diff --git a/service/OneService.cpp b/service/OneService.cpp index 683db6e24..961f02cc6 100644 --- a/service/OneService.cpp +++ b/service/OneService.cpp @@ -201,6 +201,26 @@ std::string ssoResponseTemplate = R"""( )"""; +bool bearerTokenValid(const std::string authHeader, const std::string &checkToken) { + std::vector tokens = OSUtils::split(authHeader.c_str(), " ", NULL, NULL); + if (tokens.size() != 2) { + return false; + } + + std::string bearer = tokens[0]; + std::string token = tokens[1]; + std::transform(bearer.begin(), bearer.end(), bearer.begin(), [](unsigned char c){return std::tolower(c);}); + if (bearer != "bearer") { + return false; + } + + if (token != checkToken) { + return false; + } + + return true; +} + #if ZT_DEBUG==1 std::string dump_headers(const httplib::Headers &headers) { std::string s; @@ -753,6 +773,7 @@ public: const std::string _homePath; std::string _authToken; + std::string _metricsToken; std::string _controllerDbPath; const std::string _networksPath; const std::string _moonsPath; @@ -950,6 +971,26 @@ public: _authToken = _trimString(_authToken); } + { + const std::string metricsTokenPath(_homePath + ZT_PATH_SEPARATOR_S "metricstoken.secret"); + if (!OSUtils::readFile(metricsTokenPath.c_str(),_metricsToken)) { + unsigned char foo[24]; + Utils::getSecureRandom(foo,sizeof(foo)); + _metricsToken = ""; + for(unsigned int i=0;icontainsAddress(remoteAddr)) { - ipAllowed = true; - break; - } - } - } + setContent(req, res, "{}"); + res.status = 401; + return httplib::Server::HandlerResponse::Handled; + } else { + std::string r = req.remote_addr; + InetAddress remoteAddr(r.c_str()); + + bool ipAllowed = false; + bool isAuth = false; + // If localhost, allow + if (remoteAddr.ipScope() == InetAddress::IP_SCOPE_LOOPBACK) { + ipAllowed = true; + } + + if (!ipAllowed) { + for (auto i = _allowManagementFrom.begin(); i != _allowManagementFrom.end(); ++i) { + if (i->containsAddress(remoteAddr)) { + ipAllowed = true; + break; + } + } + } - if (ipAllowed) { - // auto-pass endpoints in `noAuthEndpoints`. No auth token required - if (std::find(noAuthEndpoints.begin(), noAuthEndpoints.end(), req.path) != noAuthEndpoints.end()) { - isAuth = true; - } + if (ipAllowed) { + // auto-pass endpoints in `noAuthEndpoints`. No auth token required + if (std::find(noAuthEndpoints.begin(), noAuthEndpoints.end(), req.path) != noAuthEndpoints.end()) { + isAuth = true; + } - if (!isAuth) { - // check auth token - if (req.has_header("x-zt1-auth")) { - std::string token = req.get_header_value("x-zt1-auth"); - if (token == _authToken) { - isAuth = true; - } - } else if (req.has_param("auth")) { - std::string token = req.get_param_value("auth"); - if (token == _authToken) { - isAuth = true; - } - } - } - } + if (!isAuth) { + // check auth token + if (req.has_header("x-zt1-auth")) { + std::string token = req.get_header_value("x-zt1-auth"); + if (token == _authToken) { + isAuth = true; + } + } else if (req.has_param("auth")) { + std::string token = req.get_param_value("auth"); + if (token == _authToken) { + isAuth = true; + } + } else if (req.has_header("authorization")) { + std::string auth = req.get_header_value("authorization"); + isAuth = bearerTokenValid(auth, _authToken); + } + } + } - if (ipAllowed && isAuth) { - return httplib::Server::HandlerResponse::Unhandled; - } - setContent(req, res, "{}"); - res.status = 401; - return httplib::Server::HandlerResponse::Handled; + if (ipAllowed && isAuth) { + return httplib::Server::HandlerResponse::Unhandled; + } + setContent(req, res, "{}"); + res.status = 401; + return httplib::Server::HandlerResponse::Handled; + } };