albatross/src/vmm_tls.ml

(* (c) 2018 Hannes Mehnert, all rights reserved *)

open Rresult.R.Infix

open Vmm_core

(* let check_policy =
     (* get names and static resources *)
     List.fold_left (fun acc ca ->
         acc >>= fun acc ->
         Vmm_asn.delegation_of_cert asn_version ca >>= fun res ->
         let name = id ca in
         Ok ((name, res) :: acc))
       (Ok []) chain >>= fun policies ->
     (* check static policies *)
     Logs.debug (fun m -> m "now checking static policies") ;
     check_policies vm_config (List.map snd policies) >>= fun () ->
*)

let handle _addr version chain =
  separate_chain chain >>= fun (leaf, chain) ->
  let prefix = List.map name chain in
  let name = prefix @ [ name leaf ] in
  Logs.debug (fun m -> m "leaf is %s, chain %a"
                 (X509.common_name_to_string leaf)
                 Fmt.(list ~sep:(unit " -> ") string)
                 (List.map X509.common_name_to_string chain)) ;
  (* TODO: inspect top-level-cert of chain. *)
  (* TODO: logging let login_hdr, login_ev = Log.hdr name, `Login addr in *)
  (* TODO: update policies (parse chain for policy, and apply them)! *)
  Vmm_asn.wire_command_of_cert version leaf >>= fun wire ->
  (* we only allow some commands via certificate *)
  match wire with
  | `Console_cmd (`Console_subscribe _)
  | `Stats_cmd `Stats_subscribe
  | `Log_cmd (`Log_subscribe _)
  | `Vm_cmd _
  | `Policy_cmd _ -> Ok (name, wire) (* TODO policy_cmd is special (via delegation chain) *)
  | _ -> Error (`Msg "unexpected command")
copyright 2018-10-23 22:13:47 +00:00			`(* (c) 2018 Hannes Mehnert, all rights reserved *)`

move more stuff around 2018-10-23 22:10:08 +00:00			`open Rresult.R.Infix`
initial 2017-05-26 14:30:34 +00:00
move more stuff around 2018-10-23 22:10:08 +00:00			`open Vmm_core`
initial 2017-05-26 14:30:34 +00:00
move more stuff around 2018-10-23 22:10:08 +00:00			`(* let check_policy =`
			`(* get names and static resources *)`
			`List.fold_left (fun acc ca ->`
			`acc >>= fun acc ->`
			`Vmm_asn.delegation_of_cert asn_version ca >>= fun res ->`
			`let name = id ca in`
			`Ok ((name, res) :: acc))`
			`(Ok []) chain >>= fun policies ->`
			`(* check static policies *)`
			`Logs.debug (fun m -> m "now checking static policies") ;`
			`check_policies vm_config (List.map snd policies) >>= fun () ->`
			`*)`
initial 2017-05-26 14:30:34 +00:00
move more stuff around 2018-10-23 22:10:08 +00:00			`let handle _addr version chain =`
			`separate_chain chain >>= fun (leaf, chain) ->`
			`let prefix = List.map name chain in`
			`let name = prefix @ [ name leaf ] in`
			`Logs.debug (fun m -> m "leaf is %s, chain %a"`
			`(X509.common_name_to_string leaf)`
			`Fmt.(list ~sep:(unit " -> ") string)`
			`(List.map X509.common_name_to_string chain)) ;`
			`(* TODO: inspect top-level-cert of chain. *)`
			(* TODO: logging let login_hdr, login_ev = Log.hdr name, `Login addr in *)
whitelist commands accepted via tls certificate 2018-10-25 14:27:56 +00:00			`(* TODO: update policies (parse chain for policy, and apply them)! *)`
			`Vmm_asn.wire_command_of_cert version leaf >>= fun wire ->`
			`(* we only allow some commands via certificate *)`
			`match wire with`
			\| `Console_cmd (`Console_subscribe _)
			\| `Stats_cmd `Stats_subscribe
			\| `Log_cmd (`Log_subscribe _)
			\| `Vm_cmd _
			\| `Policy_cmd _ -> Ok (name, wire) (* TODO policy_cmd is special (via delegation chain) *)
			\| _ -> Error (`Msg "unexpected command")