-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecure_communication.py
More file actions
307 lines (247 loc) · 10.8 KB
/
secure_communication.py
File metadata and controls
307 lines (247 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
"""
Secure Communication Middleware for Sovereign Map
Integrates TPM-inspired trust & verification with Flask backend
"""
import json
import logging
import time
import hashlib
import hmac
import os
from functools import wraps
from typing import Dict, Any, Callable, Optional
from datetime import datetime
from flask import request, jsonify, g
from tpm_cert_manager import TPMCertificateManager, NodeAuthenticator
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
def _admin_authorized() -> bool:
expected = str(os.getenv("TRUST_ADMIN_TOKEN", "")).strip()
if not expected:
return False
header_token = str(request.headers.get("X-Trust-Admin-Token", "")).strip()
auth = str(request.headers.get("Authorization", "")).strip()
bearer = auth[7:].strip() if auth.lower().startswith("bearer ") else ""
return hmac.compare_digest(header_token, expected) or hmac.compare_digest(
bearer, expected
)
class SecureNodeCommunication:
"""Middleware for secure node-to-node communication."""
def __init__(self, node_id: int, cert_dir: str = "/etc/sovereign/certs"):
self.node_id = node_id
self.cert_manager = TPMCertificateManager(cert_dir)
self.authenticator = NodeAuthenticator(node_id, self.cert_manager)
# Trust cache to avoid repeated verification
self.trust_cache = {}
self.cache_ttl = 3600 # 1 hour
self.max_clock_skew_seconds = 300 # 5 minutes
logger.info(f"SecureNodeCommunication initialized for node {node_id}")
def initialize_node_certs(self, num_nodes: int):
"""Generate certificates for all nodes in the network."""
for i in range(num_nodes):
if i != self.node_id:
try:
self.cert_manager.generate_node_cert(i, f"Node-{i}")
except Exception as e:
logger.warning(f"Certificate may already exist for node {i}: {e}")
def secure_endpoint(self, f: Callable) -> Callable:
"""Decorator to secure Flask endpoints with node authentication."""
@wraps(f)
def decorated_function(*args, **kwargs):
# Check if request has authentication header
auth_header = request.headers.get("X-Node-Auth")
signature = request.headers.get("X-Signature")
from_node = request.headers.get("X-From-Node")
if not all([auth_header, signature, from_node]):
logger.warning("Missing authentication headers")
return jsonify({"error": "Missing authentication headers"}), 401
try:
request_data = None
if request.method in {"POST", "PUT", "PATCH"}:
request_data = request.get_json(silent=True)
# Verify the request is signed by a trusted node
if not self._verify_request(
from_node, signature, auth_header, request_data
):
logger.warning(
f"Signature verification failed from node {from_node}"
)
return jsonify({"error": "Invalid signature"}), 401
# Verify node certificate
if not self.cert_manager.verify_node_certificate(int(from_node)):
logger.warning(
f"Certificate verification failed for node {from_node}"
)
return jsonify({"error": "Certificate verification failed"}), 401
# Store peer info in request context
g.peer_node_id = int(from_node)
g.peer_verified = True
return f(*args, **kwargs)
except Exception as e:
logger.error(f"Error during authentication: {e}")
return jsonify({"error": "Authentication failed"}), 500
return decorated_function
def _verify_request(
self,
from_node: str,
signature: str,
auth_payload_hex: str,
request_data: Optional[Dict[str, Any]] = None,
) -> bool:
"""Verify that a request is properly signed."""
try:
from_node_id = int(from_node)
signature_bytes = bytes.fromhex(signature)
auth_payload_bytes = bytes.fromhex(auth_payload_hex)
payload = json.loads(auth_payload_bytes.decode())
payload_from_node = int(payload.get("from_node"))
payload_timestamp = int(payload.get("timestamp"))
if payload_from_node != from_node_id:
logger.warning(
f"Authenticated payload node mismatch: header={from_node_id}, payload={payload_from_node}"
)
return False
if abs(int(time.time()) - payload_timestamp) > self.max_clock_skew_seconds:
logger.warning(f"Stale or replayed request from node {from_node_id}")
return False
if request_data is not None and payload.get("data") != request_data:
logger.warning(f"Signed payload/body mismatch from node {from_node_id}")
return False
payload_digest = hashlib.sha256(auth_payload_bytes).hexdigest()
# Check trust cache
cache_key = f"{from_node_id}:{payload_digest}:{signature}"
if cache_key in self.trust_cache:
cached_time, result = self.trust_cache[cache_key]
if time.time() - cached_time < self.cache_ttl:
return result
# Verify signature
result = self.authenticator.verify_message(
auth_payload_bytes, signature_bytes, from_node_id
)
# Cache result
self.trust_cache[cache_key] = (time.time(), result)
return result
except Exception as e:
logger.error(f"Error verifying request: {e}")
return False
def create_signed_request(self, target_node_id: int, data: Dict) -> Dict:
"""Create a signed request to send to a peer node."""
message = json.dumps(
{"from_node": self.node_id, "timestamp": int(time.time()), "data": data}
).encode()
signature = self.authenticator.sign_message(message)
return {
"headers": {
"X-From-Node": str(self.node_id),
"X-Signature": signature.hex(),
"X-Node-Auth": message.hex(),
},
"body": data,
}
def get_trust_status(self) -> Dict[str, Any]:
"""Get current trust status of all nodes."""
report = self.cert_manager.get_trust_report()
return {
"node_id": self.node_id,
"timestamp": datetime.utcnow().isoformat(),
"ca_certificate": report["ca_cert"],
"total_nodes": report["total_nodes"],
"verified_nodes": report["verified_nodes"],
"revoked_certificates": report["revoked_count"],
"node_details": {
node_name: {
"verified": node_info.get("verified", False),
"expires_at": node_info.get("expires_at"),
"serial": node_info.get("serial"),
}
for node_name, node_info in report["nodes"].items()
},
}
class RequestSigner:
"""Helper class for signing requests before sending them."""
def __init__(self, comm: SecureNodeCommunication):
self.comm = comm
def sign_and_send(self, method: str, url: str, data: Dict = None) -> Dict:
"""Sign a request and return the headers and body."""
signed = self.comm.create_signed_request(0, data or {})
return {
"method": method,
"url": url,
"headers": {**signed["headers"], "Content-Type": "application/json"},
"data": json.dumps(signed["body"]),
}
def create_secure_app_middleware(app, node_id: int, num_nodes: int = 10):
"""
Attach secure communication middleware to a Flask app.
Usage:
from flask import Flask
app = Flask(__name__)
comm = create_secure_app_middleware(app, node_id=0, num_nodes=10)
"""
comm = SecureNodeCommunication(node_id)
comm.initialize_node_certs(num_nodes)
# Store in app context
app.secure_comm = comm
# Add endpoints for trust management
@app.route("/trust/status", methods=["GET"])
def get_trust_status():
"""Get trust status of the network."""
return jsonify(comm.get_trust_status())
@app.route("/trust/verify/<int:peer_node_id>", methods=["POST"])
def verify_peer(peer_node_id):
"""Manually verify a peer node's certificate."""
if not _admin_authorized():
return jsonify({"error": "unauthorized"}), 401
verified = comm.cert_manager.verify_node_certificate(peer_node_id)
return jsonify(
{
"node_id": peer_node_id,
"verified": verified,
"timestamp": datetime.utcnow().isoformat(),
}
)
@app.route("/trust/revoke/<int:peer_node_id>", methods=["POST"])
def revoke_peer_cert(peer_node_id):
"""Revoke a peer node's certificate (admin only)."""
if not _admin_authorized():
return jsonify({"error": "unauthorized"}), 401
revoked = comm.cert_manager.revoke_node_certificate(peer_node_id)
return jsonify(
{
"node_id": peer_node_id,
"revoked": revoked,
"timestamp": datetime.utcnow().isoformat(),
}
)
@app.route("/trust/certificate/<int:node_id>", methods=["GET"])
def get_node_certificate(node_id):
"""Get a node's certificate (for peer verification)."""
cert_path = comm.cert_manager.cert_dir / f"node-{node_id}-cert.pem"
if not cert_path.exists():
return jsonify({"error": "Certificate not found"}), 404
with open(cert_path, "r") as f:
cert_pem = f.read()
return jsonify(
{
"node_id": node_id,
"certificate": cert_pem,
"timestamp": datetime.utcnow().isoformat(),
}
)
return comm
if __name__ == "__main__":
# Example usage
from flask import Flask
app = Flask(__name__)
# Initialize secure communication
comm = create_secure_app_middleware(app, node_id=0, num_nodes=5)
# Add a secure endpoint
@app.route("/secure/data", methods=["POST"])
@comm.secure_endpoint
def secure_endpoint():
from_node = g.peer_node_id if hasattr(g, "peer_node_id") else "unknown"
data = request.json
return jsonify({"status": "received", "from_node": from_node, "data": data})
print("Secure communication middleware initialized")
print(f"Running on port 5000 with mTLS enabled")
app.run(host="0.0.0.0", port=5000, debug=False)