first push

Author: AleC-IX

CAcert/CA.conf

@@ -0,0 +1,13 @@
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+
+[ req_distinguished_name ]
+CN = <SERVER_URL>
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
+keyUsage = keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer

README.md

@@ -1,2 +1,82 @@
-# broker
-FLUIDOS Broker
+<!-- markdownlint-disable first-line-h1 -->
+<p align="center">
+<a href="https://www.fluidos.eu/"> <img src="./docs/images/fluidoslogo.png" width="150"/> </a>
+<h3 align="center">FLUIDOS Broker</h3>
+</p>  
+
+# WAN Discovery – RabbitMQ Configuration Guide
+
+This repository provides an example of configuration to set up a RabbitMQ message broker for WAN-based discovery of FLUIDOS Nodes.
+
+## Prerequisites
+
+A vanilla RabbitMQ installation is required on your server.  
+Refer to the official <a href="https://www.rabbitmq.com/docs/configure"> RabbitMQ Configuration </a> to determine the correct location of the rabbitmq.conf file based on your system.
+
+The provided `rabbitmq.conf` configuration enforces TLS peer authentication for both client and server communications. It configures RabbitMQ to use the default SSL port 5671 and disables the non-SSL TCP port 5672. The configuration also sets the Common Name (CN) of the SSL certificate as the authentication ID, additionally, it restricts access to the Management UI and `rabbitmqadmin` tools to localhost, enhancing the system’s security by limiting administrative access to the local machine only.  
+To enable TLS-based authentication, activate the RabbitMQ TLS authentication plugin:  
+`rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl`
+
+## Certificate Issuance
+
+To enable TLS-based authentication, you must generate the self-signed root certificate and a server certificate issued by the root certificate.  
+We use RSA 2048-bit encryption, and example configurations are provided below.
+
+    openssl req -x509 -newkey rsa:2048 -keyout CA_privKey.pem -out CA_cert.pem -days 365 -config CA.conf
+
+    openssl x509 -req -in serverCert/server.csr -CA CAcert/CA_cert.pem -CAkey CAcert/CA_privKey.pem -CAcreateserial -out serverCert/server_cert.pem -days 365 -sha256 -extfile serverCert/server.conf -extensions v3_req
+
+
+## User & Queue Configuration
+
+Some scripts rely on `rabbitmqadmin`, so ensure that an administrator user is properly configured and that the default "guest" user is restricted to localhost access only.  
+  
+From the `users.yaml` configuration, clients publish to the same exchange but use distinct routing keys, which correspond to their Common Name (CN) in their certificate.
+These routing keys determine message distribution across tiers (which act as exchanges).
+Each client is subscribed to its own private queue, which receives messages routed from the relevant tiers.  
+  
+The `setup.sh` script automates the setup of queues, permissions, exchanges, and bindings as defined in `users.yaml`.
+Client certificates and private keys, ensuring each client can authenticate securely.  
+  
+The `eraseRabbit.sh` script removes all queues, bindings, exchanges, and users, except for the default "guest" user, ensuring continued access via `rabbitmqadmin`.  
+  
+The `deleteUserBindings.sh` script removes all the bindings for the user passed as argument.  
+  
+Once the setup is over it it is possible to refine the configuration with specific `rabbitmqctl` and `rabbitmqadmin` commands to create more bindings.  
+Previously issued certificates will continue to function as expected.  
+
+## Message Routing & Permissions
+
+Each client can publish only using its assigned routing key to the defaultPeeringExchange and can subscribe only to its private queue.  
+Clients are categorized into four arbitrary tiers for message routing.
+
+### A simple schema that illustrates a possible broker architecture
+
+<p align="center">
+<img src="./docs/images/broker_server.jpg"/>
+</p>
+
+## Directory structure example compatible for setup.sh
+
+    ~/
+    ├─ CAcert/
+    │  ├─ CA.conf
+    │  ├─ CA_privKey.pem
+    │  ├─ CA_cert.pem
+    ├─ clientCert/
+    │  ├─ clientA_priv.pem
+    │  ├─ clientA_cert.pem
+    │  ├─ clientB_priv.pem
+    │  ├─ clientB_cert.pem
+    │  ├─ client.conf
+    │  ├─ clientA_request.csr
+    │  ├─ clientB_request.csr
+    ├─ serverCert/
+    │  ├─ server_cert.pem
+    │  ├─ server_privKey.pem
+    │  ├─ server.conf
+    │  ├─ server.csr
+    ├─ users.yaml
+    ├─ setup.sh
+    ├─ cert_gen.sh
+    ├─ eraseRabbit.sh

cert_gen.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/bash
+
+#1-key and csr
+openssl req -new -newkey rsa:2048 -nodes -keyout clientCert/"$1"_priv.pem -config clientCert/client.conf -out clientCert/"$1"_request.csr -subj "/CN="$1""
+
+#2-sign client cert
+openssl x509 -req -in clientCert/"$1"_request.csr -CA CAcert/CA_cert.pem -CAkey CAcert/CA_privKey.pem -CAcreateserial -out clientCert/"$1"_cert.pem -days 365 -extfile clientCert/client.conf -extensions v3_req -passin pass:<YOUR_PASSWORD>

clientCert/client.conf

@@ -0,0 +1,8 @@
+[ req ]
+req_extensions = v3_req
+prompt = no
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth

deleteUserBindings.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Check 1 param
+if [ -z "$1" ]; then
+    echo "Need 1 parameter"
+    exit 1
+fi
+
+USR_NAME="$1"
+
+# List binding
+BINDINGS=$(rabbitmqadmin list bindings source destination routing_key -f tsv)
+
+# For each binding delete if contains USR_NAME 
+while IFS=$'\t' read -r SOURCE DESTINATION ROUTING_KEY; do
+    # check if USR_NAME is contained in a destination or routing key
+    if [[ "$ROUTING_KEY" == *"$USR_NAME"* ]]; then
+        echo "Remove binding: Exchange '$SOURCE' → Queue '$DESTINATION' with Routing Key '$ROUTING_KEY'..."
+        rabbitmqadmin delete binding source="$SOURCE" destination="$DESTINATION" destination_type="exchange" properties_key="$ROUTING_KEY"
+    fi
+    if [[ "$DESTINATION" == *"$USR_NAME"* ]]; then
+    echo "Remove binding: Exchange '$SOURCE' → Queue '$DESTINATION' with Routing Key '$ROUTING_KEY'..."
+        rabbitmqadmin delete binding source="$SOURCE" destination="$DESTINATION" destination_type="queue"
+    fi
+
+done <<< "$BINDINGS"
+
+echo "Deletion complete"

docs/images/broker_server.jpg

@@ -0,0 +1,34 @@
+#!/usr/bin/bash
+
+# Delete users except guest (default admin only from localhost)
+echo "Retrieving users..."
+USERS=$(rabbitmqadmin list users name -f tsv)
+
+for USER in $USERS; do
+  if [ "$USER" != "guest" ]; then
+    echo "Deleting user: $USER"
+    rabbitmqadmin delete user name="$USER"
+  else
+    echo "Skipping guest"
+  fi
+done
+
+# Delete queues
+echo "Retrieving queues..."
+QUEUES=$(rabbitmqadmin list queues name -f tsv)
+
+for QUEUE in $QUEUES; do
+    echo "Deleting queue: $QUEUE"
+    rabbitmqadmin delete queue name="$QUEUE"
+done
+
+# Delete exchange except default (amq.*)
+echo "Retrieving exchanges..."
+EXCHANGES=$(rabbitmqadmin list exchanges name -f tsv | grep -vE '^amq\.')
+
+for EXCHANGE in $EXCHANGES; do
+    echo "Deleting exchange: $EXCHANGE"
+    rabbitmqadmin delete exchange name="$EXCHANGE"
+done
+
+echo "All clean!"

docs/images/fluidoslogo.png

@@ -0,0 +1,14 @@
+management.tcp.listen = 127.0.0.1
+listeners.tcp = none
+listeners.ssl.default = 5671
+ssl_options.cacertfile = /etc/rabbitmq/serverCert/CA_cert.pem
+ssl_options.certfile = /etc/rabbitmq/serverCert/server_cert.pem
+ssl_options.keyfile = /etc/rabbitmq/serverCert/server_privKey.pem
+ssl_options.verify = verify_peer
+ssl_options.password = <YOUR_PASSWORD>
+ssl_options.fail_if_no_peer_cert = true
+auth_mechanisms.1 = EXTERNAL
+ssl_cert_login_from  = common_name
+ssl_handshake_timeout = 5000
+log.file = /var/log/rabbitmq/rabbitmq.log
+log.file.level = debug

eraseRabbit.sh

@@ -0,0 +1,13 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+CN = <SERVER_URL>
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:<SERVER_URL>

rabbitmq.conf

@@ -0,0 +1,66 @@
+#!/usr/bin/bash
+#EXTERNAL DEFAULT EXCHANGE
+rabbitmqadmin declare exchange name=DefaultPeerRequest type=topic durable=true
+
+#INTERNAL TIERS EXCHANGES
+rabbitmqadmin declare exchange name=Tier1 type=fanout durable=true internal=true
+rabbitmqadmin declare exchange name=Tier2 type=fanout durable=true internal=true
+rabbitmqadmin declare exchange name=Tier3 type=fanout durable=true internal=true
+rabbitmqadmin declare exchange name=Tier4 type=fanout durable=true internal=true
+
+#read users from conf file and fill arrays
+config_file="users.yaml"
+users_array=()
+write_tier_array=()
+read_tier_array=()
+
+USERS=$(rabbitmqadmin list users name -f tsv)
+
+while IFS= read -r line || [[ -n "$line" ]]; do
+
+  if [[ "$line" =~ ^[[:space:]]*name[[:space:]]*:[[:space:]]*(.*)$ ]]; then
+    users_array+=("${BASH_REMATCH[1]}")
+  fi
+
+  if [[ "$line" =~ ^[[:space:]]*write[[:space:]]*:[[:space:]]*(.*)$ ]]; then
+    write_tier_array+=("${BASH_REMATCH[1]}")
+  fi
+
+  if [[ "$line" =~ ^[[:space:]]*read[[:space:]]*:[[:space:]]*(.*)$ ]]; then
+    read_tier_array+=("${BASH_REMATCH[1]}")
+  fi
+
+done < "$config_file"
+
+#for each user
+for user in "${!users_array[@]}"; do  
+    FOUND=0
+    for USER in $USERS; do
+      if [[ "$USER" == "${users_array[$user]}" ]]; then
+              FOUND=1
+        echo "User ${users_array[$user]} already exists"
+      fi
+    done
+    #create rabbitmq user
+  if [[ $FOUND -eq 0 ]]; then
+    rabbitmqctl add_user "${users_array[$user]}" ""
+  
+    #remove PW (auth only through certificates)
+  rabbitmqctl clear_password ${users_array[$user]}
+  fi
+    #personal queue 
+  rabbitmqadmin declare queue name=${users_array[$user]}
+
+    #writing permission on default exchange with its route key and reading permission on its queue
+  rabbitmqctl set_permissions -p / ${users_array[$user]} "\$" "^(DefaultPeerRequest)\$" "^(${users_array[$user]})\$"
+
+    #setting message routing to tiers (BINDING EXCHANGE TO EXHANGE)
+  rabbitmqadmin declare binding source="DefaultPeerRequest" destination="${write_tier_array[$user]}" routing_key="${users_array[$user]}" destination_type="exchange"
+
+    #setting queues filling from tiers (BINDING EXCHANGE TO QUEUE)
+  rabbitmqadmin declare binding source="${read_tier_array[$user]}" destination="${users_array[$user]}"
+    #certificates generation
+  if [[ "$FOUND" -eq 0 ]]; then
+    ./cert_gen.sh ${users_array[$user]}
+  fi
+done

serverCert/server.conf

@@ -0,0 +1,14 @@
+---
+- userA :
+    name : clientA
+    write : Tier1
+    read : Tier1
+- userB :
+    name : clientB
+    write : Tier1
+    read : Tier1
+# - userC : 
+#     name : clientC
+#     write : Tier3
+#     read : Tier3
+...