From 1708e0cd442519680ae332f754fb75bebd082d3f Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Wed, 20 Jan 2016 16:53:05 -0800
Subject: [PATCH] api/server: Add signature endpoints

---
 api/server.go       | 18 ++++++++++++++++++
 cmd/bootcfg/main.go | 30 +++++++++++++++++++++++-------
 2 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/api/server.go b/api/server.go
index 9adcfa69..f4080b73 100644
--- a/api/server.go
+++ b/api/server.go
@@ -3,6 +3,7 @@ package api
 import (
 	"net/http"
+	"github.com/coreos/coreos-baremetal/sign"
 	"github.com/coreos/pkg/capnslog"
 )
@@ -19,12 +20,15 @@ type Config struct {
 	Store Store
 	// Path to static assets
 	AssetsPath string
+	// Config signer
+	Signer sign.Signer
 }
 // Server serves matches boot and configuration settings to machines.
 type Server struct {
 	store Store
 	assetsPath string
+	signer sign.Signer
 }
 // NewServer returns a new Server.
@@ -32,6 +36,7 @@ func NewServer(config *Config) *Server {
 	return &Server{
 		store: config.Store,
 		assetsPath: config.AssetsPath,
+		signer: config.Signer,
 	}
 }
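Review bot: The comment on the new exported `Signer` field, `// Config signer`, does not say that the field is optional, even though HTTPHandler treats a nil signer as "serve no signature endpoints"; `// Signer optionally signs served configs; when nil, no *.sig endpoints are registered.` states the contract a caller of NewServer needs. The unexported `signer` field on Server would benefit from the same one-line note. NewServer copies the value through without validation, which is consistent with that nil-means-disabled contract, so only the documentation is missing here.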
@@ -54,6 +59,19 @@ func (s *Server) HTTPHandler() http.Handler {
 	// ignition configs
 	mux.Handle("/ignition", logRequests(NewHandler(gr.matchSpecHandler(ignitionHandler(s.store)))))
+	// Signatures
+	signerChain := func(next http.Handler) http.Handler {
+		return logRequests(sign.SignatureHandler(s.signer, next))
+	}
+	if s.signer != nil {
+		mux.Handle("/boot.ipxe.sig", signerChain(ipxeInspect()))
+		mux.Handle("/boot.ipxe.0.sig", signerChain(ipxeInspect()))
+		mux.Handle("/ipxe.sig", signerChain(NewHandler(gr.matchSpecHandler(ipxeHandler()))))
+		mux.Handle("/pixiecore/v1/boot.sig/", signerChain(pixiecoreHandler(gr, s.store)))
+		mux.Handle("/cloud.sig", signerChain(NewHandler(gr.matchSpecHandler(cloudHandler(s.store)))))
+		mux.Handle("/ignition.sig", signerChain(NewHandler(gr.matchSpecHandler(ignitionHandler(s.store)))))
+	}
+
 	// kernel, initrd, and TLS assets
 	mux.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir(s.assetsPath))))
 	return mux
diff --git a/cmd/bootcfg/main.go b/cmd/bootcfg/main.go
index 55c11d86..80e346cc 100644
--- a/cmd/bootcfg/main.go
+++ b/cmd/bootcfg/main.go
@@ -10,6 +10,7 @@ import (
 	"github.com/coreos/coreos-baremetal/api"
 	"github.com/coreos/coreos-baremetal/config"
+	"github.com/coreos/coreos-baremetal/sign"
 	"github.com/coreos/pkg/capnslog"
 	"github.com/coreos/pkg/flagutil"
 )
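Review bot: `signerChain` is declared before the `if s.signer != nil` guard, so a closure over `s.signer` is built even when no signer is configured; moving those three lines inside the `if` keeps the optional signing path self-contained. The six signed routes mirror the unsigned ones by hand, so a route added to one list can be missed in the other; until both are driven from one table, a comment stating the invariant, `// every signed route must wrap the same handler as its unsigned twin`, would help reviewers. For `/pixiecore/v1/boot.sig/`, pixiecoreHandler presumably derives the machine identity from the request path, and its unsigned registration (not visible in this hunk) uses a different prefix, so it is worth confirming the handler parses the `.sig` path the same way. HTTPHandler's body begins before this hunk.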
@@ -22,18 +23,20 @@ var (
 func main() {
 	flags := struct {
-		address string
-		configPath string
-		dataPath string
-		assetsPath string
-		logLevel string
-		version bool
-		help bool
+		address string
+		configPath string
+		dataPath string
+		assetsPath string
+		keyRingPath string
+		logLevel string
+		version bool
+		help bool
 	}{}
 	flag.StringVar(&flags.address, "address", "127.0.0.1:8080", "HTTP listen address")
 	flag.StringVar(&flags.configPath, "config", "./data/config.yaml", "Path to config file")
 	flag.StringVar(&flags.dataPath, "data-path", "./data", "Path to data directory")
 	flag.StringVar(&flags.assetsPath, "assets-path", "./assets", "Path to static assets")
+	flag.StringVar(&flags.keyRingPath, "key-ring-path", "", "Path to a private keyring file")
 	// available log levels https://godoc.org/github.com/coreos/pkg/capnslog#LogLevel
 	flag.StringVar(&flags.logLevel, "log-level", "info", "Set the logging level")
 	// subcommands
@@ -45,6 +48,8 @@ func main() {
 	if err := flagutil.SetFlagsFromEnv(flag.CommandLine, "BOOTCFG"); err != nil {
 		log.Fatal(err.Error())
 	}
+	// restrict OpenPGP passphrase to pass via environment variable only
+	passphrase := os.Getenv("BOOTCFG_PASSPHRASE")
 	if flags.version {
 		fmt.Println(version)
@@ -81,6 +86,16 @@ func main() {
 	// storage
 	store := api.NewFileStore(http.Dir(flags.dataPath))
+	// (optional) signing
+	var signer sign.Signer
+	if flags.keyRingPath != "" {
+		var err error
+		signer, err = sign.LoadGPGSigner(flags.keyRingPath, passphrase)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
 	// load bootstrap config
 	cfg, err := config.LoadConfig(flags.configPath)
 	if err != nil {
@@ -92,6 +107,7 @@ func main() {
 	config := &api.Config{
 		Store: store,
 		AssetsPath: flags.assetsPath,
+		Signer: signer,
 	}
 	server := api.NewServer(config)
 	log.Infof("starting bootcfg API Server on %s", flags.address)
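Review bot: The `-key-ring-path` help string does not mention that the keyring passphrase is read only from `BOOTCFG_PASSPHRASE`, and because the passphrase is deliberately not a flag, the usage text is the one place a user would look for it; `flag.StringVar(&flags.keyRingPath, "key-ring-path", "", "Path to a private keyring file (passphrase is read from BOOTCFG_PASSPHRASE)")` closes that gap. The later `flagutil.SetFlagsFromEnv(flag.CommandLine, "BOOTCFG")` call presumably maps the other flags to `BOOTCFG_*` variables, so documenting the passphrase variable next to them keeps the environment contract in one place. main's body continues past this hunk.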
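Review bot: In the `@@ -81,6 +86,16 @@` hunk, `log.Fatal(err)` on a failed `LoadGPGSigner` drops which keyring was being loaded, which is the first thing an operator needs when the process refuses to start; `log.Fatalf("loading key ring %s: %v", flags.keyRingPath, err)` keeps it. The `var err error` pre-declaration exists only so `signer, err = ...` does not shadow `signer`; assigning through a block-local name, `s, err := sign.LoadGPGSigner(flags.keyRingPath, passphrase)` followed by `signer = s`, is the more usual shape and makes the intent visible. A non-empty `BOOTCFG_PASSPHRASE` with an empty `-key-ring-path` is silently ignored here, which hides a misconfiguration; a warning in that case would surface it. main's body continues past this hunk.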