wgkex
Add ability to blacklist certain keys
Add a (temporary) blacklist feature to the daemon. This is needed in case some abusive client wants to connect. Then we just reject the WireGuard key and don't send it to MQTT.
- How do you want to identify the client (name? key?)?
- Where do you want to block them? In the flask app?
- Should the config be runtime, or hard coded into the config file (or both?)?
I'm guessing easiest thing to do is create a new API for an in-memory list of keys/clients you want to block, and check this list before calling MQTT: https://github.com/freifunkMUC/wgkex/blob/main/wgkex/broker/app.py#L77
My idea was to read a blacklist.yaml from the broker and reject all keys which are in there. So those aren't even sent to MQTT, as you said :).
It would be cool if the file is occasionally checked for changes and reloaded to memory. But also just a static file which is read on start of the broker is fine.
My preferred format would be:
- Key1
reason: "Abuse"
- Key2
But reason is optional and we put this in the answer to the client.
Then I think solving this first is the correct thing to do: https://github.com/freifunkMUC/wgkex/issues/39
I created a first draft to block keys on the client side in https://github.com/freifunkMUC/wgkex/pull/76 .
I'll go about looking at trying to get keys back out of the worker to the broker so we avoid duplication.
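An added sketch of the broker-side check discussed in this thread (not part of the thread and not wgkex code): a blacklist file held in memory, re-read when its modification time changes, and consulted before a key would be published to MQTT. The names `key_bytes`, `parse_blacklist` and `Blacklist` are hypothetical, the file is read line by line in the `- key` / `reason:` layout sketched above rather than with a YAML library, and keys are compared on their decoded 32 bytes so that differing text encodings of one key still match.

```python
import base64
import binascii
import os


def key_bytes(key):
    """Decode a WireGuard public key (base64 of 32 bytes); raise ValueError otherwise."""
    try:
        raw = base64.b64decode(key.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64") from exc
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return raw


def parse_blacklist(text):
    """Read '- <key>' lines, each optionally followed by a 'reason: ...' line (assumed layout)."""
    entries = {}
    last = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- "):
            last = key_bytes(line[2:].strip("\"' "))
            entries[last] = None
        elif line.startswith("reason:") and last is not None:
            entries[last] = line[len("reason:"):].strip().strip("\"'")
    return entries


class Blacklist:
    """Blacklist file held in memory and re-read when its mtime changes."""

    def __init__(self, path):
        self.path, self._mtime, self._entries = path, None, {}

    def lookup(self, key):
        """Return (blocked, reason); raises ValueError if the client key is malformed."""
        try:
            mtime = os.stat(self.path).st_mtime_ns
            if mtime != self._mtime:
                with open(self.path, encoding="utf-8") as fh:
                    self._entries = parse_blacklist(fh.read())
                self._mtime = mtime
        except (OSError, ValueError):
            pass  # missing or malformed file: keep the last good list (empty at start)
        raw = key_bytes(key)
        return raw in self._entries, self._entries.get(raw)
```

A malformed file is retried on every lookup until it parses, and a file that is missing at startup leaves the list empty, so a deployment that must fail closed would need to treat that case as an error instead.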