Add support for an API proxy

1b07d030 · ale · 385c5a8f · 1b07d030 · 1b07d030 · 1b07d030
Commit 1b07d030 authored 1 month ago by ale
--- a/docs/reference.md
+++ b/docs/reference.md
@@ -2088,6 +2088,12 @@ using single sign-on, allowing access only to administrators (members
 of the *admins* group). This is quite useful for admin web interfaces
 of internal services that do not support SSO integration of their own.
+`enable_api_proxy`: If true, place the service behind authentication
+using a mechanism more appropriate for non-interactive APIs (HTTP
+Basic Authentication using Application-Specific Passwords). Only members
+of the *admins* group will have access. When this option is set, you
+also need to specify a unique `auth_service` to be used for ASPs.
 #### HTTP (All domains)
 `horizontal_endpoints`: List of HTTP endpoints exported by the

--- a/docs/reference.pdf
+++ b/docs/reference.pdf
--- a/plugins/inventory/float.py
+++ b/plugins/inventory/float.py
@@ -332,6 +332,7 @@ def _build_public_endpoints_map(services):
                'name': upstream_name,
                'service_name': service_name,
                'port': pe['port'],
+                'enable_api_proxy': pe.get('enable_api_proxy', False),
                'enable_sso_proxy': pe.get('enable_sso_proxy', False),
                'sharded': pe.get('sharded', False),
            }
@@ -385,6 +386,7 @@ def _build_horizontal_upstreams_map(services):
                'name': upstream_name,
                'service_name': service_name,
                'port': ep['port'],
+                'enable_api_proxy': False,
                'enable_sso_proxy': False,
                'sharded': False,
            }

--- a/roles/float-infra-nginx/handlers/main.yml
+++ b/roles/float-infra-nginx/handlers/main.yml
@@ -7,6 +7,9 @@
 - name: restart sso-proxy
  systemd: name=sso-proxy.service state=restarted enabled=yes masked=no
+- name: restart api-proxy
+  systemd: name=api-proxy.service state=restarted enabled=yes masked=no
 - name: reload firewall
  systemd:
    name: firewall.service

--- a/roles/float-infra-nginx/tasks/api-proxy.yml
+++ b/roles/float-infra-nginx/tasks/api-proxy.yml
+---
+- set_fact:
+    api_proxy_auth_services: "{{ services.values() | selectattr('public_endpoints', 'defined') | map(attribute='public_endpoints') | flatten | selectattr('enable_api_proxy', 'defined') | selectattr('enable_api_proxy') | map(attribute='auth_service') }}"
+- name: Configure api-proxy auth services
+  copy:
+    dest: "/etc/auth-server/services.d/api-proxy.yml"
+    content: |
+      {% for s in api_proxy_auth_services %}
+      {{ s }}:
+        backends:
+          - backend: file
+            params:
+              src: users.yml
+              static_groups: [admins]
+        enforce_2fa: true
+        rate_limits:
+          - ip_ratelimit
+          - failed_login_blacklist
+          - anti_bruteforce_blacklist
+      {% endfor %}
+  when: "api_proxy_auth_services"
--- a/roles/float-infra-nginx/tasks/main.yml
+++ b/roles/float-infra-nginx/tasks/main.yml
@@ -3,3 +3,7 @@
 # Only set up nginx if there are public_endpoints defined.
 - import_tasks: nginx.yml
  when: float_enable_http_frontend
+- import_tasks: api-proxy.yml
+  when: float_enable_http_frontend
--- a/roles/float-infra-nginx/tasks/nginx.yml
+++ b/roles/float-infra-nginx/tasks/nginx.yml
@@ -6,6 +6,7 @@
    state: present
  vars:
    packages:
+      - api-proxy
      - sso-proxy
      - nginx-full
      - libnginx-mod-http-headers-more-filter
@@ -17,20 +18,32 @@
    dest: /etc/default/sso-proxy
  notify: restart sso-proxy
- name: Configure ssoproxy
+- name: Configure sso-proxy
  template:
-    src: proxy.yml.j2
+    src: sso-proxy.yml.j2
    dest: /etc/sso/proxy.yml
    owner: root
    group: sso-proxy
    mode: 0640
  notify: restart sso-proxy
- name: Add user sso-proxy to credentials group
+- name: Configure api-proxy
+  template:
+    src: api-proxy.yml.j2
+    dest: /etc/api-proxy.yml
+    owner: root
+    group: api-proxy
+    mode: 0640
+  notify: restart api-proxy
+- name: Add proxy users to credentials group
  user:
-    name: sso-proxy
+    name: "{{ item }}"
    groups: ssoproxy-credentials
    append: yes
+  loop:
+    - api-proxy
+    - sso-proxy
 - name: Enable sso-proxy systemd unit
  systemd:

--- a/roles/float-infra-nginx/templates/api-proxy.yml.j2
+++ b/roles/float-infra-nginx/templates/api-proxy.yml.j2
+---
+backends:
+{% for service in services.values() -%}
+{% for endpoint in service.get('public_endpoints', []) -%}
+{% if endpoint.get('enable_api_proxy') %}
+  - host: "{{ endpoint.name }}.{{ domain_public[0] }}"
+{% if endpoint.get('scheme') == 'https' %}
+    tls_server_name: "{{ service.name }}.{{ domain }}"
+    client_tls:
+      cert: "/etc/credentials/x509/ssoproxy/client/cert.pem"
+      key: "/etc/credentials/x509/ssoproxy/client/private_key.pem"
+      ca: "/etc/credentials/x509/ssoproxy/ca.pem"
+{% endif %}
+    upstream:
+      - {{ service.name }}.{{ domain }}:{{ endpoint.port }}
+    auth_service: "{{ endpoint.auth_service }}"
+    allowed_groups:
+{% for group in endpoint.get('allowed_groups', ['admins']) %}
+      - {{ group }}
+{% endfor %}
+{% endif -%}
+{% endfor -%}
+{% endfor %}
--- a/roles/float-infra-nginx/templates/nginx-upstream.j2
+++ b/roles/float-infra-nginx/templates/nginx-upstream.j2
@@ -5,6 +5,11 @@ upstream {{ upstream.name }}{% if shard %}_{{ shard }}{% endif %} {
        Talk directly to the SSO proxy on localhost.
 #}
        server 127.0.0.1:5003;
+{% elif upstream.enable_api_proxy | default(False) %}
+{#
+        Talk directly to the api-proxy on localhost.
+#}
+        server 127.0.0.1:5009;
 {% else %}
 {#
        Use the internal endpoint name, which resolves to multiple IP

--- a/roles/float-infra-nginx/templates/nginx-vhost.j2
+++ b/roles/float-infra-nginx/templates/nginx-vhost.j2
@@ -8,14 +8,14 @@
        location {{ pe_config.path }} {
                include /etc/nginx/snippets/block.conf;
                include /etc/nginx/snippets/proxy.conf;
-{% if not upstream.enable_sso_proxy and pe_config.get('scheme', 'https') == 'https' %}
+{% if not upstream.enable_sso_proxy and not upstream.enable_api_proxy and pe_config.get('scheme', 'https') == 'https' %}
                proxy_pass https://{{ pe_config.float_upstream_name }}{% if upstream.sharded and shard %}_{{ shard }}{% endif %};
                include /etc/nginx/snippets/proxy-ssl.conf;
                proxy_ssl_name {{ upstream.service_name }}.{{ domain }};
 {% else %}
                proxy_pass http://{{ pe_config.float_upstream_name }}{% if upstream.sharded and shard %}_{{ shard }}{% endif %};
 {% endif %}
-{% if not upstream.enable_sso_proxy %}
+{% if not upstream.enable_sso_proxy and not upstream.enable_api_proxy %}
                proxy_cache global;
 {% endif %}
        }

--- a/roles/float-infra-nginx/templates/proxy.yml.j2
+++ b/roles/float-infra-nginx/templates/proxy.yml.j2