diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c3418dd --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +nftables-http-api diff --git a/README.md b/README.md index a4ed63e..a6fcf7d 100644 --- a/README.md +++ b/README.md @@ -1 +1,19 @@ # RESTful HTTP API for nftables sets + +Early work in progress. + +Configuration contains hashed tokens, which can in the future be used to authorize modifications for a list of nftables sets: + +``` +tokensets: + $2y$05$ZifkrfFg2XZU2ds7Lrcl9usJVyxHro9Ezjo84OMpsBSau4pEu42eS: + - SomeSet +``` + +Generate token hashes using any bcrypt hashing tool, `htpasswd` from the `apache-utils` suite works well: + +``` +$ htpasswd -Bn x +``` + +Ignore the username part. diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..6dfb020 --- /dev/null +++ b/go.mod @@ -0,0 +1,9 @@ +module nftables-http-api + +go 1.22.6 + +require ( + github.com/gorilla/mux v1.8.1 + golang.org/x/crypto v0.26.0 + gopkg.in/yaml.v3 v3.0.1 +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..7866c64 --- /dev/null +++ b/go.sum @@ -0,0 +1,8 @@ +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/nftables-http-api.go b/nftables-http-api.go new file mode 100644 index 0000000..c72e4ef --- /dev/null +++ b/nftables-http-api.go @@ -0,0 +1,107 @@ +/* + * nftables-http-api + * Copyright (C) 2024 Georg Pfuetzenreuter + * + * This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License along with this program. If not, see . + */ + +package main + +import ( + "flag" + "log" + "net/http" + "os" + "github.com/gorilla/mux" + "gopkg.in/yaml.v3" +) + +var config Config +var configFile string +var listen string + +func init() { + flag.StringVar(&configFile, "config", "/etc/nft-set-api.yml", "Path to configuration file") + flag.StringVar(&listen, "listen", "[::1]:8082", "Address and port to listen on") +} + +type Config struct { + TokenSets map[string][]string +} + +type authMiddleWareMap struct { + tokenSets map[string]string +} + +func (authMiddleWare *authMiddleWareMap) Middleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + var givenToken = r.Header.Get("TOKEN") + params := mux.Vars(r) + givenSet := params["set"] + + if givenToken == "" { + doReturn(w, http.StatusUnauthorized, "missing token") + return + } + + for configToken, configSets := range config.TokenSets { + if doCheckToken(givenToken, configToken) { + for _, configSet := range configSets { + if givenSet == configSet { + next.ServeHTTP(w, r) + return + } + } + } + } + + log.Printf("Not processing unauthenticated request from %s", r.RemoteAddr) + + doReturn(w, http.StatusUnauthorized, "invalid token") + + }) +} + +func main() { + flag.Parse() + log.Print("Booting ...") + + buffer, err := os.ReadFile(configFile) + if err != nil { + log.Fatalln("Could not read configuration file:", err) + return + } + + err = yaml.Unmarshal(buffer, &config) + if err != nil { + log.Fatalln("Could not parse configuration file:", err) + return + } + log.Printf("%+v\n", config) + + log.Print("Listening on ", listen) + + router := mux.NewRouter() + router.HandleFunc("/set/{set}", handleSetRoute).Methods("GET") + + authMiddleWare := authMiddleWareMap{make(map[string]string)} + router.Use(authMiddleWare.Middleware) + + http.ListenAndServe(listen, router) +} + +func handleSetRoute(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + params := mux.Vars(r) + method := r.Method + set := params["set"] + log.Printf("Processing authorized %s request from %s for set %s", method, r.RemoteAddr, set) + + if method == "GET" { + doReturn(w, http.StatusOK, "ok") + } +} diff --git a/utils.go b/utils.go new file mode 100644 index 0000000..e4183f1 --- /dev/null +++ b/utils.go @@ -0,0 +1,49 @@ +/* + * This file is part of nftables-http-api. + * Copyright (C) 2024 Georg Pfuetzenreuter + * + * The nftables-http-api program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License along with this program. If not, see . + */ + +package main + +import ( + "encoding/json" + "log" + "net/http" + "golang.org/x/crypto/bcrypt" +) + +type Response struct { + RError string `json:"error,omitempty"` + RResult string `json:"result,omitempty"` +} + +func doReturn(w http.ResponseWriter, status int, text string) { + var response any + if status == http.StatusOK { + response = Response{RResult: text} + } else { + response = Response{RError: text} + } + j, err := json.Marshal(response) + if err != nil { + log.Fatalf("Failed to marshal JSON: %s", err) + } + w.WriteHeader(status) + w.Write(j) +} + +func doCheckToken(token string, hash string) bool { + err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(token)) + if err == nil { + return true + } else { + log.Printf("Token check failed: %s", err) + return false + } +}