From 5010fda59586bacb894b4874f444a4fd021e4119 Mon Sep 17 00:00:00 2001
From: Bryan Biedenkapp
Date: Fri, 30 May 2025 09:30:49 -0400
Subject: [PATCH] deprecate Peer ACL blacklist mode; (#91)
---
 configs/fne-config.example.yml | 8 +++---
 src/common/lookups/LookupTable.h | 2 +-
 src/common/lookups/PeerListLookup.cpp | 31 +++-------------------
 src/common/lookups/PeerListLookup.h | 27 +++----------------
 src/fne/HostFNE.cpp | 11 +-------
 src/fne/network/FNENetwork.cpp | 33 +++++++----------------
 src/fne/network/RESTAPI.cpp | 38 ---------------------------
 src/fne/network/RESTAPI.h | 7 -----
 src/fne/network/RESTDefines.h | 1 -
 src/peered/PeerEdMain.cpp | 2 +-
 10 files changed, 21 insertions(+), 139 deletions(-)
diff --git a/configs/fne-config.example.yml b/configs/fne-config.example.yml
index 86cef87a..036a5544 100644
--- a/configs/fne-config.example.yml
+++ b/configs/fne-config.example.yml
@@ -253,16 +253,14 @@ system:
 time: 2
 #
- # Peer whitelist and blacklist configuration
+ # Peer ACL configuration
 #
 peer_acl:
 # Flag indicating whether or not the peer ACLs are enabled.
 enable: false
- # Peer ACL mode: whitelist or blacklist
- mode: whitelist
- # Full path to the white/blacklist file.
+ # Full path to the peer ACL file.
 file: peer_list.dat
- # Amount of time between updates of white/blacklist file. (minutes)
+ # Amount of time between updates of peer ACL file. (minutes)
 time: 2
 #
diff --git a/src/common/lookups/LookupTable.h b/src/common/lookups/LookupTable.h
index 452db861..2a80d90b 100644
--- a/src/common/lookups/LookupTable.h
+++ b/src/common/lookups/LookupTable.h
@@ -48,7 +48,7 @@ namespace lookups
 /**
 * @brief Initializes a new instance of the LookupTable class.
 * @param filename Full-path to the lookup table file.
- * @param reloadTime Interval of time to reload the channel identity table.
+ * @param reloadTime Interval of time to reload the lookup table.
 */
 LookupTable(const std::string& filename, uint32_t reloadTime) : Thread(),
diff --git a/src/common/lookups/PeerListLookup.cpp b/src/common/lookups/PeerListLookup.cpp
index 0554c015..14dac95b 100644
--- a/src/common/lookups/PeerListLookup.cpp
+++ b/src/common/lookups/PeerListLookup.cpp
@@ -50,8 +50,8 @@ bool PeerListLookup::m_locked = false;
 /* Initializes a new instance of the PeerListLookup class. */
-PeerListLookup::PeerListLookup(const std::string& filename, Mode mode, uint32_t reloadTime, bool peerAcl) : LookupTable(filename, reloadTime),
- m_acl(peerAcl), m_mode(mode)
+PeerListLookup::PeerListLookup(const std::string& filename, uint32_t reloadTime, bool peerAcl) : LookupTable(filename, reloadTime),
+ m_acl(peerAcl)
 {
 /* stub */
 }
@@ -158,32 +158,7 @@ bool PeerListLookup::isPeerAllowed(uint32_t id) const
 return true; // if not enabled, allow all peers
 }
- bool allowed = false;
- if (m_mode == WHITELIST) {
- allowed = isPeerInList(id);
- } else if (m_mode == BLACKLIST) {
- allowed = !isPeerInList(id);
- }
-
- return allowed;
-}
-
-/* Sets the mode to either WHITELIST or BLACKLIST. */
-
-void PeerListLookup::setMode(Mode mode)
-{
- __LOCK_TABLE();
-
- m_mode = mode;
-
- __UNLOCK_TABLE();
-}
-
-/* Gets the current mode. */
-
-PeerListLookup::Mode PeerListLookup::getMode() const
-{
- return m_mode;
+ return isPeerInList(id);
 }
 /* Gets the entire peer ID table. */
diff --git a/src/common/lookups/PeerListLookup.h b/src/common/lookups/PeerListLookup.h
index 5a55a627..d4ae371e 100644
--- a/src/common/lookups/PeerListLookup.h
+++ b/src/common/lookups/PeerListLookup.h
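Review bot: The rewritten tail of isPeerAllowed, `return isPeerInList(id);`, now hard-codes allow-list semantics, but the only comment left in the function is the early `return true; // if not enabled, allow all peers`, so nothing states that listed peers are the permitted set; a one-liner on the return such as `// the ACL is an allow list: only peers present in the table pass` keeps that visible now that the mode switch is gone. The function's opening lines and its header comment are outside the hunk, so they could not be checked here. The removed setMode() wrapped its state change in `__LOCK_TABLE()` / `__UNLOCK_TABLE()`, while the surviving read path takes no lock in this hunk — presumably isPeerInList handles locking itself, but that is worth confirming.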
@@ -152,21 +152,13 @@ namespace lookups
 */
 class HOST_SW_API PeerListLookup : public LookupTable
 {
 public:
- /**
- * @brief Peer List Mode
- */
- enum Mode {
- WHITELIST, //! Peers listed are whitelisted
- BLACKLIST //! Peers listed are blacklisted
- };
- /**
- * @brief Initializes a new instance of the PeerListLookup class.
- * @param filename Full-path to the list file.
- * @param mode Mode to operate in (WHITELIST or BLACKLIST).
- * @param peerAcl Flag indicating if the lookup is enabled.
+ * @param reloadTime Interval of time to reload the lookup table.
+ * @param peerAcl Flag indicating these rules are enabled for enforcing access control.
 */
- PeerListLookup(const std::string& filename, Mode mode, uint32_t reloadTime, bool peerAcl);
+ PeerListLookup(const std::string& filename, uint32_t reloadTime, bool peerAcl);
 /**
 * @brief Clears all entries from the list.
@@ -223,17 +215,6 @@ namespace lookups
 */
 bool isPeerListEmpty() const { return m_table.size() == 0U; }
- /**
- * @brief Sets the mode to either WHITELIST or BLACKLIST.
- * @param mode The mode to set.
- */
- void setMode(Mode mode);
- /**
- * @brief Gets the current mode.
- * @returns Mode Current peer list operational mode.
- */
- Mode getMode() const;
- /**
- * @brief Gets the entire peer ID table.
- * @returns std::unordered_map
@@ -261,8 +242,6 @@ namespace lookups
 bool save() override;
 private:
- Mode m_mode;
-
 static std::mutex m_mutex; //! Mutex used for change locking.
 static bool m_locked; //! Flag used for read locking (prevents find lookups), should be used when atomic operations (add/erase/etc) are being used.
 };
diff --git a/src/fne/HostFNE.cpp b/src/fne/HostFNE.cpp
index dabcfb29..f42e9d94 100644
--- a/src/fne/HostFNE.cpp
+++ b/src/fne/HostFNE.cpp
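Review bot: The new `@param peerAcl` line on the constructor says enforcement can be enabled but not what enforcement now means, and with the Mode enum deleted this public header no longer tells a caller anywhere that the file is an allow list. Suggest `* @param peerAcl Flag indicating these rules are enabled for enforcing access control; when enabled, isPeerAllowed() passes only peers present in the list.` The isPeerAllowed declaration, where the same sentence belongs, lies outside these hunks.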
@@ -399,16 +399,8 @@ bool HostFNE::readParams()
 std::string peerListLookupFile = systemConf["peer_acl"]["file"].as();
 bool peerListLookupEnable = systemConf["peer_acl"]["enable"].as(false);
- std::string peerListModeStr = systemConf["peer_acl"]["mode"].as("whitelist");
 uint32_t peerListConfigReload = systemConf["peer_acl"]["time"].as(30U);
- lookups::PeerListLookup::Mode peerListMode;
- if (peerListModeStr == "blacklist") {
- peerListMode = lookups::PeerListLookup::BLACKLIST;
- } else {
- peerListMode = lookups::PeerListLookup::WHITELIST;
- }
-
 LogInfo("Talkgroup Rule Lookups");
 LogInfo(" File: %s", talkgroupConfig.length() > 0U ? talkgroupConfig.c_str() : "None");
 if (talkgroupConfigReload > 0U)
@@ -421,12 +413,11 @@ bool HostFNE::readParams()
 // try to load peer whitelist/blacklist
 LogInfo("Peer List Lookups");
 LogInfo(" Enabled: %s", peerListLookupEnable ? "yes" : "no");
- LogInfo(" Mode: %s", peerListMode == lookups::PeerListLookup::BLACKLIST ? "blacklist" : "whitelist");
 LogInfo(" File: %s", peerListLookupFile.length() > 0U ? peerListLookupFile.c_str() : "None");
 if (peerListConfigReload > 0U)
 LogInfo(" Reload: %u mins", peerListConfigReload);
- m_peerListLookup = new PeerListLookup(peerListLookupFile, peerListMode, peerListConfigReload, peerListLookupEnable);
+ m_peerListLookup = new PeerListLookup(peerListLookupFile, peerListConfigReload, peerListLookupEnable);
 m_peerListLookup->read();
 // try to load peer whitelist/blacklist
diff --git a/src/fne/network/FNENetwork.cpp b/src/fne/network/FNENetwork.cpp
index 9aca8e7a..3e75a1a7 100644
--- a/src/fne/network/FNENetwork.cpp
+++ b/src/fne/network/FNENetwork.cpp
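Review bot: The `peer_acl.mode` key is now read nowhere, so an existing config carrying `mode: blacklist` loads without complaint and the file that used to be a deny list silently becomes the allow list — the peers it names become the only ones admitted, and every peer that was previously allowed is now rejected at login with NET_CONN_NAK_PEER_ACL. That deserves a loud warning at parse time next to the other peer_acl reads in the first hunk: `if (systemConf["peer_acl"]["mode"].as<std::string>("whitelist") == "blacklist") LogWarning(LOG_HOST, "peer_acl mode 'blacklist' is no longer supported; the peer list is treated as an allow list");`. The second hunk still carries the context comment `// try to load peer whitelist/blacklist` twice around the updated LogInfo block; `// try to load peer ACL list` matches the new wording. readParams() begins and ends outside both hunks.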
@@ -714,11 +714,7 @@ void FNENetwork::taskNetworkRx(NetPacketRequest* req)
 }
 if (!network->m_peerListLookup->isPeerAllowed(peerId) && !network->m_peerListLookup->isPeerListEmpty()) {
- if (network->m_peerListLookup->getMode() == lookups::PeerListLookup::BLACKLIST) {
- LogWarning(LOG_NET, "PEER %u RPTL, blacklisted from access", peerId);
- } else {
- LogWarning(LOG_NET, "PEER %u RPTL, failed whitelist check", peerId);
- }
+ LogWarning(LOG_NET, "PEER %u RPTL, failed peer ACL check", peerId);
 network->writePeerNAK(peerId, TAG_REPEATER_LOGIN, NET_CONN_NAK_PEER_ACL, req->address, req->addrLen);
@@ -751,11 +747,7 @@ void FNENetwork::taskNetworkRx(NetPacketRequest* req)
 }
 if (!network->m_peerListLookup->isPeerAllowed(peerId) && !network->m_peerListLookup->isPeerListEmpty()) {
- if (network->m_peerListLookup->getMode() == lookups::PeerListLookup::BLACKLIST) {
- LogWarning(LOG_NET, "PEER %u RPTL, blacklisted from access", peerId);
- } else {
- LogWarning(LOG_NET, "PEER %u RPTL, failed whitelist check", peerId);
- }
+ LogWarning(LOG_NET, "PEER %u RPTL, failed peer ACL check", peerId);
 network->writePeerNAK(peerId, TAG_REPEATER_LOGIN, NET_CONN_NAK_PEER_ACL, req->address, req->addrLen);
@@ -805,12 +797,7 @@ void FNENetwork::taskNetworkRx(NetPacketRequest* req)
 bool validAcl = true;
 if (network->m_peerListLookup->getACL()) {
 if (!network->m_peerListLookup->isPeerAllowed(peerId) && !network->m_peerListLookup->isPeerListEmpty()) {
- if (network->m_peerListLookup->getMode() == lookups::PeerListLookup::BLACKLIST) {
- LogWarning(LOG_NET, "PEER %u RPTK, blacklisted from access", peerId);
- } else {
- LogWarning(LOG_NET, "PEER %u RPTK, failed whitelist check", peerId);
- }
-
+ LogWarning(LOG_NET, "PEER %u RPTK, failed peer ACL check", peerId);
 validAcl = false;
 } else {
 lookups::PeerId peerEntry = network->m_peerListLookup->find(peerId);
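Review bot: The new single-branch `LogWarning(LOG_NET, "PEER %u RPTL, failed peer ACL check", peerId);` sits under a condition that still reads `!isPeerAllowed(peerId) && !isPeerListEmpty()`, and with the deny-list mode gone that clause now means an enabled ACL whose file is empty admits every peer; that fail-open was a natural default for a deny list but is surprising for an allow list, and the commit does not revisit it. If it is intentional, record the decision where it is made, `// empty allow list = ACL not yet populated: fail open and admit all peers` above the check; if it is not, dropping the `isPeerListEmpty()` clause from all three checks makes an enabled but empty ACL deny by default. The same condition and message pattern recur in the hunks at -751 (RPTL) and -805 (RPTK). taskNetworkRx() begins and ends outside these hunks.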
@@ -1158,15 +1145,13 @@ void FNENetwork::taskNetworkRx(NetPacketRequest* req)
 if (connection->connected() && connection->address() == ip) {
 // is this peer allowed to request keys?
 if (network->m_peerListLookup->getACL()) {
- if (network->m_peerListLookup->getMode() == lookups::PeerListLookup::WHITELIST) {
- lookups::PeerId peerEntry = network->m_peerListLookup->find(peerId);
- if (peerEntry.peerDefault()) {
+ lookups::PeerId peerEntry = network->m_peerListLookup->find(peerId);
+ if (peerEntry.peerDefault()) {
+ break;
+ } else {
+ if (!peerEntry.canRequestKeys()) {
+ LogError(LOG_NET, "PEER %u (%s) requested enc. key but is not allowed, no response", peerId, connection->identity().c_str());
 break;
- } else {
- if (!peerEntry.canRequestKeys()) {
- LogError(LOG_NET, "PEER %u (%s) requested enc. key but is not allowed, no response", peerId, connection->identity().c_str());
- break;
- }
 }
 }
 }
diff --git a/src/fne/network/RESTAPI.cpp b/src/fne/network/RESTAPI.cpp
index 4248c6ae..5a0949f8 100644
--- a/src/fne/network/RESTAPI.cpp
+++ b/src/fne/network/RESTAPI.cpp
@@ -650,7 +650,6 @@ void RESTAPI::initializeEndpoints()
 m_dispatcher.match(FNE_PUT_PEER_ADD).put(REST_API_BIND(RESTAPI::restAPI_PutPeerAdd, this));
 m_dispatcher.match(FNE_PUT_PEER_DELETE).put(REST_API_BIND(RESTAPI::restAPI_PutPeerDelete, this));
 m_dispatcher.match(FNE_GET_PEER_COMMIT).get(REST_API_BIND(RESTAPI::restAPI_GetPeerCommit, this));
- m_dispatcher.match(FNE_GET_PEER_MODE).get(REST_API_BIND(RESTAPI::restAPI_GetPeerMode, this));
 m_dispatcher.match(FNE_GET_FORCE_UPDATE).get(REST_API_BIND(RESTAPI::restAPI_GetForceUpdate, this));
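Review bot: The new `if (peerEntry.peerDefault()) { break; }` drops a key request from a peer that has no ACL entry without writing anything to the log, while the sibling `!canRequestKeys()` path directly below it records a LogError; a peer with no entry appears able to reach this point when the list is empty (the login checks earlier in this file admit all peers in that case), so the silent branch hides exactly the requests an operator would want to see. Suggest logging there as well, e.g. `LogError(LOG_NET, "PEER %u (%s) requested enc. key but has no peer ACL entry, no response", peerId, connection->identity().c_str());` before the break, and flattening `} else { if (!peerEntry.canRequestKeys()) {` to `} else if (!peerEntry.canRequestKeys()) {` now that the removed mode check no longer justifies the extra nesting. taskNetworkRx() begins and ends outside this hunk.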
@@ -1334,43 +1333,6 @@ void RESTAPI::restAPI_GetPeerCommit(const HTTPPayload& request, HTTPPayload& rep
 /* */
-void RESTAPI::restAPI_GetPeerMode(const HTTPPayload& request, HTTPPayload& reply, const RequestMatch& match)
-{
- if (!validateAuth(request, reply)) {
- return;
- }
-
- json::object response = json::object();
- setResponseDefaultStatus(response);
-
- lookups::PeerListLookup::Mode mode = m_peerListLookup->getMode();
- bool acl = m_peerListLookup->getACL();
-
- std::string modeStr;
-
- if (acl) {
- switch (mode) {
- case lookups::PeerListLookup::WHITELIST:
- modeStr = "WHITELIST";
- break;
- case lookups::PeerListLookup::BLACKLIST:
- modeStr = "BLACKLIST";
- break;
- default:
- modeStr = "UNKNOWN";
- break;
- }
- }
- else {
- modeStr = "DISABLED";
- }
-
- response["mode"].set(modeStr);
- reply.payload(response);
-}
-
-/* */
-
 void RESTAPI::restAPI_GetForceUpdate(const HTTPPayload& request, HTTPPayload& reply, const RequestMatch& match)
 {
 if (!validateAuth(request, reply)) {
diff --git a/src/fne/network/RESTAPI.h b/src/fne/network/RESTAPI.h
index d0437e3d..d18fcf9e 100644
--- a/src/fne/network/RESTAPI.h
+++ b/src/fne/network/RESTAPI.h
@@ -269,13 +269,6 @@ private:
 * @param match HTTP request matcher.
 */
 void restAPI_GetPeerCommit(const HTTPPayload& request, HTTPPayload& reply, const network::rest::RequestMatch& match);
- /**
- * @brief
- * @param request HTTP request.
- * @param reply HTTP reply.
- * @param match HTTP request matcher.
- */
- void restAPI_GetPeerMode(const HTTPPayload& request, HTTPPayload& reply, const network::rest::RequestMatch& match);
 /**
 * @brief
diff --git a/src/fne/network/RESTDefines.h b/src/fne/network/RESTDefines.h
index f1035014..95208b5c 100644
--- a/src/fne/network/RESTDefines.h
+++ b/src/fne/network/RESTDefines.h
@@ -43,7 +43,6 @@
 #define FNE_PUT_PEER_ADD "/peer/add"
 #define FNE_PUT_PEER_DELETE "/peer/delete"
 #define FNE_GET_PEER_COMMIT "/peer/commit"
-#define FNE_GET_PEER_MODE "/peer/mode"
 #define FNE_GET_FORCE_UPDATE "/force-update"
diff --git a/src/peered/PeerEdMain.cpp b/src/peered/PeerEdMain.cpp
index a6d68ae1..a2ea5d60 100644
--- a/src/peered/PeerEdMain.cpp
+++ b/src/peered/PeerEdMain.cpp
@@ -208,7 +208,7 @@ int main(int argc, char** argv)
 g_logDisplayLevel = 0U;
- g_pidLookups = new PeerListLookup(g_iniFile, PeerListLookup::WHITELIST, 0U, false);
+ g_pidLookups = new PeerListLookup(g_iniFile, 0U, false);
 g_pidLookups->read();
 LogMessage(LOG_HOST, "Loaded peer ID file: %s", g_iniFile.c_str());