This repository has been archived by the owner on Mar 29, 2024. It is now read-only.

Permit user-level localhost API access
dhaavi committed Jan 19, 2022
1 parent 6bd393d commit 4803bfa
Showing 1 changed file with 33 additions and 0 deletions.
33 changes: 33 additions & 0 deletions captain/module.go
Expand Up @@ -2,12 +2,16 @@ package captain

import (
"fmt"
"net"
"net/http"
"time"

"github.com/safing/portbase/api"
"github.com/safing/portbase/config"
"github.com/safing/portbase/modules"
"github.com/safing/portbase/modules/subsystems"
"github.com/safing/portbase/rng"
"github.com/safing/portmaster/network/netutils"
"github.com/safing/spn/conf"
"github.com/safing/spn/crew"
"github.com/safing/spn/ships"
Expand Down Expand Up @@ -52,6 +56,13 @@ func prep() error {
return err
}

if conf.PublicHub() {
// Register API authenticator.
if err := api.SetAuthenticator(apiAuthenticator); err != nil {
return err
}
}

return prepConfig()
}

Expand Down Expand Up @@ -124,3 +135,25 @@ func stop() error {

return nil
}

// apiAuthenticator grants User permissions for local API requests.
func apiAuthenticator(r *http.Request, s *http.Server) (*api.AuthToken, error) {
// Get remote IP.
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
return nil, fmt.Errorf("failed to split host/port: %w", err)
}
remoteIP := net.ParseIP(host)
if remoteIP == nil {
return nil, fmt.Errorf("failed to parse remote address %s", host)
}

if !netutils.GetIPScope(remoteIP).IsLocalhost() {
return nil, api.ErrAPIAccessDeniedMessage
}

return &api.AuthToken{
Read: api.PermitUser,
Write: api.PermitUser,
}, nil
}
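Review bot: apiAuthenticator decides trust purely from `r.RemoteAddr` being a loopback address, so on a public hub every local process, and every request relayed by a reverse proxy or port forward that connects from localhost, receives `api.PermitUser` for both read and write without presenting any credential. If the hub API is ever fronted by a local proxy, this becomes unauthenticated remote user-level access, and the current doc comment does not warn about that. I would state the assumption on the function, e.g. `// The API listener must only be reachable directly: requests relayed via a local proxy or tunnel appear as localhost and are granted User permissions.`, and consider denying requests that carry a forwarding header, e.g. `if r.Header.Get("X-Forwarded-For") != "" { return nil, api.ErrAPIAccessDeniedMessage }`. Whether portbase applies further listener or origin restrictions is not visible in this diff, so that should be confirmed before relying on the loopback check alone.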
