api/server: Add signature endpoints

api/server.go

@@ -3,6 +3,7 @@ package api
 import (
 	"net/http"
 
+	"github.com/coreos/coreos-baremetal/sign"
 	"github.com/coreos/pkg/capnslog"
 )
 
@@ -19,12 +20,15 @@ type Config struct {
 	Store Store
 	// Path to static assets
 	AssetsPath string
+	// Config signer
+	Signer sign.Signer
 }
 
 // Server serves matches boot and configuration settings to machines.
 type Server struct {
 	store      Store
 	assetsPath string
+	signer     sign.Signer
 }
 
 // NewServer returns a new Server.
@@ -32,6 +36,7 @@ func NewServer(config *Config) *Server {
 	return &Server{
 		store:      config.Store,
 		assetsPath: config.AssetsPath,
+		signer:     config.Signer,
 	}
 }
 
@@ -54,6 +59,19 @@ func (s *Server) HTTPHandler() http.Handler {
 	// ignition configs
 	mux.Handle("/ignition", logRequests(NewHandler(gr.matchSpecHandler(ignitionHandler(s.store)))))
 
+	// Signatures
+	signerChain := func(next http.Handler) http.Handler {
+		return logRequests(sign.SignatureHandler(s.signer, next))
+	}
+	if s.signer != nil {
+		mux.Handle("/boot.ipxe.sig", signerChain(ipxeInspect()))
+		mux.Handle("/boot.ipxe.0.sig", signerChain(ipxeInspect()))
+		mux.Handle("/ipxe.sig", signerChain(NewHandler(gr.matchSpecHandler(ipxeHandler()))))
+		mux.Handle("/pixiecore/v1/boot.sig/", signerChain(pixiecoreHandler(gr, s.store)))
+		mux.Handle("/cloud.sig", signerChain(NewHandler(gr.matchSpecHandler(cloudHandler(s.store)))))
+		mux.Handle("/ignition.sig", signerChain(NewHandler(gr.matchSpecHandler(ignitionHandler(s.store)))))
+	}
+
 	// kernel, initrd, and TLS assets
 	mux.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir(s.assetsPath))))
 	return mux

cmd/bootcfg/main.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/coreos/coreos-baremetal/api"
 	"github.com/coreos/coreos-baremetal/config"
+	"github.com/coreos/coreos-baremetal/sign"
 	"github.com/coreos/pkg/capnslog"
 	"github.com/coreos/pkg/flagutil"
 )
@@ -22,18 +23,20 @@ var (
 
 func main() {
 	flags := struct {
-		address    string
-		configPath string
-		dataPath   string
-		assetsPath string
-		logLevel   string
-		version    bool
-		help       bool
+		address     string
+		configPath  string
+		dataPath    string
+		assetsPath  string
+		keyRingPath string
+		logLevel    string
+		version     bool
+		help        bool
 	}{}
 	flag.StringVar(&flags.address, "address", "127.0.0.1:8080", "HTTP listen address")
 	flag.StringVar(&flags.configPath, "config", "./data/config.yaml", "Path to config file")
 	flag.StringVar(&flags.dataPath, "data-path", "./data", "Path to data directory")
 	flag.StringVar(&flags.assetsPath, "assets-path", "./assets", "Path to static assets")
+	flag.StringVar(&flags.keyRingPath, "key-ring-path", "", "Path to a private keyring file")
 	// available log levels https://godoc.org/github.com/coreos/pkg/capnslog#LogLevel
 	flag.StringVar(&flags.logLevel, "log-level", "info", "Set the logging level")
 	// subcommands
@@ -45,6 +48,8 @@ func main() {
 	if err := flagutil.SetFlagsFromEnv(flag.CommandLine, "BOOTCFG"); err != nil {
 		log.Fatal(err.Error())
 	}
+	// restrict OpenPGP passphrase to pass via environment variable only
+	passphrase := os.Getenv("BOOTCFG_PASSPHRASE")
 
 	if flags.version {
 		fmt.Println(version)
@@ -81,6 +86,16 @@ func main() {
 	// storage
 	store := api.NewFileStore(http.Dir(flags.dataPath))
 
+	// (optional) signing
+	var signer sign.Signer
+	if flags.keyRingPath != "" {
+		var err error
+		signer, err = sign.LoadGPGSigner(flags.keyRingPath, passphrase)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
 	// load bootstrap config
 	cfg, err := config.LoadConfig(flags.configPath)
 	if err != nil {
@@ -92,6 +107,7 @@ func main() {
 	config := &api.Config{
 		Store:      store,
 		AssetsPath: flags.assetsPath,
+		Signer:     signer,
 	}
 	server := api.NewServer(config)
 	log.Infof("starting bootcfg API Server on %s", flags.address)