Add API tokens support (#9)
All checks were successful
continuous-integration/drone/push Build is passing

Make it possible to create token authorized to query predetermined set of routes.

Reviewed-on: #9
Co-authored-by: Pierre HUBERT <pierre.git@communiquons.org>
Co-committed-by: Pierre HUBERT <pierre.git@communiquons.org>
This commit is contained in:
Pierre HUBERT 2024-04-23 17:04:43 +00:00 committed by Pierre Hubert
parent 149e3f4d72
commit c7de64cc02
33 changed files with 2686 additions and 60 deletions

View File

@ -568,6 +568,12 @@ dependencies = [
"rustc-demangle",
]
[[package]]
name = "base16ct"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
[[package]]
name = "base64"
version = "0.20.0"
@ -586,6 +592,26 @@ version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51"
[[package]]
name = "base64ct"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
[[package]]
name = "basic-jwt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "741afb780192f091b1ceebdc794540a956f3eb96628939f83c5d15e0cb98fa71"
dependencies = [
"anyhow",
"elliptic-curve",
"jsonwebtoken",
"p384",
"rand",
"serde",
]
[[package]]
name = "bincode"
version = "2.0.0-rc.3"
@ -792,6 +818,12 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
[[package]]
name = "const-oid"
version = "0.9.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
[[package]]
name = "convert_case"
version = "0.4.0"
@ -890,6 +922,18 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
[[package]]
name = "crypto-bigint"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
dependencies = [
"generic-array",
"rand_core",
"subtle",
"zeroize",
]
[[package]]
name = "crypto-common"
version = "0.1.6"
@ -945,6 +989,17 @@ dependencies = [
"syn 2.0.58",
]
[[package]]
name = "der"
version = "0.7.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
dependencies = [
"const-oid",
"pem-rfc7468",
"zeroize",
]
[[package]]
name = "deranged"
version = "0.3.11"
@ -974,6 +1029,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"const-oid",
"crypto-common",
"subtle",
]
@ -984,12 +1040,47 @@ version = "0.15.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
[[package]]
name = "ecdsa"
version = "0.16.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
dependencies = [
"der",
"digest",
"elliptic-curve",
"rfc6979",
"signature",
"spki",
]
[[package]]
name = "either"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a"
[[package]]
name = "elliptic-curve"
version = "0.13.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
dependencies = [
"base16ct",
"crypto-bigint",
"digest",
"ff",
"generic-array",
"group",
"hkdf",
"pem-rfc7468",
"pkcs8",
"rand_core",
"sec1",
"subtle",
"zeroize",
]
[[package]]
name = "encoding_rs"
version = "0.8.33"
@ -1069,6 +1160,16 @@ dependencies = [
"simd-adler32",
]
[[package]]
name = "ff"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
dependencies = [
"rand_core",
"subtle",
]
[[package]]
name = "flate2"
version = "1.0.28"
@ -1215,6 +1316,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
"zeroize",
]
[[package]]
@ -1224,8 +1326,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi",
"wasm-bindgen",
]
[[package]]
@ -1254,6 +1358,17 @@ version = "0.28.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
[[package]]
name = "group"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
dependencies = [
"ff",
"rand_core",
"subtle",
]
[[package]]
name = "h2"
version = "0.3.26"
@ -1596,6 +1711,21 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "jsonwebtoken"
version = "9.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b9ae10193d25051e74945f1ea2d0b42e03cc3b890f7e4cc5faa44997d808193f"
dependencies = [
"base64 0.21.7",
"js-sys",
"pem",
"ring",
"serde",
"serde_json",
"simple_asn1",
]
[[package]]
name = "language-tags"
version = "0.3.2"
@ -2007,6 +2137,18 @@ dependencies = [
"vcpkg",
]
[[package]]
name = "p384"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
dependencies = [
"ecdsa",
"elliptic-curve",
"primeorder",
"sha2",
]
[[package]]
name = "parking_lot"
version = "0.12.1"
@ -2042,6 +2184,25 @@ version = "1.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
[[package]]
name = "pem"
version = "3.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
dependencies = [
"base64 0.22.0",
"serde",
]
[[package]]
name = "pem-rfc7468"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
dependencies = [
"base64ct",
]
[[package]]
name = "percent-encoding"
version = "2.3.1"
@ -2080,6 +2241,16 @@ version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]]
name = "pkcs8"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
dependencies = [
"der",
"spki",
]
[[package]]
name = "pkg-config"
version = "0.3.30"
@ -2123,6 +2294,15 @@ version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
[[package]]
name = "primeorder"
version = "0.13.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
dependencies = [
"elliptic-curve",
]
[[package]]
name = "proc-macro2"
version = "1.0.79"
@ -2367,6 +2547,16 @@ dependencies = [
"winreg",
]
[[package]]
name = "rfc6979"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
dependencies = [
"hmac",
"subtle",
]
[[package]]
name = "rgb"
version = "0.8.37"
@ -2376,6 +2566,21 @@ dependencies = [
"bytemuck",
]
[[package]]
name = "ring"
version = "0.17.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
dependencies = [
"cc",
"cfg-if",
"getrandom",
"libc",
"spin",
"untrusted",
"windows-sys 0.52.0",
]
[[package]]
name = "rust-embed"
version = "8.3.0"
@ -2484,6 +2689,20 @@ version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]]
name = "sec1"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
dependencies = [
"base16ct",
"der",
"generic-array",
"pkcs8",
"subtle",
"zeroize",
]
[[package]]
name = "security-framework"
version = "2.10.0"
@ -2515,18 +2734,18 @@ checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca"
[[package]]
name = "serde"
version = "1.0.197"
version = "1.0.198"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2"
checksum = "9846a40c979031340571da2545a4e5b7c4163bdae79b301d5f86d03979451fcc"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.197"
version = "1.0.198"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b"
checksum = "e88edab869b01783ba905e7d0153f9fc1a6505a96e4ad3018011eedb838566d9"
dependencies = [
"proc-macro2",
"quote",
@ -2605,6 +2824,16 @@ dependencies = [
"libc",
]
[[package]]
name = "signature"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
dependencies = [
"digest",
"rand_core",
]
[[package]]
name = "simd-adler32"
version = "0.3.7"
@ -2620,6 +2849,18 @@ dependencies = [
"quote",
]
[[package]]
name = "simple_asn1"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085"
dependencies = [
"num-bigint",
"num-traits",
"thiserror",
"time",
]
[[package]]
name = "slab"
version = "0.4.9"
@ -2654,6 +2895,16 @@ dependencies = [
"lock_api",
]
[[package]]
name = "spki"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
dependencies = [
"base64ct",
"der",
]
[[package]]
name = "strsim"
version = "0.10.0"
@ -3020,6 +3271,12 @@ dependencies = [
"subtle",
]
[[package]]
name = "untrusted"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]]
name = "url"
version = "2.5.0"
@ -3129,6 +3386,7 @@ dependencies = [
"actix-web",
"actix-web-actors",
"anyhow",
"basic-jwt",
"bytes",
"clap",
"dotenvy",
@ -3500,6 +3758,12 @@ dependencies = [
"syn 2.0.58",
]
[[package]]
name = "zeroize"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
[[package]]
name = "zstd"
version = "0.13.1"

View File

@ -45,3 +45,4 @@ rust-embed = { version = "8.3.0" }
mime_guess = "2.0.4"
dotenvy = "0.15.7"
nix = { version = "0.28.0", features = ["net"] }
basic-jwt = "0.2.0"

View File

@ -0,0 +1,66 @@
use basic_jwt::JWTPrivateKey;
use clap::Parser;
use std::os::unix::prelude::CommandExt;
use std::process::Command;
use std::str::FromStr;
use virtweb_backend::api_tokens::TokenVerb;
use virtweb_backend::extractors::api_auth_extractor::TokenClaims;
use virtweb_backend::utils::time_utils::time;
/// cURL wrapper to query Virtweb backend API
#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
/// URL of VirtWeb
#[arg(short('u'), long, env, default_value = "http://localhost:8000")]
virtweb_url: String,
/// Token ID
#[arg(short('i'), long, env)]
token_id: String,
/// Token private key
#[arg(short('t'), long, env)]
token_key: String,
/// Request verb
#[arg(short('X'), long, default_value = "GET")]
verb: String,
/// Request URI
uri: String,
/// Command line arguments to pass to cURL
#[clap(trailing_var_arg = true, allow_hyphen_values = true)]
run: Vec<String>,
}
fn main() {
let args = Args::parse();
let full_url = format!("{}{}", args.virtweb_url, args.uri);
log::debug!("Full URL: {full_url}");
let key = JWTPrivateKey::ES384 {
r#priv: args.token_key,
};
let claims = TokenClaims {
sub: args.token_id.to_string(),
iat: time() as usize,
exp: time() as usize + 50,
verb: TokenVerb::from_str(&args.verb).expect("Invalid request verb!"),
path: args.uri,
nonce: uuid::Uuid::new_v4().to_string(),
};
let jwt = key.sign_jwt(&claims).expect("Failed to sign JWT!");
Command::new("curl")
.args(["-X", &args.verb])
.args(["-H", &format!("x-token-id: {}", args.token_id)])
.args(["-H", &format!("x-token-content: {jwt}")])
.args(args.run)
.arg(full_url)
.exec();
panic!("Failed to run curl!")
}

View File

@ -0,0 +1,299 @@
//! # API tokens management
use crate::app_config::AppConfig;
use crate::constants;
use crate::utils::time_utils::time;
use actix_http::Method;
use basic_jwt::{JWTPrivateKey, JWTPublicKey};
use std::path::Path;
use std::str::FromStr;
#[derive(serde::Serialize, serde::Deserialize, Clone, Copy, Debug)]
pub struct TokenID(pub uuid::Uuid);
impl TokenID {
/// Parse a string as a token id
pub fn parse(t: &str) -> anyhow::Result<Self> {
Ok(Self(uuid::Uuid::parse_str(t)?))
}
}
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Eq, PartialEq)]
pub struct TokenRight {
verb: TokenVerb,
path: String,
}
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
pub struct TokenRights(Vec<TokenRight>);
impl TokenRights {
pub fn check_error(&self) -> Option<&'static str> {
for r in &self.0 {
if !r.path.starts_with("/api/") {
return Some("All API rights shall start with /api/");
}
if r.path.len() > constants::API_TOKEN_RIGHT_PATH_MAX_LENGTH {
return Some("An API path shall not exceed maximum URL size!");
}
}
None
}
pub fn contains(&self, verb: TokenVerb, path: &str) -> bool {
let req_path_split = path.split('/').collect::<Vec<_>>();
'root: for r in &self.0 {
if r.verb != verb {
continue 'root;
}
let mut last_idx = 0;
for (idx, part) in r.path.split('/').enumerate() {
if idx >= req_path_split.len() {
continue 'root;
}
if part != "*" && part != req_path_split[idx] {
continue 'root;
}
last_idx = idx;
}
// Check we visited the whole path
if last_idx + 1 == req_path_split.len() {
return true;
}
}
false
}
}
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
pub struct Token {
pub id: TokenID,
pub name: String,
pub description: String,
created: u64,
updated: u64,
#[serde(skip_serializing_if = "Option::is_none")]
pub pub_key: Option<JWTPublicKey>,
pub rights: TokenRights,
pub last_used: u64,
pub ip_restriction: Option<ipnetwork::IpNetwork>,
pub max_inactivity: Option<u64>,
}
impl Token {
/// Turn the token into a JSON string
fn save(&self) -> anyhow::Result<()> {
let json = serde_json::to_string(self)?;
std::fs::write(AppConfig::get().api_token_definition_path(self.id), json)?;
Ok(())
}
/// Load token information from a file
fn load_from_file(path: &Path) -> anyhow::Result<Self> {
Ok(serde_json::from_str(&std::fs::read_to_string(path)?)?)
}
/// Check whether a token is expired or not
pub fn is_expired(&self) -> bool {
if let Some(max_inactivity) = self.max_inactivity {
if max_inactivity + self.last_used < time() {
return true;
}
}
false
}
/// Check whether last_used shall be updated or not
pub fn should_update_last_activity(&self) -> bool {
self.last_used + 3600 < time()
}
}
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Copy, Eq, PartialEq)]
pub enum TokenVerb {
GET,
POST,
PUT,
PATCH,
DELETE,
}
impl TokenVerb {
pub fn as_method(&self) -> Method {
match self {
TokenVerb::GET => Method::GET,
TokenVerb::POST => Method::POST,
TokenVerb::PUT => Method::PUT,
TokenVerb::PATCH => Method::PATCH,
TokenVerb::DELETE => Method::DELETE,
}
}
}
impl FromStr for TokenVerb {
type Err = ();
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s {
"GET" => Ok(TokenVerb::GET),
"POST" => Ok(TokenVerb::POST),
"PUT" => Ok(TokenVerb::PUT),
"PATCH" => Ok(TokenVerb::PATCH),
"DELETE" => Ok(TokenVerb::DELETE),
_ => Err(()),
}
}
}
/// Structure used to create a token
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
pub struct NewToken {
pub name: String,
pub description: String,
pub rights: TokenRights,
pub ip_restriction: Option<ipnetwork::IpNetwork>,
pub max_inactivity: Option<u64>,
}
impl NewToken {
/// Check for error in token
pub fn check_error(&self) -> Option<&'static str> {
if self.name.len() < constants::API_TOKEN_NAME_MIN_LENGTH {
return Some("Name is too short!");
}
if self.name.len() > constants::API_TOKEN_NAME_MAX_LENGTH {
return Some("Name is too long!");
}
if self.description.len() < constants::API_TOKEN_DESCRIPTION_MIN_LENGTH {
return Some("Description is too short!");
}
if self.description.len() > constants::API_TOKEN_DESCRIPTION_MAX_LENGTH {
return Some("Description is too long!");
}
if let Some(err) = self.rights.check_error() {
return Some(err);
}
if let Some(t) = self.max_inactivity {
if t < 3600 {
return Some("API tokens shall be valid for at least 1 hour!");
}
}
None
}
}
/// Create a new Token
pub async fn create(t: &NewToken) -> anyhow::Result<(Token, JWTPrivateKey)> {
let priv_key = JWTPrivateKey::generate_ec384_signing_key()?;
let pub_key = priv_key.to_public_key()?;
let token = Token {
name: t.name.to_string(),
description: t.description.to_string(),
id: TokenID(uuid::Uuid::new_v4()),
created: time(),
updated: time(),
pub_key: Some(pub_key),
rights: t.rights.clone(),
last_used: time(),
ip_restriction: t.ip_restriction,
max_inactivity: t.max_inactivity,
};
token.save()?;
Ok((token, priv_key))
}
/// Get the entire list of api tokens
pub async fn full_list() -> anyhow::Result<Vec<Token>> {
let mut list = Vec::new();
for f in std::fs::read_dir(AppConfig::get().api_tokens_path())? {
list.push(Token::load_from_file(&f?.path())?);
}
Ok(list)
}
/// Get the information about a single token
pub async fn get_single(id: TokenID) -> anyhow::Result<Token> {
Token::load_from_file(&AppConfig::get().api_token_definition_path(id))
}
/// Update API tokens rights
pub async fn update_rights(id: TokenID, rights: TokenRights) -> anyhow::Result<()> {
let mut token = get_single(id).await?;
token.rights = rights;
token.updated = time();
token.save()?;
Ok(())
}
/// Set last_used value of token
pub async fn refresh_last_used(id: TokenID) -> anyhow::Result<()> {
let mut token = get_single(id).await?;
token.last_used = time();
token.save()?;
Ok(())
}
/// Delete an API token
pub async fn delete(id: TokenID) -> anyhow::Result<()> {
let path = AppConfig::get().api_token_definition_path(id);
if path.exists() {
std::fs::remove_file(path)?;
}
Ok(())
}
#[cfg(test)]
mod test {
use crate::api_tokens::{TokenRight, TokenRights, TokenVerb};
#[test]
fn test_rights_patch() {
let rights = TokenRights(vec![
TokenRight {
path: "/api/vm/*".to_string(),
verb: TokenVerb::GET,
},
TokenRight {
path: "/api/vm/a".to_string(),
verb: TokenVerb::PUT,
},
TokenRight {
path: "/api/vm/a/other".to_string(),
verb: TokenVerb::DELETE,
},
TokenRight {
path: "/api/net/create".to_string(),
verb: TokenVerb::POST,
},
]);
assert!(rights.contains(TokenVerb::GET, "/api/vm/ab"));
assert!(!rights.contains(TokenVerb::GET, "/api/vm"));
assert!(!rights.contains(TokenVerb::GET, "/api/vm/ab/c"));
assert!(rights.contains(TokenVerb::PUT, "/api/vm/a"));
assert!(!rights.contains(TokenVerb::PUT, "/api/vm/other"));
assert!(rights.contains(TokenVerb::POST, "/api/net/create"));
assert!(!rights.contains(TokenVerb::GET, "/api/net/create"));
assert!(!rights.contains(TokenVerb::POST, "/api/net/b"));
assert!(!rights.contains(TokenVerb::POST, "/api/net/create/b"));
}
}

View File

@ -1,3 +1,4 @@
use crate::api_tokens::TokenID;
use crate::constants;
use crate::libvirt_lib_structures::XMLUuid;
use crate::libvirt_rest_structures::net::NetworkName;
@ -268,6 +269,14 @@ impl AppConfig {
self.definitions_path()
.join(format!("nwfilter-{}.json", name.0))
}
pub fn api_tokens_path(&self) -> PathBuf {
self.storage_path().join(constants::STORAGE_TOKENS_DIR)
}
pub fn api_token_definition_path(&self, id: TokenID) -> PathBuf {
self.api_tokens_path().join(format!("{}.json", id.0))
}
}
#[derive(Debug, Clone, serde::Serialize)]

View File

@ -89,3 +89,21 @@ pub const NAT_MODE_ENV_VAR_NAME: &str = "NAT_MODE";
/// Nat hook file path
pub const NAT_HOOK_PATH: &str = "/etc/libvirt/hooks/network";
/// Directory where API tokens are stored, inside storage directory
pub const STORAGE_TOKENS_DIR: &str = "tokens";
/// API token name min length
pub const API_TOKEN_NAME_MIN_LENGTH: usize = 3;
/// API token name max length
pub const API_TOKEN_NAME_MAX_LENGTH: usize = 30;
/// API token description min length
pub const API_TOKEN_DESCRIPTION_MIN_LENGTH: usize = 5;
/// API token description max length
pub const API_TOKEN_DESCRIPTION_MAX_LENGTH: usize = 30;
/// API token right path max length
pub const API_TOKEN_RIGHT_PATH_MAX_LENGTH: usize = 255;

View File

@ -0,0 +1,100 @@
//! # API tokens management
use crate::api_tokens;
use crate::api_tokens::{NewToken, TokenID, TokenRights};
use crate::controllers::api_tokens_controller::rest_token::RestToken;
use crate::controllers::HttpResult;
use actix_web::{web, HttpResponse};
use basic_jwt::JWTPrivateKey;
/// Create a special module for REST token to enforce usage of constructor function
mod rest_token {
use crate::api_tokens::Token;
#[derive(serde::Serialize)]
pub struct RestToken {
#[serde(flatten)]
token: Token,
}
impl RestToken {
pub fn new(mut token: Token) -> Self {
token.pub_key = None;
Self { token }
}
}
}
#[derive(serde::Serialize)]
struct CreateTokenResult {
token: RestToken,
priv_key: JWTPrivateKey,
}
/// Create a new API token
pub async fn create(new_token: web::Json<NewToken>) -> HttpResult {
if let Some(err) = new_token.check_error() {
log::error!("Failed to validate new API token information! {err}");
return Ok(HttpResponse::BadRequest().json(format!(
"Failed to validate new API token information! {err}"
)));
}
let (token, priv_key) = api_tokens::create(&new_token).await?;
Ok(HttpResponse::Ok().json(CreateTokenResult {
token: RestToken::new(token),
priv_key,
}))
}
/// Get the list of API tokens
pub async fn list() -> HttpResult {
let list = api_tokens::full_list()
.await?
.into_iter()
.map(RestToken::new)
.collect::<Vec<_>>();
Ok(HttpResponse::Ok().json(list))
}
#[derive(serde::Deserialize)]
pub struct TokenIDInPath {
uid: TokenID,
}
/// Get the information about a single token
pub async fn get_single(path: web::Path<TokenIDInPath>) -> HttpResult {
let token = api_tokens::get_single(path.uid).await?;
Ok(HttpResponse::Ok().json(RestToken::new(token)))
}
#[derive(serde::Deserialize)]
pub struct UpdateTokenBody {
rights: TokenRights,
}
/// Update a token
pub async fn update(
path: web::Path<TokenIDInPath>,
body: web::Json<UpdateTokenBody>,
) -> HttpResult {
if let Some(err) = body.rights.check_error() {
log::error!("Failed to validate updated API token information! {err}");
return Ok(HttpResponse::BadRequest()
.json(format!("Failed to validate API token information! {err}")));
}
api_tokens::update_rights(path.uid, body.0.rights).await?;
Ok(HttpResponse::Accepted().finish())
}
/// Delete a token
pub async fn delete(path: web::Path<TokenIDInPath>) -> HttpResult {
api_tokens::delete(path.uid).await?;
Ok(HttpResponse::Accepted().finish())
}

View File

@ -6,6 +6,7 @@ use std::error::Error;
use std::fmt::{Display, Formatter};
use std::io::ErrorKind;
pub mod api_tokens_controller;
pub mod auth_controller;
pub mod iso_controller;
pub mod network_controller;

View File

@ -51,6 +51,9 @@ struct ServerConstraints {
nwfilter_comment_size: LenConstraints,
nwfilter_priority: SLenConstraints,
nwfilter_selectors_count: LenConstraints,
api_token_name_size: LenConstraints,
api_token_description_size: LenConstraints,
api_token_right_path_size: LenConstraints,
}
pub async fn static_config(local_auth: LocalAuthEnabled) -> impl Responder {
@ -98,6 +101,21 @@ pub async fn static_config(local_auth: LocalAuthEnabled) -> impl Responder {
max: 1000,
},
nwfilter_selectors_count: LenConstraints { min: 0, max: 1 },
api_token_name_size: LenConstraints {
min: constants::API_TOKEN_NAME_MIN_LENGTH,
max: constants::API_TOKEN_NAME_MAX_LENGTH,
},
api_token_description_size: LenConstraints {
min: constants::API_TOKEN_DESCRIPTION_MIN_LENGTH,
max: constants::API_TOKEN_DESCRIPTION_MAX_LENGTH,
},
api_token_right_path_size: LenConstraints {
min: 0,
max: constants::API_TOKEN_RIGHT_PATH_MAX_LENGTH,
},
},
})
}

View File

@ -0,0 +1,151 @@
use crate::api_tokens::{Token, TokenID, TokenVerb};
use crate::api_tokens;
use crate::utils::time_utils::time;
use actix_remote_ip::RemoteIP;
use actix_web::dev::Payload;
use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
use actix_web::{Error, FromRequest, HttpRequest};
use std::future::Future;
use std::pin::Pin;
#[derive(serde::Serialize, serde::Deserialize, Debug)]
pub struct TokenClaims {
pub sub: String,
pub iat: usize,
pub exp: usize,
pub verb: TokenVerb,
pub path: String,
pub nonce: String,
}
pub struct ApiAuthExtractor {
pub token: Token,
pub claims: TokenClaims,
}
impl FromRequest for ApiAuthExtractor {
type Error = Error;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, payload: &mut Payload) -> Self::Future {
let req = req.clone();
let remote_ip = match RemoteIP::from_request(&req, payload).into_inner() {
Ok(ip) => ip,
Err(e) => return Box::pin(async { Err(e) }),
};
Box::pin(async move {
let (token_id, token_jwt) = match (
req.headers().get("x-token-id"),
req.headers().get("x-token-content"),
) {
(Some(id), Some(jwt)) => (
id.to_str().unwrap_or("").to_string(),
jwt.to_str().unwrap_or("").to_string(),
),
(_, _) => {
return Err(ErrorBadRequest("API auth headers were not all specified!"));
}
};
let token_id = match TokenID::parse(&token_id) {
Ok(t) => t,
Err(e) => {
log::error!("Failed to parse token id! {e}");
return Err(ErrorBadRequest("Unable to validate token ID!"));
}
};
let token = match api_tokens::get_single(token_id).await {
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve token: {e}");
return Err(ErrorBadRequest("Unable to validate token!"));
}
};
if token.is_expired() {
log::error!("Token has expired (not been used for too long)!");
return Err(ErrorBadRequest("Unable to validate token!"));
}
let claims = match token
.pub_key
.as_ref()
.expect("All tokens shall have public key!")
.validate_jwt::<TokenClaims>(&token_jwt)
{
Ok(c) => c,
Err(e) => {
log::error!("Failed to validate JWT: {e}");
return Err(ErrorBadRequest("Unable to validate token!"));
}
};
if claims.sub != token.id.0.to_string() {
log::error!("JWT sub mismatch (should equal to token id)!");
return Err(ErrorBadRequest(
"JWT sub mismatch (should equal to token id)!",
));
}
if time() + 60 * 15 < claims.iat as u64 {
log::error!("iat is in the future!");
return Err(ErrorBadRequest("iat is in the future!"));
}
if claims.exp < claims.iat {
log::error!("exp shall not be smaller than iat!");
return Err(ErrorBadRequest("exp shall not be smaller than iat!"));
}
if claims.exp - claims.iat > 1800 {
log::error!("JWT shall not be valid more than 30 minutes!");
return Err(ErrorBadRequest(
"JWT shall not be valid more than 30 minutes!",
));
}
if claims.path != req.path() {
log::error!("JWT path mismatch!");
return Err(ErrorBadRequest("JWT path mismatch!"));
}
if claims.verb.as_method() != req.method() {
log::error!("JWT method mismatch!");
return Err(ErrorBadRequest("JWT method mismatch!"));
}
if !token.rights.contains(claims.verb, req.path()) {
log::error!(
"Attempt to use a token for an unauthorized route! (token_id={})",
token.id.0
);
return Err(ErrorUnauthorized(
"Token cannot be used to query this route!",
));
}
if let Some(ip) = token.ip_restriction {
if !ip.contains(remote_ip.0) {
log::error!(
"Attempt to use a token for an unauthorized IP! {remote_ip:?} token_id={}",
token.id.0
);
return Err(ErrorUnauthorized("Token cannot be used from this IP!"));
}
}
if token.should_update_last_activity() {
if let Err(e) = api_tokens::refresh_last_used(token.id).await {
log::error!("Could not update token last activity! {e}");
return Err(ErrorBadRequest("Couldn't refresh token last activity!"));
}
}
Ok(ApiAuthExtractor { token, claims })
})
}
}

View File

@ -1,2 +1,3 @@
pub mod api_auth_extractor;
pub mod auth_extractor;
pub mod local_auth_extractor;

View File

@ -1,4 +1,5 @@
pub mod actors;
pub mod api_tokens;
pub mod app_config;
pub mod constants;
pub mod controllers;

View File

@ -22,8 +22,8 @@ use virtweb_backend::constants::{
MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME,
};
use virtweb_backend::controllers::{
auth_controller, iso_controller, network_controller, nwfilter_controller, server_controller,
static_controller, vm_controller,
api_tokens_controller, auth_controller, iso_controller, network_controller,
nwfilter_controller, server_controller, static_controller, vm_controller,
};
use virtweb_backend::libvirt_client::LibVirtClient;
use virtweb_backend::middlewares::auth_middleware::AuthChecker;
@ -50,6 +50,7 @@ async fn main() -> std::io::Result<()> {
files_utils::create_directory_if_missing(AppConfig::get().disks_storage_path()).unwrap();
files_utils::create_directory_if_missing(AppConfig::get().nat_path()).unwrap();
files_utils::create_directory_if_missing(AppConfig::get().definitions_path()).unwrap();
files_utils::create_directory_if_missing(AppConfig::get().api_tokens_path()).unwrap();
let conn = Data::new(LibVirtClient(
LibVirtActor::connect()
@ -84,7 +85,7 @@ async fn main() -> std::io::Result<()> {
let mut cors = Cors::default()
.allowed_origin(&AppConfig::get().website_origin)
.allowed_methods(vec!["GET", "POST", "DELETE", "PUT"])
.allowed_methods(vec!["GET", "POST", "DELETE", "PUT", "PATCH"])
.allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
.allowed_header(header::CONTENT_TYPE)
.supports_credentials()
@ -276,6 +277,27 @@ async fn main() -> std::io::Result<()> {
"/api/nwfilter/{uid}",
web::delete().to(nwfilter_controller::delete),
)
// API tokens controller
.route(
"/api/token/create",
web::post().to(api_tokens_controller::create),
)
.route(
"/api/token/list",
web::get().to(api_tokens_controller::list),
)
.route(
"/api/token/{uid}",
web::get().to(api_tokens_controller::get_single),
)
.route(
"/api/token/{uid}",
web::patch().to(api_tokens_controller::update),
)
.route(
"/api/token/{uid}",
web::delete().to(api_tokens_controller::delete),
)
// Static assets
.route("/", web::get().to(static_controller::root_index))
.route(

View File

@ -3,6 +3,7 @@ use std::rc::Rc;
use crate::app_config::AppConfig;
use crate::constants;
use crate::extractors::api_auth_extractor::ApiAuthExtractor;
use crate::extractors::auth_extractor::AuthExtractor;
use actix_web::body::EitherBody;
use actix_web::dev::Payload;
@ -68,8 +69,28 @@ where
let auth_disabled = AppConfig::get().unsecure_disable_auth;
// Check authentication, if required
if !auth_disabled
// Check API authentication
if req.headers().get("x-token-id").is_some() {
let auth =
match ApiAuthExtractor::from_request(req.request(), &mut Payload::None).await {
Ok(auth) => auth,
Err(e) => {
log::error!(
"Failed to extract API authentication information from request! {e}"
);
return Ok(req
.into_response(HttpResponse::PreconditionFailed().finish())
.map_into_right_body());
}
};
log::info!(
"Using API token '{}' to perform the request",
auth.token.name
);
}
// Check user authentication, if required
else if !auth_disabled
&& !constants::ROUTES_WITHOUT_AUTH.contains(&req.path())
&& req.path().starts_with("/api/")
{

View File

@ -27,6 +27,7 @@
"@types/react-syntax-highlighter": "^15.5.11",
"@types/uuid": "^9.0.5",
"@vitejs/plugin-react": "^4.2.1",
"date-and-time": "^3.1.1",
"filesize": "^10.0.12",
"humanize-duration": "^3.29.0",
"mui-file-input": "^4.0.4",
@ -35,7 +36,7 @@
"react-router-dom": "^6.15.0",
"react-syntax-highlighter": "^15.5.0",
"react-vnc": "^1.0.0",
"typescript": "^4.1.6",
"typescript": "^4.0.0",
"uuid": "^9.0.1",
"vite": "^5.0.8",
"vite-tsconfig-paths": "^4.2.2",
@ -8877,6 +8878,11 @@
"url": "https://github.com/sponsors/ljharb"
}
},
"node_modules/date-and-time": {
"version": "3.1.1",
"resolved": "https://registry.npmjs.org/date-and-time/-/date-and-time-3.1.1.tgz",
"integrity": "sha512-N9kstidT3P0VUk1iKOFilOZ6251r6iTUNx9M9kvgL2jqOk9mljWZUq5CjAtYwCnppWHbERk5YFQUrSbY7FQOpA=="
},
"node_modules/debug": {
"version": "4.3.4",
"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
@ -22232,9 +22238,9 @@
}
},
"node_modules/vite-tsconfig-paths/node_modules/typescript": {
"version": "5.4.4",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.4.tgz",
"integrity": "sha512-dGE2Vv8cpVvw28v8HCPqyb08EzbBURxDpuhJvTrusShUfGnhHBafDsLdS1EhhxyL6BJQE+2cT3dDPAv+MQ6oLw==",
"version": "5.4.5",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz",
"integrity": "sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==",
"optional": true,
"peer": true,
"bin": {

View File

@ -23,6 +23,7 @@
"@types/react-syntax-highlighter": "^15.5.11",
"@types/uuid": "^9.0.5",
"@vitejs/plugin-react": "^4.2.1",
"date-and-time": "^3.1.1",
"filesize": "^10.0.12",
"humanize-duration": "^3.29.0",
"mui-file-input": "^4.0.4",
@ -31,7 +32,7 @@
"react-router-dom": "^6.15.0",
"react-syntax-highlighter": "^15.5.0",
"react-vnc": "^1.0.0",
"typescript": "^5.0.0",
"typescript": "^4.0.0",
"uuid": "^9.0.1",
"vite": "^5.0.8",
"vite-tsconfig-paths": "^4.2.2",

View File

@ -9,29 +9,35 @@ import "./App.css";
import { AuthApi } from "./api/AuthApi";
import { ServerApi } from "./api/ServerApi";
import {
CreateNetworkRoute,
EditNetworkRoute,
} from "./routes/EditNetworkRoute";
import { CreateVMRoute, EditVMRoute } from "./routes/EditVMRoute";
import { IsoFilesRoute } from "./routes/IsoFilesRoute";
import { NetworksListRoute } from "./routes/NetworksListRoute";
import { NotFoundRoute } from "./routes/NotFound";
import { SysInfoRoute } from "./routes/SysInfoRoute";
import { VMListRoute } from "./routes/VMListRoute";
import { VMRoute } from "./routes/VMRoute";
import { VNCRoute } from "./routes/VNCRoute";
import { LoginRoute } from "./routes/auth/LoginRoute";
import { OIDCCbRoute } from "./routes/auth/OIDCCbRoute";
import { BaseAuthenticatedPage } from "./widgets/BaseAuthenticatedPage";
import { BaseLoginPage } from "./widgets/BaseLoginPage";
import { ViewNetworkRoute } from "./routes/ViewNetworkRoute";
import { HomeRoute } from "./routes/HomeRoute";
import { NetworkFiltersListRoute } from "./routes/NetworkFiltersListRoute";
import { ViewNWFilterRoute } from "./routes/ViewNWFilterRoute";
CreateApiTokenRoute,
EditApiTokenRoute,
} from "./routes/EditAPITokenRoute";
import {
CreateNWFilterRoute,
EditNWFilterRoute,
} from "./routes/EditNWFilterRoute";
import {
CreateNetworkRoute,
EditNetworkRoute,
} from "./routes/EditNetworkRoute";
import { CreateVMRoute, EditVMRoute } from "./routes/EditVMRoute";
import { HomeRoute } from "./routes/HomeRoute";
import { IsoFilesRoute } from "./routes/IsoFilesRoute";
import { NetworkFiltersListRoute } from "./routes/NetworkFiltersListRoute";
import { NetworksListRoute } from "./routes/NetworksListRoute";
import { NotFoundRoute } from "./routes/NotFound";
import { SysInfoRoute } from "./routes/SysInfoRoute";
import { TokensListRoute } from "./routes/TokensListRoute";
import { VMListRoute } from "./routes/VMListRoute";
import { VMRoute } from "./routes/VMRoute";
import { VNCRoute } from "./routes/VNCRoute";
import { ViewApiTokenRoute } from "./routes/ViewApiTokenRoute";
import { ViewNWFilterRoute } from "./routes/ViewNWFilterRoute";
import { ViewNetworkRoute } from "./routes/ViewNetworkRoute";
import { LoginRoute } from "./routes/auth/LoginRoute";
import { OIDCCbRoute } from "./routes/auth/OIDCCbRoute";
import { BaseAuthenticatedPage } from "./widgets/BaseAuthenticatedPage";
import { BaseLoginPage } from "./widgets/BaseLoginPage";
interface AuthContext {
signedIn: boolean;
@ -72,6 +78,11 @@ export function App() {
<Route path="nwfilter/:uuid" element={<ViewNWFilterRoute />} />
<Route path="nwfilter/:uuid/edit" element={<EditNWFilterRoute />} />
<Route path="tokens" element={<TokensListRoute />} />
<Route path="token/new" element={<CreateApiTokenRoute />} />
<Route path="token/:id" element={<ViewApiTokenRoute />} />
<Route path="token/:id/edit" element={<EditApiTokenRoute />} />
<Route path="sysinfo" element={<SysInfoRoute />} />
<Route path="*" element={<NotFoundRoute />} />
</Route>

View File

@ -27,6 +27,9 @@ export interface ServerConstraints {
nwfilter_comment_size: LenConstraint;
nwfilter_priority: LenConstraint;
nwfilter_selectors_count: LenConstraint;
api_token_name_size: LenConstraint;
api_token_description_size: LenConstraint;
api_token_right_path_size: LenConstraint;
}
export interface LenConstraint {

View File

@ -0,0 +1,102 @@
import { time } from "../utils/DateUtils";
import { APIClient } from "./ApiClient";
export type RightVerb = "POST" | "GET" | "PUT" | "DELETE" | "PATCH";
export interface TokenRight {
verb: RightVerb;
path: string;
}
export interface APIToken {
id: string;
name: string;
description: string;
created: number;
updated: number;
rights: TokenRight[];
last_used: number;
ip_restriction?: string;
max_inactivity?: number;
}
export function APITokenURL(t: APIToken, edit: boolean = false): string {
return `/token/${t.id}${edit ? "/edit" : ""}`;
}
export function ExpiredAPIToken(t: APIToken): boolean {
if (!t.max_inactivity) return false;
return t.last_used + t.max_inactivity < time();
}
export interface APITokenPrivateKey {
alg: string;
priv: string;
}
export interface CreatedAPIToken {
token: APIToken;
priv_key: APITokenPrivateKey;
}
export class TokensApi {
/**
* Create a new API token
*/
static async Create(n: APIToken): Promise<CreatedAPIToken> {
return (
await APIClient.exec({
method: "POST",
uri: "/token/create",
jsonData: n,
})
).data;
}
/**
* Get the full list of tokens
*/
static async GetList(): Promise<APIToken[]> {
return (
await APIClient.exec({
method: "GET",
uri: "/token/list",
})
).data;
}
/**
* Get the information about a single token
*/
static async GetSingle(uuid: string): Promise<APIToken> {
return (
await APIClient.exec({
method: "GET",
uri: `/token/${uuid}`,
})
).data;
}
/**
* Update an existing API token information
*/
static async Update(n: APIToken): Promise<void> {
return (
await APIClient.exec({
method: "PATCH",
uri: `/token/${n.id}`,
jsonData: n,
})
).data;
}
/**
* Delete an API token
*/
static async Delete(n: APIToken): Promise<void> {
await APIClient.exec({
method: "DELETE",
uri: `/token/${n.id}`,
});
}
}

View File

@ -0,0 +1,58 @@
import {
Button,
Dialog,
DialogActions,
DialogContent,
DialogTitle,
Typography,
} from "@mui/material";
import { useNavigate } from "react-router-dom";
import { APITokenURL, CreatedAPIToken } from "../api/TokensApi";
import { CopyToClipboard } from "../widgets/CopyToClipboard";
import { InlineCode } from "../widgets/InlineCode";
export function CreatedTokenDialog(p: {
createdToken: CreatedAPIToken;
}): React.ReactElement {
const navigate = useNavigate();
const close = () => {
navigate(APITokenURL(p.createdToken.token));
};
return (
<Dialog open>
<DialogTitle>Token successfully created</DialogTitle>
<DialogContent>
<Typography>
Your token was successfully created. You need now to copy the private
key, as it will be technically impossible to recover it after closing
this dialog.
</Typography>
<InfoBlock label="Token ID" value={p.createdToken.token.id} />
<InfoBlock label="Key algorithm" value={p.createdToken.priv_key.alg} />
<InfoBlock label="Private key" value={p.createdToken.priv_key.priv} />
</DialogContent>
<DialogActions>
<Button onClick={close} color="error">
I copied the key, close this dialog
</Button>
</DialogActions>
</Dialog>
);
}
function InfoBlock(
p: React.PropsWithChildren<{ label: string; value: string }>
): React.ReactElement {
return (
<div
style={{ display: "flex", flexDirection: "column", margin: "20px 10px" }}
>
<Typography variant="overline">{p.label}</Typography>
<CopyToClipboard content={p.value}>
<InlineCode>{p.value}</InlineCode>
</CopyToClipboard>
</div>
);
}

View File

@ -0,0 +1,161 @@
import { Button } from "@mui/material";
import React from "react";
import { useNavigate, useParams } from "react-router-dom";
import {
APIToken,
APITokenURL,
CreatedAPIToken,
TokensApi,
} from "../api/TokensApi";
import { CreatedTokenDialog } from "../dialogs/CreatedTokenDialog";
import { useAlert } from "../hooks/providers/AlertDialogProvider";
import { useLoadingMessage } from "../hooks/providers/LoadingMessageProvider";
import { useSnackbar } from "../hooks/providers/SnackbarProvider";
import { time } from "../utils/DateUtils";
import { AsyncWidget } from "../widgets/AsyncWidget";
import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
import {
APITokenDetails,
TokenWidgetStatus,
} from "../widgets/tokens/APITokenDetails";
export function CreateApiTokenRoute(): React.ReactElement {
const alert = useAlert();
const snackbar = useSnackbar();
const navigate = useNavigate();
const [createdToken, setCreatedToken] = React.useState<
CreatedAPIToken | undefined
>();
const [token] = React.useState<APIToken>({
id: "",
name: "",
description: "",
created: time(),
updated: time(),
last_used: time(),
rights: [],
});
const createApiToken = async (n: APIToken) => {
try {
const res = await TokensApi.Create(n);
snackbar("The api token was successfully created!");
setCreatedToken(res);
} catch (e) {
console.error(e);
alert(`Failed to create API token!\n${e}`);
}
};
return (
<>
{createdToken && <CreatedTokenDialog createdToken={createdToken} />}
<EditApiTokenRouteInner
token={token}
creating={true}
onCancel={() => navigate("/tokens")}
onSave={createApiToken}
/>
</>
);
}
export function EditApiTokenRoute(): React.ReactElement {
const alert = useAlert();
const snackbar = useSnackbar();
const { id } = useParams();
const navigate = useNavigate();
const [token, setToken] = React.useState<APIToken | undefined>();
const load = async () => {
setToken(await TokensApi.GetSingle(id!));
};
const updateApiToken = async (n: APIToken) => {
try {
await TokensApi.Update(n);
snackbar("The token was successfully updated!");
navigate(APITokenURL(token!));
} catch (e) {
console.error(e);
alert(`Failed to update token!\n${e}`);
}
};
return (
<AsyncWidget
loadKey={id}
ready={token !== undefined}
errMsg="Failed to fetch API token informations!"
load={load}
build={() => (
<EditApiTokenRouteInner
token={token!}
creating={false}
onCancel={() => navigate(`/token/${id}`)}
onSave={updateApiToken}
/>
)}
/>
);
}
function EditApiTokenRouteInner(p: {
token: APIToken;
creating: boolean;
onCancel: () => void;
onSave: (token: APIToken) => Promise<void>;
}): React.ReactElement {
const loadingMessage = useLoadingMessage();
const [changed, setChanged] = React.useState(false);
const [, updateState] = React.useState<any>();
const forceUpdate = React.useCallback(() => updateState({}), []);
const valueChanged = () => {
setChanged(true);
forceUpdate();
};
const save = async () => {
loadingMessage.show("Saving API token configuration...");
await p.onSave(p.token);
loadingMessage.hide();
};
return (
<VirtWebRouteContainer
label={p.creating ? "Create an API Token" : "Edit API Token"}
actions={
<span>
{changed && (
<Button
variant="contained"
onClick={save}
style={{ marginRight: "10px" }}
>
{p.creating ? "Create" : "Save"}
</Button>
)}
<Button onClick={p.onCancel} variant="outlined">
Cancel
</Button>
</span>
}
>
<APITokenDetails
token={p.token}
status={
p.creating ? TokenWidgetStatus.Create : TokenWidgetStatus.Update
}
onChange={valueChanged}
/>
</VirtWebRouteContainer>
);
}

View File

@ -1,4 +1,3 @@
import DeleteIcon from "@mui/icons-material/Delete";
import VisibilityIcon from "@mui/icons-material/Visibility";
import {
Button,
@ -13,13 +12,13 @@ import {
Typography,
} from "@mui/material";
import React from "react";
import { useNavigate } from "react-router-dom";
import { NetworkApi, NetworkInfo, NetworkURL } from "../api/NetworksApi";
import { AsyncWidget } from "../widgets/AsyncWidget";
import { RouterLink } from "../widgets/RouterLink";
import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
import { NetworkStatusWidget } from "../widgets/net/NetworkStatusWidget";
import { useNavigate } from "react-router-dom";
import { NetworkHookStatusWidget } from "../widgets/net/NetworkHookStatusWidget";
import { NetworkStatusWidget } from "../widgets/net/NetworkStatusWidget";
export function NetworksListRoute(): React.ReactElement {
const [list, setList] = React.useState<NetworkInfo[] | undefined>();

View File

@ -0,0 +1,126 @@
import VisibilityIcon from "@mui/icons-material/Visibility";
import {
Button,
IconButton,
Paper,
Table,
TableBody,
TableCell,
TableContainer,
TableHead,
TableRow,
} from "@mui/material";
import React from "react";
import { useNavigate } from "react-router-dom";
import {
APIToken,
APITokenURL,
ExpiredAPIToken,
TokensApi,
} from "../api/TokensApi";
import { AsyncWidget } from "../widgets/AsyncWidget";
import { RouterLink } from "../widgets/RouterLink";
import { TimeWidget, timeDiff } from "../widgets/TimeWidget";
import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
export function TokensListRoute(): React.ReactElement {
const [list, setList] = React.useState<APIToken[] | undefined>();
const [count] = React.useState(1);
const load = async () => {
setList(await TokensApi.GetList());
};
return (
<AsyncWidget
loadKey={count}
load={load}
ready={list !== undefined}
errMsg="Failed to load the list of tokens!"
build={() => <TokensListRouteInner list={list!} />}
/>
);
}
export function TokensListRouteInner(p: {
list: APIToken[];
}): React.ReactElement {
const navigate = useNavigate();
return (
<VirtWebRouteContainer
label="API tokens"
actions={
<RouterLink to="/token/new">
<Button>New</Button>
</RouterLink>
}
>
<TableContainer component={Paper}>
<Table>
<TableHead>
<TableRow>
<TableCell>Name</TableCell>
<TableCell>Description</TableCell>
<TableCell>Created</TableCell>
<TableCell>Updated</TableCell>
<TableCell>Last used</TableCell>
<TableCell>IP restriction</TableCell>
<TableCell>Max inactivity</TableCell>
<TableCell>Rights</TableCell>
<TableCell>Actions</TableCell>
</TableRow>
</TableHead>
<TableBody>
{p.list.map((t) => {
return (
<TableRow
key={t.id}
hover
onDoubleClick={() => navigate(APITokenURL(t))}
style={{ backgroundColor: ExpiredAPIToken(t) ? "red" : "" }}
>
<TableCell>
{t.name} {ExpiredAPIToken(t) && <i>(Expired)</i>}
</TableCell>
<TableCell>{t.description}</TableCell>
<TableCell>
<TimeWidget time={t.created} />
</TableCell>
<TableCell>
<TimeWidget time={t.updated} />
</TableCell>
<TableCell>
<TimeWidget time={t.last_used} />
</TableCell>
<TableCell>{t.ip_restriction}</TableCell>
<TableCell>
{t.max_inactivity && timeDiff(0, t.max_inactivity)}
</TableCell>
<TableCell>
{t.rights.map((r) => {
return (
<div>
{r.verb} {r.path}
</div>
);
})}
</TableCell>
<TableCell>
<RouterLink to={APITokenURL(t)}>
<IconButton>
<VisibilityIcon />
</IconButton>
</RouterLink>
</TableCell>
</TableRow>
);
})}
</TableBody>
</Table>
</TableContainer>
</VirtWebRouteContainer>
);
}

View File

@ -0,0 +1,53 @@
import { Button } from "@mui/material";
import React from "react";
import { useNavigate, useParams } from "react-router-dom";
import { APIToken, APITokenURL, TokensApi } from "../api/TokensApi";
import { AsyncWidget } from "../widgets/AsyncWidget";
import { VirtWebRouteContainer } from "../widgets/VirtWebRouteContainer";
import {
APITokenDetails,
TokenWidgetStatus,
} from "../widgets/tokens/APITokenDetails";
export function ViewApiTokenRoute() {
const { id } = useParams();
const [token, setToken] = React.useState<APIToken | undefined>();
const load = async () => {
setToken(await TokensApi.GetSingle(id!));
};
return (
<AsyncWidget
loadKey={id}
ready={token !== undefined}
errMsg="Failed to fetch API token information!"
load={load}
build={() => <ViewAPITokenRouteInner token={token!} />}
/>
);
}
function ViewAPITokenRouteInner(p: { token: APIToken }): React.ReactElement {
const navigate = useNavigate();
return (
<VirtWebRouteContainer
label={`API token ${p.token.name}`}
actions={
<span style={{ display: "flex", alignItems: "center" }}>
<Button
variant="contained"
style={{ marginLeft: "15px" }}
onClick={() => navigate(APITokenURL(p.token, true))}
>
Edit
</Button>
</span>
}
>
<APITokenDetails token={p.token} status={TokenWidgetStatus.Read} />
</VirtWebRouteContainer>
);
}

View File

@ -1,4 +1,5 @@
import {
mdiApi,
mdiBoxShadow,
mdiDisc,
mdiHome,
@ -72,6 +73,11 @@ export function BaseAuthenticatedPage(): React.ReactElement {
uri="/iso"
icon={<Icon path={mdiDisc} size={1} />}
/>
<NavLink
label="API tokens"
uri="/tokens"
icon={<Icon path={mdiApi} size={1} />}
/>
<NavLink
label="Sysinfo"
uri="/sysinfo"

View File

@ -0,0 +1,18 @@
export function InlineCode(p: React.PropsWithChildren): React.ReactElement {
return (
<code
style={{
display: "inline-block",
backgroundColor: "black",
color: "white",
wordBreak: "break-all",
wordWrap: "break-word",
whiteSpace: "pre-wrap",
padding: "0px 7px",
borderRadius: "5px",
}}
>
{p.children}
</code>
);
}

View File

@ -0,0 +1,65 @@
import { Tooltip } from "@mui/material";
import date from "date-and-time";
import { time } from "../utils/DateUtils";
export function formatDate(time: number): string {
const t = new Date();
t.setTime(1000 * time);
return date.format(t, "DD/MM/YYYY HH:mm:ss");
}
export function timeDiff(a: number, b: number): string {
let diff = b - a;
if (diff === 0) return "now";
if (diff === 1) return "1 second";
if (diff < 60) {
return `${diff} seconds`;
}
diff = Math.floor(diff / 60);
if (diff === 1) return "1 minute";
if (diff < 24) {
return `${diff} minutes`;
}
diff = Math.floor(diff / 60);
if (diff === 1) return "1 hour";
if (diff < 24) {
return `${diff} hours`;
}
const diffDays = Math.floor(diff / 24);
if (diffDays === 1) return "1 day";
if (diffDays < 31) {
return `${diffDays} days`;
}
diff = Math.floor(diffDays / 31);
if (diff < 12) {
return `${diff} month`;
}
const diffYears = Math.floor(diffDays / 365);
if (diffYears === 1) return "1 year";
return `${diffYears} years`;
}
export function timeDiffFromNow(t: number): string {
return timeDiff(t, time());
}
export function TimeWidget(p: { time?: number }): React.ReactElement {
if (!p.time) return <></>;
return (
<Tooltip title={formatDate(p.time)}>
<span>{timeDiffFromNow(p.time)}</span>
</Tooltip>
);
}

View File

@ -22,14 +22,16 @@ export function IPInput(p: {
export function IPInputWithMask(p: {
label: string;
editable: boolean;
ipAndMask?: string;
ip?: string;
mask?: number;
onValueChange?: (ip?: string, mask?: number) => void;
onValueChange?: (ip?: string, mask?: number, ipAndMask?: string) => void;
version: 4 | 6;
}): React.ReactElement {
const showSlash = React.useRef(!!p.mask);
const currValue =
p.ipAndMask ??
(p.ip ?? "") + (p.mask || showSlash.current ? "/" : "") + (p.mask ?? "");
const { onValueChange, ...props } = p;
@ -38,7 +40,7 @@ export function IPInputWithMask(p: {
onValueChange={(v) => {
showSlash.current = false;
if (!v) {
onValueChange?.(undefined, undefined);
onValueChange?.(undefined, undefined, undefined);
return;
}
@ -52,7 +54,11 @@ export function IPInputWithMask(p: {
mask = sanitizeMask(p.version, split[1]);
}
onValueChange?.(ip, mask);
onValueChange?.(
ip,
mask,
mask || showSlash.current ? `${ip}/${mask ?? ""}` : ip
);
}}
value={currValue}
{...props}

View File

@ -16,7 +16,7 @@ export interface SelectOption {
export function SelectInput(p: {
value?: string;
editable: boolean;
label: string;
label?: string;
options: SelectOption[];
onValueChange: (o?: string) => void;
}): React.ReactElement {
@ -29,7 +29,7 @@ export function SelectInput(p: {
return (
<FormControl fullWidth variant="standard" style={{ marginBottom: "15px" }}>
<InputLabel>{p.label}</InputLabel>
{p.label && <InputLabel>{p.label}</InputLabel>}
<Select
value={p.value ?? ""}
label={p.label}

View File

@ -3,6 +3,7 @@ import React, { PropsWithChildren } from "react";
import { NetworkHookStatus, ServerApi } from "../../api/ServerApi";
import { AsyncWidget } from "../AsyncWidget";
import { CopyToClipboard } from "../CopyToClipboard";
import { InlineCode } from "../InlineCode";
export function NetworkHookStatusWidget(p: {
hiddenIfInstalled: boolean;
@ -72,25 +73,6 @@ function NetworkHookStatusWidgetInner(p: {
);
}
function InlineCode(p: PropsWithChildren): React.ReactElement {
return (
<code
style={{
display: "inline-block",
backgroundColor: "black",
color: "white",
wordBreak: "break-all",
wordWrap: "break-word",
whiteSpace: "pre-wrap",
padding: "0px 7px",
borderRadius: "5px",
}}
>
{p.children}
</code>
);
}
function CodeBlock(p: PropsWithChildren): React.ReactElement {
return (
<pre

View File

@ -0,0 +1,256 @@
import { Button, Grid } from "@mui/material";
import React from "react";
import { useNavigate } from "react-router-dom";
import { NWFilter, NWFilterApi } from "../../api/NWFilterApi";
import { NetworkApi, NetworkInfo } from "../../api/NetworksApi";
import { ServerApi } from "../../api/ServerApi";
import { APIToken, TokensApi } from "../../api/TokensApi";
import { VMApi, VMInfo } from "../../api/VMApi";
import { useAlert } from "../../hooks/providers/AlertDialogProvider";
import { useConfirm } from "../../hooks/providers/ConfirmDialogProvider";
import { useSnackbar } from "../../hooks/providers/SnackbarProvider";
import { AsyncWidget } from "../AsyncWidget";
import { TabsWidget } from "../TabsWidget";
import { EditSection } from "../forms/EditSection";
import { IPInputWithMask } from "../forms/IPInput";
import { RadioGroupInput } from "../forms/RadioGroupInput";
import { TextInput } from "../forms/TextInput";
import { TokenRawRightsEditor } from "./TokenRawRightsEditor";
import { TokenRightsEditor } from "./TokenRightsEditor";
const SECS_PER_DAY = 3600 * 24;
export enum TokenWidgetStatus {
Create,
Read,
Update,
}
interface DetailsProps {
token: APIToken;
status: TokenWidgetStatus;
onChange?: () => void;
}
export function APITokenDetails(p: DetailsProps): React.ReactElement {
const [vms, setVMs] = React.useState<VMInfo[]>();
const [networks, setNetworks] = React.useState<NetworkInfo[]>();
const [nwFilters, setNetworkFilters] = React.useState<NWFilter[]>();
const [tokens, setTokens] = React.useState<APIToken[]>();
const load = async () => {
setVMs(await VMApi.GetList());
setNetworks(await NetworkApi.GetList());
setNetworkFilters(await NWFilterApi.GetList());
setTokens(await TokensApi.GetList());
};
return (
<AsyncWidget
loadKey={"1"}
load={load}
errMsg="Failed to load some system entities!"
build={() => (
<APITokenDetailsInner
vms={vms!}
networks={networks!}
nwFilters={nwFilters!}
tokens={tokens!}
{...p}
/>
)}
/>
);
}
enum TokenTab {
General = 0,
Rights,
RawRights,
Danger,
}
type DetailsInnerProps = DetailsProps & {
vms: VMInfo[];
networks: NetworkInfo[];
nwFilters: NWFilter[];
tokens: APIToken[];
};
function APITokenDetailsInner(p: DetailsInnerProps): React.ReactElement {
const [currTab, setCurrTab] = React.useState(TokenTab.General);
return (
<>
<TabsWidget
currTab={currTab}
onTabChange={setCurrTab}
options={[
{ label: "General", value: TokenTab.General, visible: true },
{
label: "Rights",
value: TokenTab.Rights,
visible: true,
},
{
label: "Raw rights",
value: TokenTab.RawRights,
visible: true,
},
{
label: "Danger zone",
value: TokenTab.Danger,
color: "red",
visible: p.status === TokenWidgetStatus.Read,
},
]}
/>
{currTab === TokenTab.General && <APITokenTabGeneral {...p} />}
{currTab === TokenTab.Rights && <APITokenRights {...p} />}
{currTab === TokenTab.RawRights && <APITokenRawRights {...p} />}
{currTab === TokenTab.Danger && <APITokenTabDanger {...p} />}
</>
);
}
function APITokenTabGeneral(p: DetailsInnerProps): React.ReactElement {
const [ipVersion, setIpVersion] = React.useState<4 | 6>(
(p.token.ip_restriction ?? "").includes(":") ? 6 : 4
);
return (
<Grid container spacing={2}>
{/* Metadata section */}
<EditSection title="Metadata">
{p.status !== TokenWidgetStatus.Create && (
<TextInput label="UUID" editable={false} value={p.token.id} />
)}
<TextInput
label="Name"
editable={p.status === TokenWidgetStatus.Create}
value={p.token.name}
onValueChange={(v) => {
p.token.name = v ?? "";
p.onChange?.();
}}
size={ServerApi.Config.constraints.api_token_name_size}
/>
<TextInput
label="Description"
editable={p.status === TokenWidgetStatus.Create}
value={p.token.description}
onValueChange={(v) => {
p.token.description = v ?? "";
p.onChange?.();
}}
multiline={true}
size={ServerApi.Config.constraints.api_token_description_size}
/>
</EditSection>
<EditSection title="General settings">
{p.status === TokenWidgetStatus.Create && (
<RadioGroupInput
{...p}
editable={p.status === TokenWidgetStatus.Create}
options={[
{ label: "IPv4", value: "4" },
{ label: "IPv6", value: "6" },
]}
value={ipVersion.toString()}
onValueChange={(v) => {
setIpVersion(Number(v) as any);
}}
label="Token IP restriction version"
/>
)}
<IPInputWithMask
{...p}
label="Token IP network restriction"
ipAndMask={p.token.ip_restriction}
editable={p.status === TokenWidgetStatus.Create}
version={ipVersion}
onValueChange={(_ip, _mask, ipAndMask) => {
p.token.ip_restriction = ipAndMask;
p.onChange?.();
}}
/>
<TextInput
editable={p.status === TokenWidgetStatus.Create}
label="Max inactivity of tokens (days)"
type="number"
value={
p.token.max_inactivity
? Math.floor(p.token.max_inactivity / SECS_PER_DAY).toString()
: ""
}
onValueChange={(v) => {
const secs = Number(v ?? "0") * SECS_PER_DAY;
p.token.max_inactivity = secs === 0 ? undefined : secs;
p.onChange?.();
}}
/>
</EditSection>
</Grid>
);
}
function APITokenRights(p: DetailsInnerProps): React.ReactElement {
return (
<div style={{ padding: "30px" }}>
<TokenRightsEditor
{...p}
editable={p.status !== TokenWidgetStatus.Read}
/>
</div>
);
}
function APITokenRawRights(p: DetailsInnerProps): React.ReactElement {
return (
<div style={{ padding: "30px" }}>
<TokenRawRightsEditor
{...p}
editable={p.status !== TokenWidgetStatus.Read}
/>
</div>
);
}
function APITokenTabDanger(p: DetailsInnerProps): React.ReactElement {
const confirm = useConfirm();
const snackbar = useSnackbar();
const alert = useAlert();
const navigate = useNavigate();
const requestDelete = async () => {
try {
if (
!(await confirm(
"Do you really want to delete this API token?",
`Delete API token ${p.token.name}`,
"Delete"
))
)
return;
await TokensApi.Delete(p.token);
navigate("/tokens");
snackbar("The API token was successfully deleted!");
} catch (e) {
console.error(e);
alert(`Failed to delete the API token!\n${e}`);
}
};
return (
<Button color="error" onClick={requestDelete}>
Delete this API token
</Button>
);
}

View File

@ -0,0 +1,111 @@
import AddIcon from "@mui/icons-material/Add";
import DeleteIcon from "@mui/icons-material/Delete";
import {
IconButton,
Paper,
Table,
TableBody,
TableCell,
TableContainer,
TableHead,
TableRow,
Tooltip,
Typography,
} from "@mui/material";
import { ServerApi } from "../../api/ServerApi";
import { APIToken } from "../../api/TokensApi";
import { SelectInput } from "../forms/SelectInput";
import { TextInput } from "../forms/TextInput";
export function TokenRawRightsEditor(p: {
token: APIToken;
editable: boolean;
onChange?: () => void;
}): React.ReactElement {
const addRule = () => {
p.token.rights.push({ path: "/api/", verb: "GET" });
p.onChange?.();
};
const deleteRule = (id: number) => {
p.token.rights.splice(id, 1);
p.onChange?.();
};
return (
<TableContainer component={Paper}>
<div
style={{
padding: "10px 10px 0px 10px",
display: "flex",
justifyContent: "space-between",
}}
>
<Typography variant="h5">Raw rights</Typography>
<div>
{p.editable && (
<Tooltip title="Add a new right rule">
<IconButton onClick={addRule}>
<AddIcon />
</IconButton>
</Tooltip>
)}
</div>
</div>
<Table>
<TableHead>
<TableRow>
<TableCell>Verb</TableCell>
<TableCell>URI</TableCell>
{p.editable && <TableCell>Actions</TableCell>}
</TableRow>
</TableHead>
<TableBody>
{p.token.rights.map((r, num) => (
<TableRow key={num} hover>
<TableCell style={{ width: "100px" }}>
<SelectInput
{...p}
value={r.verb}
onValueChange={(v) => {
r.verb = v as any;
p.onChange?.();
}}
options={[
{ value: "GET" },
{ value: "POST" },
{ value: "PATCH" },
{ value: "PUT" },
{ value: "DELETE" },
]}
/>
</TableCell>
<TableCell>
<TextInput
{...p}
value={r.path}
onValueChange={(v) => {
r.path = v ?? "";
p.onChange?.();
}}
checkValue={(v) => v.startsWith("/api/")}
size={ServerApi.Config.constraints.api_token_right_path_size}
/>
</TableCell>
{p.editable && (
<TableCell style={{ width: "100px" }}>
<IconButton onClick={() => deleteRule(num)}>
<Tooltip title="Remove the rule">
<DeleteIcon />
</Tooltip>
</IconButton>
</TableCell>
)}
</TableRow>
))}
</TableBody>
</Table>
</TableContainer>
);
}

View File

@ -0,0 +1,690 @@
import {
Checkbox,
FormControlLabel,
Paper,
Table,
TableBody,
TableCell,
TableHead,
TableRow,
Tooltip,
Typography,
} from "@mui/material";
import React from "react";
import { NWFilter } from "../../api/NWFilterApi";
import { NetworkInfo } from "../../api/NetworksApi";
import { ServerApi } from "../../api/ServerApi";
import { APIToken, TokenRight } from "../../api/TokensApi";
import { VMInfo } from "../../api/VMApi";
export function TokenRightsEditor(p: {
token: APIToken;
editable: boolean;
onChange?: () => void;
vms: VMInfo[];
networks: NetworkInfo[];
nwFilters: NWFilter[];
tokens: APIToken[];
}): React.ReactElement {
return (
<>
{/* Virtual machines */}
<RightsSection label="Virtual machines">
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/vm/create" }}
label="Create a new virtual machine"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/vm/list" }}
label="Get list of virtual machines"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/vnc" }}
label="Establish VNC connection"
/>
</RightsSection>
<RightsSection label="VM configuration management">
<Table size="small">
<TableHead>
<TableRow>
<TableCell>VM name</TableCell>
<TableCell align="center">Get definition</TableCell>
<TableCell align="center">Update</TableCell>
<TableCell align="center">Delete</TableCell>
<TableCell align="center">Get XML definition</TableCell>
<TableCell align="center">Get autostart</TableCell>
<TableCell align="center">Set autostart</TableCell>
</TableRow>
</TableHead>
<TableBody>
{/* All VM operations */}
<TableRow hover>
<TableCell>
<i>All</i>
</TableCell>
<CellRight {...p} right={{ verb: "GET", path: "/api/vm/*" }} />
<CellRight {...p} right={{ verb: "PUT", path: "/api/vm/*" }} />
<CellRight {...p} right={{ verb: "DELETE", path: "/api/vm/*" }} />
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/src" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/autostart" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: "/api/vm/*/autostart" }}
/>
</TableRow>
{/* Per VM operations */}
{p.vms.map((v, n) => (
<TableRow hover key={n}>
<TableCell>{v.name}</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}` }}
parent={{ verb: "GET", path: "/api/vm/*" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: `/api/vm/${v.uuid}` }}
parent={{ verb: "PUT", path: "/api/vm/*" }}
/>
<CellRight
{...p}
right={{ verb: "DELETE", path: `/api/vm/${v.uuid}` }}
parent={{ verb: "DELETE", path: "/api/vm/*" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/src` }}
parent={{ verb: "GET", path: "/api/vm/*/src" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/autostart` }}
parent={{ verb: "GET", path: "/api/vm/*/autostart" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: `/api/vm/${v.uuid}/autostart` }}
parent={{ verb: "PUT", path: "/api/vm/*/autostart" }}
/>
</TableRow>
))}
</TableBody>
</Table>
</RightsSection>
<RightsSection label="VM maintenance">
<Table size="small">
<TableHead>
<TableRow>
<TableCell>VM name</TableCell>
<TableCell align="center">Get state</TableCell>
<TableCell align="center">Start</TableCell>
<TableCell align="center">Shutdown</TableCell>
<TableCell align="center">Kill</TableCell>
<TableCell align="center">Reset</TableCell>
<TableCell align="center">Suspend</TableCell>
<TableCell align="center">Resume</TableCell>
<TableCell align="center">Screenshot</TableCell>
<TableCell align="center">VNC token</TableCell>
</TableRow>
</TableHead>
<TableBody>
{/* All VM operations */}
<TableRow hover>
<TableCell>
<i>All</i>
</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/state" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/start" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/shutdown" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/kill" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/reset" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/suspend" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/resume" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/screenshot" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/vm/*/vnc" }}
/>
</TableRow>
{/* Per VM operations */}
{p.vms.map((v, n) => (
<TableRow hover key={n}>
<TableCell>{v.name}</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/state` }}
parent={{ verb: "GET", path: "/api/vm/*/state" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/start` }}
parent={{ verb: "GET", path: "/api/vm/*/start" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/shutdown` }}
parent={{ verb: "GET", path: "/api/vm/*/shutdown" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/kill` }}
parent={{ verb: "GET", path: "/api/vm/*/kill" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/reset` }}
parent={{ verb: "GET", path: "/api/vm/*/reset" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/suspend` }}
parent={{ verb: "GET", path: "/api/vm/*/suspend" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/resume` }}
parent={{ verb: "GET", path: "/api/vm/*/resume" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/screenshot` }}
parent={{ verb: "GET", path: "/api/vm/*/screenshot" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/vm/${v.uuid}/vnc` }}
parent={{ verb: "GET", path: "/api/vm/*/vnc" }}
/>
</TableRow>
))}
</TableBody>
</Table>
</RightsSection>
{/* Networks */}
<RightsSection label="Networks">
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/network/create" }}
label="Create a new network"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/network/list" }}
label="Get list of networks"
/>
</RightsSection>
{/* Networks management */}
<RightsSection label="Networks management">
<Table size="small">
<TableHead>
<TableRow>
<TableCell>Network name</TableCell>
<TableCell align="center">Get definition</TableCell>
<TableCell align="center">Update</TableCell>
<TableCell align="center">Delete</TableCell>
<TableCell align="center">Get XML definition</TableCell>
<TableCell align="center">Get autostart</TableCell>
<TableCell align="center">Set autostart</TableCell>
<TableCell align="center">Get status</TableCell>
<TableCell align="center">Start</TableCell>
<TableCell align="center">Stop</TableCell>
</TableRow>
</TableHead>
<TableBody>
{/* All networks operations */}
<TableRow hover>
<TableCell>
<i>All</i>
</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "DELETE", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*/src" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*/autostart" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: "/api/network/*/autostart" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*/status" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*/start" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/network/*/stop" }}
/>
</TableRow>
{/* Per network operations */}
{p.networks.map((v, n) => (
<TableRow hover key={n}>
<TableCell>{v.name}</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/network/${v.uuid}` }}
parent={{ verb: "GET", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: `/api/network/${v.uuid}` }}
parent={{ verb: "PUT", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "DELETE", path: `/api/network/${v.uuid}` }}
parent={{ verb: "DELETE", path: "/api/network/*" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/network/${v.uuid}/src` }}
parent={{ verb: "GET", path: "/api/network/*/src" }}
/>
<CellRight
{...p}
right={{
verb: "GET",
path: `/api/network/${v.uuid}/autostart`,
}}
parent={{ verb: "GET", path: "/api/network/*/autostart" }}
/>
<CellRight
{...p}
right={{
verb: "PUT",
path: `/api/network/${v.uuid}/autostart`,
}}
parent={{ verb: "PUT", path: "/api/network/*/autostart" }}
/>
<CellRight
{...p}
right={{
verb: "GET",
path: `/api/network/${v.uuid}/status`,
}}
parent={{ verb: "GET", path: "/api/network/*/status" }}
/>
<CellRight
{...p}
right={{
verb: "GET",
path: `/api/network/${v.uuid}/start`,
}}
parent={{ verb: "GET", path: "/api/network/*/start" }}
/>
<CellRight
{...p}
right={{
verb: "GET",
path: `/api/network/${v.uuid}/stop`,
}}
parent={{ verb: "GET", path: "/api/network/*/stop" }}
/>
</TableRow>
))}
</TableBody>
</Table>
</RightsSection>
{/* Network filters */}
<RightsSection label="Network filters">
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/nwfilter/create" }}
label="Create a new network filter"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/nwfilter/list" }}
label="Get list of network filters"
/>
</RightsSection>
{/* Networks filters management */}
<RightsSection label="Networks filters management">
<Table size="small">
<TableHead>
<TableRow>
<TableCell>Network filter name</TableCell>
<TableCell align="center">Get definition</TableCell>
<TableCell align="center">Update</TableCell>
<TableCell align="center">Delete</TableCell>
<TableCell align="center">Get XML definition</TableCell>
</TableRow>
</TableHead>
<TableBody>
{/* All networks filters operations */}
<TableRow hover>
<TableCell>
<i>All</i>
</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/nwfilter/*" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: "/api/nwfilter/*" }}
/>
<CellRight
{...p}
right={{ verb: "DELETE", path: "/api/nwfilter/*" }}
/>
<CellRight
{...p}
right={{ verb: "GET", path: "/api/nwfilter/*/src" }}
/>
</TableRow>
{/* Per network filter operations */}
{p.nwFilters.map((v, n) => (
<TableRow hover key={n}>
<TableCell>{v.name}</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/nwfilter/${v.uuid}` }}
parent={{ verb: "GET", path: "/api/nwfilter/*" }}
/>
{ServerApi.Config.builtin_nwfilter_rules.includes(v.name!) ? (
<TableCell></TableCell>
) : (
<CellRight
{...p}
right={{ verb: "PUT", path: `/api/nwfilter/${v.uuid}` }}
parent={{ verb: "PUT", path: "/api/nwfilter/*" }}
/>
)}
{ServerApi.Config.builtin_nwfilter_rules.includes(v.name!) ? (
<TableCell></TableCell>
) : (
<CellRight
{...p}
right={{ verb: "DELETE", path: `/api/nwfilter/${v.uuid}` }}
parent={{ verb: "DELETE", path: "/api/nwfilter/*" }}
/>
)}
<CellRight
{...p}
right={{ verb: "GET", path: `/api/nwfilter/${v.uuid}/src` }}
parent={{ verb: "GET", path: "/api/nwfilter/*/src" }}
/>
</TableRow>
))}
</TableBody>
</Table>
</RightsSection>
{/* API tokens */}
<RightsSection label="API tokens">
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/token/create" }}
label="Create a new API token"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/token/list" }}
label="Get list of API tokens"
/>
</RightsSection>
{/* API tokens management */}
<RightsSection label="API tokens management">
<Table size="small">
<TableHead>
<TableRow>
<TableCell>API token name</TableCell>
<TableCell align="center">Get</TableCell>
<TableCell align="center">Update</TableCell>
<TableCell align="center">Delete</TableCell>
</TableRow>
</TableHead>
<TableBody>
{/* All API tokens operations */}
<TableRow hover>
<TableCell>
<i>All</i>
</TableCell>
<CellRight {...p} right={{ verb: "GET", path: "/api/token/*" }} />
<CellRight {...p} right={{ verb: "PUT", path: "/api/token/*" }} />
<CellRight
{...p}
right={{ verb: "DELETE", path: "/api/token/*" }}
/>
</TableRow>
{/* Per API token operations */}
{p.tokens.map((v, n) => (
<TableRow hover key={n}>
<TableCell>{v.name}</TableCell>
<CellRight
{...p}
right={{ verb: "GET", path: `/api/token/${v.id}` }}
parent={{ verb: "GET", path: "/api/token/*" }}
/>
<CellRight
{...p}
right={{ verb: "PUT", path: `/api/token/${v.id}` }}
parent={{ verb: "PUT", path: "/api/token/*" }}
/>
<CellRight
{...p}
right={{ verb: "DELETE", path: `/api/token/${v.id}` }}
parent={{ verb: "DELETE", path: "/api/token/*" }}
/>
</TableRow>
))}
</TableBody>
</Table>
</RightsSection>
{/* ISO files */}
<RightsSection label="ISO files">
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/iso/upload" }}
label="Upload a new ISO file"
/>
<RouteRight
{...p}
right={{ verb: "POST", path: "/api/iso/upload_from_url" }}
label="Upload a new ISO file from a given URL"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/iso/list" }}
label="Get the list of ISO files"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/iso/*" }}
label="Download ISO files"
/>
<RouteRight
{...p}
right={{ verb: "DELETE", path: "/api/iso/*" }}
label="Delete ISO files"
/>
</RightsSection>
{/* Server general information */}
<RightsSection label="Server">
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/server/static_config" }}
label="Get static server configuration"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/server/info" }}
label="Get server information"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/server/network_hook_status" }}
label="Get network hook status"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/server/number_vcpus" }}
label="Get number of vCPU"
/>
<RouteRight
{...p}
right={{ verb: "GET", path: "/api/server/networks" }}
label="Get list of network cards"
/>
</RightsSection>
</>
);
}
function RightsSection(
p: React.PropsWithChildren<{ label: string }>
): React.ReactElement {
return (
<Paper style={{ padding: "20px", margin: "10px" }}>
<Typography variant="h5">{p.label}</Typography>
{p.children}
</Paper>
);
}
interface RightOpts {
right: TokenRight;
label?: string;
editable: boolean;
token: APIToken;
onChange?: () => void;
parent?: TokenRight;
}
function CellRight(p: RightOpts): React.ReactElement {
return (
<TableCell align="center">
<RouteRight {...p} />
</TableCell>
);
}
function RouteRight(p: RightOpts): React.ReactElement {
const rightIndex = p.token.rights.findIndex(
(r) => r.verb === p.right.verb && r.path === p.right.path
);
const activated = rightIndex !== -1;
const parentActivated =
!!p.parent &&
p.token.rights.findIndex(
(r) => r.verb === p.parent?.verb && r.path === p.parent?.path
) !== -1;
const toggle = (a: boolean) => {
if (a) {
p.token.rights.push(p.right);
} else {
p.token.rights.splice(rightIndex, 1);
}
p.onChange?.();
};
return (
<div>
<Tooltip
title={`${p.right.verb} ${p.right.path}`}
arrow
placement="left"
slotProps={{
popper: {
modifiers: [
{
name: "offset",
options: {
offset: [0, -14],
},
},
],
},
}}
>
{p.label ? (
<FormControlLabel
control={
<Checkbox
checked={activated || parentActivated}
disabled={!p.editable || parentActivated}
onChange={(_e, a) => toggle(a)}
/>
}
label={p.label}
/>
) : (
<span>
<Checkbox
checked={activated || parentActivated}
disabled={!p.editable || parentActivated}
onChange={(_e, a) => toggle(a)}
/>
</span>
)}
</Tooltip>
</div>
);
}