The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/5694
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This is a preparation branch for the RBAC branch, makes things a bit more consistent internally and also puts a restriction in place on the internal API so that it may only be called over the UNIX socket or by another cluster member, but not by a random API client.
From 76a004266a4b3d962ae37245f48747edd4f1a978 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 23 Apr 2019 22:43:40 -0400 Subject: [PATCH 1/5] lxd/api: Rename serverResources to api10Resources MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Making things consistent with existing commands. Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/api_1.0.go | 3 +-- lxd/resources.go | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go index 6f194d76f1..d3ea20ecb8 100644 --- a/lxd/api_1.0.go +++ b/lxd/api_1.0.go @@ -33,6 +33,7 @@ var api10 = []Command{ aliasCmd, aliasesCmd, api10Cmd, + api10ResourcesCmd, certificateFingerprintCmd, certificatesCmd, clusterCmd, @@ -71,8 +72,6 @@ var api10 = []Command{ profilesCmd, projectCmd, projectsCmd, - serverResourceCmd, - serverResourceCmd, storagePoolCmd, storagePoolResourcesCmd, storagePoolsCmd, diff --git a/lxd/resources.go b/lxd/resources.go index 5d9916d162..161dbcc91a 100644 --- a/lxd/resources.go +++ b/lxd/resources.go @@ -10,9 +10,9 @@ import ( "github.com/lxc/lxd/shared/api" ) -var serverResourceCmd = Command{ +var api10ResourcesCmd = Command{ name: "resources", - get: serverResourcesGet, + get: api10ResourcesGet, } var storagePoolResourcesCmd = Command{ @@ -22,7 +22,7 @@ var storagePoolResourcesCmd = Command{ // /1.0/resources // Get system resources -func serverResourcesGet(d *Daemon, r *http.Request) Response { +func api10ResourcesGet(d *Daemon, r *http.Request) Response { // If a target was specified, forward the request to the relevant node. response := ForwardedResponseIfTargetIsRemote(d, r) if response != nil { From 0f8bb153682bf63b70a2cf5c63167eaf4e2ba813 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 23 Apr 2019 22:44:14 -0400 Subject: [PATCH 2/5] lxd/api: Sort API commands list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/api_1.0.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go index d3ea20ecb8..0e34ebbb8e 100644 --- a/lxd/api_1.0.go +++ b/lxd/api_1.0.go @@ -76,12 +76,12 @@ var api10 = []Command{ storagePoolResourcesCmd, storagePoolsCmd, storagePoolVolumesCmd, + storagePoolVolumeSnapshotsTypeCmd, + storagePoolVolumeSnapshotTypeCmd, storagePoolVolumesTypeCmd, storagePoolVolumeTypeContainerCmd, storagePoolVolumeTypeCustomCmd, storagePoolVolumeTypeImageCmd, - storagePoolVolumeSnapshotsTypeCmd, - storagePoolVolumeSnapshotTypeCmd, } func api10Get(d *Daemon, r *http.Request) Response { From ca022cbf401dd46fcec9320a99b89ef31fc71b0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 23 Apr 2019 22:45:59 -0400 Subject: [PATCH 3/5] lxd/api: Rename snapshotHandler to containerSnapshotHandler MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/container_snapshot.go | 2 +- lxd/containers.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lxd/container_snapshot.go b/lxd/container_snapshot.go index 0d3fde4f76..bcc77a984b 100644 --- a/lxd/container_snapshot.go +++ b/lxd/container_snapshot.go @@ -170,7 +170,7 @@ func containerSnapshotsPost(d *Daemon, r *http.Request) Response { return OperationResponse(op) } -func snapshotHandler(d *Daemon, r *http.Request) Response { +func containerSnapshotHandler(d *Daemon, r *http.Request) Response { project := projectParam(r) containerName := mux.Vars(r)["name"] snapshotName := mux.Vars(r)["snapshotName"] diff --git a/lxd/containers.go b/lxd/containers.go index 271be1afb7..30aa2b6c63 100644 --- a/lxd/containers.go +++ b/lxd/containers.go @@ -52,10 +52,10 @@ var containerSnapshotsCmd = Command{ var containerSnapshotCmd = Command{ name: "containers/{name}/snapshots/{snapshotName}", - get: snapshotHandler, - post: snapshotHandler, - delete: snapshotHandler, - put: snapshotHandler, + get: containerSnapshotHandler, + post: containerSnapshotHandler, + delete: containerSnapshotHandler, + put: containerSnapshotHandler, } var containerConsoleCmd = Command{ From 573e419cac25c5c96e19d9e02434b9c08a36eb91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 23 Apr 2019 22:49:21 -0400 Subject: [PATCH 4/5] lxd/api: Rename operation functions for consistency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/operations.go | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/lxd/operations.go b/lxd/operations.go index 8737a7aeae..dc096c617c 100644 --- a/lxd/operations.go +++ b/lxd/operations.go @@ -25,24 +25,24 @@ import ( var operationCmd = Command{ name: "operations/{id}", - get: operationAPIGet, - delete: operationAPIDelete, + get: operationGet, + delete: operationDelete, } var operationsCmd = Command{ name: "operations", - get: operationsAPIGet, + get: operationsGet, } var operationWait = Command{ name: "operations/{id}/wait", - get: operationAPIWaitGet, + get: operationWaitGet, } var operationWebsocket = Command{ name: "operations/{id}/websocket", untrustedGet: true, - get: operationAPIWebsocketGet, + get: operationWebsocketGet, } var operationsLock sync.Mutex @@ -472,7 +472,7 @@ func operationCreate(cluster *db.Cluster, project string, opClass operationClass return &op, nil } -func operationGet(id string) (*operation, error) { +func operationGetInternal(id string) (*operation, error) { operationsLock.Lock() op, ok := operations[id] operationsLock.Unlock() @@ -485,13 +485,13 @@ func operationGet(id string) (*operation, error) { } // API functions -func operationAPIGet(d *Daemon, r *http.Request) Response { +func operationGet(d *Daemon, r *http.Request) Response { id := mux.Vars(r)["id"] var body *api.Operation // First check if the query is for a local operation from this node - op, err := operationGet(id) + op, err := operationGetInternal(id) if err == nil { _, body, err = op.Render() if err != nil { @@ -530,11 +530,11 @@ func operationAPIGet(d *Daemon, r *http.Request) Response { return SyncResponse(true, body) } -func operationAPIDelete(d *Daemon, r *http.Request) Response { +func operationDelete(d *Daemon, r *http.Request) Response { id := mux.Vars(r)["id"] // First check if the query is for a local operation from this node - op, err := operationGet(id) + op, err := operationGetInternal(id) if err == nil { _, err = op.Cancel() if err != nil { @@ -573,7 +573,7 @@ func operationAPIDelete(d *Daemon, r *http.Request) Response { return EmptySyncResponse } -func operationsAPIGet(d *Daemon, r *http.Request) Response { +func operationsGet(d *Daemon, r *http.Request) Response { project := projectParam(r) recursion := util.IsRecursionRequest(r) @@ -745,7 +745,7 @@ func operationsAPIGet(d *Daemon, r *http.Request) Response { return SyncResponse(true, md) } -func operationAPIWaitGet(d *Daemon, r *http.Request) Response { +func operationWaitGet(d *Daemon, r *http.Request) Response { id := mux.Vars(r)["id"] timeout, err := shared.AtoiEmptyDefault(r.FormValue("timeout"), -1) @@ -754,7 +754,7 @@ func operationAPIWaitGet(d *Daemon, r *http.Request) Response { } // First check if the query is for a local operation from this node - op, err := operationGet(id) + op, err := operationGetInternal(id) if err == nil { _, err = op.WaitFinal(timeout) if err != nil { @@ -841,11 +841,11 @@ func (r *forwardedOperationWebSocket) String() string { return r.id } -func operationAPIWebsocketGet(d *Daemon, r *http.Request) Response { +func operationWebsocketGet(d *Daemon, r *http.Request) Response { id := mux.Vars(r)["id"] // First check if the query is for a local operation from this node - op, err := operationGet(id) + op, err := operationGetInternal(id) if err == nil { return &operationWebSocket{r, op} } From c44c87aa9c1bcc0c676914338be496d357dc260b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 23 Apr 2019 22:32:09 -0400 Subject: [PATCH 5/5] lxd: Don't allow remote access to internal API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/daemon.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lxd/daemon.go b/lxd/daemon.go index 96a373869d..f15293b033 100644 --- a/lxd/daemon.go +++ b/lxd/daemon.go @@ -308,6 +308,13 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c Command) { restAPI.HandleFunc(uri, func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") + // Reject internal queries to remote, non-cluster, clients + if version == "internal" && (r.RemoteAddr != "@" && !isClusterNotification(r)) { + logger.Warn("Rejecting remote internal API request", log.Ctx{"ip": r.RemoteAddr}) + Forbidden(nil).Render(w) + return + } + // Block public API requests until we're done with basic // initialization tasks, such setting up the cluster database. select {
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel