diff --git a/README.md b/README.md index 7889ca0..8f54884 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,10 @@ ManagerA1 ManagerA2 ManagerB1 ManagerB2 -ManagerAB1 -ManagerAB2 ManagerC1 ManagerC2 +ManagerABC1 +ManagerABC2 MakerA1 MakerA2 @@ -39,11 +39,22 @@ GuestC1 GuestC2 GuestACB1 GuestACB2 + +MakerQRA +MakerQRB +MakerQRC ``` # Machines Machines have all a Dummy Actor +## List of Categories +``` +CategoryA +CategoryB +CategoryC +``` + ## List of Machines ``` MachineA1 @@ -66,21 +77,48 @@ MachineC5 ``` # Roles -Something about Roles +All Roles have only one Permission +Users have multipile Roles to give them access +`TestEnv.Admin` have all Permissions ## List of Roles ``` -TestEnv.Disclose.A -TestEnv.Disclose.B -TestEnv.Disclose.C +Admin -TestEnv.Use.A -TestEnv.Use.B -TestEnv.Use.C +ManageA +ManageB +ManageC + +UseA +UseB +UseC + +ReadA +ReadB +ReadC + +DiscloseA +DiscloseB +DiscloseC +``` + +## List of Permissions +``` +TestEnv.Admin TestEnv.Manage.A TestEnv.Manage.B TestEnv.Manage.C -TestEnv.Admin +TestEnv.Write.A +TestEnv.Write.B +TestEnv.Write.C + +TestEnv.Read.A +TestEnv.Read.B +TestEnv.Read.C + +TestEnv.Disclose.A +TestEnv.Disclose.B +TestEnv.Disclose.C ``` diff --git a/bffh.dhall b/bffh.dhall new file mode 100644 index 0000000..e27565e --- /dev/null +++ b/bffh.dhall 
@@ -0,0 +1,294 @@
+{- Main configuration file for bffh
+ - ================================
+ -
+ - In this configuration file you configure almost all parts of how bffh operates, but most importantly:
+ - * Machines
+ - * Initiators and Actors
+ - * Which Initiators and Actors relate to which machine(s)
+ - * Roles and the permissions granted by them
+ -}
+
+-- The config is in the configuration format/language dhall. You can find more information about dhall over at
+-- https://dhall-lang.org
+
+-- (Our) Dhall is somewhat similar to JSON and YAML in that it expects a top-level object containing the
+-- configuration values
+{
+ -- Configure the addresses and ports bffh listens on
+ listens = [
+ -- BFFH binds a port for every listen object in this array.
+ -- Each listen object is of the format { address = , port = }
+ -- If you don't specify a port bffh will use the default of `59661`
+ -- 'address' can be a IP address or a hostname
+ -- If bffh can not bind a port for the specified combination if will log an error but *continue with the remaining ports*
+ { address = "::", port = Some 59661 }
+ ],
+
+ -- Configure TLS. BFFH requires a PEM-encoded certificate and the associated key as two separate files
+ certfile = "/etc/bffh/cert.pem",
+ keyfile = "/etc/bffh/key.pem",
+
+ -- BFFH right now requires a running MQTT broker.
+ mqtt_url = "tcp://mqtt:1883",
+
+ -- Path to the database file for bffh. bffh will in fact create two files; ${db_path} and ${db_path}.lock.
+ -- BFFH will *not* create any directories so ensure that the directory exists and the user running bffh has write
+ -- access into them.
+ db_path = "/var/lib/bffh/db",
+
+ -- Audit log path. Bffh will log state changes into this file, one per line.
+ -- Audit log entries are for now JSON:
+ -- {"timestamp":1641497361,"machine":"Testmachine","state":{"state":{"InUse":{"uid":"Testuser","subuid":null,"realm":null}}}}
+ auditlog_path = "/tmp/bffh.audit",
+
+ -- In dhall you can also easily import definitions from other files, e.g. you could write
+ -- roles = ./roles.dhall
+
+
+
+
+
+
+
+
+
+
+
+ roles = {
+ Admin = {
+ permissions = [
+ "TestEnv.Admin",
+ "TestEnv.Manage.A",
+ "TestEnv.Manage.B",
+ "TestEnv.Manage.C",
+ "TestEnv.Write.A",
+ "TestEnv.Write.B",
+ "TestEnv.Write.C",
+ "TestEnv.Read.A",
+ "TestEnv.Read.B",
+ "TestEnv.Read.C",
+ "TestEnv.Disclose.A",
+ "TestEnv.Disclose.B",
+ "TestEnv.Disclose.C"
+ ]
+ },
+
+ ManageA = {
+ permissions = [ "TestEnv.Manage.A" ]
+ },
+ ManageB = {
+ permissions = [ "TestEnv.Manage.B" ]
+ },
+ ManageC = {
+ permissions = [ "TestEnv.Manage.C" ]
+ },
+
+ UseA = {
+ permissions = [ "TestEnv.Use.A" ]
+ },
+ UseB = {
+ permissions = [ "TestEnv.Use.B" ]
+ },
+ UseC = {
+ permissions = [ "TestEnv.Use.C" ]
+ },
+
+ ReadA = {
+ permissions = [ "TestEnv.Read.A" ]
+ },
+ ReadB = {
+ permissions = [ "TestEnv.Read.B" ]
+ },
+ ReadC = {
+ permissions = [ "TestEnv.Read.C" ]
+ },
+
+ DiscloseA = {
+ permissions = [ "TestEnv.Disclose.A" ]
+ },
+ DiscloseB = {
+ permissions = [ "TestEnv.Disclose.B" ]
+ },
+ DiscloseC = {
+ permissions = [ "TestEnv.Disclose.C" ]
+ }
+ },
+
+ machines = {
+ MachineA1 = {
+ name = "MachineA1",
+ description = "Description of MachineA1",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryA",
+
+ disclose = "TestEnv.Disclose.A",
+ read = "TestEnv.Read.A",
+ write = "TestEnv.Write.A",
+ manage = "TestEnv.Manage.A"
+ },
+ MachineA2 = {
+ name = "MachineA2",
+ description = "Description of MachineA2",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryA",
+
+ disclose = "TestEnv.Disclose.A",
+ read = "TestEnv.Read.A",
+ write = "TestEnv.Write.A",
+ manage = "TestEnv.Manage.A"
+ },
+ MachineA3 = {
+ name = "MachineA3",
+ 
description = "Description of MachineA3",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryA",
+
+ disclose = "TestEnv.Disclose.A",
+ read = "TestEnv.Read.A",
+ write = "TestEnv.Write.A",
+ manage = "TestEnv.Manage.A"
+ },
+ MachineA4 = {
+ name = "MachineA4",
+ description = "Description of MachineA4",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryA",
+
+ disclose = "TestEnv.Disclose.A",
+ read = "TestEnv.Read.A",
+ write = "TestEnv.Write.A",
+ manage = "TestEnv.Manage.A"
+ },
+ MachineA5 = {
+ name = "MachineA5",
+ description = "Description of MachineA5",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryA",
+
+ disclose = "TestEnv.Disclose.A",
+ read = "TestEnv.Read.A",
+ write = "TestEnv.Write.A",
+ manage = "TestEnv.Manage.A"
+ },
+
+ MachineB1 = {
+ name = "MachineB1",
+ description = "Description of MachineB1",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryB",
+
+ disclose = "TestEnv.Disclose.B",
+ read = "TestEnv.Read.B",
+ write = "TestEnv.Write.B",
+ manage = "TestEnv.Manage.B"
+ },
+ MachineB2 = {
+ name = "MachineB2",
+ description = "Description of MachineB2",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryB",
+
+ disclose = "TestEnv.Disclose.B",
+ read = "TestEnv.Read.B",
+ write = "TestEnv.Write.B",
+ manage = "TestEnv.Manage.B"
+ },
+ MachineB3 = {
+ name = "MachineB3",
+ description = "Description of MachineB3",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryB",
+
+ disclose = "TestEnv.Disclose.B",
+ read = "TestEnv.Read.B",
+ write = "TestEnv.Write.B",
+ manage = "TestEnv.Manage.B"
+ },
+ MachineB4 = {
+ name = "MachineB4",
+ description = "Description of MachineB4",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryB",
+
+ disclose = "TestEnv.Disclose.B",
+ read = "TestEnv.Read.B",
+ write = "TestEnv.Write.B",
+ manage = "TestEnv.Manage.B"
+ },
+ MachineB5 = {
+ name = "MachineB5",
+ description = 
"Description of MachineB5",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryB",
+
+ disclose = "TestEnv.Disclose.B",
+ read = "TestEnv.Read.B",
+ write = "TestEnv.Write.B",
+ manage = "TestEnv.Manage.B"
+ },
+
+ MachineC1 = {
+ name = "MachineC1",
+ description = "Description of MachineC1",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryC",
+
+ disclose = "TestEnv.Disclose.C",
+ read = "TestEnv.Read.C",
+ write = "TestEnv.Write.C",
+ manage = "TestEnv.Manage.C"
+ },
+ MachineC2 = {
+ name = "MachineC2",
+ description = "Description of MachineC2",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryC",
+
+ disclose = "TestEnv.Disclose.C",
+ read = "TestEnv.Read.C",
+ write = "TestEnv.Write.C",
+ manage = "TestEnv.Manage.C"
+ },
+ MachineC3 = {
+ name = "MachineC3",
+ description = "Description of MachineC3",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryC",
+
+ disclose = "TestEnv.Disclose.C",
+ read = "TestEnv.Read.C",
+ write = "TestEnv.Write.C",
+ manage = "TestEnv.Manage.C"
+ },
+ MachineC4 = {
+ name = "MachineC4",
+ description = "Description of MachineC4",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryC",
+
+ disclose = "TestEnv.Disclose.C",
+ read = "TestEnv.Read.C",
+ write = "TestEnv.Write.C",
+ manage = "TestEnv.Manage.C"
+ },
+ MachineC5 = {
+ name = "MachineC5",
+ description = "Description of MachineC5",
+ wiki = "https://fab-access.readthedocs.io",
+ category = "CategoryC",
+
+ disclose = "TestEnv.Disclose.C",
+ read = "TestEnv.Read.C",
+ write = "TestEnv.Write.C",
+ manage = "TestEnv.Manage.C"
+ },
+ },
+
+ actors = {=},
+
+ actor_connections = [] : List { machine : Text, actor : Text },
+
+ initiators = {=},
+
+ init_connections = [] : List { machine : Text, initiator : Text },
+}
diff --git a/users.toml b/users.toml
new file mode 100644
index 0000000..0cd4bb8
--- /dev/null
+++ b/users.toml
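Review bot: The `UseA`/`UseB`/`UseC` roles grant `TestEnv.Use.A`/`.B`/`.C`, but no machine in this file references a `TestEnv.Use.*` permission — every machine's `write` field is `TestEnv.Write.*`, and `TestEnv.Use.*` appears neither in the `Admin` role nor in the README's permission list, which lists `TestEnv.Write.A/B/C` in the slot that corresponds to the `UseA/B/C` roles. If `write` is what gates using a machine (inferred from the field names; the page does not say), the Maker users that users.toml assigns these roles hold a permission nothing checks and only `Admin` can actually use a machine, so the three role bodies should read `permissions = [ "TestEnv.Write.A" ]`, `permissions = [ "TestEnv.Write.B" ]` and `permissions = [ "TestEnv.Write.C" ]`. Separately, `auditlog_path = "/tmp/bffh.audit"` puts the audit trail — which per the comment above it records user ids — in a world-writable directory that is routinely purged, so it can be removed, truncated or pre-created by any other local account; a directory writable only by the bffh user, such as the one holding `db_path`, keeps the log trustworthy. The README also says every machine has a Dummy Actor, yet `actors = {=}` and `actor_connections = []` here, so either the README or this config is out of date.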
@@ -0,0 +1,173 @@
+[Admin1]
+roles = ["Admin/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[Admin2]
+roles = ["Admin/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerA1]
+roles = ["ManageA/internal", "UseA/internal", "ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerA2]
+roles = ["ManageA/internal", "UseA/internal", "ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerB1]
+roles = ["ManageB/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerB2]
+roles = ["ManageB/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerC1]
+roles = ["ManageC/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerC2]
+roles = ["ManageC/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerABC1]
+roles = ["ManageA/internal", "UseA/internal", "ReadA/internal", "DiscloseA/internal", "ManageB/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal", "ManageC/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[ManagerABC2]
+roles = ["ManageA/internal", "UseA/internal", "ReadA/internal", "DiscloseA/internal", "ManageB/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal", "ManageC/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerA1]
+roles = ["UseA/internal", "ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerA2]
+roles = ["UseA/internal", "ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerB1]
+roles = ["UseB/internal", "ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerB2]
+roles = ["UseB/internal", "ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerC1]
+roles = ["UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerC2]
+roles = ["UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerABC1]
+roles = ["UseA/internal", "ReadA/internal", "DiscloseA/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerABC2]
+roles = ["UseA/internal", "ReadA/internal", "DiscloseA/internal", "UseB/internal", "ReadB/internal", "DiscloseB/internal", "UseC/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestA1]
+roles = ["ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestA2]
+roles = ["ReadA/internal", "DiscloseA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestB1]
+roles = ["ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestB2]
+roles = ["ReadB/internal", "DiscloseB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestC1]
+roles = ["ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestC2]
+roles = ["ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestABC1]
+roles = ["ReadA/internal", "DiscloseA/internal", "ReadB/internal", "DiscloseB/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[GuestABC2]
+roles = ["ReadA/internal", "DiscloseA/internal", "ReadB/internal", "DiscloseB/internal", "ReadC/internal", "DiscloseC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerQRA]
+roles = ["UseA/internal", "ReadA/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerQRB]
+roles = ["UseB/internal", "ReadB/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+[MakerQRC]
+roles = ["UseC/internal", "ReadC/internal"]
+passwd = "secret"
+noot = "noot!"
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
\ No newline at end of file
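Review bot: All 29 users carry the identical `cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"`, so if bffh resolves a presented card to a user by this value (the page does not say how `cardkey` is consumed), a card cannot be attributed to one account and the card path cannot be exercised in this test environment at all; each section needs its own distinct placeholder, for instance one derived from the section name. The two `Admin*` accounts share `passwd = "secret"` with every other user, which makes this file usable only as a throwaway fixture — a leading `# Test fixture: every password and cardkey below is a placeholder, replace before any real deployment` comment would make that explicit to whoever copies it. `noot = "noot!"` is not explained anywhere on the page; if bffh reads it, a comment saying what it is would help, and if not it should be dropped. The role names carry a `/internal` suffix that the README's "List of Roles" omits, which the README hunk could mention. The file also lacks a trailing newline.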