Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
Georg Pfuetzenreuter 2024-08-30 05:13:05 +02:00
parent 27d54bf3ff
commit b8ca3cec9f
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57
6 changed files with 192 additions and 0 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
nftables-http-api

View File

@ -1 +1,19 @@
# RESTful HTTP API for nftables sets
Early work in progress.
Configuration contains hashed tokens, which can in the future be used to authorize modifications for a list of nftables sets:
```
tokensets:
$2y$05$ZifkrfFg2XZU2ds7Lrcl9usJVyxHro9Ezjo84OMpsBSau4pEu42eS:
- SomeSet
```
Generate token hashes using any bcrypt hashing tool, `htpasswd` from the `apache-utils` suite works well:
```
$ htpasswd -Bn x
```
Ignore the username part.

9
go.mod Normal file
View File

@ -0,0 +1,9 @@
module nftables-http-api
go 1.22.6
require (
github.com/gorilla/mux v1.8.1
golang.org/x/crypto v0.26.0
gopkg.in/yaml.v3 v3.0.1
)

8
go.sum Normal file
View File

@ -0,0 +1,8 @@
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

107
nftables-http-api.go Normal file
View File

@ -0,0 +1,107 @@
/*
* nftables-http-api
* Copyright (C) 2024 Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
*
* This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package main
import (
"flag"
"log"
"net/http"
"os"
"github.com/gorilla/mux"
"gopkg.in/yaml.v3"
)
var config Config
var configFile string
var listen string
func init() {
flag.StringVar(&configFile, "config", "/etc/nft-set-api.yml", "Path to configuration file")
flag.StringVar(&listen, "listen", "[::1]:8082", "Address and port to listen on")
}
type Config struct {
TokenSets map[string][]string
}
type authMiddleWareMap struct {
tokenSets map[string]string
}
func (authMiddleWare *authMiddleWareMap) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var givenToken = r.Header.Get("TOKEN")
params := mux.Vars(r)
givenSet := params["set"]
if givenToken == "" {
doReturn(w, http.StatusUnauthorized, "missing token")
return
}
for configToken, configSets := range config.TokenSets {
if doCheckToken(givenToken, configToken) {
for _, configSet := range configSets {
if givenSet == configSet {
next.ServeHTTP(w, r)
return
}
}
}
}
log.Printf("Not processing unauthenticated request from %s", r.RemoteAddr)
doReturn(w, http.StatusUnauthorized, "invalid token")
})
}
func main() {
flag.Parse()
log.Print("Booting ...")
buffer, err := os.ReadFile(configFile)
if err != nil {
log.Fatalln("Could not read configuration file:", err)
return
}
err = yaml.Unmarshal(buffer, &config)
if err != nil {
log.Fatalln("Could not parse configuration file:", err)
return
}
log.Printf("%+v\n", config)
log.Print("Listening on ", listen)
router := mux.NewRouter()
router.HandleFunc("/set/{set}", handleSetRoute).Methods("GET")
authMiddleWare := authMiddleWareMap{make(map[string]string)}
router.Use(authMiddleWare.Middleware)
http.ListenAndServe(listen, router)
}
func handleSetRoute(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
params := mux.Vars(r)
method := r.Method
set := params["set"]
log.Printf("Processing authorized %s request from %s for set %s", method, r.RemoteAddr, set)
if method == "GET" {
doReturn(w, http.StatusOK, "ok")
}
}

49
utils.go Normal file
View File

@ -0,0 +1,49 @@
/*
* This file is part of nftables-http-api.
* Copyright (C) 2024 Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
*
* The nftables-http-api program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package main
import (
"encoding/json"
"log"
"net/http"
"golang.org/x/crypto/bcrypt"
)
type Response struct {
RError string `json:"error,omitempty"`
RResult string `json:"result,omitempty"`
}
func doReturn(w http.ResponseWriter, status int, text string) {
var response any
if status == http.StatusOK {
response = Response{RResult: text}
} else {
response = Response{RError: text}
}
j, err := json.Marshal(response)
if err != nil {
log.Fatalf("Failed to marshal JSON: %s", err)
}
w.WriteHeader(status)
w.Write(j)
}
func doCheckToken(token string, hash string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(token))
if err == nil {
return true
} else {
log.Printf("Token check failed: %s", err)
return false
}
}