[lxc-devel] [lxd/master] API endpoints cleanup

stgraber on Github lxc-bot at linuxcontainers.org
Wed Apr 24 02:52:35 UTC 2019


From 76a004266a4b3d962ae37245f48747edd4f1a978 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 23 Apr 2019 22:43:40 -0400
Subject: [PATCH 1/5] lxd/api: Rename serverResources to api10Resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Making things consistent with existing commands.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/api_1.0.go   | 3 +--
 lxd/resources.go | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index 6f194d76f1..d3ea20ecb8 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -33,6 +33,7 @@ var api10 = []Command{
 	aliasCmd,
 	aliasesCmd,
 	api10Cmd,
+	api10ResourcesCmd,
 	certificateFingerprintCmd,
 	certificatesCmd,
 	clusterCmd,
@@ -71,8 +72,6 @@ var api10 = []Command{
 	profilesCmd,
 	projectCmd,
 	projectsCmd,
-	serverResourceCmd,
-	serverResourceCmd,
 	storagePoolCmd,
 	storagePoolResourcesCmd,
 	storagePoolsCmd,
diff --git a/lxd/resources.go b/lxd/resources.go
index 5d9916d162..161dbcc91a 100644
--- a/lxd/resources.go
+++ b/lxd/resources.go
@@ -10,9 +10,9 @@ import (
 	"github.com/lxc/lxd/shared/api"
 )
 
-var serverResourceCmd = Command{
+var api10ResourcesCmd = Command{
 	name: "resources",
-	get:  serverResourcesGet,
+	get:  api10ResourcesGet,
 }
 
 var storagePoolResourcesCmd = Command{
@@ -22,7 +22,7 @@ var storagePoolResourcesCmd = Command{
 
 // /1.0/resources
 // Get system resources
-func serverResourcesGet(d *Daemon, r *http.Request) Response {
+func api10ResourcesGet(d *Daemon, r *http.Request) Response {
 	// If a target was specified, forward the request to the relevant node.
 	response := ForwardedResponseIfTargetIsRemote(d, r)
 	if response != nil {

From 0f8bb153682bf63b70a2cf5c63167eaf4e2ba813 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 23 Apr 2019 22:44:14 -0400
Subject: [PATCH 2/5] lxd/api: Sort API commands list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/api_1.0.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index d3ea20ecb8..0e34ebbb8e 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -76,12 +76,12 @@ var api10 = []Command{
 	storagePoolResourcesCmd,
 	storagePoolsCmd,
 	storagePoolVolumesCmd,
+	storagePoolVolumeSnapshotsTypeCmd,
+	storagePoolVolumeSnapshotTypeCmd,
 	storagePoolVolumesTypeCmd,
 	storagePoolVolumeTypeContainerCmd,
 	storagePoolVolumeTypeCustomCmd,
 	storagePoolVolumeTypeImageCmd,
-	storagePoolVolumeSnapshotsTypeCmd,
-	storagePoolVolumeSnapshotTypeCmd,
 }
 
 func api10Get(d *Daemon, r *http.Request) Response {

From ca022cbf401dd46fcec9320a99b89ef31fc71b0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 23 Apr 2019 22:45:59 -0400
Subject: [PATCH 3/5] lxd/api: Rename snapshotHandler to
 containerSnapshotHandler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_snapshot.go | 2 +-
 lxd/containers.go         | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lxd/container_snapshot.go b/lxd/container_snapshot.go
index 0d3fde4f76..bcc77a984b 100644
--- a/lxd/container_snapshot.go
+++ b/lxd/container_snapshot.go
@@ -170,7 +170,7 @@ func containerSnapshotsPost(d *Daemon, r *http.Request) Response {
 	return OperationResponse(op)
 }
 
-func snapshotHandler(d *Daemon, r *http.Request) Response {
+func containerSnapshotHandler(d *Daemon, r *http.Request) Response {
 	project := projectParam(r)
 	containerName := mux.Vars(r)["name"]
 	snapshotName := mux.Vars(r)["snapshotName"]
diff --git a/lxd/containers.go b/lxd/containers.go
index 271be1afb7..30aa2b6c63 100644
--- a/lxd/containers.go
+++ b/lxd/containers.go
@@ -52,10 +52,10 @@ var containerSnapshotsCmd = Command{
 
 var containerSnapshotCmd = Command{
 	name:   "containers/{name}/snapshots/{snapshotName}",
-	get:    snapshotHandler,
-	post:   snapshotHandler,
-	delete: snapshotHandler,
-	put:    snapshotHandler,
+	get:    containerSnapshotHandler,
+	post:   containerSnapshotHandler,
+	delete: containerSnapshotHandler,
+	put:    containerSnapshotHandler,
 }
 
 var containerConsoleCmd = Command{

From 573e419cac25c5c96e19d9e02434b9c08a36eb91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 23 Apr 2019 22:49:21 -0400
Subject: [PATCH 4/5] lxd/api: Rename operation functions for consistency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/operations.go | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lxd/operations.go b/lxd/operations.go
index 8737a7aeae..dc096c617c 100644
--- a/lxd/operations.go
+++ b/lxd/operations.go
@@ -25,24 +25,24 @@ import (
 
 var operationCmd = Command{
 	name:   "operations/{id}",
-	get:    operationAPIGet,
-	delete: operationAPIDelete,
+	get:    operationGet,
+	delete: operationDelete,
 }
 
 var operationsCmd = Command{
 	name: "operations",
-	get:  operationsAPIGet,
+	get:  operationsGet,
 }
 
 var operationWait = Command{
 	name: "operations/{id}/wait",
-	get:  operationAPIWaitGet,
+	get:  operationWaitGet,
 }
 
 var operationWebsocket = Command{
 	name:         "operations/{id}/websocket",
 	untrustedGet: true,
-	get:          operationAPIWebsocketGet,
+	get:          operationWebsocketGet,
 }
 
 var operationsLock sync.Mutex
@@ -472,7 +472,7 @@ func operationCreate(cluster *db.Cluster, project string, opClass operationClass
 	return &op, nil
 }
 
-func operationGet(id string) (*operation, error) {
+func operationGetInternal(id string) (*operation, error) {
 	operationsLock.Lock()
 	op, ok := operations[id]
 	operationsLock.Unlock()
@@ -485,13 +485,13 @@ func operationGet(id string) (*operation, error) {
 }
 
 // API functions
-func operationAPIGet(d *Daemon, r *http.Request) Response {
+func operationGet(d *Daemon, r *http.Request) Response {
 	id := mux.Vars(r)["id"]
 
 	var body *api.Operation
 
 	// First check if the query is for a local operation from this node
-	op, err := operationGet(id)
+	op, err := operationGetInternal(id)
 	if err == nil {
 		_, body, err = op.Render()
 		if err != nil {
@@ -530,11 +530,11 @@ func operationAPIGet(d *Daemon, r *http.Request) Response {
 	return SyncResponse(true, body)
 }
 
-func operationAPIDelete(d *Daemon, r *http.Request) Response {
+func operationDelete(d *Daemon, r *http.Request) Response {
 	id := mux.Vars(r)["id"]
 
 	// First check if the query is for a local operation from this node
-	op, err := operationGet(id)
+	op, err := operationGetInternal(id)
 	if err == nil {
 		_, err = op.Cancel()
 		if err != nil {
@@ -573,7 +573,7 @@ func operationAPIDelete(d *Daemon, r *http.Request) Response {
 	return EmptySyncResponse
 }
 
-func operationsAPIGet(d *Daemon, r *http.Request) Response {
+func operationsGet(d *Daemon, r *http.Request) Response {
 	project := projectParam(r)
 	recursion := util.IsRecursionRequest(r)
 
@@ -745,7 +745,7 @@ func operationsAPIGet(d *Daemon, r *http.Request) Response {
 	return SyncResponse(true, md)
 }
 
-func operationAPIWaitGet(d *Daemon, r *http.Request) Response {
+func operationWaitGet(d *Daemon, r *http.Request) Response {
 	id := mux.Vars(r)["id"]
 
 	timeout, err := shared.AtoiEmptyDefault(r.FormValue("timeout"), -1)
@@ -754,7 +754,7 @@ func operationAPIWaitGet(d *Daemon, r *http.Request) Response {
 	}
 
 	// First check if the query is for a local operation from this node
-	op, err := operationGet(id)
+	op, err := operationGetInternal(id)
 	if err == nil {
 		_, err = op.WaitFinal(timeout)
 		if err != nil {
@@ -841,11 +841,11 @@ func (r *forwardedOperationWebSocket) String() string {
 	return r.id
 }
 
-func operationAPIWebsocketGet(d *Daemon, r *http.Request) Response {
+func operationWebsocketGet(d *Daemon, r *http.Request) Response {
 	id := mux.Vars(r)["id"]
 
 	// First check if the query is for a local operation from this node
-	op, err := operationGet(id)
+	op, err := operationGetInternal(id)
 	if err == nil {
 		return &operationWebSocket{r, op}
 	}

From c44c87aa9c1bcc0c676914338be496d357dc260b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 23 Apr 2019 22:32:09 -0400
Subject: [PATCH 5/5] lxd: Don't allow remote access to internal API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/daemon.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 96a373869d..f15293b033 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -308,6 +308,13 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c Command) {
 	restAPI.HandleFunc(uri, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 
+		// Reject internal queries to remote, non-cluster, clients
+		if version == "internal" && (r.RemoteAddr != "@" && !isClusterNotification(r)) {
+			logger.Warn("Rejecting remote internal API request", log.Ctx{"ip": r.RemoteAddr})
+			Forbidden(nil).Render(w)
+			return
+		}
+
 		// Block public API requests until we're done with basic
 		// initialization tasks, such setting up the cluster database.
 		select {
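Review bot: The exemption in the new condition depends entirely on what isClusterNotification(r) verifies, and nothing in this hunk shows that; if it only inspects request content a remote client controls, the rejection is only as strong as whatever trust check runs later in this handler, so the dependency should be stated next to the condition, e.g. `// The cluster-notification exemption assumes isClusterNotification is backed by the cluster certificate check, not by request content alone — confirm.` The `r.RemoteAddr != "@"` comparison encodes the peer address net/http reports for local Unix-socket clients as a bare literal; a one-line comment naming that (`// "@" is the RemoteAddr of a local Unix-socket client`) would keep the intent readable. `Forbidden(nil).Render(w)` discards Render's return value; if Render reports an error, log it (`if err := Forbidden(nil).Render(w); err != nil { logger.Warn("Failed to render forbidden response", log.Ctx{"err": err}) }`) rather than drop it, and note that the `"ip"` log key will hold host:port for TCP clients. The enclosing createCmd closure starts before this hunk and continues past it.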

