Basics

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

.gitignore

@@ -0,0 +1 @@
+nftables-http-api

README.md

@@ -1 +1,19 @@
 # RESTful HTTP API for nftables sets
+
+Early work in progress.
+
+Configuration contains hashed tokens, which can in the future be used to authorize modifications for a list of nftables sets:
+
+```
+tokensets:
+  $2y$05$ZifkrfFg2XZU2ds7Lrcl9usJVyxHro9Ezjo84OMpsBSau4pEu42eS:
+    - SomeSet
+```
+
+Generate token hashes using any bcrypt hashing tool, `htpasswd` from the `apache-utils` suite works well:
+
+```
+$ htpasswd -Bn x
+```
+
+Ignore the username part.

go.mod

@@ -0,0 +1,9 @@
+module nftables-http-api
+
+go 1.22.6
+
+require (
+	github.com/gorilla/mux v1.8.1
+	golang.org/x/crypto v0.26.0
+	gopkg.in/yaml.v3 v3.0.1
+)

go.sum

@@ -0,0 +1,8 @@
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

nftables-http-api.go

@@ -0,0 +1,107 @@
+/*
+ * nftables-http-api
+ * Copyright (C) 2024 Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
+ *
+ *  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+ */
+
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"os"
+	"github.com/gorilla/mux"
+	"gopkg.in/yaml.v3"
+)
+
+var config Config
+var configFile string
+var listen string
+
+func init() {
+	flag.StringVar(&configFile, "config", "/etc/nft-set-api.yml", "Path to configuration file")
+	flag.StringVar(&listen, "listen", "[::1]:8082", "Address and port to listen on")
+}
+
+type Config struct {
+	TokenSets map[string][]string
+}
+
+type authMiddleWareMap struct {
+	tokenSets map[string]string
+}
+
+func (authMiddleWare *authMiddleWareMap) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var givenToken = r.Header.Get("TOKEN")
+		params := mux.Vars(r)
+		givenSet := params["set"]
+
+		if givenToken == "" {
+			doReturn(w, http.StatusUnauthorized, "missing token")
+			return
+		}
+
+		for configToken, configSets := range config.TokenSets {
+			if doCheckToken(givenToken, configToken) {
+				for _, configSet := range configSets {
+					if givenSet == configSet {
+						next.ServeHTTP(w, r)
+						return
+					}
+				}
+			}
+		}
+
+		log.Printf("Not processing unauthenticated request from %s", r.RemoteAddr)
+
+		doReturn(w, http.StatusUnauthorized, "invalid token")
+
+	})
+}
+
+func main() {
+	flag.Parse()
+	log.Print("Booting ...")
+
+	buffer, err := os.ReadFile(configFile)
+	if err != nil {
+		log.Fatalln("Could not read configuration file:", err)
+		return
+	}
+
+	err = yaml.Unmarshal(buffer, &config)
+	if err != nil {
+		log.Fatalln("Could not parse configuration file:", err)
+		return
+	}
+	log.Printf("%+v\n", config)
+
+	log.Print("Listening on ", listen)
+
+	router := mux.NewRouter()
+	router.HandleFunc("/set/{set}", handleSetRoute).Methods("GET")
+
+	authMiddleWare := authMiddleWareMap{make(map[string]string)}
+	router.Use(authMiddleWare.Middleware)
+
+	http.ListenAndServe(listen, router)
+}
+
+func handleSetRoute(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	params := mux.Vars(r)
+	method := r.Method
+	set := params["set"]
+	log.Printf("Processing authorized %s request from %s for set %s", method, r.RemoteAddr, set)
+
+	if method == "GET" {
+		doReturn(w, http.StatusOK, "ok")
+	}
+}

utils.go

@@ -0,0 +1,49 @@
+/*
+ * This file is part of nftables-http-api.
+ * Copyright (C) 2024 Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
+ *
+ *  The nftables-http-api program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+ */
+
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type Response struct {
+	RError string `json:"error,omitempty"`
+	RResult string `json:"result,omitempty"`
+}
+
+func doReturn(w http.ResponseWriter, status int, text string) {
+	var response any
+	if status == http.StatusOK {
+		response = Response{RResult: text}
+	} else {
+		response = Response{RError: text}
+	}
+	j, err := json.Marshal(response)
+	if err != nil {
+		log.Fatalf("Failed to marshal JSON: %s", err)
+	}
+	w.WriteHeader(status)
+	w.Write(j)
+}
+
+func doCheckToken(token string, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(token))
+	if err == nil {
+		return true
+	} else {
+		log.Printf("Token check failed: %s", err)
+		return false
+	}
+}