fix(security): Implement Phase 1 critical security fixes
CORS: - Restrict CORS to DASHBOARD_URL environment variable - Default to production dashboard domain Authentication: - Add AuthUser requirement to all agent management endpoints - Add AuthUser requirement to all command endpoints - Add AuthUser requirement to all metrics endpoints - Add audit logging for command execution (user_id tracked) Agent Security: - Replace Unicode characters with ASCII markers [OK]/[ERROR]/[WARNING] - Add certificate pinning for update downloads (allowlist domains) - Fix insecure temp file creation (use /var/run/gururmm with 0700 perms) - Fix rollback script backgrounding (use setsid instead of literal &) Dashboard Security: - Move token storage from localStorage to sessionStorage - Add proper TypeScript types (remove 'any' from error handlers) - Centralize token management functions Legacy Agent: - Add -AllowInsecureTLS parameter (opt-in required) - Add Windows Event Log audit trail when insecure mode used - Update documentation with security warnings Closes: Phase 1 items in issue #1 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -8,6 +8,7 @@ use axum::{
|
||||
use serde::{Deserialize, Serialize};
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::auth::AuthUser;
|
||||
use crate::db::{self, AgentResponse, AgentStats};
|
||||
use crate::ws::{generate_api_key, hash_api_key};
|
||||
use crate::AppState;
|
||||
@@ -29,10 +30,20 @@ pub struct RegisterAgentRequest {
|
||||
}
|
||||
|
||||
/// Register a new agent (generates API key)
|
||||
/// Requires authentication to prevent unauthorized agent registration.
|
||||
pub async fn register_agent(
|
||||
State(state): State<AppState>,
|
||||
user: AuthUser,
|
||||
Json(req): Json<RegisterAgentRequest>,
|
||||
) -> Result<Json<RegisterAgentResponse>, (StatusCode, String)> {
|
||||
// Log who is registering the agent
|
||||
tracing::info!(
|
||||
user_id = %user.user_id,
|
||||
hostname = %req.hostname,
|
||||
os_type = %req.os_type,
|
||||
"Agent registration initiated by user"
|
||||
);
|
||||
|
||||
// Generate a new API key
|
||||
let api_key = generate_api_key(&state.config.auth.api_key_prefix);
|
||||
let api_key_hash = hash_api_key(&api_key);
|
||||
@@ -50,6 +61,12 @@ pub async fn register_agent(
|
||||
.await
|
||||
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
|
||||
|
||||
tracing::info!(
|
||||
user_id = %user.user_id,
|
||||
agent_id = %agent.id,
|
||||
"Agent registered successfully"
|
||||
);
|
||||
|
||||
Ok(Json(RegisterAgentResponse {
|
||||
agent_id: agent.id,
|
||||
api_key, // Return the plain API key (only shown once!)
|
||||
@@ -59,8 +76,10 @@ pub async fn register_agent(
|
||||
}
|
||||
|
||||
/// List all agents
|
||||
/// Requires authentication.
|
||||
pub async fn list_agents(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
) -> Result<Json<Vec<AgentResponse>>, (StatusCode, String)> {
|
||||
let agents = db::get_all_agents(&state.db)
|
||||
.await
|
||||
@@ -71,8 +90,10 @@ pub async fn list_agents(
|
||||
}
|
||||
|
||||
/// Get a specific agent
|
||||
/// Requires authentication.
|
||||
pub async fn get_agent(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
Path(id): Path<Uuid>,
|
||||
) -> Result<Json<AgentResponse>, (StatusCode, String)> {
|
||||
let agent = db::get_agent_by_id(&state.db, id)
|
||||
@@ -84,8 +105,10 @@ pub async fn get_agent(
|
||||
}
|
||||
|
||||
/// Delete an agent
|
||||
/// Requires authentication.
|
||||
pub async fn delete_agent(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
Path(id): Path<Uuid>,
|
||||
) -> Result<StatusCode, (StatusCode, String)> {
|
||||
// Check if agent is connected and disconnect it
|
||||
@@ -106,8 +129,10 @@ pub async fn delete_agent(
|
||||
}
|
||||
|
||||
/// Get agent statistics
|
||||
/// Requires authentication.
|
||||
pub async fn get_stats(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
) -> Result<Json<AgentStats>, (StatusCode, String)> {
|
||||
let stats = db::get_agent_stats(&state.db)
|
||||
.await
|
||||
@@ -123,8 +148,10 @@ pub struct MoveAgentRequest {
|
||||
}
|
||||
|
||||
/// Move an agent to a different site
|
||||
/// Requires authentication.
|
||||
pub async fn move_agent(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
Path(id): Path<Uuid>,
|
||||
Json(req): Json<MoveAgentRequest>,
|
||||
) -> Result<Json<AgentResponse>, (StatusCode, String)> {
|
||||
@@ -149,8 +176,10 @@ pub async fn move_agent(
|
||||
}
|
||||
|
||||
/// List all agents with full details (site/client info)
|
||||
/// Requires authentication.
|
||||
pub async fn list_agents_with_details(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
) -> Result<Json<Vec<db::AgentWithDetails>>, (StatusCode, String)> {
|
||||
let agents = db::get_all_agents_with_details(&state.db)
|
||||
.await
|
||||
@@ -160,8 +189,10 @@ pub async fn list_agents_with_details(
|
||||
}
|
||||
|
||||
/// List unassigned agents (not belonging to any site)
|
||||
/// Requires authentication.
|
||||
pub async fn list_unassigned_agents(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
) -> Result<Json<Vec<AgentResponse>>, (StatusCode, String)> {
|
||||
let agents = db::get_unassigned_agents(&state.db)
|
||||
.await
|
||||
@@ -172,8 +203,10 @@ pub async fn list_unassigned_agents(
|
||||
}
|
||||
|
||||
/// Get extended state for an agent (network interfaces, uptime, etc.)
|
||||
/// Requires authentication.
|
||||
pub async fn get_agent_state(
|
||||
State(state): State<AppState>,
|
||||
_user: AuthUser,
|
||||
Path(id): Path<Uuid>,
|
||||
) -> Result<Json<db::AgentState>, (StatusCode, String)> {
|
||||
let agent_state = db::get_agent_state(&state.db, id)
|
||||
|
||||
Reference in New Issue
Block a user