline := time.Now().Add(timeout) + for time.Now().Before(deadline) { + authorizationPolicies := s.authzEnforcer.enforcer.GetPolicy() + if len(authorizationPolicies) == size { + return nil + } + time.Sleep(15 * time.Millisecond) + } + return errors.New("Authorization Raft log is not applied on the given server") +} diff --git a/server/propagation.go b/server/propagation.go index 60169b13..328c10f4 100644 --- a/server/propagation.go +++ b/server/propagation.go @@ -53,6 +53,10 @@ func (s *Server) handlePropagatedRequest(m *nats.Msg) { resp = s.handleLeaveConsumerGroup(req) case proto.Op_REPORT_CONSUMER_GROUP_COORDINATOR: resp = s.handleReportConsumerGroupCoordinator(req) + case proto.Op_ADD_POLICY: + resp = s.handleAddPolicy(req) + case proto.Op_REVOKE_POLICY: + resp = s.handleRevokePolicy(req) default: s.logger.Warnf("Unknown propagated request operation: %s", req.Op) return @@ -181,3 +185,23 @@ func (s *Server) handleReportConsumerGroupCoordinator(req *proto.PropagatedReque } return resp } + +func (s *Server) handleAddPolicy(req *proto.PropagatedRequest) *proto.PropagatedResponse { + resp := &proto.PropagatedResponse{ + Op: req.Op, + } + if err := s.metadata.AddPolicy(context.Background(), req.AddPolicyOp); err != nil { + resp.Error = &proto.Error{Code: uint32(err.Code()), Msg: err.Message()} + } + return resp +} + +func (s *Server) handleRevokePolicy(req *proto.PropagatedRequest) *proto.PropagatedResponse { + resp := &proto.PropagatedResponse{ + Op: req.Op, + } + if err := s.metadata.RevokePolicy(context.Background(), req.RevokePolicyOp); err != nil { + resp.Error = &proto.Error{Code: uint32(err.Code()), Msg: err.Message()} + } + return resp +} diff --git a/server/protocol/internal.pb.go b/server/protocol/internal.pb.go index da4f2a46..dd59765a 100644 --- a/server/protocol/internal.pb.go +++ b/server/protocol/internal.pb.go @@ -1,5 +1,5 @@ // Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: server/protocol/internal.proto +// source: internal.proto package protocol @@ -40,6 +40,8 @@ const ( Op_LEAVE_CONSUMER_GROUP Op = 12 Op_REPORT_CONSUMER_GROUP_COORDINATOR Op = 13 Op_CHANGE_CONSUMER_GROUP_COORDINATOR Op = 14 + Op_ADD_POLICY Op = 15 + Op_REVOKE_POLICY Op = 16 ) var Op_name = map[int32]string{ @@ -58,6 +60,8 @@ var Op_name = map[int32]string{ 12: "LEAVE_CONSUMER_GROUP", 13: "REPORT_CONSUMER_GROUP_COORDINATOR", 14: "CHANGE_CONSUMER_GROUP_COORDINATOR", + 15: "ADD_POLICY", + 16: "REVOKE_POLICY", } var Op_value = map[string]int32{ @@ -76,6 +80,8 @@ var Op_value = map[string]int32{ "LEAVE_CONSUMER_GROUP": 12, "REPORT_CONSUMER_GROUP_COORDINATOR": 13, "CHANGE_CONSUMER_GROUP_COORDINATOR": 14, + "ADD_POLICY": 15, + "REVOKE_POLICY": 16, } func (x Op) String() string { @@ -83,7 +89,7 @@ func (x Op) String() string { } func (Op) EnumDescriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{0} + return fileDescriptor_41f4a519b878ee3b, []int{0} } type ServerState struct { @@ -97,7 +103,7 @@ func (m *ServerState) Reset() { *m = ServerState{} } func (m *ServerState) String() string { return proto.CompactTextString(m) } func (*ServerState) ProtoMessage() {} func (*ServerState) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{0} + return fileDescriptor_41f4a519b878ee3b, []int{0} } func (m *ServerState) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -148,6 +154,8 @@ type RaftLog struct { JoinConsumerGroupOp *JoinConsumerGroupOp `protobuf:"bytes,12,opt,name=joinConsumerGroupOp,proto3" json:"joinConsumerGroupOp,omitempty"` LeaveConsumerGroupOp *LeaveConsumerGroupOp `protobuf:"bytes,13,opt,name=leaveConsumerGroupOp,proto3" json:"leaveConsumerGroupOp,omitempty"` ChangeConsumerGroupCoordinatorOp *ChangeConsumerGroupCoordinatorOp `protobuf:"bytes,14,opt,name=changeConsumerGroupCoordinatorOp,proto3" json:"changeConsumerGroupCoordinatorOp,omitempty"` + AddPolicyOp *AddPolicyOp `protobuf:"bytes,15,opt,name=addPolicyOp,proto3" json:"addPolicyOp,omitempty"` + RevokePolicyOp *RevokePolicyOp `protobuf:"bytes,16,opt,name=revokePolicyOp,proto3" json:"revokePolicyOp,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -157,7 +165,7 @@ func (m *RaftLog) Reset() { *m = RaftLog{} } func (m *RaftLog) String() string { return proto.CompactTextString(m) } func (*RaftLog) ProtoMessage() {} func (*RaftLog) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{1} + return fileDescriptor_41f4a519b878ee3b, []int{1} } func (m *RaftLog) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -284,6 +292,20 @@ func (m *RaftLog) GetChangeConsumerGroupCoordinatorOp() *ChangeConsumerGroupCoor return nil } +func (m *RaftLog) GetAddPolicyOp() *AddPolicyOp { + if m != nil { + return m.AddPolicyOp + } + return nil +} + +func (m *RaftLog) GetRevokePolicyOp() *RevokePolicyOp { + if m != nil { + return m.RevokePolicyOp + } + return nil +} + type CreateStreamOp struct { Stream *Stream `protobuf:"bytes,1,opt,name=stream,proto3" json:"stream,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -295,7 +317,7 @@ func (m *CreateStreamOp) Reset() { *m = CreateStreamOp{} } func (m *CreateStreamOp) String() string { return proto.CompactTextString(m) } func (*CreateStreamOp) ProtoMessage() {} func (*CreateStreamOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{2} + return fileDescriptor_41f4a519b878ee3b, []int{2} } func (m *CreateStreamOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -346,7 +368,7 @@ func (m *ShrinkISROp) Reset() { *m = ShrinkISROp{} } func (m *ShrinkISROp) String() string { return proto.CompactTextString(m) } func (*ShrinkISROp) ProtoMessage() {} func (*ShrinkISROp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{3} + return fileDescriptor_41f4a519b878ee3b, []int{3} } func (m *ShrinkISROp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -425,7 +447,7 @@ func (m *ExpandISROp) Reset() { *m = ExpandISROp{} } func (m *ExpandISROp) String() string { return proto.CompactTextString(m) } func (*ExpandISROp) ProtoMessage() {} func (*ExpandISROp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{4} + return fileDescriptor_41f4a519b878ee3b, []int{4} } func (m *ExpandISROp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -500,7 +522,7 @@ func (m *DeleteStreamOp) Reset() { *m = DeleteStreamOp{} } func (m *DeleteStreamOp) String() string { return proto.CompactTextString(m) } func (*DeleteStreamOp) ProtoMessage() {} func (*DeleteStreamOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{5} + return fileDescriptor_41f4a519b878ee3b, []int{5} } func (m *DeleteStreamOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -549,7 +571,7 @@ func (m *PauseStreamOp) Reset() { *m = PauseStreamOp{} } func (m *PauseStreamOp) String() string { return proto.CompactTextString(m) } func (*PauseStreamOp) ProtoMessage() {} func (*PauseStreamOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{6} + return fileDescriptor_41f4a519b878ee3b, []int{6} } func (m *PauseStreamOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -611,7 +633,7 @@ func (m *ResumeStreamOp) Reset() { *m = ResumeStreamOp{} } func (m *ResumeStreamOp) String() string { return proto.CompactTextString(m) } func (*ResumeStreamOp) ProtoMessage() {} func (*ResumeStreamOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{7} + return fileDescriptor_41f4a519b878ee3b, []int{7} } func (m *ResumeStreamOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -669,7 +691,7 @@ func (m *ReportLeaderOp) Reset() { *m = ReportLeaderOp{} } func (m *ReportLeaderOp) String() string { return proto.CompactTextString(m) } func (*ReportLeaderOp) ProtoMessage() {} func (*ReportLeaderOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{8} + return fileDescriptor_41f4a519b878ee3b, []int{8} } func (m *ReportLeaderOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -746,7 +768,7 @@ func (m *ChangeLeaderOp) Reset() { *m = ChangeLeaderOp{} } func (m *ChangeLeaderOp) String() string { return proto.CompactTextString(m) } func (*ChangeLeaderOp) ProtoMessage() {} func (*ChangeLeaderOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{9} + return fileDescriptor_41f4a519b878ee3b, []int{9} } func (m *ChangeLeaderOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -810,7 +832,7 @@ func (m *ReportConsumerGroupCoordinatorOp) Reset() { *m = ReportConsumer func (m *ReportConsumerGroupCoordinatorOp) String() string { return proto.CompactTextString(m) } func (*ReportConsumerGroupCoordinatorOp) ProtoMessage() {} func (*ReportConsumerGroupCoordinatorOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{10} + return fileDescriptor_41f4a519b878ee3b, []int{10} } func (m *ReportConsumerGroupCoordinatorOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -879,7 +901,7 @@ func (m *ChangeConsumerGroupCoordinatorOp) Reset() { *m = ChangeConsumer func (m *ChangeConsumerGroupCoordinatorOp) String() string { return proto.CompactTextString(m) } func (*ChangeConsumerGroupCoordinatorOp) ProtoMessage() {} func (*ChangeConsumerGroupCoordinatorOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{11} + return fileDescriptor_41f4a519b878ee3b, []int{11} } func (m *ChangeConsumerGroupCoordinatorOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -933,7 +955,7 @@ func (m *PublishActivityOp) Reset() { *m = PublishActivityOp{} } func (m *PublishActivityOp) String() string { return proto.CompactTextString(m) } func (*PublishActivityOp) ProtoMessage() {} func (*PublishActivityOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{12} + return fileDescriptor_41f4a519b878ee3b, []int{12} } func (m *PublishActivityOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -982,7 +1004,7 @@ func (m *SetStreamReadonlyOp) Reset() { *m = SetStreamReadonlyOp{} } func (m *SetStreamReadonlyOp) String() string { return proto.CompactTextString(m) } func (*SetStreamReadonlyOp) ProtoMessage() {} func (*SetStreamReadonlyOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{13} + return fileDescriptor_41f4a519b878ee3b, []int{13} } func (m *SetStreamReadonlyOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1043,7 +1065,7 @@ func (m *CreateConsumerGroupOp) Reset() { *m = CreateConsumerGroupOp{} } func (m *CreateConsumerGroupOp) String() string { return proto.CompactTextString(m) } func (*CreateConsumerGroupOp) ProtoMessage() {} func (*CreateConsumerGroupOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{14} + return fileDescriptor_41f4a519b878ee3b, []int{14} } func (m *CreateConsumerGroupOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1092,7 +1114,7 @@ func (m *JoinConsumerGroupOp) Reset() { *m = JoinConsumerGroupOp{} } func (m *JoinConsumerGroupOp) String() string { return proto.CompactTextString(m) } func (*JoinConsumerGroupOp) ProtoMessage() {} func (*JoinConsumerGroupOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{15} + return fileDescriptor_41f4a519b878ee3b, []int{15} } func (m *JoinConsumerGroupOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1155,7 +1177,7 @@ func (m *LeaveConsumerGroupOp) Reset() { *m = LeaveConsumerGroupOp{} } func (m *LeaveConsumerGroupOp) String() string { return proto.CompactTextString(m) } func (*LeaveConsumerGroupOp) ProtoMessage() {} func (*LeaveConsumerGroupOp) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{16} + return fileDescriptor_41f4a519b878ee3b, []int{16} } func (m *LeaveConsumerGroupOp) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1205,6 +1227,166 @@ func (m *LeaveConsumerGroupOp) GetExpired() bool { return false } +// Policy represents an ACL-style policy +type Policy struct { + UserId string `protobuf:"bytes,1,opt,name=userId,proto3" json:"userId,omitempty"` + ResourceId string `protobuf:"bytes,2,opt,name=resourceId,proto3" json:"resourceId,omitempty"` + Action string `protobuf:"bytes,3,opt,name=action,proto3" json:"action,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Policy) Reset() { *m = Policy{} } +func (m *Policy) String() string { return proto.CompactTextString(m) } +func (*Policy) ProtoMessage() {} +func (*Policy) Descriptor() ([]byte, []int) { + return fileDescriptor_41f4a519b878ee3b, []int{17} +} +func (m *Policy) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *Policy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_Policy.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *Policy) XXX_Merge(src proto.Message) { + xxx_messageInfo_Policy.Merge(m, src) +} +func (m *Policy) XXX_Size() int { + return m.Size() +} +func (m *Policy) XXX_DiscardUnknown() { + xxx_messageInfo_Policy.DiscardUnknown(m) +} + +var xxx_messageInfo_Policy proto.InternalMessageInfo + +func (m *Policy) GetUserId() string { + if m != nil { + return m.UserId + } + return "" +} + +func (m *Policy) GetResourceId() string { + if m != nil { + return m.ResourceId + } + return "" +} + +func (m *Policy) GetAction() string { + if m != nil { + return m.Action + } + return "" +} + +// AddPolicyOp adds an ACL-style policy +type AddPolicyOp struct { + Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *AddPolicyOp) Reset() { *m = AddPolicyOp{} } +func (m *AddPolicyOp) String() string { return proto.CompactTextString(m) } +func (*AddPolicyOp) ProtoMessage() {} +func (*AddPolicyOp) Descriptor() ([]byte, []int) { + return fileDescriptor_41f4a519b878ee3b, []int{18} +} +func (m *AddPolicyOp) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *AddPolicyOp) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_AddPolicyOp.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *AddPolicyOp) XXX_Merge(src proto.Message) { + xxx_messageInfo_AddPolicyOp.Merge(m, src) +} +func (m *AddPolicyOp) XXX_Size() int { + return m.Size() +} +func (m *AddPolicyOp) XXX_DiscardUnknown() { + xxx_messageInfo_AddPolicyOp.DiscardUnknown(m) +} + +var xxx_messageInfo_AddPolicyOp proto.InternalMessageInfo + +func (m *AddPolicyOp) GetPolicy() *Policy { + if m != nil { + return m.Policy + } + return nil +} + +// RevokePolicyOp removes an ACL-style policy +type RevokePolicyOp struct { + Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *RevokePolicyOp) Reset() { *m = RevokePolicyOp{} } +func (m *RevokePolicyOp) String() string { return proto.CompactTextString(m) } +func (*RevokePolicyOp) ProtoMessage() {} +func (*RevokePolicyOp) Descriptor() ([]byte, []int) { + return fileDescriptor_41f4a519b878ee3b, []int{19} +} +func (m *RevokePolicyOp) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RevokePolicyOp) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_RevokePolicyOp.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *RevokePolicyOp) XXX_Merge(src proto.Message) { + xxx_messageInfo_RevokePolicyOp.Merge(m, src) +} +func (m *RevokePolicyOp) XXX_Size() int { + return m.Size() +} +func (m *RevokePolicyOp) XXX_DiscardUnknown() { + xxx_messageInfo_RevokePolicyOp.DiscardUnknown(m) +} + +var xxx_messageInfo_RevokePolicyOp proto.InternalMessageInfo + +func (m *RevokePolicyOp) GetPolicy() *Policy { + if m != nil { + return m.Policy + } + return nil +} + type NullableInt64 struct { Value int64 `protobuf:"varint,1,opt,name=value,proto3" json:"value,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -1216,7 +1398,7 @@ func (m *NullableInt64) Reset() { *m = NullableInt64{} } func (m *NullableInt64) String() string { return proto.CompactTextString(m) } func (*NullableInt64) ProtoMessage() {} func (*NullableInt64) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{17} + return fileDescriptor_41f4a519b878ee3b, []int{20} } func (m *NullableInt64) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1263,7 +1445,7 @@ func (m *NullableInt32) Reset() { *m = NullableInt32{} } func (m *NullableInt32) String() string { return proto.CompactTextString(m) } func (*NullableInt32) ProtoMessage() {} func (*NullableInt32) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{18} + return fileDescriptor_41f4a519b878ee3b, []int{21} } func (m *NullableInt32) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1310,7 +1492,7 @@ func (m *NullableBool) Reset() { *m = NullableBool{} } func (m *NullableBool) String() string { return proto.CompactTextString(m) } func (*NullableBool) ProtoMessage() {} func (*NullableBool) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{19} + return fileDescriptor_41f4a519b878ee3b, []int{22} } func (m *NullableBool) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1369,7 +1551,7 @@ func (m *StreamConfig) Reset() { *m = StreamConfig{} } func (m *StreamConfig) String() string { return proto.CompactTextString(m) } func (*StreamConfig) ProtoMessage() {} func (*StreamConfig) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{20} + return fileDescriptor_41f4a519b878ee3b, []int{23} } func (m *StreamConfig) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1504,7 +1686,7 @@ func (m *Stream) Reset() { *m = Stream{} } func (m *Stream) String() string { return proto.CompactTextString(m) } func (*Stream) ProtoMessage() {} func (*Stream) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{21} + return fileDescriptor_41f4a519b878ee3b, []int{24} } func (m *Stream) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1590,7 +1772,7 @@ func (m *Partition) Reset() { *m = Partition{} } func (m *Partition) String() string { return proto.CompactTextString(m) } func (*Partition) ProtoMessage() {} func (*Partition) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{22} + return fileDescriptor_41f4a519b878ee3b, []int{25} } func (m *Partition) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1715,7 +1897,7 @@ func (m *Consumer) Reset() { *m = Consumer{} } func (m *Consumer) String() string { return proto.CompactTextString(m) } func (*Consumer) ProtoMessage() {} func (*Consumer) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{23} + return fileDescriptor_41f4a519b878ee3b, []int{26} } func (m *Consumer) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1772,7 +1954,7 @@ func (m *ConsumerGroup) Reset() { *m = ConsumerGroup{} } func (m *ConsumerGroup) String() string { return proto.CompactTextString(m) } func (*ConsumerGroup) ProtoMessage() {} func (*ConsumerGroup) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{24} + return fileDescriptor_41f4a519b878ee3b, []int{27} } func (m *ConsumerGroup) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1842,7 +2024,7 @@ func (m *RaftJoinRequest) Reset() { *m = RaftJoinRequest{} } func (m *RaftJoinRequest) String() string { return proto.CompactTextString(m) } func (*RaftJoinRequest) ProtoMessage() {} func (*RaftJoinRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{25} + return fileDescriptor_41f4a519b878ee3b, []int{28} } func (m *RaftJoinRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1897,7 +2079,7 @@ func (m *RaftJoinResponse) Reset() { *m = RaftJoinResponse{} } func (m *RaftJoinResponse) String() string { return proto.CompactTextString(m) } func (*RaftJoinResponse) ProtoMessage() {} func (*RaftJoinResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{26} + return fileDescriptor_41f4a519b878ee3b, []int{29} } func (m *RaftJoinResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1945,7 +2127,7 @@ func (m *MetadataSnapshot) Reset() { *m = MetadataSnapshot{} } func (m *MetadataSnapshot) String() string { return proto.CompactTextString(m) } func (*MetadataSnapshot) ProtoMessage() {} func (*MetadataSnapshot) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{27} + return fileDescriptor_41f4a519b878ee3b, []int{30} } func (m *MetadataSnapshot) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2001,7 +2183,7 @@ func (m *ReplicationRequest) Reset() { *m = ReplicationRequest{} } func (m *ReplicationRequest) String() string { return proto.CompactTextString(m) } func (*ReplicationRequest) ProtoMessage() {} func (*ReplicationRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{28} + return fileDescriptor_41f4a519b878ee3b, []int{31} } func (m *ReplicationRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2062,7 +2244,7 @@ func (m *LeaderEpochOffsetRequest) Reset() { *m = LeaderEpochOffsetReque func (m *LeaderEpochOffsetRequest) String() string { return proto.CompactTextString(m) } func (*LeaderEpochOffsetRequest) ProtoMessage() {} func (*LeaderEpochOffsetRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{29} + return fileDescriptor_41f4a519b878ee3b, []int{32} } func (m *LeaderEpochOffsetRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2109,7 +2291,7 @@ func (m *LeaderEpochOffsetResponse) Reset() { *m = LeaderEpochOffsetResp func (m *LeaderEpochOffsetResponse) String() string { return proto.CompactTextString(m) } func (*LeaderEpochOffsetResponse) ProtoMessage() {} func (*LeaderEpochOffsetResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{30} + return fileDescriptor_41f4a519b878ee3b, []int{33} } func (m *LeaderEpochOffsetResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2158,6 +2340,8 @@ type PropagatedRequest struct { JoinConsumerGroupOp *JoinConsumerGroupOp `protobuf:"bytes,10,opt,name=joinConsumerGroupOp,proto3" json:"joinConsumerGroupOp,omitempty"` LeaveConsumerGroupOp *LeaveConsumerGroupOp `protobuf:"bytes,11,opt,name=leaveConsumerGroupOp,proto3" json:"leaveConsumerGroupOp,omitempty"` ReportConsumerGroupCoordinatorOp *ReportConsumerGroupCoordinatorOp `protobuf:"bytes,12,opt,name=reportConsumerGroupCoordinatorOp,proto3" json:"reportConsumerGroupCoordinatorOp,omitempty"` + AddPolicyOp *AddPolicyOp `protobuf:"bytes,13,opt,name=addPolicyOp,proto3" json:"addPolicyOp,omitempty"` + RevokePolicyOp *RevokePolicyOp `protobuf:"bytes,14,opt,name=revokePolicyOp,proto3" json:"revokePolicyOp,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -2167,7 +2351,7 @@ func (m *PropagatedRequest) Reset() { *m = PropagatedRequest{} } func (m *PropagatedRequest) String() string { return proto.CompactTextString(m) } func (*PropagatedRequest) ProtoMessage() {} func (*PropagatedRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{31} + return fileDescriptor_41f4a519b878ee3b, []int{34} } func (m *PropagatedRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2280,6 +2464,20 @@ func (m *PropagatedRequest) GetReportConsumerGroupCoordinatorOp() *ReportConsume return nil } +func (m *PropagatedRequest) GetAddPolicyOp() *AddPolicyOp { + if m != nil { + return m.AddPolicyOp + } + return nil +} + +func (m *PropagatedRequest) GetRevokePolicyOp() *RevokePolicyOp { + if m != nil { + return m.RevokePolicyOp + } + return nil +} + type Error struct { Code uint32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"` Msg string `protobuf:"bytes,2,opt,name=msg,proto3" json:"msg,omitempty"` @@ -2292,7 +2490,7 @@ func (m *Error) Reset() { *m = Error{} } func (m *Error) String() string { return proto.CompactTextString(m) } func (*Error) ProtoMessage() {} func (*Error) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{32} + return fileDescriptor_41f4a519b878ee3b, []int{35} } func (m *Error) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2348,7 +2546,7 @@ func (m *PropagatedResponse) Reset() { *m = PropagatedResponse{} } func (m *PropagatedResponse) String() string { return proto.CompactTextString(m) } func (*PropagatedResponse) ProtoMessage() {} func (*PropagatedResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{33} + return fileDescriptor_41f4a519b878ee3b, []int{36} } func (m *PropagatedResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2422,7 +2620,7 @@ func (m *PropagatedResponse_JoinConsumerGroupResponse) String() string { } func (*PropagatedResponse_JoinConsumerGroupResponse) ProtoMessage() {} func (*PropagatedResponse_JoinConsumerGroupResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{33, 0} + return fileDescriptor_41f4a519b878ee3b, []int{36, 0} } func (m *PropagatedResponse_JoinConsumerGroupResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2476,7 +2674,7 @@ func (m *ServerInfoRequest) Reset() { *m = ServerInfoRequest{} } func (m *ServerInfoRequest) String() string { return proto.CompactTextString(m) } func (*ServerInfoRequest) ProtoMessage() {} func (*ServerInfoRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{34} + return fileDescriptor_41f4a519b878ee3b, []int{37} } func (m *ServerInfoRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2525,7 +2723,7 @@ func (m *ServerInfoResponse) Reset() { *m = ServerInfoResponse{} } func (m *ServerInfoResponse) String() string { return proto.CompactTextString(m) } func (*ServerInfoResponse) ProtoMessage() {} func (*ServerInfoResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{35} + return fileDescriptor_41f4a519b878ee3b, []int{38} } func (m *ServerInfoResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2587,7 +2785,7 @@ func (m *PartitionStatusRequest) Reset() { *m = PartitionStatusRequest{} func (m *PartitionStatusRequest) String() string { return proto.CompactTextString(m) } func (*PartitionStatusRequest) ProtoMessage() {} func (*PartitionStatusRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{36} + return fileDescriptor_41f4a519b878ee3b, []int{39} } func (m *PartitionStatusRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2642,7 +2840,7 @@ func (m *PartitionStatusResponse) Reset() { *m = PartitionStatusResponse func (m *PartitionStatusResponse) String() string { return proto.CompactTextString(m) } func (*PartitionStatusResponse) ProtoMessage() {} func (*PartitionStatusResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{37} + return fileDescriptor_41f4a519b878ee3b, []int{40} } func (m *PartitionStatusResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2697,7 +2895,7 @@ func (m *PartitionNotification) Reset() { *m = PartitionNotification{} } func (m *PartitionNotification) String() string { return proto.CompactTextString(m) } func (*PartitionNotification) ProtoMessage() {} func (*PartitionNotification) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{38} + return fileDescriptor_41f4a519b878ee3b, []int{41} } func (m *PartitionNotification) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2754,7 +2952,7 @@ func (m *Cursor) Reset() { *m = Cursor{} } func (m *Cursor) String() string { return proto.CompactTextString(m) } func (*Cursor) ProtoMessage() {} func (*Cursor) Descriptor() ([]byte, []int) { - return fileDescriptor_7d9410777bf851c3, []int{39} + return fileDescriptor_41f4a519b878ee3b, []int{42} } func (m *Cursor) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2830,6 +3028,9 @@ func init() { proto.RegisterType((*CreateConsumerGroupOp)(nil), "protocol.CreateConsumerGroupOp") proto.RegisterType((*JoinConsumerGroupOp)(nil), "protocol.JoinConsumerGroupOp") proto.RegisterType((*LeaveConsumerGroupOp)(nil), "protocol.LeaveConsumerGroupOp") + proto.RegisterType((*Policy)(nil), "protocol.Policy") + proto.RegisterType((*AddPolicyOp)(nil), "protocol.AddPolicyOp") + proto.RegisterType((*RevokePolicyOp)(nil), "protocol.RevokePolicyOp") proto.RegisterType((*NullableInt64)(nil), "protocol.NullableInt64") proto.RegisterType((*NullableInt32)(nil), "protocol.NullableInt32") proto.RegisterType((*NullableBool)(nil), "protocol.NullableBool") @@ -2856,135 +3057,143 @@ func init() { proto.RegisterType((*Cursor)(nil), "protocol.Cursor") } -func init() { proto.RegisterFile("server/protocol/internal.proto", fileDescriptor_7d9410777bf851c3) } - -var fileDescriptor_7d9410777bf851c3 = []byte{ - // 1997 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x58, 0x5f, 0x6f, 0x1b, 0x4b, - 0x15, 0xbf, 0xb6, 0x63, 0xc7, 0x3e, 0x4e, 0x5c, 0x67, 0x9a, 0xa4, 0x6e, 0xe9, 0x0d, 0x61, 0xa1, - 0x52, 0xa8, 0x2e, 0xad, 0x48, 0xaf, 0x8a, 0x40, 0x80, 0x70, 0x9d, 0xa5, 0xdd, 0x7b, 0x1d, 0x3b, - 0x1a, 0x3b, 0x15, 0x17, 0xa1, 0x1b, 0x6d, 0x76, 0xc7, 0xce, 0x96, 0xf5, 0xce, 0x32, 0x3b, 0x8e, - 0xd2, 0x0f, 0xc0, 0x37, 0xe0, 0x01, 0x10, 0x2f, 0x3c, 0xf1, 0x41, 0x78, 0x81, 0x37, 0x1e, 0x79, - 0xbc, 0x2a, 0x5f, 0x80, 0x8f, 0x80, 0x66, 0x76, 0xf6, 0xbf, 0xed, 0x08, 0x87, 0x07, 0xa4, 0xfb, - 0xb6, 0xe7, 0xcc, 0xef, 0xfc, 0x9b, 0x39, 0x73, 0xce, 0xd9, 0x81, 0x83, 0x80, 0xb0, 0x6b, 0xc2, - 0x9e, 0xfb, 0x8c, 0x72, 0x6a, 0x51, 0xf7, 0xb9, 0xe3, 0x71, 0xc2, 0x3c, 0xd3, 0x7d, 0x26, 0x39, - 0xa8, 0x1e, 0x2d, 0x68, 0xdf, 0x85, 0xe6, 0x48, 0x62, 0x47, 0xdc, 0xe4, 0x04, 0x3d, 0x82, 0x7a, - 0x28, 0x6a, 0x9c, 0x74, 0x4a, 0x87, 0xa5, 0xa3, 0x06, 0x8e, 0x69, 0xed, 0xdf, 0x9b, 0xb0, 0x89, - 0xcd, 0x09, 0xef, 0xd3, 0x29, 0x7a, 0x0c, 0x65, 0xea, 0x4b, 0x44, 0xeb, 0x78, 0xeb, 0x59, 0xa4, - 0xed, 0xd9, 0xd0, 0xc7, 0x65, 0xea, 0xa3, 0x9f, 0x41, 0xcb, 0x62, 0xc4, 0xe4, 0x64, 0xc4, 0x19, - 0x31, 0x67, 0x43, 0xbf, 0x53, 0x3e, 0x2c, 0x1d, 0x35, 0x8f, 0x3b, 0x09, 0xb2, 0x97, 0x59, 0xc7, - 0x39, 0x3c, 0xfa, 0x01, 0x34, 0x83, 0x2b, 0xe6, 0x78, 0xbf, 0x36, 0x46, 0x78, 0xe8, 0x77, 0x2a, - 0x52, 0x7c, 0x2f, 0x11, 0x1f, 0x25, 0x8b, 0x38, 0x8d, 0x94, 0xa6, 0xaf, 0x4c, 0x6f, 0x4a, 0xfa, - 0xc4, 0xb4, 0x09, 0x1b, 0xfa, 0x9d, 0x8d, 0x82, 0xe9, 0xcc, 0x3a, 0xce, 0xe1, 0x85, 0x69, 0x72, - 0xe3, 0x9b, 0x9e, 0x1d, 0x9a, 0xae, 0xe6, 0x4d, 0xeb, 0xc9, 0x22, 0x4e, 0x23, 0x85, 0x69, 0x9b, - 0xb8, 0x24, 0x15, 0x75, 0x2d, 0x6f, 0xfa, 0x24, 0xb3, 0x8e, 0x73, 0x78, 0xf4, 0x13, 0xd8, 0xf6, - 0xcd, 0x79, 0x90, 0x28, 0xd8, 0x94, 0x0a, 0x1e, 0x24, 0x0a, 0xce, 0xd2, 0xcb, 0x38, 0x8b, 0x16, - 0x0e, 0x30, 0x12, 0xcc, 0x67, 0x89, 0x7c, 0x3d, 0xef, 0x00, 0xce, 0xac, 0xe3, 0x1c, 0x1e, 0x19, - 0xb0, 0xe3, 0xcf, 0x2f, 0x5d, 0x27, 0xb8, 0xea, 0x5a, 0xdc, 0xb9, 0x76, 0xf8, 0xfb, 0xa1, 0xdf, - 0x69, 0x48, 0x25, 0xdf, 0x48, 0x39, 0x91, 0x87, 0xe0, 0xa2, 0x14, 0x1a, 0xc2, 0xfd, 0x80, 0xf0, - 0x50, 0x33, 0x26, 0xa6, 0x4d, 0x3d, 0x57, 0x28, 0x03, 0xa9, 0xec, 0xe3, 0xd4, 0x49, 0x16, 0x41, - 0x78, 0x91, 0x24, 0x3a, 0x87, 0xbd, 0x30, 0x49, 0x7a, 0xd4, 0x13, 0x4e, 0xb3, 0xd7, 0x8c, 0xce, - 0xfd, 0xa1, 0xdf, 0x69, 0x4a, 0x95, 0xdf, 0xcc, 0xe7, 0x56, 0x0e, 0x86, 0x17, 0x4b, 0x0b, 0x3f, - 0xdf, 0x51, 0xc7, 0xcb, 0x2b, 0xdd, 0xca, 0xfb, 0xf9, 0x59, 0x11, 0x84, 0x17, 0x49, 0x22, 0x0c, - 0xbb, 0x2e, 0x31, 0xaf, 0x0b, 0x6e, 0x6e, 0x4b, 0x8d, 0x07, 0x89, 0xc6, 0xfe, 0x02, 0x14, 0x5e, - 0x28, 0x8b, 0xae, 0xe1, 0x30, 0xcc, 0xd2, 0xcc, 0x42, 0x8f, 0x52, 0x66, 0x3b, 0x9e, 0xc9, 0xa9, - 0xc8, 0xf3, 0x96, 0xd4, 0xff, 0x34, 0x9f, 0xe7, 0xcb, 0x25, 0xf0, 0xad, 0x3a, 0xb5, 0x1f, 0x41, - 0x2b, 0x7b, 0x51, 0xd1, 0x11, 0xd4, 0x02, 0xf9, 0x2d, 0x2f, 0x7f, 0xf3, 0xb8, 0x9d, 0x3a, 0xc9, - 0xf0, 0xc4, 0xd4, 0xba, 0xf6, 0x97, 0x12, 0x34, 0x53, 0xd7, 0x14, 0xed, 0x67, 0x24, 0x1b, 0x11, - 0x0e, 0x3d, 0x86, 0x86, 0x6f, 0x32, 0xee, 0x70, 0x87, 0x7a, 0xb2, 0x4e, 0x54, 0x71, 0xc2, 0x40, - 0x47, 0x70, 0x8f, 0x11, 0xdf, 0x75, 0x2c, 0x73, 0x4c, 0x31, 0x99, 0xd1, 0x6b, 0x22, 0x8b, 0x41, - 0x03, 0xe7, 0xd9, 0x42, 0xbf, 0x2b, 0xef, 0xb0, 0xbc, 0xf1, 0x0d, 0xac, 0x28, 0x74, 0x08, 0xcd, - 0xf0, 0x4b, 0xf7, 0xa9, 0x75, 0x25, 0xef, 0xf3, 0x06, 0x4e, 0xb3, 0xb4, 0x3f, 0x97, 0xa0, 0x99, - 0xba, 0xd5, 0x6b, 0x7a, 0xaa, 0xc1, 0x56, 0xec, 0x52, 0xd7, 0xb6, 0x95, 0x9b, 0x19, 0xde, 0x1d, - 0x7c, 0x3c, 0x82, 0x56, 0xb6, 0x78, 0x2c, 0xf3, 0x52, 0x23, 0xb0, 0x9d, 0xa9, 0x12, 0x4b, 0xc3, - 0x39, 0x00, 0x88, 0xbd, 0x0f, 0x3a, 0xe5, 0xc3, 0xca, 0x51, 0x15, 0xa7, 0x38, 0x22, 0xdc, 0xb0, - 0x3c, 0x74, 0x5d, 0x57, 0x46, 0x53, 0xc7, 0x09, 0x43, 0x7b, 0x03, 0xad, 0x6c, 0x31, 0x59, 0xd7, - 0x8e, 0xf6, 0xc7, 0x92, 0x50, 0xe5, 0x53, 0xc6, 0xe3, 0x1a, 0xbc, 0xde, 0x09, 0x74, 0x60, 0x53, - 0xed, 0xb6, 0xda, 0xfc, 0x88, 0xbc, 0xc3, 0xbe, 0x7f, 0x09, 0xad, 0x6c, 0xbf, 0x58, 0xd3, 0xb7, - 0xc4, 0x83, 0x4a, 0xda, 0x03, 0xed, 0x77, 0x25, 0x38, 0x0c, 0x83, 0x5f, 0x7e, 0x0d, 0x45, 0x60, - 0x53, 0xc1, 0x35, 0x6c, 0x65, 0x33, 0x22, 0xc5, 0xde, 0x5a, 0x4a, 0xce, 0xb0, 0xa5, 0xd5, 0x06, - 0x4e, 0x71, 0x44, 0x80, 0x56, 0xa2, 0x4a, 0xd9, 0x4e, 0xb3, 0xd0, 0x2e, 0x54, 0x89, 0x0c, 0x7e, - 0x43, 0x06, 0x1f, 0x12, 0xda, 0x97, 0x70, 0x78, 0x5b, 0xf9, 0x58, 0xe1, 0x55, 0xce, 0x6a, 0xb9, - 0x60, 0x55, 0xfb, 0x3e, 0xec, 0x14, 0xba, 0x88, 0x4c, 0x38, 0x73, 0xc2, 0x0d, 0xcf, 0x26, 0x37, - 0x52, 0xe5, 0x06, 0x4e, 0x18, 0x9a, 0x03, 0xf7, 0x17, 0xf4, 0x8a, 0xb5, 0xb3, 0xfb, 0x11, 0xd4, - 0x99, 0xd2, 0xa2, 0x92, 0x3b, 0xa6, 0xb5, 0xb7, 0xb0, 0xb7, 0xb0, 0x87, 0x88, 0x06, 0x6d, 0xa5, - 0x59, 0xaa, 0x08, 0xa6, 0x1a, 0x74, 0x46, 0x02, 0x67, 0xd1, 0x22, 0x84, 0x05, 0x6d, 0xe4, 0x0e, - 0xc7, 0xdb, 0x81, 0xcd, 0x30, 0xdc, 0xa0, 0x53, 0x39, 0xac, 0x08, 0x49, 0x45, 0x6a, 0xef, 0x60, - 0x77, 0x51, 0x7f, 0xb9, 0x9b, 0x2d, 0x72, 0xe3, 0x3b, 0x8c, 0xd8, 0x6a, 0xbf, 0x22, 0x52, 0x7b, - 0x02, 0xdb, 0x83, 0xb9, 0xeb, 0x9a, 0x97, 0x2e, 0x31, 0x3c, 0xfe, 0xf2, 0x53, 0x91, 0x53, 0xd7, - 0xa6, 0x3b, 0x27, 0xd2, 0x44, 0x05, 0x87, 0x44, 0x0e, 0xf6, 0xe2, 0x38, 0x0b, 0xab, 0x46, 0xb0, - 0xef, 0xc0, 0x56, 0x04, 0x7b, 0x45, 0xa9, 0x9b, 0x45, 0xd5, 0x23, 0xd4, 0x1f, 0x36, 0x61, 0x2b, - 0xcc, 0x85, 0x1e, 0xf5, 0x26, 0xce, 0x14, 0xe9, 0xb0, 0xc3, 0x08, 0x27, 0x9e, 0x38, 0xdd, 0x53, - 0xf3, 0xe6, 0xd5, 0x7b, 0x4e, 0x82, 0xe2, 0xf1, 0x64, 0xfc, 0xc4, 0x45, 0x09, 0xf4, 0x39, 0xec, - 0xa6, 0x99, 0xa7, 0x24, 0x08, 0xcc, 0x29, 0x09, 0xd4, 0x00, 0xbb, 0x54, 0xd3, 0x42, 0x21, 0xd4, - 0x15, 0xcd, 0x2b, 0xe1, 0x77, 0xa7, 0x44, 0x4d, 0xb2, 0x4b, 0xf5, 0xe4, 0xf1, 0x42, 0x85, 0xe5, - 0x12, 0xd3, 0x23, 0xcc, 0x10, 0x23, 0xfc, 0xb5, 0xe9, 0xaa, 0x81, 0x76, 0xb9, 0x8a, 0x1c, 0x5e, - 0xa8, 0x08, 0xc8, 0x74, 0x46, 0x3c, 0x1e, 0xef, 0x4b, 0xf5, 0x16, 0x15, 0x39, 0xbc, 0xc8, 0xfb, - 0x84, 0x25, 0xc2, 0xa8, 0xad, 0x56, 0x90, 0x45, 0x8b, 0x4d, 0xb5, 0xe8, 0xcc, 0x37, 0x2d, 0xc1, - 0x78, 0x4d, 0x19, 0x9d, 0x73, 0xc7, 0x23, 0x41, 0x71, 0xbc, 0xcd, 0xe4, 0x07, 0x5e, 0x28, 0x84, - 0x7e, 0x0a, 0x2d, 0xc5, 0xd7, 0x3d, 0x81, 0xb5, 0xd5, 0x94, 0xbb, 0x5f, 0x54, 0x23, 0xf2, 0x07, - 0xe7, 0xd0, 0x22, 0x16, 0x73, 0xce, 0xa9, 0xec, 0x91, 0x63, 0x67, 0x46, 0xd4, 0x7c, 0xbb, 0x3c, - 0x96, 0x0c, 0x1a, 0xfd, 0x0a, 0x3e, 0x8e, 0x19, 0x27, 0x4e, 0x20, 0x71, 0x93, 0xd1, 0xfc, 0x32, - 0xb0, 0x98, 0x73, 0x49, 0x58, 0xa0, 0x26, 0xdc, 0x65, 0xde, 0xac, 0x16, 0x46, 0xcf, 0xa1, 0x36, - 0x73, 0x3c, 0x23, 0x60, 0x6a, 0xaa, 0x5d, 0xba, 0x37, 0x0a, 0x86, 0x7e, 0x09, 0x8f, 0xa9, 0xcf, - 0x9d, 0x99, 0x13, 0x70, 0xc7, 0xea, 0x51, 0xcf, 0x9a, 0x33, 0x46, 0x3c, 0xeb, 0x7d, 0x8f, 0x7a, - 0x9c, 0x51, 0x57, 0xcd, 0xb1, 0xcb, 0xbc, 0x59, 0x29, 0x8b, 0x5e, 0x02, 0x10, 0xcf, 0x62, 0xef, - 0x7d, 0xd9, 0xd2, 0xb6, 0x57, 0x6a, 0x4a, 0x21, 0xb5, 0xbf, 0x97, 0xa0, 0x16, 0xde, 0x4d, 0x84, - 0x60, 0xc3, 0x33, 0x67, 0x44, 0xd5, 0x1a, 0xf9, 0x2d, 0x8b, 0xd6, 0xfc, 0xf2, 0x1d, 0xb1, 0xb8, - 0xaa, 0x32, 0x11, 0x89, 0x5e, 0x64, 0x6a, 0xb6, 0xa8, 0x68, 0xcd, 0xe3, 0xfb, 0xe9, 0x9f, 0x1f, - 0xb5, 0x96, 0x29, 0xe4, 0xcf, 0xa0, 0x66, 0xc9, 0x12, 0xa0, 0x2e, 0xc6, 0x7e, 0x7e, 0x22, 0x0d, - 0x0b, 0x04, 0x56, 0x28, 0xf4, 0x09, 0xec, 0xc8, 0x3f, 0x01, 0x87, 0x7a, 0xe2, 0x40, 0x03, 0x6e, - 0xce, 0xc2, 0xbf, 0xbc, 0x0a, 0x2e, 0x2e, 0x68, 0x7f, 0x2d, 0x43, 0xe3, 0x2c, 0x3d, 0x61, 0x44, - 0xae, 0x97, 0xb2, 0xae, 0x27, 0x6d, 0xa8, 0x9c, 0x69, 0x43, 0x2d, 0x28, 0x3b, 0x61, 0xc1, 0xac, - 0xe2, 0xb2, 0x63, 0x8b, 0x6a, 0x26, 0x0b, 0xae, 0x1a, 0x44, 0x42, 0x42, 0xf8, 0xa4, 0x46, 0x15, - 0x61, 0xe6, 0xe7, 0xa6, 0x25, 0xda, 0x66, 0x55, 0x0a, 0x15, 0x17, 0xc2, 0xd6, 0x25, 0x99, 0x41, - 0xa7, 0x26, 0xcb, 0x7e, 0x4c, 0xa7, 0xe6, 0x8c, 0xcd, 0xcc, 0xa4, 0xd3, 0x86, 0x8a, 0x13, 0xb0, - 0x4e, 0x5d, 0xc2, 0xc5, 0x67, 0x7e, 0xf6, 0x69, 0x14, 0x66, 0x9f, 0x64, 0x34, 0x80, 0xd4, 0x68, - 0x20, 0x2c, 0xc8, 0xdf, 0x4e, 0x5b, 0xa6, 0x68, 0x1d, 0x2b, 0x2a, 0xd3, 0x50, 0xb7, 0x72, 0x0d, - 0xf5, 0x53, 0xa8, 0x47, 0x8d, 0x48, 0xed, 0x48, 0xb8, 0x7d, 0x62, 0x47, 0x52, 0x3d, 0xac, 0x9c, - 0xed, 0x61, 0xbf, 0x2d, 0xc1, 0x76, 0xa6, 0x7f, 0x15, 0x64, 0x3f, 0x81, 0xcd, 0x19, 0x99, 0xc9, - 0x6b, 0x57, 0x96, 0xd9, 0x82, 0x8a, 0x9d, 0x18, 0x47, 0x90, 0xb5, 0x87, 0x21, 0x1d, 0xee, 0x61, - 0x73, 0xc2, 0x45, 0xeb, 0xc6, 0xe4, 0x37, 0x73, 0x12, 0xc8, 0xe3, 0xf6, 0xa8, 0x4d, 0xe2, 0x57, - 0x12, 0x45, 0x89, 0x4d, 0x10, 0x5f, 0x5d, 0xdb, 0x8e, 0xc6, 0x9e, 0x98, 0xd6, 0x8e, 0xa0, 0x9d, - 0xa8, 0x09, 0x7c, 0xea, 0x05, 0x44, 0x1a, 0x64, 0x8c, 0x32, 0xa5, 0x26, 0x24, 0x34, 0x0a, 0xed, - 0x53, 0xc2, 0x4d, 0xdb, 0xe4, 0xe6, 0xc8, 0x33, 0xfd, 0xe0, 0x8a, 0x72, 0xf4, 0x34, 0xd9, 0xa6, - 0x92, 0x0c, 0xb5, 0xf8, 0xe7, 0x15, 0x01, 0x44, 0x15, 0x91, 0x79, 0x15, 0xed, 0xca, 0xd2, 0xf9, - 0x44, 0xc1, 0x34, 0x17, 0x10, 0x4e, 0xd2, 0x2c, 0x0a, 0x52, 0xfe, 0x00, 0x48, 0x6e, 0x1c, 0x67, - 0xc2, 0x10, 0x5b, 0x40, 0x27, 0x93, 0x80, 0x84, 0xb7, 0xb8, 0x82, 0x15, 0x95, 0xcf, 0xab, 0x4a, - 0x71, 0xa6, 0xfe, 0x31, 0x74, 0xfa, 0x09, 0x39, 0x94, 0x62, 0x91, 0xcd, 0x9c, 0x74, 0xa9, 0x28, - 0xfd, 0x43, 0x78, 0xb8, 0x40, 0x5a, 0xed, 0xe7, 0x63, 0x68, 0x10, 0xcf, 0x0e, 0x99, 0x6a, 0xfa, - 0x48, 0x18, 0xda, 0x3f, 0x6b, 0xb0, 0x73, 0xc6, 0xa8, 0x6f, 0x4e, 0x4d, 0x4e, 0xec, 0x24, 0xcc, - 0xff, 0xdf, 0xb7, 0x2c, 0x96, 0xf9, 0x2f, 0x2a, 0xbe, 0x65, 0x65, 0xff, 0x9b, 0x70, 0x0e, 0xff, - 0xb5, 0x7e, 0xcb, 0x5a, 0xf2, 0x00, 0xd5, 0x58, 0xfb, 0x01, 0x6a, 0xc9, 0x4b, 0x11, 0xfc, 0xcf, - 0x5f, 0x8a, 0x9a, 0x77, 0x7b, 0x29, 0x62, 0xb7, 0xfc, 0x4e, 0xaa, 0x99, 0xe0, 0x69, 0x3e, 0x8b, - 0x56, 0xbd, 0x14, 0xdd, 0xa6, 0x53, 0xfb, 0x1e, 0x54, 0x75, 0x51, 0xbb, 0x44, 0xc7, 0xb7, 0xa8, - 0x1d, 0x76, 0xfc, 0x6d, 0x2c, 0xbf, 0x45, 0xf3, 0x99, 0x05, 0x53, 0x55, 0x10, 0xc5, 0xa7, 0xf6, - 0xa7, 0x32, 0xa0, 0xf4, 0x4d, 0x8c, 0xaf, 0xef, 0xaa, 0xab, 0xf8, 0x24, 0x2a, 0x96, 0xe1, 0x0d, - 0xbc, 0x97, 0xca, 0x63, 0xc1, 0x56, 0xd5, 0x13, 0xb9, 0xb0, 0x57, 0xd8, 0x6d, 0x61, 0x41, 0xed, - 0xeb, 0xcb, 0x54, 0x06, 0x16, 0x3c, 0x28, 0x1e, 0x5e, 0xb4, 0x82, 0x17, 0x2b, 0x7d, 0x34, 0x82, - 0x87, 0x4b, 0x65, 0xf2, 0x1d, 0xa7, 0xb4, 0xa2, 0xe3, 0x94, 0xd3, 0x1d, 0xe7, 0xdb, 0xb0, 0x13, - 0xbe, 0xca, 0x1b, 0xde, 0x84, 0x46, 0x75, 0x2a, 0xd7, 0xfc, 0xb4, 0x3e, 0xa0, 0x34, 0x48, 0x99, - 0xcc, 0xb7, 0x48, 0x04, 0x1b, 0x57, 0x34, 0x88, 0x46, 0x2d, 0xf9, 0x2d, 0x78, 0xe2, 0x38, 0xd5, - 0x58, 0x22, 0xbf, 0xb5, 0x01, 0xec, 0xc7, 0x73, 0xce, 0x88, 0x9b, 0x7c, 0x1e, 0xa4, 0x7a, 0xdd, - 0x7f, 0xff, 0xe0, 0xa1, 0x9d, 0xc2, 0x83, 0x82, 0x3e, 0xe5, 0xe2, 0x3e, 0xd4, 0xc8, 0x8d, 0x13, - 0xf0, 0x40, 0xfd, 0xd2, 0x29, 0x4a, 0x34, 0x4f, 0x27, 0x08, 0x6b, 0x97, 0xd4, 0x57, 0xc7, 0x31, - 0xad, 0x9d, 0xc2, 0x5e, 0xac, 0x6e, 0x40, 0xb9, 0x33, 0x51, 0xbd, 0x6a, 0x4d, 0xef, 0x18, 0xd4, - 0x7a, 0x73, 0x16, 0x50, 0xb6, 0xe6, 0x73, 0xce, 0x23, 0xa8, 0x5b, 0x52, 0xde, 0x88, 0x1e, 0xfa, - 0x62, 0x3a, 0xd5, 0x18, 0x37, 0xd2, 0x8d, 0xf1, 0xe9, 0x57, 0x65, 0x28, 0x0f, 0x7d, 0xb4, 0x03, - 0xdb, 0x3d, 0xac, 0x77, 0xc7, 0xfa, 0xc5, 0x68, 0x8c, 0xf5, 0xee, 0x69, 0xfb, 0x23, 0xd4, 0x02, - 0x18, 0xbd, 0xc1, 0xc6, 0xe0, 0xf3, 0x0b, 0x63, 0x84, 0xdb, 0x25, 0x01, 0xc1, 0xfa, 0xd9, 0x10, - 0x8f, 0x2f, 0xfa, 0x7a, 0xf7, 0x44, 0xc7, 0xed, 0xb2, 0x94, 0x7a, 0xd3, 0x1d, 0xbc, 0xd6, 0x23, - 0x56, 0x45, 0x48, 0xe9, 0xbf, 0x38, 0xeb, 0x0e, 0x4e, 0xa4, 0xd4, 0x86, 0x80, 0x9c, 0xe8, 0x7d, - 0x3d, 0x51, 0x5c, 0x45, 0x6d, 0xd8, 0x3a, 0xeb, 0x9e, 0x8f, 0x62, 0x4e, 0x2d, 0x54, 0x3d, 0x3a, - 0x3f, 0x8d, 0x59, 0x9b, 0x68, 0x17, 0xda, 0x67, 0xe7, 0xaf, 0xfa, 0xc6, 0xe8, 0xcd, 0x45, 0xb7, - 0x37, 0x36, 0xde, 0x1a, 0xe3, 0x2f, 0xda, 0x75, 0xf4, 0x00, 0xee, 0x8f, 0xf4, 0xb1, 0x42, 0x5d, - 0x60, 0xbd, 0x7b, 0x32, 0x1c, 0xf4, 0xbf, 0x68, 0x37, 0xd0, 0x43, 0xd8, 0x53, 0xfe, 0xf7, 0x86, - 0x03, 0xa1, 0x09, 0x5f, 0xbc, 0xc6, 0xc3, 0xf3, 0xb3, 0x36, 0x08, 0x99, 0xcf, 0x86, 0xc6, 0x20, - 0xbf, 0xd0, 0x44, 0x1d, 0xd8, 0xed, 0xeb, 0xdd, 0xb7, 0x05, 0x91, 0x2d, 0xf4, 0x04, 0xbe, 0xa5, - 0x42, 0xcd, 0x2e, 0x5d, 0xf4, 0x86, 0x43, 0x7c, 0x62, 0x0c, 0xba, 0xe3, 0x21, 0x6e, 0x6f, 0x0b, - 0x98, 0x0a, 0x7f, 0x05, 0xac, 0xf5, 0xaa, 0xfd, 0xb7, 0x0f, 0x07, 0xa5, 0x7f, 0x7c, 0x38, 0x28, - 0x7d, 0xf5, 0xe1, 0xa0, 0xf4, 0xfb, 0x7f, 0x1d, 0x7c, 0x74, 0x59, 0x93, 0x97, 0xfd, 0xc5, 0x7f, - 0x02, 0x00, 0x00, 0xff, 0xff, 0x12, 0x70, 0xa0, 0xa5, 0x12, 0x1b, 0x00, 0x00, +func init() { proto.RegisterFile("internal.proto", fileDescriptor_41f4a519b878ee3b) } + +var fileDescriptor_41f4a519b878ee3b = []byte{ + // 2121 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x59, 0x5f, 0x6f, 0x1b, 0x4b, + 0x15, 0xbf, 0xb6, 0xe3, 0x7f, 0xc7, 0xb1, 0xe3, 0x4c, 0x93, 0x5c, 0xb7, 0xf4, 0x86, 0xb0, 0x50, + 0x29, 0x54, 0x97, 0x22, 0xd2, 0xab, 0x5e, 0x81, 0x00, 0xe1, 0xda, 0x4b, 0xbb, 0xb7, 0x8e, 0xd7, + 0x1a, 0x27, 0xd5, 0x2d, 0x42, 0x37, 0xda, 0xec, 0x4e, 0x92, 0xed, 0x5d, 0xef, 0x2c, 0xb3, 0xeb, + 0x28, 0x7d, 0x46, 0x7c, 0x03, 0x1e, 0x00, 0xf1, 0xc2, 0x13, 0x1f, 0x84, 0x17, 0x78, 0x43, 0xe2, + 0x0b, 0xa0, 0xf2, 0xc8, 0x97, 0x40, 0x33, 0x3b, 0xfb, 0xdf, 0x76, 0x54, 0x87, 0x07, 0x24, 0x9e, + 0xbc, 0xe7, 0xcc, 0xef, 0x9c, 0x39, 0x33, 0x73, 0xe6, 0xfc, 0x19, 0x43, 0xc7, 0x76, 0x03, 0xc2, + 0x5c, 0xc3, 0x79, 0xe2, 0x31, 0x1a, 0x50, 0xd4, 0x10, 0x3f, 0x26, 0x75, 0x94, 0xef, 0x42, 0x6b, + 0x4a, 0xd8, 0x35, 0x61, 0xd3, 0xc0, 0x08, 0x08, 0x7a, 0x00, 0x0d, 0x5f, 0x90, 0xda, 0xb0, 0x57, + 0x3a, 0x28, 0x1d, 0x36, 0x71, 0x4c, 0x2b, 0xff, 0x6e, 0x40, 0x1d, 0x1b, 0x17, 0xc1, 0x88, 0x5e, + 0xa2, 0x87, 0x50, 0xa6, 0x9e, 0x40, 0x74, 0x8e, 0x36, 0x9f, 0x44, 0xda, 0x9e, 0xe8, 0x1e, 0x2e, + 0x53, 0x0f, 0xfd, 0x0c, 0x3a, 0x26, 0x23, 0x46, 0x40, 0xa6, 0x01, 0x23, 0xc6, 0x4c, 0xf7, 0x7a, + 0xe5, 0x83, 0xd2, 0x61, 0xeb, 0xa8, 0x97, 0x20, 0x07, 0x99, 0x71, 0x9c, 0xc3, 0xa3, 0xcf, 0xa1, + 0xe5, 0x5f, 0x31, 0xdb, 0xfd, 0x5a, 0x9b, 0x62, 0xdd, 0xeb, 0x55, 0x84, 0xf8, 0x6e, 0x22, 0x3e, + 0x4d, 0x06, 0x71, 0x1a, 0x29, 0xa6, 0xbe, 0x32, 0xdc, 0x4b, 0x32, 0x22, 0x86, 0x45, 0x98, 0xee, + 0xf5, 0x36, 0x0a, 0x53, 0x67, 0xc6, 0x71, 0x0e, 0xcf, 0xa7, 0x26, 0x37, 0x9e, 0xe1, 0x5a, 0xe1, + 0xd4, 0xd5, 0xfc, 0xd4, 0x6a, 0x32, 0x88, 0xd3, 0x48, 0x3e, 0xb5, 0x45, 0x1c, 0x92, 0x5a, 0x75, + 0x2d, 0x3f, 0xf5, 0x30, 0x33, 0x8e, 0x73, 0x78, 0xf4, 0x13, 0x68, 0x7b, 0xc6, 0xdc, 0x4f, 0x14, + 0xd4, 0x85, 0x82, 0x8f, 0x13, 0x05, 0x93, 0xf4, 0x30, 0xce, 0xa2, 0xb9, 0x01, 0x8c, 0xf8, 0xf3, + 0x59, 0x22, 0xdf, 0xc8, 0x1b, 0x80, 0x33, 0xe3, 0x38, 0x87, 0x47, 0x1a, 0x6c, 0x7b, 0xf3, 0x73, + 0xc7, 0xf6, 0xaf, 0xfa, 0x66, 0x60, 0x5f, 0xdb, 0xc1, 0x3b, 0xdd, 0xeb, 0x35, 0x85, 0x92, 0x6f, + 0xa4, 0x8c, 0xc8, 0x43, 0x70, 0x51, 0x0a, 0xe9, 0x70, 0xcf, 0x27, 0x41, 0xa8, 0x19, 0x13, 0xc3, + 0xa2, 0xae, 0xc3, 0x95, 0x81, 0x50, 0xf6, 0x49, 0xea, 0x24, 0x8b, 0x20, 0xbc, 0x48, 0x12, 0x9d, + 0xc2, 0x6e, 0xe8, 0x24, 0x03, 0xea, 0x72, 0xa3, 0xd9, 0x0b, 0x46, 0xe7, 0x9e, 0xee, 0xf5, 0x5a, + 0x42, 0xe5, 0x37, 0xf3, 0xbe, 0x95, 0x83, 0xe1, 0xc5, 0xd2, 0xdc, 0xce, 0xb7, 0xd4, 0x76, 0xf3, + 0x4a, 0x37, 0xf3, 0x76, 0x7e, 0x51, 0x04, 0xe1, 0x45, 0x92, 0x08, 0xc3, 0x8e, 0x43, 0x8c, 0xeb, + 0x82, 0x99, 0x6d, 0xa1, 0x71, 0x3f, 0xd1, 0x38, 0x5a, 0x80, 0xc2, 0x0b, 0x65, 0xd1, 0x35, 0x1c, + 0x84, 0x5e, 0x9a, 0x19, 0x18, 0x50, 0xca, 0x2c, 0xdb, 0x35, 0x02, 0xca, 0xfd, 0xbc, 0x23, 0xf4, + 0x3f, 0xce, 0xfb, 0xf9, 0x72, 0x09, 0x7c, 0xab, 0x4e, 0x7e, 0x17, 0x0c, 0xcb, 0x9a, 0x50, 0xc7, + 0x36, 0xf9, 0xe1, 0x6d, 0xe5, 0xef, 0x42, 0x3f, 0x19, 0xc4, 0x69, 0x64, 0xe8, 0x8a, 0xd7, 0xf4, + 0x6b, 0x12, 0xcb, 0x76, 0x8b, 0xae, 0x98, 0x1e, 0xc7, 0x39, 0xbc, 0xf2, 0x23, 0xe8, 0x64, 0x63, + 0x04, 0x3a, 0x84, 0x9a, 0x2f, 0xbe, 0x45, 0xdc, 0x69, 0x1d, 0x75, 0x53, 0x4e, 0x14, 0x3a, 0x8b, + 0x1c, 0x57, 0xfe, 0x5c, 0x82, 0x56, 0x2a, 0x42, 0xa0, 0xbd, 0x8c, 0x64, 0x33, 0xc2, 0xa1, 0x87, + 0xd0, 0xf4, 0x0c, 0x16, 0xd8, 0x81, 0x4d, 0x5d, 0x11, 0xa2, 0xaa, 0x38, 0x61, 0xa0, 0x43, 0xd8, + 0x62, 0xc4, 0x73, 0x6c, 0xd3, 0x38, 0xa1, 0x98, 0xcc, 0xe8, 0x35, 0x11, 0x71, 0xa8, 0x89, 0xf3, + 0x6c, 0xae, 0xdf, 0x11, 0xe1, 0x43, 0x04, 0x9b, 0x26, 0x96, 0x14, 0x3a, 0x80, 0x56, 0xf8, 0xa5, + 0x7a, 0xd4, 0xbc, 0x12, 0xa1, 0x64, 0x03, 0xa7, 0x59, 0xca, 0x9f, 0x4a, 0xd0, 0x4a, 0x05, 0x94, + 0x35, 0x2d, 0x55, 0x60, 0x33, 0x36, 0xa9, 0x6f, 0x59, 0xd2, 0xcc, 0x0c, 0xef, 0x0e, 0x36, 0x1e, + 0x42, 0x27, 0x1b, 0xb7, 0x96, 0x59, 0xa9, 0x10, 0x68, 0x67, 0x02, 0xd4, 0xd2, 0xe5, 0xec, 0x03, + 0xc4, 0xd6, 0xfb, 0xbd, 0xf2, 0x41, 0xe5, 0xb0, 0x8a, 0x53, 0x1c, 0xbe, 0xdc, 0x30, 0x32, 0xf5, + 0x1d, 0x47, 0xac, 0xa6, 0x81, 0x13, 0x86, 0xf2, 0x12, 0x3a, 0xd9, 0x38, 0xb6, 0xee, 0x3c, 0xca, + 0x1f, 0x4a, 0x5c, 0x95, 0x47, 0x59, 0x10, 0x87, 0xff, 0xf5, 0x4e, 0xa0, 0x07, 0x75, 0xb9, 0xdb, + 0x72, 0xf3, 0x23, 0xf2, 0x0e, 0xfb, 0xfe, 0x15, 0x74, 0xb2, 0xa9, 0x6a, 0x4d, 0xdb, 0x12, 0x0b, + 0x2a, 0x69, 0x0b, 0x94, 0xdf, 0x96, 0xe0, 0x20, 0x5c, 0xfc, 0x8a, 0x08, 0xd0, 0x83, 0xfa, 0x25, + 0xe7, 0x6a, 0x96, 0x9c, 0x33, 0x22, 0xf9, 0xde, 0x9a, 0x52, 0x4e, 0xb3, 0xc4, 0xac, 0x4d, 0x9c, + 0xe2, 0xf0, 0x05, 0x9a, 0x89, 0x2a, 0x39, 0x77, 0x9a, 0x85, 0x76, 0xa0, 0x4a, 0xc4, 0xe2, 0x37, + 0xc4, 0xe2, 0x43, 0x42, 0xf9, 0x0a, 0x0e, 0x6e, 0x8b, 0x5c, 0x2b, 0xac, 0xca, 0xcd, 0x5a, 0x2e, + 0xcc, 0xaa, 0xfc, 0x00, 0xb6, 0x0b, 0x09, 0x4c, 0x38, 0x9c, 0x71, 0x11, 0x68, 0xae, 0x45, 0x6e, + 0x84, 0xca, 0x0d, 0x9c, 0x30, 0x14, 0x1b, 0xee, 0x2d, 0x48, 0x53, 0x6b, 0x7b, 0xf7, 0x03, 0x68, + 0x30, 0xa9, 0x45, 0x3a, 0x77, 0x4c, 0x2b, 0xaf, 0x61, 0x77, 0x61, 0xfa, 0xe2, 0xb5, 0x81, 0x99, + 0x66, 0xc9, 0x20, 0x98, 0xaa, 0x0d, 0x32, 0x12, 0x38, 0x8b, 0xe6, 0x4b, 0x58, 0x90, 0xc1, 0xee, + 0x70, 0xbc, 0x3d, 0xa8, 0x87, 0xcb, 0xf5, 0x7b, 0x95, 0x83, 0x0a, 0x97, 0x94, 0xa4, 0xf2, 0x16, + 0x76, 0x16, 0xa5, 0xb6, 0xbb, 0xcd, 0x45, 0x6e, 0x3c, 0x9b, 0x11, 0x4b, 0xee, 0x57, 0x44, 0x2a, + 0x5f, 0x42, 0x2d, 0xcc, 0x18, 0xfc, 0x30, 0xe6, 0xbe, 0x90, 0x97, 0x87, 0x11, 0x52, 0x5c, 0x37, + 0x23, 0x3e, 0x9d, 0x33, 0x93, 0x24, 0xba, 0x13, 0x0e, 0x97, 0x33, 0x4c, 0x71, 0x71, 0xe4, 0xed, + 0x08, 0x29, 0xe5, 0x73, 0x68, 0xa5, 0xb2, 0x1b, 0x4f, 0x3e, 0x9e, 0xf8, 0x2e, 0x26, 0x9f, 0x10, + 0x83, 0xe5, 0x38, 0x4f, 0x5c, 0xd9, 0xd4, 0xf6, 0x01, 0xb2, 0x8f, 0xa0, 0x3d, 0x9e, 0x3b, 0x8e, + 0x71, 0xee, 0x10, 0xcd, 0x0d, 0x9e, 0x7d, 0xc6, 0xaf, 0xc8, 0xb5, 0xe1, 0xcc, 0x89, 0x90, 0xac, + 0xe0, 0x90, 0xc8, 0xc1, 0x9e, 0x1e, 0x65, 0x61, 0xd5, 0x08, 0xf6, 0x1d, 0xd8, 0x8c, 0x60, 0xcf, + 0x29, 0x75, 0xb2, 0xa8, 0x46, 0x84, 0xfa, 0x7d, 0x1d, 0x36, 0x43, 0xd7, 0x1e, 0x50, 0xf7, 0xc2, + 0xbe, 0x44, 0x2a, 0x6c, 0x33, 0x12, 0x10, 0x97, 0x6f, 0xc3, 0xb1, 0x71, 0xf3, 0xfc, 0x5d, 0x40, + 0xfc, 0xa2, 0xb7, 0x65, 0xec, 0xc4, 0x45, 0x09, 0xf4, 0x0a, 0x76, 0xd2, 0xcc, 0x63, 0xe2, 0xfb, + 0xc6, 0x25, 0xf1, 0x65, 0x2b, 0xb0, 0x54, 0xd3, 0x42, 0x21, 0xd4, 0xe7, 0xb9, 0x38, 0xe1, 0xf7, + 0x2f, 0x89, 0xec, 0x09, 0x96, 0xea, 0xc9, 0xe3, 0xb9, 0x0a, 0xd3, 0x21, 0x86, 0x4b, 0x98, 0xc6, + 0x9b, 0xa1, 0x6b, 0xc3, 0x91, 0xad, 0xc1, 0x72, 0x15, 0x39, 0x3c, 0x57, 0xe1, 0x93, 0xcb, 0x19, + 0x71, 0x83, 0x78, 0x5f, 0xaa, 0xb7, 0xa8, 0xc8, 0xe1, 0xf9, 0x35, 0x4e, 0x58, 0x7c, 0x19, 0xb5, + 0xd5, 0x0a, 0xb2, 0x68, 0xbe, 0xa9, 0x26, 0x9d, 0x79, 0x86, 0xc9, 0x19, 0x2f, 0x28, 0xa3, 0xf3, + 0xc0, 0x76, 0x89, 0x5f, 0x6c, 0x14, 0x32, 0xfe, 0x81, 0x17, 0x0a, 0xa1, 0x9f, 0x42, 0x47, 0xf2, + 0x55, 0x97, 0x63, 0x2d, 0xd9, 0x2f, 0xec, 0x15, 0xd5, 0x70, 0xff, 0xc1, 0x39, 0x34, 0x5f, 0x8b, + 0x31, 0x0f, 0xa8, 0x48, 0xf9, 0x27, 0xf6, 0x8c, 0xc8, 0x4e, 0x61, 0xf9, 0x5a, 0x32, 0x68, 0xf4, + 0x4b, 0xf8, 0x24, 0x66, 0x0c, 0x6d, 0x5f, 0xe0, 0x2e, 0xa6, 0xf3, 0x73, 0xdf, 0x64, 0xf6, 0x39, + 0x61, 0xbe, 0xec, 0x15, 0x96, 0x59, 0xb3, 0x5a, 0x18, 0x7d, 0x1f, 0x6a, 0x33, 0xdb, 0xd5, 0x7c, + 0x26, 0xfb, 0x83, 0xa5, 0x7b, 0x23, 0x61, 0xe8, 0x17, 0xf0, 0x90, 0x7a, 0x81, 0x3d, 0xb3, 0xfd, + 0xc0, 0x36, 0x07, 0xd4, 0x35, 0xe7, 0x8c, 0x11, 0xd7, 0x7c, 0x37, 0xa0, 0x6e, 0xc0, 0xa8, 0x23, + 0x3b, 0x82, 0x65, 0xd6, 0xac, 0x94, 0x45, 0xcf, 0x00, 0x88, 0x6b, 0xb2, 0x77, 0x9e, 0x08, 0x34, + 0xed, 0x95, 0x9a, 0x52, 0x48, 0xe5, 0x6f, 0x25, 0xa8, 0x85, 0x77, 0x13, 0x21, 0xd8, 0x70, 0x8d, + 0x19, 0x91, 0xd1, 0x4d, 0x7c, 0x8b, 0x18, 0x3c, 0x3f, 0x7f, 0x4b, 0xcc, 0x40, 0x06, 0xb6, 0x88, + 0x44, 0x4f, 0x33, 0x29, 0x88, 0x07, 0xe8, 0xd6, 0xd1, 0xbd, 0x74, 0x1b, 0x29, 0xc7, 0x32, 0x79, + 0xe9, 0x09, 0xd4, 0x4c, 0x11, 0x02, 0xe4, 0xc5, 0xd8, 0xcb, 0x17, 0xd8, 0x61, 0x80, 0xc0, 0x12, + 0x85, 0x3e, 0x85, 0x6d, 0xd1, 0x53, 0xd9, 0xd4, 0xe5, 0x07, 0xea, 0x07, 0xc6, 0x2c, 0xec, 0x97, + 0x2b, 0xb8, 0x38, 0xa0, 0xfc, 0xa5, 0x0c, 0xcd, 0x49, 0xba, 0x60, 0x8a, 0x4c, 0x2f, 0x65, 0x4d, + 0x4f, 0xb2, 0x6a, 0x39, 0x93, 0x55, 0x3b, 0x50, 0xb6, 0xc3, 0xf8, 0x5f, 0xc5, 0x65, 0xdb, 0xe2, + 0xd1, 0x4c, 0xe4, 0x0f, 0x59, 0x57, 0x85, 0x04, 0xb7, 0x49, 0x56, 0x5e, 0x7c, 0x9a, 0x9f, 0x1b, + 0x26, 0xaf, 0x02, 0xaa, 0x42, 0xa8, 0x38, 0x10, 0x66, 0x62, 0xc1, 0xf4, 0x7b, 0x35, 0x91, 0xc5, + 0x62, 0x3a, 0x55, 0x36, 0xd5, 0x33, 0x85, 0x5b, 0x17, 0x2a, 0xb6, 0xcf, 0x7a, 0x0d, 0x01, 0xe7, + 0x9f, 0xf9, 0x52, 0xae, 0x59, 0x28, 0xe5, 0x92, 0x4a, 0x07, 0x52, 0x95, 0x0e, 0x9f, 0x41, 0x34, + 0xf0, 0x96, 0x70, 0xd1, 0x06, 0x96, 0x54, 0xa6, 0x3e, 0xd8, 0xcc, 0xd5, 0x07, 0x9f, 0x41, 0x23, + 0xca, 0xab, 0x72, 0x47, 0xc2, 0xed, 0xe3, 0x3b, 0x92, 0x4a, 0xc9, 0xe5, 0x6c, 0x4a, 0xfe, 0x4d, + 0x09, 0xda, 0x99, 0x74, 0x5c, 0x90, 0xfd, 0x14, 0xea, 0x33, 0x32, 0x13, 0xd7, 0xae, 0x2c, 0xbc, + 0x05, 0x15, 0x0b, 0x0b, 0x1c, 0x41, 0xd6, 0xae, 0xed, 0x54, 0xd8, 0xc2, 0xc6, 0x45, 0xc0, 0x2b, + 0x11, 0x4c, 0x7e, 0x35, 0x27, 0xbe, 0x38, 0x6e, 0x97, 0x5a, 0x24, 0x7e, 0x6f, 0x92, 0x14, 0xdf, + 0x04, 0xfe, 0xd5, 0xb7, 0xac, 0xa8, 0x8a, 0x8b, 0x69, 0xe5, 0x10, 0xba, 0x89, 0x1a, 0xdf, 0xa3, + 0xae, 0x4f, 0xc4, 0x84, 0x8c, 0x51, 0x26, 0xd5, 0x84, 0x84, 0x42, 0xa1, 0x7b, 0x4c, 0x02, 0xc3, + 0x32, 0x02, 0x63, 0xea, 0x1a, 0x9e, 0x7f, 0x45, 0x03, 0xf4, 0x38, 0xd9, 0xa6, 0x92, 0x58, 0x6a, + 0xb1, 0x91, 0x8c, 0x00, 0x3c, 0x8a, 0x08, 0xbf, 0x8a, 0x76, 0x65, 0x69, 0xb9, 0x25, 0x61, 0x8a, + 0x03, 0x08, 0x27, 0x6e, 0x16, 0x2d, 0x52, 0xf4, 0x33, 0x82, 0x1b, 0xaf, 0x33, 0x61, 0xf0, 0x2d, + 0xa0, 0x17, 0x17, 0x3e, 0x09, 0x6f, 0x71, 0x05, 0x4b, 0x2a, 0xef, 0x57, 0x95, 0x62, 0x8b, 0xf0, + 0x63, 0xe8, 0x8d, 0x12, 0x52, 0x17, 0x62, 0xd1, 0x9c, 0x39, 0xe9, 0x52, 0x51, 0xfa, 0x87, 0x70, + 0x7f, 0x81, 0xb4, 0xdc, 0xcf, 0x87, 0xd0, 0x24, 0xae, 0x15, 0x32, 0x65, 0xf5, 0x91, 0x30, 0x94, + 0x7f, 0xd4, 0x61, 0x7b, 0xc2, 0xa8, 0x67, 0x5c, 0x1a, 0x01, 0xb1, 0x92, 0x65, 0xfe, 0xef, 0xbe, + 0x0a, 0xb2, 0x4c, 0x9b, 0x57, 0x7c, 0x15, 0xcc, 0xb6, 0x81, 0x38, 0x87, 0xff, 0xbf, 0x7e, 0x15, + 0x5c, 0xf2, 0x94, 0xd7, 0x5c, 0xfb, 0x29, 0x6f, 0xc9, 0x9b, 0x1b, 0xfc, 0xd7, 0xdf, 0xdc, 0x5a, + 0x77, 0x7b, 0x73, 0x63, 0xb7, 0x74, 0xc7, 0xb2, 0x26, 0x78, 0x9c, 0xf7, 0xa2, 0x55, 0x6f, 0x6e, + 0xb7, 0xe9, 0xcc, 0xbf, 0xb9, 0xb5, 0xef, 0xf0, 0xe6, 0xd6, 0xf9, 0xc0, 0x37, 0xb7, 0xef, 0x41, + 0x55, 0xe5, 0x61, 0x93, 0x17, 0x1b, 0x26, 0xb5, 0xc2, 0x62, 0xa3, 0x8d, 0xc5, 0x37, 0xcf, 0x7b, + 0x33, 0xff, 0x52, 0xc6, 0x62, 0xfe, 0xa9, 0xfc, 0xb1, 0x0c, 0x28, 0x1d, 0x04, 0xe2, 0xc8, 0xb1, + 0x2a, 0x0a, 0x3c, 0x8a, 0xe2, 0x74, 0x78, 0xf9, 0xb7, 0x52, 0x57, 0x88, 0xb3, 0x65, 0xe0, 0x46, + 0x0e, 0xec, 0x16, 0x0e, 0x9a, 0xcf, 0x20, 0x8f, 0xf4, 0x59, 0xca, 0xf9, 0x0b, 0x16, 0x14, 0xfd, + 0x26, 0x1a, 0xc1, 0x8b, 0x95, 0x3e, 0x98, 0xc2, 0xfd, 0xa5, 0x32, 0xf9, 0x64, 0x57, 0x5a, 0x91, + 0xec, 0xca, 0xe9, 0x64, 0xf7, 0x6d, 0xd8, 0x0e, 0xff, 0x5a, 0xd1, 0xdc, 0x0b, 0x1a, 0x85, 0xc8, + 0x5c, 0xde, 0x55, 0x46, 0x80, 0xd2, 0x20, 0x39, 0x65, 0x3e, 0x3b, 0x23, 0xd8, 0xb8, 0xa2, 0x7e, + 0x54, 0xe5, 0x89, 0x6f, 0xce, 0xe3, 0x9e, 0x24, 0x2b, 0x22, 0xf1, 0xad, 0x8c, 0x61, 0x2f, 0x2e, + 0xb1, 0xa6, 0x81, 0x11, 0xcc, 0xfd, 0x54, 0x9a, 0xfd, 0xf0, 0xa7, 0x23, 0xe5, 0x18, 0x3e, 0x2e, + 0xe8, 0x93, 0x26, 0xee, 0x41, 0x8d, 0xdc, 0xd8, 0x7e, 0xe0, 0xcb, 0x6e, 0x52, 0x52, 0x3c, 0x6f, + 0xdb, 0x7e, 0x18, 0x36, 0x85, 0xbe, 0x06, 0x8e, 0x69, 0xe5, 0x18, 0x76, 0x63, 0x75, 0x63, 0x1a, + 0xd8, 0x17, 0x32, 0x4d, 0xae, 0x69, 0x1d, 0x83, 0xda, 0x60, 0xce, 0x7c, 0xca, 0xd6, 0x7c, 0x18, + 0x7b, 0x00, 0x0d, 0x53, 0xc8, 0x6b, 0xd1, 0x93, 0x69, 0x4c, 0xa7, 0x72, 0xf2, 0x46, 0x3a, 0x27, + 0x3f, 0xfe, 0x75, 0x05, 0xca, 0xba, 0x87, 0xb6, 0xa1, 0x3d, 0xc0, 0x6a, 0xff, 0x44, 0x3d, 0x9b, + 0x9e, 0x60, 0xb5, 0x7f, 0xdc, 0xfd, 0x08, 0x75, 0x00, 0xa6, 0x2f, 0xb1, 0x36, 0x7e, 0x75, 0xa6, + 0x4d, 0x71, 0xb7, 0xc4, 0x21, 0x58, 0x9d, 0xe8, 0xf8, 0xe4, 0x6c, 0xa4, 0xf6, 0x87, 0x2a, 0xee, + 0x96, 0x85, 0xd4, 0xcb, 0xfe, 0xf8, 0x85, 0x1a, 0xb1, 0x2a, 0x5c, 0x4a, 0xfd, 0x72, 0xd2, 0x1f, + 0x0f, 0x85, 0xd4, 0x06, 0x87, 0x0c, 0xd5, 0x91, 0x9a, 0x28, 0xae, 0xa2, 0x2e, 0x6c, 0x4e, 0xfa, + 0xa7, 0xd3, 0x98, 0x53, 0x0b, 0x55, 0x4f, 0x4f, 0x8f, 0x63, 0x56, 0x1d, 0xed, 0x40, 0x77, 0x72, + 0xfa, 0x7c, 0xa4, 0x4d, 0x5f, 0x9e, 0xf5, 0x07, 0x27, 0xda, 0x6b, 0xed, 0xe4, 0x4d, 0xb7, 0x81, + 0x3e, 0x86, 0x7b, 0x53, 0xf5, 0x44, 0xa2, 0xce, 0xb0, 0xda, 0x1f, 0xea, 0xe3, 0xd1, 0x9b, 0x6e, + 0x13, 0xdd, 0x87, 0x5d, 0x69, 0xff, 0x40, 0x1f, 0x73, 0x4d, 0xf8, 0xec, 0x05, 0xd6, 0x4f, 0x27, + 0x5d, 0xe0, 0x32, 0x5f, 0xe8, 0xda, 0x38, 0x3f, 0xd0, 0x42, 0x3d, 0xd8, 0x19, 0xa9, 0xfd, 0xd7, + 0x05, 0x91, 0x4d, 0xf4, 0x08, 0xbe, 0x25, 0x97, 0x9a, 0x1d, 0x3a, 0x1b, 0xe8, 0x3a, 0x1e, 0x6a, + 0xe3, 0xfe, 0x89, 0x8e, 0xbb, 0x6d, 0x0e, 0x93, 0xcb, 0x5f, 0x01, 0xeb, 0xf0, 0x2d, 0xe9, 0x0f, + 0x87, 0x67, 0x13, 0x7d, 0xa4, 0x0d, 0xde, 0x74, 0xb7, 0xc2, 0xd5, 0xbe, 0xd6, 0x5f, 0xa9, 0x11, + 0xab, 0xfb, 0xbc, 0xfb, 0xd7, 0xf7, 0xfb, 0xa5, 0xbf, 0xbf, 0xdf, 0x2f, 0xfd, 0xf3, 0xfd, 0x7e, + 0xe9, 0x77, 0xff, 0xda, 0xff, 0xe8, 0xbc, 0x26, 0xe2, 0xc1, 0xd3, 0xff, 0x04, 0x00, 0x00, 0xff, + 0xff, 0x2b, 0xcf, 0x65, 0x0e, 0xea, 0x1c, 0x00, 0x00, } func (m *ServerState) Marshal() (dAtA []byte, err error) { @@ -3045,6 +3254,32 @@ func (m *RaftLog) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.RevokePolicyOp != nil { + { + size, err := m.RevokePolicyOp.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x82 + } + if m.AddPolicyOp != nil { + { + size, err := m.AddPolicyOp.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x7a + } if m.ChangeConsumerGroupCoordinatorOp != nil { { size, err := m.ChangeConsumerGroupCoordinatorOp.MarshalToSizedBuffer(dAtA[:i]) @@ -3433,21 +3668,21 @@ func (m *PauseStreamOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { dAtA[i] = 0x18 } if len(m.Partitions) > 0 { - dAtA16 := make([]byte, len(m.Partitions)*10) - var j15 int + dAtA18 := make([]byte, len(m.Partitions)*10) + var j17 int for _, num1 := range m.Partitions { num := uint64(num1) for num >= 1<<7 { - dAtA16[j15] = uint8(uint64(num)&0x7f | 0x80) + dAtA18[j17] = uint8(uint64(num)&0x7f | 0x80) num >>= 7 - j15++ + j17++ } - dAtA16[j15] = uint8(num) - j15++ + dAtA18[j17] = uint8(num) + j17++ } - i -= j15 - copy(dAtA[i:], dAtA16[:j15]) - i = encodeVarintInternal(dAtA, i, uint64(j15)) + i -= j17 + copy(dAtA[i:], dAtA18[:j17]) + i = encodeVarintInternal(dAtA, i, uint64(j17)) i-- dAtA[i] = 0x12 } @@ -3486,21 +3721,21 @@ func (m *ResumeStreamOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { copy(dAtA[i:], m.XXX_unrecognized) } if len(m.Partitions) > 0 { - dAtA18 := make([]byte, len(m.Partitions)*10) - var j17 int + dAtA20 := make([]byte, len(m.Partitions)*10) + var j19 int for _, num1 := range m.Partitions { num := uint64(num1) for num >= 1<<7 { - dAtA18[j17] = uint8(uint64(num)&0x7f | 0x80) + dAtA20[j19] = uint8(uint64(num)&0x7f | 0x80) num >>= 7 - j17++ + j19++ } - dAtA18[j17] = uint8(num) - j17++ + dAtA20[j19] = uint8(num) + j19++ } - i -= j17 - copy(dAtA[i:], dAtA18[:j17]) - i = encodeVarintInternal(dAtA, i, uint64(j17)) + i -= j19 + copy(dAtA[i:], dAtA20[:j19]) + i = encodeVarintInternal(dAtA, i, uint64(j19)) i-- dAtA[i] = 0x12 } @@ -3779,21 +4014,21 @@ func (m *SetStreamReadonlyOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { dAtA[i] = 0x18 } if len(m.Partitions) > 0 { - dAtA20 := make([]byte, len(m.Partitions)*10) - var j19 int + dAtA22 := make([]byte, len(m.Partitions)*10) + var j21 int for _, num1 := range m.Partitions { num := uint64(num1) for num >= 1<<7 { - dAtA20[j19] = uint8(uint64(num)&0x7f | 0x80) + dAtA22[j21] = uint8(uint64(num)&0x7f | 0x80) num >>= 7 - j19++ + j21++ } - dAtA20[j19] = uint8(num) - j19++ + dAtA22[j21] = uint8(num) + j21++ } - i -= j19 - copy(dAtA[i:], dAtA20[:j19]) - i = encodeVarintInternal(dAtA, i, uint64(j19)) + i -= j21 + copy(dAtA[i:], dAtA22[:j21]) + i = encodeVarintInternal(dAtA, i, uint64(j21)) i-- dAtA[i] = 0x12 } @@ -3947,7 +4182,7 @@ func (m *LeaveConsumerGroupOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } -func (m *NullableInt64) Marshal() (dAtA []byte, err error) { +func (m *Policy) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) @@ -3957,12 +4192,12 @@ func (m *NullableInt64) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NullableInt64) MarshalTo(dAtA []byte) (int, error) { +func (m *Policy) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NullableInt64) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *Policy) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int @@ -3971,15 +4206,31 @@ func (m *NullableInt64) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if m.Value != 0 { - i = encodeVarintInternal(dAtA, i, uint64(m.Value)) + if len(m.Action) > 0 { + i -= len(m.Action) + copy(dAtA[i:], m.Action) + i = encodeVarintInternal(dAtA, i, uint64(len(m.Action))) i-- - dAtA[i] = 0x8 + dAtA[i] = 0x1a + } + if len(m.ResourceId) > 0 { + i -= len(m.ResourceId) + copy(dAtA[i:], m.ResourceId) + i = encodeVarintInternal(dAtA, i, uint64(len(m.ResourceId))) + i-- + dAtA[i] = 0x12 + } + if len(m.UserId) > 0 { + i -= len(m.UserId) + copy(dAtA[i:], m.UserId) + i = encodeVarintInternal(dAtA, i, uint64(len(m.UserId))) + i-- + dAtA[i] = 0xa } return len(dAtA) - i, nil } -func (m *NullableInt32) Marshal() (dAtA []byte, err error) { +func (m *AddPolicyOp) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) @@ -3989,12 +4240,12 @@ func (m *NullableInt32) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NullableInt32) MarshalTo(dAtA []byte) (int, error) { +func (m *AddPolicyOp) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NullableInt32) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *AddPolicyOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int @@ -4003,15 +4254,22 @@ func (m *NullableInt32) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if m.Value != 0 { - i = encodeVarintInternal(dAtA, i, uint64(m.Value)) + if m.Policy != nil { + { + size, err := m.Policy.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } i-- - dAtA[i] = 0x8 + dAtA[i] = 0xa } return len(dAtA) - i, nil } -func (m *NullableBool) Marshal() (dAtA []byte, err error) { +func (m *RevokePolicyOp) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) @@ -4021,12 +4279,12 @@ func (m *NullableBool) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NullableBool) MarshalTo(dAtA []byte) (int, error) { +func (m *RevokePolicyOp) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NullableBool) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *RevokePolicyOp) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int @@ -4035,20 +4293,22 @@ func (m *NullableBool) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if m.Value { - i-- - if m.Value { - dAtA[i] = 1 - } else { - dAtA[i] = 0 + if m.Policy != nil { + { + size, err := m.Policy.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0x8 + dAtA[i] = 0xa } return len(dAtA) - i, nil } -func (m *StreamConfig) Marshal() (dAtA []byte, err error) { +func (m *NullableInt64) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) @@ -4058,12 +4318,12 @@ func (m *StreamConfig) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *StreamConfig) MarshalTo(dAtA []byte) (int, error) { +func (m *NullableInt64) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *StreamConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NullableInt64) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int @@ -4072,31 +4332,132 @@ func (m *StreamConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if m.Encryption != nil { - { - size, err := m.Encryption.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintInternal(dAtA, i, uint64(size)) - } + if m.Value != 0 { + i = encodeVarintInternal(dAtA, i, uint64(m.Value)) i-- - dAtA[i] = 0x6a + dAtA[i] = 0x8 } - if m.OptimisticConcurrencyControl != nil { - { - size, err := m.OptimisticConcurrencyControl.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintInternal(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x62 + return len(dAtA) - i, nil +} + +func (m *NullableInt32) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err } - if m.MinIsr != nil { + return dAtA[:n], nil +} + +func (m *NullableInt32) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NullableInt32) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Value != 0 { + i = encodeVarintInternal(dAtA, i, uint64(m.Value)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *NullableBool) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NullableBool) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NullableBool) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Value { + i-- + if m.Value { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *StreamConfig) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *StreamConfig) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *StreamConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Encryption != nil { + { + size, err := m.Encryption.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x6a + } + if m.OptimisticConcurrencyControl != nil { + { + size, err := m.OptimisticConcurrencyControl.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x62 + } + if m.MinIsr != nil { { size, err := m.MinIsr.MarshalToSizedBuffer(dAtA[:i]) if err != nil { @@ -4781,6 +5142,30 @@ func (m *PropagatedRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.RevokePolicyOp != nil { + { + size, err := m.RevokePolicyOp.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x72 + } + if m.AddPolicyOp != nil { + { + size, err := m.AddPolicyOp.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintInternal(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x6a + } if m.ReportConsumerGroupCoordinatorOp != nil { { size, err := m.ReportConsumerGroupCoordinatorOp.MarshalToSizedBuffer(dAtA[:i]) @@ -5399,6 +5784,14 @@ func (m *RaftLog) Size() (n int) { l = m.ChangeConsumerGroupCoordinatorOp.Size() n += 1 + l + sovInternal(uint64(l)) } + if m.AddPolicyOp != nil { + l = m.AddPolicyOp.Size() + n += 1 + l + sovInternal(uint64(l)) + } + if m.RevokePolicyOp != nil { + l = m.RevokePolicyOp.Size() + n += 2 + l + sovInternal(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -5752,6 +6145,62 @@ func (m *LeaveConsumerGroupOp) Size() (n int) { return n } +func (m *Policy) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.UserId) + if l > 0 { + n += 1 + l + sovInternal(uint64(l)) + } + l = len(m.ResourceId) + if l > 0 { + n += 1 + l + sovInternal(uint64(l)) + } + l = len(m.Action) + if l > 0 { + n += 1 + l + sovInternal(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *AddPolicyOp) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Policy != nil { + l = m.Policy.Size() + n += 1 + l + sovInternal(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *RevokePolicyOp) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Policy != nil { + l = m.Policy.Size() + n += 1 + l + sovInternal(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func (m *NullableInt64) Size() (n int) { if m == nil { return 0 @@ -6168,6 +6617,14 @@ func (m *PropagatedRequest) Size() (n int) { l = m.ReportConsumerGroupCoordinatorOp.Size() n += 1 + l + sovInternal(uint64(l)) } + if m.AddPolicyOp != nil { + l = m.AddPolicyOp.Size() + n += 1 + l + sovInternal(uint64(l)) + } + if m.RevokePolicyOp != nil { + l = m.RevokePolicyOp.Size() + n += 1 + l + sovInternal(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -6961,6 +7418,78 @@ func (m *RaftLog) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 15: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AddPolicyOp", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.AddPolicyOp == nil { + m.AddPolicyOp = &AddPolicyOp{} + } + if err := m.AddPolicyOp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 16: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RevokePolicyOp", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.RevokePolicyOp == nil { + m.RevokePolicyOp = &RevokePolicyOp{} + } + if err := m.RevokePolicyOp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipInternal(dAtA[iNdEx:]) @@ -9079,7 +9608,7 @@ func (m *LeaveConsumerGroupOp) Unmarshal(dAtA []byte) error { } return nil } -func (m *NullableInt64) Unmarshal(dAtA []byte) error { +func (m *Policy) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9102,17 +9631,17 @@ func (m *NullableInt64) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NullableInt64: wiretype end group for non-group") + return fmt.Errorf("proto: Policy: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NullableInt64: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: Policy: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType) + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field UserId", wireType) } - m.Value = 0 + var stringLen uint64 for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowInternal @@ -9122,7 +9651,328 @@ func (m *NullableInt64) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - m.Value |= int64(b&0x7F) << shift + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.UserId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Action", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Action = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipInternal(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthInternal + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *AddPolicyOp) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: AddPolicyOp: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: AddPolicyOp: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Policy", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Policy == nil { + m.Policy = &Policy{} + } + if err := m.Policy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipInternal(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthInternal + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RevokePolicyOp) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RevokePolicyOp: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RevokePolicyOp: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Policy", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Policy == nil { + m.Policy = &Policy{} + } + if err := m.Policy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipInternal(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthInternal + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NullableInt64) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NullableInt64: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NullableInt64: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType) + } + m.Value = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Value |= int64(b&0x7F) << shift if b < 0x80 { break } @@ -11677,6 +12527,78 @@ func (m *PropagatedRequest) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 13: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AddPolicyOp", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.AddPolicyOp == nil { + m.AddPolicyOp = &AddPolicyOp{} + } + if err := m.AddPolicyOp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 14: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RevokePolicyOp", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInternal + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthInternal + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthInternal + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.RevokePolicyOp == nil { + m.RevokePolicyOp = &RevokePolicyOp{} + } + if err := m.RevokePolicyOp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipInternal(dAtA[iNdEx:]) diff --git a/server/protocol/internal.proto b/server/protocol/internal.proto index 39a334ce..b7e35818 100644 --- a/server/protocol/internal.proto +++ b/server/protocol/internal.proto @@ -22,6 +22,8 @@ enum Op { LEAVE_CONSUMER_GROUP = 12; REPORT_CONSUMER_GROUP_COORDINATOR = 13; CHANGE_CONSUMER_GROUP_COORDINATOR = 14; + ADD_POLICY = 15; + REVOKE_POLICY = 16; } message RaftLog { @@ -39,6 +41,8 @@ message RaftLog { JoinConsumerGroupOp joinConsumerGroupOp = 12; LeaveConsumerGroupOp leaveConsumerGroupOp = 13; ChangeConsumerGroupCoordinatorOp changeConsumerGroupCoordinatorOp = 14; + AddPolicyOp addPolicyOp = 15; + RevokePolicyOp revokePolicyOp = 16; } message CreateStreamOp { @@ -128,6 +132,23 @@ message LeaveConsumerGroupOp { bool expired = 3; // If consumer was removed because they timed out. } +// Policy represents an ACL-style policy +message Policy { + string userId = 1; + string resourceId = 2; + string action = 3; +} + +// AddPolicyOp adds an ACL-style policy +message AddPolicyOp { + Policy policy = 1; +} + +// RevokePolicyOp removes an ACL-style policy +message RevokePolicyOp { + Policy policy = 1; +} + message NullableInt64 { int64 value = 1; } @@ -234,6 +255,8 @@ message PropagatedRequest { JoinConsumerGroupOp joinConsumerGroupOp = 10; LeaveConsumerGroupOp leaveConsumerGroupOp = 11; ReportConsumerGroupCoordinatorOp reportConsumerGroupCoordinatorOp = 12; + AddPolicyOp addPolicyOp = 13; + RevokePolicyOp revokePolicyOp = 14; } message Error { diff --git a/server/server.go b/server/server.go index cba01729..476144a4 100644 --- a/server/server.go +++ b/server/server.go @@ -15,6 +15,8 @@ import ( "time" "github.com/casbin/casbin/v2" + "github.com/casbin/casbin/v2/model" + fileadapter "github.com/casbin/casbin/v2/persist/file-adapter" "github.com/hashicorp/raft" client "github.com/liftbridge-io/liftbridge-api/go" gnatsd "github.com/nats-io/nats-server/v2/server" @@ -466,19 +468,12 @@ func (s *Server) startAPIServer() error { } } // Configure authorization - if s.config.TLSClientAuthz && s.config.TLSClientAuthzModel != "" && s.config.TLSClientAuthzPolicy != "" { + if s.config.TLSClientAuthz { opts = append(opts, grpc.UnaryInterceptor(AuthzUnaryInterceptor), grpc.StreamInterceptor(AuthzStreamInterceptor)) - policyEnforcer, err := casbin.NewEnforcer(s.config.TLSClientAuthzModel, s.config.TLSClientAuthzPolicy) + err = s.initAuthzEnforcer() if err != nil { - return errors.Wrap(err, "failed to initialize authorization policy enforcer") + return errors.Wrap(err, "failed to initialize authorization") } - err = policyEnforcer.LoadPolicy() - - if err != nil { - return errors.Wrap(err, "failed to load authorization permissions") - } - - s.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} } creds := credentials.NewTLS(&config) @@ -514,6 +509,41 @@ func (s *Server) startAPIServer() error { return nil } +// initAuthzEnforcer initializes authorization enforcer based on configuration +func (s *Server) initAuthzEnforcer() error { + if s.config.TLSClientAuthzModel != "" && s.config.TLSClientAuthzPolicy != "" { + s.logger.Warn("DeprecationWarning: Using file-based configuration to persist authorization is no longer supported") + + policyEnforcer, err := casbin.NewEnforcer(s.config.TLSClientAuthzModel, s.config.TLSClientAuthzPolicy) + if err != nil { + return err + } + err = policyEnforcer.LoadPolicy() + + if err != nil { + return errors.Wrap(err, "failed to load authorization permissions") + } + s.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + + } else { + // Default ACL-with-superuser model + authzModel, err := model.NewModelFromString(DefaultACLAuthzModel) + if err != nil { + return err + } + + // Initialize casbin object without a storage file + // as policies are stored directly on Raft + authzStorage := fileadapter.NewAdapter("") + policyEnforcer, err := casbin.NewEnforcer(authzModel, authzStorage) + if err != nil { + return err + } + s.authzEnforcer = &authzEnforcer{enforcer: policyEnforcer} + } + return nil +} + // createNATSConn creates a new NATS connection with the given name. func (s *Server) createNATSConn(name string) (*nats.Conn, error) { var err error diff --git a/server/server_test.go b/server/server_test.go index 9e8c91aa..a9f825f8 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -1970,7 +1970,7 @@ func TestTLSAuth(t *testing.T) { panic(err) } certPool.AppendCertsFromPEM(ca) - certificate, err := tls.LoadX509KeyPair("./configs/certs/client/client-cert.pem", "./configs/certs/client/client-key.pem") + certificate, err := tls.LoadX509KeyPair("./configs/certs/client/client1/client1-cert.pem", "./configs/certs/client/client1/client1-key.pem") if err != nil { panic(err) }