add api-aaa

inverse-inc · Nov 22, 2024 · 5bfdd0d · 5bfdd0d
1 parent d255827
commit 5bfdd0d
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 33 deletions.
diff --git a/conf/caddy-services/api.conf.example b/conf/caddy-services/api.conf.example
@@ -79,6 +79,11 @@
 		reverse_proxy /api/v1/pki/* {$PF_SERVICES_URL_PFPKI} {
 		}
 
+		# netdata forward
+		handle_path /api/v1/monitoring/* {
+			reverse_proxy {$PF_SERVICES_URL_NETDATA}
+		}
+
 		import api.conf.d/*.conf
 
 		# Everything else goes to the Perl API
@@ -92,10 +97,6 @@
 		# doh forward
 		reverse_proxy /dns-query/* {$PF_SERVICES_URL_PFDNS_DOH} {
 		}
-
-		# netdata forward
-		reverse_proxy /monitoring/* {$PF_SERVICES_URL_NETDATA} {
-		}
 	}
 }
 

diff --git a/go/api-frontend/aaa/authentication.go b/go/api-frontend/aaa/authentication.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/inverse-inc/go-utils/log"
 )
@@ -75,6 +76,10 @@ func (tam *TokenAuthenticationMiddleware) BearerRequestIsAuthorized(ctx context.
 }
 
 func (tam *TokenAuthenticationMiddleware) tokenFromRequest(ctx context.Context, r *http.Request) string {
+	authCookie, err := r.Cookie("token")
+	if err == nil {
+		return authCookie.Value
+	}
 	authHeader := r.Header.Get("Authorization")
 	return strings.TrimPrefix(authHeader, "Bearer ")
 }
@@ -83,8 +88,13 @@ func (tam *TokenAuthenticationMiddleware) IsAuthenticated(ctx context.Context, t
 	return tam.tokenBackend.TokenIsValid(token), nil
 }
 
-func (tam *TokenAuthenticationMiddleware) TouchTokenInfo(ctx context.Context, r *http.Request) {
-	tam.tokenBackend.TouchTokenInfo(tam.tokenFromRequest(ctx, r))
+func (tam *TokenAuthenticationMiddleware) TouchTokenInfo(ctx context.Context, w http.ResponseWriter, r *http.Request) {
+	token := tam.tokenFromRequest(ctx, r)
+	tam.tokenBackend.TouchTokenInfo(token)
+
+	expire := time.Now().Add(15 * time.Minute)
+	cookie := http.Cookie{Name: "token", Value: token, Path: "/", Expires: expire, MaxAge: 90000}
+	http.SetCookie(w, &cookie)
 }
 
 func (tam *TokenAuthenticationMiddleware) ExtractUserIdentity(r *http.Request) (string, string, bool) {
@@ -110,3 +120,5 @@ func (tam *TokenAuthenticationMiddleware) ExtractUserIdentity(r *http.Request) (
 
 	return pair[0], pair[1], true
 }
+
+
diff --git a/go/api-frontend/aaa/authorization.go b/go/api-frontend/aaa/authorization.go
@@ -16,7 +16,6 @@ var apiPrefix = "/api/v1"
 var apiPrefixV1_1 = "/api/v1.1"
 var configApiPrefix = apiPrefix + "/config"
 var configNamespaceRe = regexp.MustCompile("^" + regexp.QuoteMeta(configApiPrefix))
-var netdataPrefix = "/monitoring"
 
 type adminRoleMapping struct {
 	prefix     string
@@ -59,6 +58,7 @@ var pathAdminRolesMap = []adminRoleMapping{
 	adminRoleMapping{prefix: apiPrefix + "/services", role: "SERVICES"},
 
 	adminRoleMapping{prefix: apiPrefix + "/reports/", role: "REPORTS"},
+	adminRoleMapping{prefix: apiPrefix + "/monitoring/", role: "SYSTEM"},
 
 	adminRoleMapping{prefix: apiPrefixV1_1 + "/reports", role: "REPORTS"},
 	adminRoleMapping{prefix: apiPrefixV1_1 + "/report/", role: "REPORTS"},
@@ -134,8 +134,6 @@ var pathAdminRolesMap = []adminRoleMapping{
 	adminRoleMapping{prefix: configApiPrefix + "/syslog_forwarders", role: "SYSLOG"},
 	adminRoleMapping{prefix: configApiPrefix + "/event_handler/", role: "PFDETECT"},
 	adminRoleMapping{prefix: configApiPrefix + "/event_handlers", role: "PFDETECT"},
-
-	adminRoleMapping{prefix: netdataPrefix, role: "SYSTEM"},
 }
 
 var methodSuffixMap = map[string]string{
@@ -160,10 +158,12 @@ func NewTokenAuthorizationMiddleware(tb TokenBackend) *TokenAuthorizationMiddlew
 }
 
 func (tam *TokenAuthorizationMiddleware) TokenFromBearerRequest(ctx context.Context, r *http.Request) string {
+	authCookie, err := r.Cookie("token")
+	if err == nil {
+		return authCookie.Value
+	}
 	authHeader := r.Header.Get("Authorization")
-	token := strings.TrimPrefix(authHeader, "Bearer ")
-
-	return token
+	return strings.TrimPrefix(authHeader, "Bearer ")
 }
 
 // Checks whether or not that request is authorized based on the path and method

diff --git a/go/plugin/caddy2/api-aaa/api-aaa.go b/go/plugin/caddy2/api-aaa/api-aaa.go
@@ -229,6 +229,9 @@ func (h ApiAAAHandler) handleLogin(w http.ResponseWriter, r *http.Request, p htt
 	w.Header().Set("Content-Type", "application/json")
 
 	if auth {
+		expire := time.Now().Add(15 * time.Minute)
+		cookie := http.Cookie{Name: "token", Value: token, Path: "/", Expires: expire, MaxAge: 90000}
+		http.SetCookie(w, &cookie)
 		w.WriteHeader(http.StatusOK)
 		res, _ := json.Marshal(map[string]string{
 			"token": token,
@@ -249,7 +252,7 @@ func (h ApiAAAHandler) handleTokenInfo(w http.ResponseWriter, r *http.Request, p
 	defer statsd.NewStatsDTiming(ctx).Send("api-aaa.token_info")
 
 	if r.URL.Query().Get("no-expiration-extension") == "" {
-		h.authentication.TouchTokenInfo(ctx, r)
+		h.authentication.TouchTokenInfo(ctx, w, r)
 	}
 	info, expiration := h.authorization.GetTokenInfoFromBearerRequest(ctx, r)
 
@@ -341,7 +344,7 @@ func (h ApiAAAHandler) HandleAAA(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
 
-	h.authentication.TouchTokenInfo(ctx, r)
+	h.authentication.TouchTokenInfo(ctx, w, r)
 
 	auth, err = h.authorization.BearerRequestIsAuthorized(ctx, r)
 

diff --git a/lib/pf/services/manager/haproxy_admin.pm b/lib/pf/services/manager/haproxy_admin.pm
@@ -91,24 +91,19 @@ sub generateConfig {
         my $mgmt_ip = $tags{'management_ip'};
         my $mgmt_backend_ip_config;
         my $mgmt_backend_ip_api_config;
-        my $netdata_service_uri = URI->new($Config{services_url}{netdata});
-        my $netdata_service_host = $netdata_service_uri->host;
-        my $netdata_service_port = $netdata_service_uri->port;
         my $mgmt_srv_netdata .= <<"EOT";
 
 backend 127.0.0.1-netdata
         option httpclose
         option forwardfor
-        #errorfile 502 /usr/local/pf/html/pfappserver/root/errors/502.json.http
-        #errorfile 503 /usr/local/pf/html/pfappserver/root/errors/503.json.http
         acl paramsquery query -m found
         http-request lua.admin
-        http-request set-header Host $netdata_service_host
-        http-request set-dst-port int($netdata_service_port)
-        server $netdata_service_host $netdata_service_host:$netdata_service_port weight 1 maxconn 100
-        http-request set-uri %[var(req.path)]?%[query] if paramsquery
-        http-request set-uri %[var(req.path)] unless paramsquery
+        http-request set-header Host $api_frontend_service_host
+        http-request set-dst-port int($api_frontend_service_port)
+        http-request set-uri /api/v1/monitoring%[var(req.path)]?%[query] if paramsquery
+        http-request set-uri /api/v1/monitoring%[var(req.path)] unless paramsquery
         http-response add-header X-Frame-Options SAMEORIGIN
+        server $api_frontend_service_host $api_frontend_service_host:$api_frontend_service_port weight 1 maxconn 100 ssl verify none
 EOT
 
         my $mgmt_api_backend;
@@ -126,24 +121,21 @@ EOT
 EOT
             $check = 'backup';
 
-            if ($mgmt_back_ip ne $netdata_service_host) {
-                $mgmt_srv_netdata .= <<"EOT";
+            $mgmt_srv_netdata .= <<"EOT";
 
 backend $mgmt_back_ip-netdata
         option httpclose
         option forwardfor
-        #errorfile 502 /usr/local/pf/html/pfappserver/root/errors/502.json.http
-        #errorfile 503 /usr/local/pf/html/pfappserver/root/errors/503.json.http
         acl paramsquery query -m found
         http-request lua.admin
         http-request set-header Host $mgmt_back_ip
         http-request set-dst-port int(19999)
-        server $mgmt_back_ip $mgmt_back_ip:19999 weight 1 maxconn 100
-        http-request set-uri %[var(req.path)]?%[query] if paramsquery
-        http-request set-uri %[var(req.path)] unless paramsquery
+        http-request set-uri /api/v1/monitoring%[var(req.path)]?%[query] if paramsquery
+        http-request set-uri /api/v1/monitoring%[var(req.path)] unless paramsquery
         http-response add-header X-Frame-Options SAMEORIGIN
+        server $mgmt_back_ip $mgmt_back_ip:19999 weight 1 maxconn 100 ssl verify none
 EOT
-            }
+
             $mgmt_api_backend .= <<"EOT";
 
 backend $mgmt_back_ip-api

diff --git a/lib/pf/services/manager/roles/env_golang_service.pm b/lib/pf/services/manager/roles/env_golang_service.pm
@@ -38,9 +38,10 @@ before generateConfig => sub {
            PF_SERVICES_URL_PFSSO => $Config{services_url}{pfsso},
            PF_SERVICES_URL_PFLDAPEXPLORER => $Config{services_url}{pfldapexplorer},
            PF_SERVICES_URL_PFCONNECTOR_SERVER => $Config{services_url}{'pfconnector-server'},
+           PF_SERVICES_URL_NETDATA =>  $Config{services_url}{netdata},
            STATSD_ADDRESS => $Config{advanced}{statsd_listen_host}.":".$Config{advanced}{statsd_listen_port},
            PFCONNECTOR_SERVER_DYN_REVERSE_HOST => $management_network ? $management_network->{Tip} : '',
-       }, 
+       },
     };
     $tt->process("/usr/local/pf/containers/environment.template", $vars, "/usr/local/pf/var/conf/".$self->name.".env") or die $tt->error();
 };