microservicebus-dam v1.4.1 • Published 2 years ago

Weekly downloads: 1
License: MIT
Repository: github
Last release: 2 years ago

microservicebus-dam

Device User Administration

The DAM service dynamically controls user access to gateways. In short, it polls device access information from the mSB Device API (/api/nodes/{id}/access) and creates or removes user accounts on the device accordingly. These individual user/admin accounts are used mainly for SSH logins.

This repo contains two projects, dam-service and dam-democlient. dam-service is the service itself: it runs with high privileges and carries out the actual changes to user accounts, sudo rules, etc. This snap must be installed on every device that needs dynamic user access management. dam-democlient is a sample application showing how to interact with dam-service over its local unix socket.

To install service in Snap environment:

snap install microservicebus-dam --devmode

snap connect microservicebus-node:socket-plug microservicebus-dam:socket-slot
snap connect microservicebus-dam:account-control
snap connect microservicebus-dam:hardware-observe
snap connect microservicebus-dam:home
snap connect microservicebus-dam:modem-manager modem-manager:service
snap connect microservicebus-dam:physical-memory-observe

# Set to non-public mSB instance uri if needed:
# $ snap set microservicebus-dam dam.hostname=vattenfall.microservicebus.com

# Set to Debug mode if troubleshooting issue and need more verbose output in syslog/journal.
# $ snap set microservicebus-dam dam.debug=true

# Restart snap for plug&slots and configuration to take effect.
snap restart microservicebus-dam

The --devmode flag is (still) needed since chmod/chown does not work for /home/* directories in Ubuntu Core 16. Note that --devmode installs the snap with confinement violations logged but not enforced, so the interface connections above document what the service needs rather than limiting what it can reach.

Available environment variables:

DAM_HW_JSON_FILEPATH # File path to a JSON file storing hardware-specific details. E.g. '/mnt/config/manufacturer/hardware.json'

DAM_HW_JSON_SERIALNUMBER_PATH # Dot-notated JSON path to the serial number inside the JSON hw file above. E.g. 'device.info.serial'

DAM_PROTECTED_USERACCOUNTS # A comma-separated list of accounts that DAM must never create, modify or remove. E.g. 'microservicebus,uberadmin'. Previously env var 'PROTECTED_ACCOUNTS'.

DAM_USERS_HOMEDIR # Path to the home dir base. Default '/home/'

DAM_EXTRAUSERS_PLATFORM # bool telling DAM whether to operate against /etc/{passwd,group,...} or extrausers' /var/lib/extrausers/{passwd,group,...}.
           # 'true' means we only work with /var/lib/extrausers/{passwd,group,...}
           # If not set at all (or set to any value other than 'true') we operate against /etc/{passwd,group,...}
           # Previously env var 'EXTRAUSERS'

DAM_SOCKET_FOLDER # Path to which the folder 'socket/' and then the socket file 'dam.sock' will be appended. Defaults to os.tmpdir() (e.g. /tmp)

DAM_REFRESH_INTERVAL # The interval, in seconds, between scheduled refreshes at which grants are reloaded. Defaults to 30*60 (every 30 minutes)

DAM_MSB_GRANTS_BASE_URI # The base URI under which '/api/nodes/remoteAccess' is located. Defaults to 'https://microservicebus.com'

To test (the following runs an end-to-end test on the machine executing the test):

PLEASE NOTE! ALL CUSTOM USERS WILL BE REMOVED DURING TEST!

Start Azure VM (if needed and applicable):

# Set subscription
az account set --subscription '9cbac1c1-f32d-45b2-89dc-9d722bbd18cc' # Axians | Axians IoT Nordic

# Start VM
az vm start --resource-group 'microServiceBus-dam' --name 'msb-dam-zxcvbhjuytrf'

# Login
sleep 60
ssh $(whoami)@msb-dam-zxcvbhjuytrf-ip.westeurope.cloudapp.azure.com

Execute on the (possibly new) target platform, or on the msb-dam-zxcvbhjuytrf machine:

sudo snap stop microservicebus-dam.service # Stop service to not interfere with test.
sudo snap run --shell microservicebus-dam.service
export PATH=$PATH:$SNAP/bin:$SNAP/lib/node_modules/npm/bin/
cd /snap/microservicebus-dam/x1/lib/node_modules/microservicebus-dam
npm_package_scripts_test=mocha npx nyc  --temp-dir=/tmp/.nyc_output/ --cache-dir=/tmp/.nyc_cache/ mocha -b --exit

Output example:

  System base configuration
    #makeSureWeAreRunningAsRoot()
      ✓ should return "root"
    #noAdditionalUsersPresent()
      ✓ should return maximum 1 when no additional regular users are present

  Test Mock API
    #getOneUser()
      ✓ should return one valid user
    #getTwoUser()
      ✓ should return two valid users
    #getNoUser()
      ✓ should return no valid users
    #oneValidUserWithInvalidSSHKey()
[INFO] | Manual refresh complete.
      ✓ should NOT have a successful ssh login (669ms)
    #noValidUserWithInvalidSSHKey()
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
/bin/sh: 1: mmcli: not found
[INFO] | Device Access Management v1.1.1
[INFO] | MACs: 00:0d:3a:4a:00:7a
[INFO] | Serial: 2afcf5038ab54524b4aebee05ff0ce28
[INFO] | IMEI: null
[INFO] | All set...lets go
[INFO] | Scheduled refresh complete.
[INFO] | Scheduled refresh complete.
      ✓ should NOT have a successful ssh login (10194ms)
    #oneValidUserWithValidLogin()
[INFO] | Manual refresh complete.
Client disconnected
      ✓ should have a successful ssh login (1117ms)
    #noValidUserWithInvalidSSHKey()
16 Oct 05:43:26 - Listening on /var/snap/microservicebus-dam/common/socket/dam.sock
[INFO] | listening...
      ✓ should NOT have a successful ssh login (947ms)
    #oneValidUserOneProtectedUserWithValidLogin()
[WARN] | ignoring user account 'admin' since it's protected.
[INFO] | Manual refresh complete.
Client disconnected
      ✓ should have a successful ssh login (1099ms)
    #oneValidUserWithAnErrorServerResponseBeforeValidLogin()
[WARN] | ignoring user account 'admin' since it's protected.
[INFO] | Manual refresh complete.
[WARN] | ignoring user account 'admin' since it's protected.
[INFO] | Manual refresh complete.
      ✓ should have a successful ssh login (1203ms)
    #oneValidUserWithWorkingFullSudoAccess()
[WARN] | ignoring user account 'admin' since it's protected.
[INFO] | Manual refresh complete.
[WARN] | ignoring user account 'admin' since it's protected.
[INFO] | Scheduled refresh complete.
      ✓ should have a successful ssh login and a successful sudo command execution (2157ms)
  12 passing (17s)

--------------------|----------|----------|----------|----------|-------------------|
File                |  % Stmts | % Branch |  % Funcs |  % Lines | Uncovered Line #s |
--------------------|----------|----------|----------|----------|-------------------|
All files           |    70.39 |    52.88 |     87.3 |    70.53 |                   |
 dmidecode.js       |       75 |      100 |      100 |       75 |             12,13 |
 macs.js            |      100 |      100 |      100 |      100 |                   |
 main.js            |    71.43 |       50 |    78.26 |    73.53 |... 48,149,156,178 |
 platform-common.js |    76.11 |    56.36 |    85.71 |    75.45 |... 00,211,217,218 |
 usermgmt.js        |    65.02 |    50.51 |    95.45 |    64.68 |... 92,393,394,432 |
--------------------|----------|----------|----------|----------|-------------------|
Versions

1.4.1 - 2 years ago
1.4.0 - 4 years ago
1.3.0 - 4 years ago
1.2.3 - 4 years ago
1.0.0 - 5 years ago