feat: add path ACL

tinfoilanalytics · Jan 16, 2025 · 3614794 · 3614794
1 parent 4e2e98b
commit 3614794
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 10 deletions.
diff --git a/cmd/shim/main.go b/cmd/shim/main.go
@@ -18,12 +18,13 @@ import (
 var version = "dev" // set by the build system
 
 var opts struct {
-	HostTLSProxyPort uint32 `short:"c" description:"vsock port to connect to host side proxy"`
-	UpstreamPort     uint32 `short:"u" description:"HTTP port to connect to upstream server"`
-	VSockListenPort  uint32 `short:"l" description:"vsock port to listen onn"`
-	Domain           string `short:"d" description:"TLS domain"`
-	Email            string `short:"e" description:"TLS account email"`
-	StagingCA        bool   `short:"s" description:"Use staging CA"`
+	HostTLSProxyPort uint32   `short:"c" description:"vsock port to connect to host side proxy"`
+	UpstreamPort     uint32   `short:"u" description:"HTTP port to connect to upstream server"`
+	VSockListenPort  uint32   `short:"l" description:"vsock port to listen onn"`
+	Domain           string   `short:"d" description:"TLS domain"`
+	Email            string   `short:"e" description:"TLS account email"`
+	StagingCA        bool     `short:"s" description:"Use staging CA"`
+	ProxiedPaths     []string `short:"p" description:"Paths to proxy to the upstream server (all if empty)"`
 }
 
 func setupNetworking() error {
@@ -56,7 +57,7 @@ func main() {
 	log.Printf("Listening on %d, proxying to vsock port %d", tcpPort, opts.HostTLSProxyPort)
 	go tls.Proxy(tcpPort, opts.HostTLSProxyPort)
 
-	srv, err := http.New(opts.UpstreamPort, opts.VSockListenPort, nitro.New())
+	srv, err := http.New(opts.UpstreamPort, opts.VSockListenPort, nitro.New(), opts.ProxiedPaths)
 	if err != nil {
 		log.Fatalf("creating HTTP server: %s", err)
 	}

diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -11,6 +11,7 @@ import (
 	"net/url"
 
 	"github.com/mdlayher/vsock"
+	log "github.com/sirupsen/logrus"
 	"github.com/tinfoilanalytics/verifier/pkg/attestation"
 
 	"github.com/tinfoilanalytics/nitro-attestation-shim/pkg/http/acme"
@@ -20,8 +21,9 @@ type Server struct {
 	vsockListenPort  uint32
 	httpUpstreamPort uint32
 
-	mux *http.ServeMux
-	ap  *attestation.Provider
+	mux          *http.ServeMux
+	ap           *attestation.Provider
+	proxiedPaths []string
 
 	cert *tls.Certificate
 }
@@ -30,12 +32,14 @@ type Server struct {
 func New(
 	httpUpstreamPort, vsockListenPort uint32,
 	ap attestation.Provider,
+	proxiedPaths []string,
 ) (*Server, error) {
 	s := &Server{
 		vsockListenPort:  vsockListenPort,
 		httpUpstreamPort: httpUpstreamPort,
 		mux:              http.NewServeMux(),
 		ap:               &ap,
+		proxiedPaths:     proxiedPaths,
 	}
 
 	s.mux.HandleFunc("/.well-known/tinfoil-attestation", s.handleAttestation)
@@ -58,6 +62,22 @@ func cors(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleProxy(w http.ResponseWriter, r *http.Request) {
 	cors(w, r)
 
+	log.Infof("Request: %s", r.URL.Path)
+
+	allowed := false
+	if len(s.proxiedPaths) > 0 {
+		for _, path := range s.proxiedPaths {
+			if r.URL.Path == path {
+				allowed = true
+				break
+			}
+		}
+	}
+	if !allowed {
+		http.Error(w, "shim: 403", http.StatusForbidden)
+		return
+	}
+
 	proxy := httputil.NewSingleHostReverseProxy(&url.URL{
 		Scheme: "http",
 		Host:   fmt.Sprintf("localhost:%d", s.httpUpstreamPort),

diff --git a/pkg/http/server_test.go b/pkg/http/server_test.go
@@ -22,7 +22,7 @@ func TestServerNitroRemoteAttestation(t *testing.T) {
 	attestationProvider, rootCert, err := nitro.NewMockAttester()
 	assert.Nil(t, err)
 
-	server, err := New(8080, 0, attestationProvider)
+	server, err := New(8080, 0, attestationProvider, []string{})
 	assert.Nil(t, err)
 	listener, err := net.Listen("tcp", "127.0.0.1:8089")
 	assert.Nil(t, err)