add security policies for public access to API

matth-x · matth-x · commit 664585ff9998 · 2024-10-08T19:20:30.000Z
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -98,7 +98,7 @@ else()
         mbedx509
     )
     target_compile_definitions(mo_simulator PUBLIC
-        MG_ENABLE_MBEDTLS=1
+        MG_TLS=MG_TLS_MBED
     )
 
 endif()
diff --git a/src/main.cpp b/src/main.cpp
@@ -9,6 +9,7 @@
 
 #include <MicroOcpp.h>
 #include <MicroOcpp/Core/Context.h>
+#include <MicroOcpp/Core/FilesystemUtils.h>
 #include "evse.h"
 #include "api.h"
 
@@ -128,6 +129,10 @@ void app_loop() {
 
 #if MO_NETLIB == MO_NETLIB_MONGOOSE
 
+#ifndef MO_SIM_ENDPOINT_URL
+#define MO_SIM_ENDPOINT_URL "http://0.0.0.0:8000" //URL to forward to mg_http_listen(). Will be ignored if the URL field exists in api.jsn
+#endif
+
 int main() {
 
 #if MBEDTLS_PLATFORM_MEMORY
@@ -143,12 +148,20 @@ int main() {
     mg_log_set(MG_LL_INFO);                            
     mg_mgr_init(&mgr);
 
-    mg_http_listen(&mgr, "0.0.0.0:8000", http_serve, NULL);     // Create listening connection
-
     auto filesystem = MicroOcpp::makeDefaultFilesystemAdapter(MicroOcpp::FilesystemOpt::Use_Mount_FormatOnFail);
 
     load_ocpp_version(filesystem);
 
+    auto api_settings_doc = MicroOcpp::FilesystemUtils::loadJson(filesystem, MO_FILENAME_PREFIX "api.jsn", "Simulator");
+    if (!api_settings_doc) {
+        api_settings_doc = MicroOcpp::makeJsonDoc("Simulator", 0);
+    }
+    JsonObject api_settings = api_settings_doc->as<JsonObject>();
+
+    const char *api_url = api_settings["url"] | MO_SIM_ENDPOINT_URL;
+
+    mg_http_listen(&mgr, api_url, http_serve, (void*)api_url);     // Create listening connection
+
     osock = new MicroOcpp::MOcppMongooseClient(&mgr,
         "ws://echo.websocket.events",
         "charger-01",
@@ -160,7 +173,7 @@ int main() {
             MicroOcpp::ProtocolVersion{1,6}
         );
 
-    server_initialize(osock);
+    server_initialize(osock, api_settings["cert"] | "", api_settings["key"] | "", api_settings["user"] | "", api_settings["pass"] | "");
     app_setup(*osock, filesystem);
 
     setOnResetExecute([] (bool isHard) {
diff --git a/src/net_mongoose.cpp b/src/net_mongoose.cpp
@@ -16,22 +16,49 @@
 #define CORS_HEADERS "Access-Control-Allow-Origin: *\r\nAccess-Control-Allow-Headers:Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers\r\nAccess-Control-Allow-Methods: GET,HEAD,OPTIONS,POST,PUT\r\n"
 
 MicroOcpp::MOcppMongooseClient *ao_sock = nullptr;
+const char *api_cert = "";
+const char *api_key = "";
+const char *api_user = "";
+const char *api_pass = "";
 
-void server_initialize(MicroOcpp::MOcppMongooseClient *osock) {
-  ao_sock = osock;
+void server_initialize(MicroOcpp::MOcppMongooseClient *osock, const char *cert, const char *key, const char *user, const char *pass) {
+    ao_sock = osock;
+    api_cert = cert;
+    api_key = key;
+    api_user = user;
+    api_pass = pass;
 }
 
-char* toStringPtr(std::string cppString){
-  char *cstr = new char[cppString.length() + 1];
-  strcpy(cstr, cppString.c_str());
-  return cstr;
+bool api_check_basic_auth(const char *user, const char *pass) {
+    if (strcmp(api_user, user)) {
+        return false;
+    }
+    if (strcmp(api_pass, pass)) {
+        return false;
+    }
+    return true;
 }
 
 void http_serve(struct mg_connection *c, int ev, void *ev_data) {
-    if (ev == MG_EV_HTTP_MSG) {
+    if (ev == MG_EV_ACCEPT) {
+        if (mg_url_is_ssl((const char*)c->fn_data)) {  // TLS listener!
+            struct mg_tls_opts opts = {0};
+            opts.cert = mg_str(api_cert);
+            opts.key = mg_str(api_key);
+            mg_tls_init(c, &opts);
+        }
+    } else if (ev == MG_EV_HTTP_MSG) {
         //struct mg_http_message *message_data = (struct mg_http_message *) ev_data;
         struct mg_http_message *message_data = reinterpret_cast<struct mg_http_message *>(ev_data);
         const char *final_headers = DEFAULT_HEADER CORS_HEADERS;
+
+        char user[64], pass[64];
+        mg_http_creds(message_data, user, sizeof(user), pass, sizeof(pass));
+        if (!api_check_basic_auth(user, pass)) {
+            mg_http_reply(c, 403, final_headers, "Not Authorised\n");
+            return;
+        }
+
         struct mg_str json = message_data->body;
 
         MO_DBG_VERBOSE("%.*s", 20, message_data->uri.buf);
diff --git a/src/net_mongoose.h b/src/net_mongoose.h
@@ -13,7 +13,7 @@ namespace MicroOcpp {
 class MOcppMongooseClient;
 }
 
-void server_initialize(MicroOcpp::MOcppMongooseClient *osock);
+void server_initialize(MicroOcpp::MOcppMongooseClient *osock, const char *cert = "", const char *key = "", const char *user = "", const char *pass = "");
 
 void http_serve(struct mg_connection *c, int ev, void *ev_data);
 

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ else()`
`98`	`98`	`mbedx509`
`99`	`99`	`)`
`100`	`100`	`target_compile_definitions(mo_simulator PUBLIC`
`101`		`- MG_ENABLE_MBEDTLS=1`
	`101`	`+ MG_TLS=MG_TLS_MBED`
`102`	`102`	`)`
`103`	`103`
`104`	`104`	`endif()`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ namespace MicroOcpp {`
`13`	`13`	`class MOcppMongooseClient;`
`14`	`14`	`}`
`15`	`15`
`16`		`-void server_initialize(MicroOcpp::MOcppMongooseClient *osock);`
	`16`	`+void server_initialize(MicroOcpp::MOcppMongooseClient osock, const char cert = "", const char key = "", const char user = "", const char *pass = "");`
`17`	`17`
`18`	`18`	`void http_serve(struct mg_connection c, int ev, void ev_data);`
`19`	`19`