Merge pull request #751 from safing/feature/my-profile-endpoint
Add endpoint to retrieve the current profile ID
This commit is contained in:
182
core/api.go
182
core/api.go
@@ -1,14 +1,22 @@
|
||||
package core
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/safing/portbase/api"
|
||||
"github.com/safing/portbase/config"
|
||||
"github.com/safing/portbase/log"
|
||||
"github.com/safing/portbase/modules"
|
||||
"github.com/safing/portbase/notifications"
|
||||
"github.com/safing/portbase/rng"
|
||||
"github.com/safing/portbase/utils/debug"
|
||||
"github.com/safing/portmaster/compat"
|
||||
"github.com/safing/portmaster/process"
|
||||
"github.com/safing/portmaster/resolver"
|
||||
"github.com/safing/portmaster/status"
|
||||
"github.com/safing/portmaster/updates"
|
||||
@@ -55,6 +63,48 @@ func registerAPIEndpoints() error {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := api.RegisterEndpoint(api.Endpoint{
|
||||
Path: "app/auth",
|
||||
Read: api.PermitAnyone,
|
||||
BelongsTo: module,
|
||||
StructFunc: authorizeApp,
|
||||
Name: "Request an authentication token with a given set of permissions. The user will be prompted to either authorize or deny the request. Used for external or third-party tool integrations.",
|
||||
Parameters: []api.Parameter{
|
||||
{
|
||||
Method: http.MethodGet,
|
||||
Field: "app-name",
|
||||
Description: "The name of the application requesting access",
|
||||
},
|
||||
{
|
||||
Method: http.MethodGet,
|
||||
Field: "read",
|
||||
Description: "The requested read permission",
|
||||
},
|
||||
{
|
||||
Method: http.MethodGet,
|
||||
Field: "write",
|
||||
Description: "The requested write permission",
|
||||
},
|
||||
{
|
||||
Method: http.MethodGet,
|
||||
Field: "ttl",
|
||||
Description: "The time-to-live for the new access token. Defaults to 24h",
|
||||
},
|
||||
},
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := api.RegisterEndpoint(api.Endpoint{
|
||||
Path: "app/profile",
|
||||
Read: api.PermitUser,
|
||||
BelongsTo: module,
|
||||
StructFunc: getMyProfile,
|
||||
Name: "Get the ID of the calling profile",
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -99,3 +149,135 @@ func debugInfo(ar *api.Request) (data []byte, err error) {
|
||||
// Return data.
|
||||
return di.Bytes(), nil
|
||||
}
|
||||
|
||||
// getSavePermission returns the requested api.Permission from p.
|
||||
// It only allows "user" and "admin" as external processes should
|
||||
// never be able to request "self".
|
||||
func getSavePermission(p string) api.Permission {
|
||||
switch p {
|
||||
case "user":
|
||||
return api.PermitUser
|
||||
case "admin":
|
||||
return api.PermitAdmin
|
||||
default:
|
||||
return api.NotSupported
|
||||
}
|
||||
}
|
||||
|
||||
func getMyProfile(ar *api.Request) (interface{}, error) {
|
||||
proc, err := process.GetProcessByRequestOrigin(ar)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
localProfile := proc.Profile().LocalProfile()
|
||||
|
||||
return map[string]interface{}{
|
||||
"profile": localProfile.ID,
|
||||
"source": localProfile.Source,
|
||||
"name": localProfile.Name,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func authorizeApp(ar *api.Request) (interface{}, error) {
|
||||
appName := ar.Request.URL.Query().Get("app-name")
|
||||
readPermStr := ar.Request.URL.Query().Get("read")
|
||||
writePermStr := ar.Request.URL.Query().Get("write")
|
||||
|
||||
ttl := time.Hour * 24
|
||||
if ttlStr := ar.Request.URL.Query().Get("ttl"); ttlStr != "" {
|
||||
var err error
|
||||
ttl, err = time.ParseDuration(ttlStr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// convert the requested read and write permissions to their api.Permission
|
||||
// value. This ensures only "user" or "admin" permissions can be requested.
|
||||
if getSavePermission(readPermStr) <= api.NotSupported {
|
||||
return nil, fmt.Errorf("invalid read permission")
|
||||
}
|
||||
if getSavePermission(writePermStr) <= api.NotSupported {
|
||||
return nil, fmt.Errorf("invalid read permission")
|
||||
}
|
||||
|
||||
proc, err := process.GetProcessByRequestOrigin(ar)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to identify requesting process: %w", err)
|
||||
}
|
||||
|
||||
n := notifications.Notification{
|
||||
Type: notifications.Prompt,
|
||||
EventID: "core:authorize-app-" + time.Now().String(),
|
||||
Title: "An app requests access to the Portmaster",
|
||||
Message: "Allow " + appName + " (" + proc.Profile().LocalProfile().Name + ") to query and modify the Portmaster?\n\nBinary: " + proc.Path,
|
||||
ShowOnSystem: true,
|
||||
Expires: time.Now().Add(time.Minute).UnixNano(),
|
||||
AvailableActions: []*notifications.Action{
|
||||
{
|
||||
ID: "allow",
|
||||
Text: "Authorize",
|
||||
},
|
||||
{
|
||||
ID: "deny",
|
||||
Text: "Deny",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
ch := make(chan string)
|
||||
|
||||
validUntil := time.Now().Add(ttl)
|
||||
|
||||
n.SetActionFunction(func(ctx context.Context, n *notifications.Notification) error {
|
||||
n.Lock()
|
||||
defer n.Unlock()
|
||||
|
||||
if n.SelectedActionID != "allow" {
|
||||
close(ch)
|
||||
return nil
|
||||
}
|
||||
|
||||
keys := config.Concurrent.GetAsStringArray(api.CfgAPIKeys, []string{})()
|
||||
|
||||
newKeyData, err := rng.Bytes(8)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
newKeyHex := hex.EncodeToString(newKeyData)
|
||||
|
||||
query := url.Values{
|
||||
"read": []string{readPermStr},
|
||||
"write": []string{writePermStr},
|
||||
"expires": []string{validUntil.Format(time.RFC3339)},
|
||||
}
|
||||
|
||||
keys = append(keys, fmt.Sprintf("%s?%s", newKeyHex, query.Encode()))
|
||||
|
||||
if err := config.SetConfigOption(api.CfgAPIKeys, keys); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
ch <- newKeyHex
|
||||
|
||||
return nil
|
||||
})
|
||||
|
||||
n.Save()
|
||||
|
||||
select {
|
||||
case key := <-ch:
|
||||
if len(key) == 0 {
|
||||
return nil, fmt.Errorf("access denied")
|
||||
}
|
||||
|
||||
return map[string]interface{}{
|
||||
"key": key,
|
||||
"validUntil": validUntil,
|
||||
}, nil
|
||||
case <-ar.Context().Done():
|
||||
return nil, fmt.Errorf("timeout")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,10 +1,14 @@
|
||||
package netutils
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
var errInvalidIP = errors.New("invalid IP address")
|
||||
|
||||
// IPFromAddr extracts or parses the IP address contained in the given address.
|
||||
func IPFromAddr(addr net.Addr) (net.IP, error) {
|
||||
// Convert addr to IP if needed.
|
||||
@@ -28,3 +32,23 @@ func IPFromAddr(addr net.Addr) (net.IP, error) {
|
||||
return ip, nil
|
||||
}
|
||||
}
|
||||
|
||||
// ParseHostPort parses a <ip>:port formatted address.
|
||||
func ParseHostPort(address string) (net.IP, uint16, error) {
|
||||
ipString, portString, err := net.SplitHostPort(address)
|
||||
if err != nil {
|
||||
return nil, 0, err
|
||||
}
|
||||
|
||||
ip := net.ParseIP(ipString)
|
||||
if ip == nil {
|
||||
return nil, 0, errInvalidIP
|
||||
}
|
||||
|
||||
port, err := strconv.ParseUint(portString, 10, 16)
|
||||
if err != nil {
|
||||
return nil, 0, err
|
||||
}
|
||||
|
||||
return ip, uint16(port), nil
|
||||
}
|
||||
|
||||
@@ -6,7 +6,9 @@ import (
|
||||
"net"
|
||||
"time"
|
||||
|
||||
"github.com/safing/portbase/api"
|
||||
"github.com/safing/portbase/log"
|
||||
"github.com/safing/portmaster/network/netutils"
|
||||
"github.com/safing/portmaster/network/packet"
|
||||
"github.com/safing/portmaster/network/state"
|
||||
"github.com/safing/portmaster/profile"
|
||||
@@ -94,3 +96,27 @@ func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err
|
||||
|
||||
return networkHost, nil
|
||||
}
|
||||
|
||||
// GetProcessByRequestOrigin returns the process that initiated the API request ar.
|
||||
func GetProcessByRequestOrigin(ar *api.Request) (*Process, error) {
|
||||
// get remote IP/Port
|
||||
remoteIP, remotePort, err := netutils.ParseHostPort(ar.RemoteAddr)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get remote IP/Port: %w", err)
|
||||
}
|
||||
|
||||
pkt := &packet.Info{
|
||||
Inbound: false, // outbound as we are looking for the process of the source address
|
||||
Version: packet.IPv4,
|
||||
Protocol: packet.TCP,
|
||||
Src: remoteIP, // source as in the process we are looking for
|
||||
SrcPort: remotePort, // source as in the process we are looking for
|
||||
}
|
||||
|
||||
proc, _, err := GetProcessByConnection(ar.Context(), pkt)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return proc, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user