From 731827ed91c0636d60239f89270ba53032c1ce15 Mon Sep 17 00:00:00 2001
From: Damon Barry
Date: Sat, 9 Jun 2018 15:03:26 +0000
Subject: [PATCH] Merged PR 888561: Enable access control for workload API

All workload operations use the Caller policy, except "trust bundle" which uses Anonymous.

Related work items: #1471357, #2570052
---
 .../edgelet-http-workload/src/server/mod.rs | 22 ++++++++++++-------
 edgelet/iotedged/src/lib.rs | 4 +++-
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/edgelet/edgelet-http-workload/src/server/mod.rs b/edgelet/edgelet-http-workload/src/server/mod.rs
index 4f669d2886c..20bfbd8594e 100644
--- a/edgelet/edgelet-http-workload/src/server/mod.rs
+++ b/edgelet/edgelet-http-workload/src/server/mod.rs
@@ -8,7 +8,9 @@ mod trust_bundle;
 use std::io;
-use edgelet_core::{CreateCertificate, Decrypt, Encrypt, GetTrustBundle, KeyStore};
+use edgelet_core::{CreateCertificate, Decrypt, Encrypt, Error as CoreError, GetTrustBundle,
+ KeyStore, Module, ModuleRuntime, Policy};
+use edgelet_http::authorization::Authorization;
 use edgelet_http::route::*;
 use http::{Request, Response};
 use hyper::server::{NewService, Service};
@@ -26,19 +28,23 @@ pub struct WorkloadService {
 }
 impl WorkloadService {
- pub fn new(key_store: &K, hsm: H) -> Result
+ pub fn new(key_store: &K, hsm: H, runtime: &M) -> Result
 where
 K: 'static + KeyStore + Clone,
 H: 'static + CreateCertificate + Decrypt + Encrypt + GetTrustBundle + Clone,
+ M: 'static + ModuleRuntime + Clone,
+ M::Error: Into,
+ ::Error: Into,
+ M::Logs: Into,
 {
 let router = router!(
- post "/modules/(?P[^/]+)/genid/(?P[^/]+)/sign" => SignHandler::new(key_store.clone()),
- post "/modules/(?P[^/]+)/decrypt" => DecryptHandler::new(hsm.clone()),
- post "/modules/(?P[^/]+)/encrypt" => EncryptHandler::new(hsm.clone()),
- post "/modules/(?P[^/]+)/certificate/identity" => IdentityCertHandler,
- post "/modules/(?P[^/]+)/genid/(?P[^/]+)/certificate/server" => ServerCertHandler::new(hsm.clone()),
+ post "/modules/(?P[^/]+)/genid/(?P[^/]+)/sign" => Authorization::new(SignHandler::new(key_store.clone()), Policy::Caller, runtime.clone()),
+ post "/modules/(?P[^/]+)/decrypt" => Authorization::new(DecryptHandler::new(hsm.clone()), Policy::Caller, runtime.clone()),
+ post "/modules/(?P[^/]+)/encrypt" => Authorization::new(EncryptHandler::new(hsm.clone()), Policy::Caller, runtime.clone()),
+ post "/modules/(?P[^/]+)/certificate/identity" => Authorization::new(IdentityCertHandler, Policy::Caller, runtime.clone()),
+ post "/modules/(?P[^/]+)/genid/(?P[^/]+)/certificate/server" => Authorization::new(ServerCertHandler::new(hsm.clone()), Policy::Caller, runtime.clone()),
- get "/trust-bundle" => TrustBundleHandler::new(hsm),
+ get "/trust-bundle" => Authorization::new(TrustBundleHandler::new(hsm), Policy::Anonymous, runtime.clone()),
 );
 let inner = router.new_service()?;
 let service = WorkloadService { inner };
diff --git a/edgelet/iotedged/src/lib.rs b/edgelet/iotedged/src/lib.rs
index 44e1b5e585f..ac4e97b59f9 100644
--- a/edgelet/iotedged/src/lib.rs
+++ b/edgelet/iotedged/src/lib.rs
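Review bot: Nothing in this patch exercises the policies now attached to the routes in `WorkloadService::new` (`server/mod.rs`); the diffstat lists only `server/mod.rs` and `iotedged/src/lib.rs`, so a later edit that drops a `Policy::Caller` wrapper or swaps it for `Policy::Anonymous` would go unnoticed. I would add router-level tests asserting that a request to a `/modules/...` route is refused when the caller is not the module named in the path (which is presumably what `Policy::Caller` enforces), and that `/trust-bundle` still answers without a caller identity. `Authorization` is defined outside this diff, so it is worth confirming there that an error from the runtime lookup denies the request rather than letting it through. A short comment above the `get "/trust-bundle"` route, e.g. `// Anonymous on purpose: the trust bundle is expected to hold only public CA certificates.`, would record why this one route is exempt. The body of `new` continues past the end of the hunk.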
@@ -244,7 +244,7 @@ where
 let mgmt = start_management(&settings, &core.handle(), &runtime, &id_man, mgmt_rx)?;
- let workload = start_workload(&settings, key_store, &core.handle(), work_rx)?;
+ let workload = start_workload(&settings, key_store, &core.handle(), &runtime, work_rx)?;
 let (runt_tx, runt_rx) = oneshot::channel();
 let edge_rt = start_runtime(&runtime, &id_man, &hub_name, &device_id, &settings, runt_rx)?;
@@ -456,6 +456,7 @@ fn start_workload(
 settings: &Settings,
 key_store: &K,
 handle: &Handle,
+ runtime: &DockerModuleRuntime,
 shutdown: Receiver<()>,
 ) -> Result, Error>
 where
@@ -466,6 +467,7 @@ where
 let service = LoggingService::new(ApiVersionService::new(WorkloadService::new(
 key_store,
 Crypto::new()?,
+ runtime,
 )?));
 info!("Listening on {} with 1 thread for workload API.", url);