Require JWTs for write/delete operations on the "unsecured" route

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Changed
+
+- A JWKS URL is now required for operation, and will be used to validate write requests on the unsecured route.
+
 ## [0.1.1] - 2024-07-19
 
 ### Added

Dockerfile

@@ -19,13 +19,13 @@ COPY cloud-init-server /usr/local/bin/
 ENV TOKEN_URL="http://opaal:3333/token"
 ENV SMD_URL="http://smd:27779"
 ENV LISTEN_ADDR="0.0.0.0:27777"
-ENV JWKS_URL=""
+ENV JWKS_URL="http://opaal:3333/keys"
 
 # nobody 65534:65534
 USER 65534:65534
 
 # Set up the command to start the service.
-CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --token-url ${TOKEN_URL} --jwks-url ${JWKS_URL:-""}
+CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --token-url ${TOKEN_URL} --jwks-url ${JWKS_URL}
 
 
 ENTRYPOINT ["/sbin/tini", "--"]

cmd/cloud-init-server/main.go

@@ -24,7 +24,7 @@ var (
 	ciEndpoint    = ":27777"
 	tokenEndpoint = "http://opaal:3333/token" // jwt for smd access obtained from here
 	smdEndpoint   = "http://smd:27779"
-	jwksUrl       = "" // jwt keyserver URL for secure-route token validation
+	jwksUrl       = "http://opaal:3333/keys" // jwt keyserver URL for secure-route token validation
 	insecure      = false
 	accessToken   = ""
 	certPath      = ""
@@ -36,7 +36,7 @@ func main() {
 	flag.StringVar(&ciEndpoint, "listen", ciEndpoint, "Server IP and port for cloud-init-server to listen on")
 	flag.StringVar(&tokenEndpoint, "token-url", tokenEndpoint, "OIDC server URL (endpoint) to fetch new tokens from (for SMD access)")
 	flag.StringVar(&smdEndpoint, "smd-url", smdEndpoint, "Server host and port only for running SMD (do not include /hsm/v2)")
-	flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, required to enable secure route")
+	flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, for JWT validation")
 	flag.StringVar(&accessToken, "access-token", accessToken, "encoded JWT access token")
 	flag.StringVar(&clusterName, "cluster-name", clusterName, "Name of the cluster")
 	flag.StringVar(&certPath, "cacert", certPath, "Path to CA cert. (defaults to system CAs)")
@@ -45,18 +45,12 @@ func main() {
 
 	// Set up JWT verification via the specified URL, if any
 	var keyset *jwtauth.JWTAuth
-	secureRouteEnable := false
-	if jwksUrl != "" {
-		var err error
-		keyset, err = fetchPublicKeyFromURL(jwksUrl)
-		if err != nil {
-			fmt.Printf("JWKS initialization failed: %s\n", err)
-		} else {
-			// JWKS init SUCCEEDED, secure route supported
-			secureRouteEnable = true
-		}
-	} else {
-		fmt.Println("No JWKS URL provided; secure route will be disabled")
+	var err error
+	fmt.Printf("Initializing JWKS from URL: %s\n", jwksUrl)
+	keyset, err = fetchPublicKeyFromURL(jwksUrl)
+	if err != nil {
+		fmt.Printf("JWKS initialization failed: %s\n", err)
+		os.Exit(2)
 	}
 
 	// Setup logger
@@ -96,45 +90,61 @@ func main() {
 	store := memstore.NewMemStore()
 	ciHandler := NewCiHandler(store, sm, clusterName)
 	router_unsec := chi.NewRouter()
-	initCiRouter(router_unsec, ciHandler)
+	initCiRouter(router_unsec, keyset, ciHandler)
 	router.Mount("/cloud-init", router_unsec)
 
-	if secureRouteEnable {
-		// Secured datastore and router
-		store_sec := memstore.NewMemStore()
-		ciHandler_sec := NewCiHandler(store_sec, sm, clusterName)
-		router_sec := chi.NewRouter()
-		router_sec.Use(
-			jwtauth.Verifier(keyset),
-			openchami_authenticator.AuthenticatorWithRequiredClaims(keyset, []string{"sub", "iss", "aud"}),
-		)
-		initCiRouter(router_sec, ciHandler_sec)
-		router.Mount("/cloud-init-secure", router_sec)
-	}
+	// Secured datastore and router
+	store_sec := memstore.NewMemStore()
+	ciHandler_sec := NewCiHandler(store_sec, sm, clusterName)
+	router_sec := chi.NewRouter()
+	router_sec.Use(
+		jwtauth.Verifier(keyset),
+		openchami_authenticator.AuthenticatorWithRequiredClaims(keyset, []string{"sub", "iss", "aud"}),
+	)
+	initCiRouter(router_sec, nil, ciHandler_sec)
+	router.Mount("/cloud-init-secure", router_sec)
 
 	// Serve all routes
 	log.Fatal().Err(http.ListenAndServe(ciEndpoint, router)).Msg("Server closed")
 
 }
 
-func initCiRouter(router chi.Router, handler *CiHandler) {
-	// Add cloud-init endpoints to router
-	router.Get("/", handler.ListEntries)
-	router.Get("/user-data", handler.GetDataByIP(UserData))
-	router.Get("/meta-data", handler.GetDataByIP(MetaData))
-	router.Get("/vendor-data", handler.GetDataByIP(VendorData))
-	router.Get("/instance-data", InstanceDataHandler(handler.sm, handler.clusterName))
-	router.Get("/{id}", GetEntry(handler.store, handler.sm))
-	router.Get("/{id}/user-data", handler.GetDataByMAC(UserData))
-	router.Put("/{id}/user-data", handler.UpdateUserEntry)
-	router.Get("/{id}/meta-data", handler.GetDataByMAC(MetaData))
-	router.Get("/{id}/vendor-data", handler.GetDataByMAC(VendorData))
-	router.Delete("/{id}", handler.DeleteEntry)
-
-	// groups API endpoints
-	router.Get("/groups", handler.GetGroups)
-	router.Post("/groups/{id}", handler.AddGroupData)
-	router.Get("/groups/{id}", handler.GetGroupData)
-	router.Put("/groups/{id}", handler.UpdateGroupData)
-	router.Delete("/groups/{id}", handler.RemoveGroupData)
+func initCiRouter(router chi.Router, keyset *jwtauth.JWTAuth, handler *CiHandler) {
+	// Read endpoints
+	router.Group(func(router chi.Router) {
+		// Standard endpoints
+		router.Get("/", handler.ListEntries)
+		router.Get("/user-data", handler.GetDataByIP(UserData))
+		router.Get("/meta-data", handler.GetDataByIP(MetaData))
+		router.Get("/vendor-data", handler.GetDataByIP(VendorData))
+		router.Get("/instance-data", InstanceDataHandler(handler.sm, handler.clusterName))
+		router.Get("/{id}", GetEntry(handler.store, handler.sm))
+		router.Get("/{id}/user-data", handler.GetDataByMAC(UserData))
+		router.Get("/{id}/meta-data", handler.GetDataByMAC(MetaData))
+		router.Get("/{id}/vendor-data", handler.GetDataByMAC(VendorData))
+
+		// groups API endpoints
+		router.Get("/groups", handler.GetGroups)
+		router.Get("/groups/{id}", handler.GetGroupData)
+	})
+
+	// Write endpoints
+	router.Group(func(router chi.Router) {
+		// Use auth middleware for write endpoints, if possible
+		if keyset != nil {
+			router.Use(
+				jwtauth.Verifier(keyset),
+				jwtauth.Authenticator(keyset),
+			)
+		}
+
+		// Standard endpoints
+		router.Put("/{id}/user-data", handler.UpdateUserEntry)
+		router.Delete("/{id}", handler.DeleteEntry)
+
+		// groups API endpoints
+		router.Post("/groups/{id}", handler.AddGroupData)
+		router.Put("/groups/{id}", handler.UpdateGroupData)
+		router.Delete("/groups/{id}", handler.RemoveGroupData)
+	})
 }