2021-11-29 13:06:50 +00:00
|
|
|
package openamt
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
httperror "github.com/portainer/libhttp/error"
|
|
|
|
"github.com/portainer/libhttp/request"
|
|
|
|
"github.com/portainer/libhttp/response"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
2022-09-16 16:18:44 +00:00
|
|
|
|
|
|
|
"github.com/rs/zerolog/log"
|
|
|
|
"software.sslmate.com/src/go-pkcs12"
|
2021-11-29 13:06:50 +00:00
|
|
|
)
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
type openAMTConfigurePayload struct {
|
|
|
|
Enabled bool
|
|
|
|
MPSServer string
|
|
|
|
MPSUser string
|
|
|
|
MPSPassword string
|
|
|
|
DomainName string
|
|
|
|
CertFileName string
|
|
|
|
CertFileContent string
|
|
|
|
CertFilePassword string
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
func (payload *openAMTConfigurePayload) Validate(r *http.Request) error {
|
|
|
|
if payload.Enabled {
|
2021-11-30 23:35:47 +00:00
|
|
|
if payload.MPSServer == "" {
|
|
|
|
return errors.New("MPS Server must be provided")
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
if payload.MPSUser == "" {
|
|
|
|
return errors.New("MPS User must be provided")
|
|
|
|
}
|
|
|
|
if payload.MPSPassword == "" {
|
|
|
|
return errors.New("MPS Password must be provided")
|
|
|
|
}
|
|
|
|
if payload.DomainName == "" {
|
|
|
|
return errors.New("domain name must be provided")
|
|
|
|
}
|
2022-01-23 19:48:04 +00:00
|
|
|
if payload.CertFileContent == "" {
|
2021-11-29 13:06:50 +00:00
|
|
|
return errors.New("certificate file must be provided")
|
|
|
|
}
|
2022-01-23 19:48:04 +00:00
|
|
|
if payload.CertFileName == "" {
|
|
|
|
return errors.New("certificate file name must be provided")
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
2022-01-23 19:48:04 +00:00
|
|
|
if payload.CertFilePassword == "" {
|
|
|
|
return errors.New("certificate password must be provided")
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
// @id OpenAMTConfigure
|
2021-11-29 13:06:50 +00:00
|
|
|
// @summary Enable Portainer's OpenAMT capabilities
|
|
|
|
// @description Enable Portainer's OpenAMT capabilities
|
|
|
|
// @description **Access policy**: administrator
|
|
|
|
// @tags intel
|
|
|
|
// @security jwt
|
|
|
|
// @accept json
|
|
|
|
// @produce json
|
2022-01-23 19:48:04 +00:00
|
|
|
// @param body body openAMTConfigurePayload true "OpenAMT Settings"
|
2021-11-29 13:06:50 +00:00
|
|
|
// @success 204 "Success"
|
|
|
|
// @failure 400 "Invalid request"
|
|
|
|
// @failure 403 "Permission denied to access settings"
|
|
|
|
// @failure 500 "Server error"
|
|
|
|
// @router /open_amt [post]
|
2022-01-23 19:48:04 +00:00
|
|
|
func (handler *Handler) openAMTConfigure(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
|
|
|
|
var payload openAMTConfigurePayload
|
2021-11-29 13:06:50 +00:00
|
|
|
err := request.DecodeAndValidateJSONPayload(r, &payload)
|
|
|
|
if err != nil {
|
2022-09-16 16:18:44 +00:00
|
|
|
log.Error().Err(err).Msg("invalid request payload")
|
|
|
|
|
2022-09-14 23:42:39 +00:00
|
|
|
return httperror.BadRequest("Invalid request payload", err)
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
if payload.Enabled {
|
|
|
|
certificateErr := validateCertificate(payload.CertFileContent, payload.CertFilePassword)
|
2021-11-29 13:06:50 +00:00
|
|
|
if certificateErr != nil {
|
2022-09-14 23:42:39 +00:00
|
|
|
return httperror.BadRequest("Error validating certificate", certificateErr)
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err = handler.enableOpenAMT(payload)
|
|
|
|
if err != nil {
|
2022-09-14 23:42:39 +00:00
|
|
|
return httperror.BadRequest("Error enabling OpenAMT", err)
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
return response.Empty(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
err = handler.disableOpenAMT()
|
|
|
|
if err != nil {
|
2022-09-14 23:42:39 +00:00
|
|
|
return httperror.BadRequest("Error disabling OpenAMT", err)
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
return response.Empty(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
func validateCertificate(certificateRaw string, certificatePassword string) error {
|
|
|
|
certificateData, err := base64.StdEncoding.Strict().DecodeString(certificateRaw)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
_, certificate, _, err := pkcs12.DecodeChain(certificateData, certificatePassword)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if certificate == nil {
|
|
|
|
return errors.New("certificate could not be decoded")
|
|
|
|
}
|
|
|
|
|
|
|
|
issuer := certificate.Issuer.CommonName
|
|
|
|
if !isValidIssuer(issuer) {
|
|
|
|
return fmt.Errorf("certificate issuer is invalid: %v", issuer)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func isValidIssuer(issuer string) bool {
|
|
|
|
formattedIssuer := strings.ToLower(strings.ReplaceAll(issuer, " ", ""))
|
|
|
|
return strings.Contains(formattedIssuer, "comodo") ||
|
|
|
|
strings.Contains(formattedIssuer, "digicert") ||
|
|
|
|
strings.Contains(formattedIssuer, "entrust") ||
|
|
|
|
strings.Contains(formattedIssuer, "godaddy")
|
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
func (handler *Handler) enableOpenAMT(configurationPayload openAMTConfigurePayload) error {
|
2021-11-29 13:06:50 +00:00
|
|
|
configuration := portainer.OpenAMTConfiguration{
|
2022-01-23 19:48:04 +00:00
|
|
|
Enabled: true,
|
|
|
|
MPSServer: configurationPayload.MPSServer,
|
|
|
|
MPSUser: configurationPayload.MPSUser,
|
|
|
|
MPSPassword: configurationPayload.MPSPassword,
|
|
|
|
CertFileContent: configurationPayload.CertFileContent,
|
|
|
|
CertFileName: configurationPayload.CertFileName,
|
|
|
|
CertFilePassword: configurationPayload.CertFilePassword,
|
|
|
|
DomainName: configurationPayload.DomainName,
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
err := handler.OpenAMTService.Configure(configuration)
|
2021-11-29 13:06:50 +00:00
|
|
|
if err != nil {
|
2022-09-16 16:18:44 +00:00
|
|
|
log.Error().Err(err).Msg("error configuring OpenAMT server")
|
|
|
|
|
2021-11-29 13:06:50 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
err = handler.saveConfiguration(configuration)
|
|
|
|
if err != nil {
|
2022-09-16 16:18:44 +00:00
|
|
|
log.Error().Err(err).Msg("error updating OpenAMT configurations")
|
|
|
|
|
2021-11-29 13:06:50 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-09-16 16:18:44 +00:00
|
|
|
log.Info().Msg("OpenAMT successfully enabled")
|
|
|
|
|
2021-11-29 13:06:50 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (handler *Handler) saveConfiguration(configuration portainer.OpenAMTConfiguration) error {
|
|
|
|
settings, err := handler.DataStore.Settings().Settings()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-01-23 19:48:04 +00:00
|
|
|
configuration.MPSToken = ""
|
2021-11-29 13:06:50 +00:00
|
|
|
|
|
|
|
settings.OpenAMTConfiguration = configuration
|
|
|
|
|
2022-10-14 21:09:07 +00:00
|
|
|
return handler.DataStore.Settings().UpdateSettings(settings)
|
2021-11-29 13:06:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (handler *Handler) disableOpenAMT() error {
|
|
|
|
settings, err := handler.DataStore.Settings().Settings()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
settings.OpenAMTConfiguration.Enabled = false
|
|
|
|
|
|
|
|
err = handler.DataStore.Settings().UpdateSettings(settings)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-09-16 16:18:44 +00:00
|
|
|
log.Info().Msg("OpenAMT successfully disabled")
|
|
|
|
|
2021-11-29 13:06:50 +00:00
|
|
|
return nil
|
|
|
|
}
|