satellite/admin: verify proxy host

This change adds an authentication step to check if requests to the
back-office API are through a verified host, e.g.: Oauth2 proxy.

Change-Id: Iaec4746939578049b9d038001d2d69067bcafea6

Author: wilfred-asomanii

satellite/admin.go

@@ -296,6 +296,7 @@ func NewAdmin(log *zap.Logger, full *identity.FullIdentity, db DB, metabaseDB *m
 			return nil, err
 		}
 
+		config.Admin.BackOffice.AllowedOauthHost = config.Admin.AllowedOauthHost
 		peer.Admin.Service = backoffice.NewService(
 			log.Named("back-office:service"),
 			peer.DB.Console(),

satellite/admin/back-office/authorization.go

@@ -102,7 +102,8 @@ type Authorizer struct {
 	log         *zap.Logger
 	groupsRoles map[string]Authorization
 
-	enabled bool
+	enabled     bool
+	allowedHost string
 }
 
 // NewAuthorizer creates an Authorizer with the list of groups that are assigned to each different
@@ -139,6 +140,7 @@ func NewAuthorizer(
 		log:         log.Named("authorizer"),
 		groupsRoles: groupsRoles,
 		enabled:     !config.BypassAuth,
+		allowedHost: config.AllowedOauthHost,
 	}
 }
 
@@ -196,3 +198,15 @@ func (auth *Authorizer) IsRejected(w http.ResponseWriter, r *http.Request, perms
 	api.ServeError(auth.log, w, http.StatusUnauthorized, err)
 	return true
 }
+
+// VerifyHost checks that the provided host is allowed to host the back office.
+func (auth *Authorizer) VerifyHost(r *http.Request) error {
+	if !auth.enabled {
+		return nil
+	}
+
+	if r.Host != auth.allowedHost {
+		return Error.New("forbidden host: %s", r.Host)
+	}
+	return nil
+}

satellite/admin/back-office/gen/main.go

@@ -152,7 +152,12 @@ type authMiddleware struct {
 }
 
 func (a authMiddleware) Generate(_ *apigen.API, _ *apigen.EndpointGroup, ep *apigen.FullEndpoint) string {
-	format := ""
+	format := `
+		if err = h.auth.VerifyHost(r); err != nil {
+			api.ServeError(h.log, w, http.StatusForbidden, err)
+			return
+		}
+	`
 	if apigen.LoadSetting(passAuthParamKey, ep, false) {
 		format += `
 			authInfo := h.auth.GetAuthInfo(r)

satellite/admin/back-office/handlers.gen.go

@@ -139,6 +139,11 @@ func (h *SettingsHandler) handleGetSettings(w http.ResponseWriter, r *http.Reque
 
 	w.Header().Set("Content-Type", "application/json")
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	authInfo := h.auth.GetAuthInfo(r)
 	if authInfo == nil || len(authInfo.Groups) == 0 {
 		api.ServeError(h.log, w, http.StatusUnauthorized, errs.New("Unauthorized"))
@@ -183,6 +188,11 @@ func (h *UserManagementHandler) handleGetFreezeEventTypes(w http.ResponseWriter,
 
 	w.Header().Set("Content-Type", "application/json")
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	retVal, httpErr := h.service.GetFreezeEventTypes(ctx)
 	if httpErr.Err != nil {
 		api.ServeError(h.log, w, httpErr.Status, httpErr.Err)
@@ -208,6 +218,11 @@ func (h *UserManagementHandler) handleGetUserByEmail(w http.ResponseWriter, r *h
 		return
 	}
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	if h.auth.IsRejected(w, r, 1) {
 		return
 	}
@@ -249,6 +264,11 @@ func (h *UserManagementHandler) handleFreezeUser(w http.ResponseWriter, r *http.
 		return
 	}
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	if h.auth.IsRejected(w, r, 128) {
 		return
 	}
@@ -278,6 +298,11 @@ func (h *UserManagementHandler) handleUnfreezeUser(w http.ResponseWriter, r *htt
 		return
 	}
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	if h.auth.IsRejected(w, r, 256) {
 		return
 	}
@@ -307,6 +332,11 @@ func (h *ProjectManagementHandler) handleGetProject(w http.ResponseWriter, r *ht
 		return
 	}
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	if h.auth.IsRejected(w, r, 8192) {
 		return
 	}
@@ -348,6 +378,11 @@ func (h *ProjectManagementHandler) handleUpdateProjectLimits(w http.ResponseWrit
 		return
 	}
 
+	if err = h.auth.VerifyHost(r); err != nil {
+		api.ServeError(h.log, w, http.StatusForbidden, err)
+		return
+	}
+
 	if h.auth.IsRejected(w, r, 16384) {
 		return
 	}

satellite/admin/back-office/server.go

@@ -38,6 +38,8 @@ type Config struct {
 	StaticDir string `help:"an alternate directory path which contains the static assets for the satellite administration web app. When empty, it uses the embedded assets" releaseDefault:"" devDefault:""`
 
 	BypassAuth bool `help:"ignore authentication for local development" default:"false" hidden:"true"`
+	// hidden for now because it is provided by the legacy admin server.
+	AllowedOauthHost string `help:"the oauth host allowed to host the backoffice." default:"" hidden:"true"`
 
 	UserGroupsRoleAdmin           []string `help:"the list of groups whose users has the administration role"   releaseDefault:"" devDefault:""`
 	UserGroupsRoleViewer          []string `help:"the list of groups whose users has the viewer role"           releaseDefault:"" devDefault:""`

satellite/admin/back-office/service.go

@@ -61,3 +61,8 @@ func NewService(
 func (s *Service) TestSetBypassAuth(bypass bool) {
 	s.authorizer.enabled = !bypass
 }
+
+// TestSetAllowedHost sets the allowed host for oauth. This is only for testing purposes.
+func (s *Service) TestSetAllowedHost(host string) {
+	s.authorizer.allowedHost = host
+}

satellite/admin/back-office/settings_test.go

@@ -98,6 +98,7 @@ func TestGetSettings(t *testing.T) {
 		sat := planet.Satellites[0]
 		address := sat.Admin.Admin.Listener.Addr()
 		settingsUrl := "http://" + address.String() + "/back-office/api/v1/settings/"
+		sat.Admin.Admin.Service.TestSetAllowedHost(address.String())
 
 		for _, tc := range testCases {
 			t.Run(tc.Name, func(t *testing.T) {

satellite/admin/server_test.go

@@ -278,6 +278,38 @@ func TestWithOAuth(t *testing.T) {
 
 			require.Equal(t, http.StatusOK, response.StatusCode)
 		})
+
+		// Test back-office API access through Oauth.
+		t.Run("BackOfficeThroughOauth", func(t *testing.T) {
+			t.Run("AllowedHost", func(t *testing.T) {
+				sat.Admin.Admin.Service.TestSetAllowedHost(address)
+				req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/back-office/api/v1/settings/", nil)
+				require.NoError(t, err)
+				req.Header.Set("X-Forwarded-Groups", "LimitUpdate")
+
+				response, err := http.DefaultClient.Do(req)
+				require.NoError(t, err)
+				require.NoError(t, response.Body.Close())
+
+				require.Equal(t, http.StatusOK, response.StatusCode)
+			})
+
+			t.Run("NotAllowedHost", func(t *testing.T) {
+				sat.Admin.Admin.Service.TestSetAllowedHost("some-other-host")
+				req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/back-office/api/v1/settings/", nil)
+				require.NoError(t, err)
+				req.Header.Set("X-Forwarded-Groups", "LimitUpdate")
+
+				response, err := http.DefaultClient.Do(req)
+				require.NoError(t, err)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, response.Body.Close())
+				require.NoError(t, err)
+
+				require.Equal(t, http.StatusForbidden, response.StatusCode)
+				require.Contains(t, string(body), "forbidden host")
+			})
+		})
 	})
 }