api: TLS & Authentication (#4)

Author: DSpeichert

.goreleaser.yml

@@ -25,3 +25,4 @@ archives:
       - README*
       - LICENSE*
       - netbootd.service
+      - netbootd.yml

README.md

@@ -119,7 +119,7 @@ mounts:
     # So that localDir: /tftpboot path: /subdir and client request: /subdir/file.x so that the host
     # path becomes /tfptboot/file.x
     localDir: /tftpboot
-   # When true, the localDir path defined above gets a suffix to the Path prefix appended to it.
+    # When true, the localDir path defined above gets a suffix to the Path prefix appended to it.
     appendSuffix: true
 
   - path: /install.ipxe
@@ -225,8 +225,8 @@ Run e.g. `./netbootd --trace server -m ./examples/`
  
 ## Roadmap / TODOs
 
-* API TLS & Authentication
-* Manifest persistence (currently API-configured manifests live in memory only)
-* Pluggable store backends (e.g. Redis, Etcd, files) for Manifests
-* Notifications (e.g. long-polling wait to return when a given host actually booted)
-* Per-manifest logs available over API
+* [x] API TLS & Authentication
+* [ ] Manifest persistence (currently API-configured manifests live in memory only)
+* [ ] Pluggable store backends (e.g. Redis, Etcd, files) for Manifests
+* [ ] Notifications (e.g. long-polling wait to return when a given host actually booted)
+* [ ] Per-manifest logs available over API

api/server.go

@@ -23,7 +23,9 @@ type Server struct {
 	store  *store.Store
 }
 
-func NewServer(store *store.Store) (server *Server, err error) {
+// NewServer set up HTTP API server instance
+// If authorization is passed, requires privileged operation callers to present Authorization header with this content.
+func NewServer(store *store.Store, authorization string) (server *Server, err error) {
 	r := mux.NewRouter()
 
 	server = &Server{
@@ -64,6 +66,11 @@ func NewServer(store *store.Store) (server *Server, err error) {
 
 	// GET /api/manifests
 	r.HandleFunc("/api/manifests", func(w http.ResponseWriter, r *http.Request) {
+		if authorization != r.Header.Get("Authorization") {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
 		var b []byte
 		if strings.Contains(r.Header.Get("Accept"), "application/json") {
 			w.Header().Set("Content-Type", "applications/json")
@@ -78,6 +85,11 @@ func NewServer(store *store.Store) (server *Server, err error) {
 
 	// GET /api/manifests/{id}
 	r.HandleFunc("/api/manifests/{id}", func(w http.ResponseWriter, r *http.Request) {
+		if authorization != r.Header.Get("Authorization") {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
 		vars := mux.Vars(r)
 		m := store.Find(vars["id"])
 		if m == nil {
@@ -98,6 +110,11 @@ func NewServer(store *store.Store) (server *Server, err error) {
 
 	// PUT /api/manifests/{id}
 	r.HandleFunc("/api/manifests/{id}", func(w http.ResponseWriter, r *http.Request) {
+		if authorization != r.Header.Get("Authorization") {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
 		buf, _ := ioutil.ReadAll(r.Body)
 		var m manifest.Manifest
 		if r.Header.Get("Content-Type") == "application/json" {
@@ -119,6 +136,11 @@ func NewServer(store *store.Store) (server *Server, err error) {
 
 	// DELETE /api/manifests/{id}
 	r.HandleFunc("/api/manifests/{id}", func(w http.ResponseWriter, r *http.Request) {
+		if authorization != r.Header.Get("Authorization") {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
 		vars := mux.Vars(r)
 		store.ForgetManifest(vars["id"])
 
@@ -129,6 +151,10 @@ func NewServer(store *store.Store) (server *Server, err error) {
 	r.HandleFunc("/api/self/suspend-boot", func(w http.ResponseWriter, r *http.Request) {
 		var ip net.IP
 		if queryFirst(r, "spoof") != "" {
+			if authorization != r.Header.Get("Authorization") {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 			ip = net.ParseIP(queryFirst(r, "spoof"))
 		} else {
 			host, _, _ := net.SplitHostPort(r.RemoteAddr)
@@ -149,6 +175,10 @@ func NewServer(store *store.Store) (server *Server, err error) {
 	r.HandleFunc("/api/self/unsuspend-boot", func(w http.ResponseWriter, r *http.Request) {
 		var ip net.IP
 		if queryFirst(r, "spoof") != "" {
+			if authorization != r.Header.Get("Authorization") {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 			ip = net.ParseIP(queryFirst(r, "spoof"))
 		} else {
 			host, _, _ := net.SplitHostPort(r.RemoteAddr)
@@ -169,6 +199,10 @@ func NewServer(store *store.Store) (server *Server, err error) {
 	r.HandleFunc("/api/self/manifest", func(w http.ResponseWriter, r *http.Request) {
 		var ip net.IP
 		if queryFirst(r, "spoof") != "" {
+			if authorization != r.Header.Get("Authorization") {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 			ip = net.ParseIP(queryFirst(r, "spoof"))
 		} else {
 			host, _, _ := net.SplitHostPort(r.RemoteAddr)
@@ -199,6 +233,10 @@ func (server *Server) Serve(l net.Listener) error {
 	return server.httpServer.Serve(l)
 }
 
+func (server *Server) ServeTLS(l net.Listener, certFile string, keyFile string) error {
+	return server.httpServer.ServeTLS(l, certFile, keyFile)
+}
+
 func queryFirst(r *http.Request, k string) string {
 	keys, ok := r.URL.Query()[k]
 	if !ok || len(keys[0]) < 1 {

cmd/server.go

@@ -10,6 +10,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"net"
 	"os"
 	"os/signal"
@@ -20,16 +21,22 @@ var (
 	ifname       string
 	httpPort     int
 	apiPort      int
+	apiTlsCert   string
+	apiTlsKey    string
 	manifestPath string
 )
 
 func init() {
 	serverCmd.Flags().StringVarP(&addr, "address", "a", "", "IP address to listen on (DHCP, TFTP, HTTP)")
 	serverCmd.Flags().IntVarP(&httpPort, "http-port", "p", 8080, "HTTP port to listen on")
 	serverCmd.Flags().IntVarP(&apiPort, "api-port", "r", 8081, "HTTP API port to listen on")
+	serverCmd.Flags().StringVar(&apiTlsCert, "api-tls-cert", "", "Path to TLS certificate API")
+	serverCmd.Flags().StringVar(&apiTlsKey, "api-tls-key", "", "Path to TLS certificate for API")
 	serverCmd.Flags().StringVarP(&ifname, "interface", "i", "", "interface to listen on, e.g. eth0 (DHCP)")
 	serverCmd.Flags().StringVarP(&manifestPath, "manifests", "m", "", "load manifests from directory")
 
+	viper.BindPFlag("api.TLSCertificatePath", serverCmd.Flags().Lookup("api-tls-cert"))
+	viper.BindPFlag("api.TLSPrivateKeyPath", serverCmd.Flags().Lookup("api-tls-key"))
 	rootCmd.AddCommand(serverCmd)
 }
 
@@ -93,7 +100,7 @@ var serverCmd = &cobra.Command{
 		log.Info().Interface("addr", connHttp.Addr()).Msg("HTTP listening")
 
 		// HTTP API service
-		apiServer, err := api.NewServer(store)
+		apiServer, err := api.NewServer(store, viper.GetString("api.authorization"))
 		if err != nil {
 			log.Fatal().Err(err)
 		}
@@ -104,8 +111,23 @@ var serverCmd = &cobra.Command{
 		if err != nil {
 			log.Fatal().Err(err)
 		}
-		go apiServer.Serve(connApi)
-		log.Info().Interface("api", connApi.Addr()).Msg("HTTP API listening")
+		if viper.GetString("api.TLSCertificatePath") != "" && viper.GetString("api.TLSPrivateKeyPath") != "" {
+			log.Info().Interface("api", connApi.Addr()).Msg("HTTP API listening with TLS...")
+			go func() {
+				err := apiServer.ServeTLS(connApi, viper.GetString("api.TLSCertificatePath"), viper.GetString("api.TLSPrivateKeyPath"))
+				log.Error().Err(err).Msg("Error initializing TLS HTTP API listener!")
+			}()
+		} else {
+			go apiServer.Serve(connApi)
+			log.Info().Interface("api", connApi.Addr()).Msg("HTTP API listening...")
+			go func() {
+				go apiServer.Serve(connApi)
+				log.Error().Err(err).Msg("Error initializing HTTP API listener!")
+			}()
+		}
+		if !viper.IsSet("api.authorization") {
+			log.Warn().Interface("api", connApi.Addr()).Msg("API is running without authentication, set Authorization in config!")
+		}
 
 		// notify systemd
 		sent, err := systemd.SdNotify(true, "READY=1\n")

config/config.go

@@ -1,4 +1,9 @@
 package config
 
 type Config struct {
+	Api struct {
+		Authorization      string
+		TLSPrivateKeyPath  string
+		TLSCertificatePath string
+	}
 }

go.mod

@@ -11,25 +11,18 @@ require (
 	github.com/google/uuid v1.2.0 // indirect
 	github.com/gorilla/mux v1.8.0
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.11 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20210120172423-cc9239ac6294
-	github.com/magiconair/properties v1.8.4 // indirect
-	github.com/mitchellh/copystructure v1.1.1 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
-	github.com/pelletier/go-toml v1.8.1 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/pin/tftp v2.1.0+incompatible
-	github.com/rs/zerolog v1.20.0
-	github.com/spf13/afero v1.5.1 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/rs/zerolog v1.23.0
 	github.com/spf13/cobra v1.1.3
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.7.1
+	github.com/spf13/viper v1.8.1
 	github.com/u-root/u-root v7.0.0+incompatible
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
-	golang.org/x/net v0.0.0-20210220033124-5f55cee0dc0d
-	golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43
-	golang.org/x/text v0.3.5 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 // indirect
+	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
+	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
+	golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb
 	gopkg.in/yaml.v2 v2.4.0
 )