introduce admin_api_ro flag to restrict operations to only r/o

In operator-based deployments, kbs-client (and in general the admin API)
should not be allowed to try and modify the resources, for two reasons:

1. trustee runs in a container so the fs is r/o
2. management of such resources is by design delegated to kubernetes
   configmaps

Therefore add admin_api_ro flags defaulting to false under the [admin]
section of kbs-config.toml.

Signed-off-by: Emanuele Giuseppe Esposito <[email protected]>

Author: esposem

integration-tests/src/common.rs

@@ -206,6 +206,7 @@ impl TestHarness {
             admin: AdminConfig {
                 auth_public_key: None,
                 insecure_api: true,
+                admin_api_read_only: false,
             },
             policy_engine: PolicyEngineConfig {
                 policy_path: kbs_policy_path,

kbs/docs/config.md

@@ -204,10 +204,11 @@ Detailed [documentation](https://docs.trustauthority.intel.com).
 
 The following properties can be set under the `[admin]` section.
 
-| Property          | Type    | Description                                                       | Required | Default |
-|-------------------|---------|-------------------------------------------------------------------|----------|---------|
-| `auth_public_key` | String  | Path to the public key used to authenticate the admin APIs        | No       | None    |
-| `insecure_api`    | Boolean | Whether KBS will not verify the public key when called admin APIs | No       | `false` |
+| Property               | Type    | Description                                                       | Required | Default |
+|------------------------|---------|-------------------------------------------------------------------|----------|---------|
+| `auth_public_key`      | String  | Path to the public key used to authenticate the admin APIs        | No       | None    |
+| `insecure_api`         | Boolean | Whether KBS will not verify the public key when called admin APIs | No       | `false` |
+| `admin_api_read_only`  | Boolean | Limit the admin APIs to only get resources.                       | No       | `false` |
 
 ### Policy Engine Configuration
 

kbs/src/admin/config.rs

@@ -7,6 +7,7 @@ use std::path::PathBuf;
 use serde::Deserialize;
 
 pub const DEFAULT_INSECURE_API: bool = false;
+pub const DEFAULT_ADMIN_API_READ_ONLY: bool = false;
 
 #[derive(Clone, Debug, Deserialize, PartialEq)]
 pub struct AdminConfig {
@@ -18,13 +19,18 @@ pub struct AdminConfig {
     /// WARNING: Using this option enables KBS insecure APIs such as Resource Registration without
     /// verifying the JWK.
     pub insecure_api: bool,
+
+    /// Whether the admin APIs should be read-only or not.
+    /// Useful for operator-based deployments.
+    pub admin_api_read_only: bool,
 }
 
 impl Default for AdminConfig {
     fn default() -> Self {
         Self {
             auth_public_key: None,
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_read_only: DEFAULT_ADMIN_API_READ_ONLY,
         }
     }
 }

kbs/src/admin/error.rs

@@ -19,6 +19,9 @@ pub enum Error {
     #[error("`auth_public_key` is not set in the config file")]
     NoPublicKeyGiven,
 
+    #[error("`admin_api_read_only` limits the admin API to read-only operations (GET/HEAD)")]
+    AdminApiReadOnly,
+
     #[error("Failed to parse admin public key")]
     ParsePublicKey(#[from] jwt_simple::Error),
 

kbs/src/admin/mod.rs

@@ -2,7 +2,10 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
-use actix_web::{http::header::Header, HttpRequest};
+use actix_web::{
+    http::{header::Header, Method},
+    HttpRequest,
+};
 use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
 use config::AdminConfig;
 use jwt_simple::{
@@ -19,12 +22,21 @@ use log::warn;
 #[derive(Default, Clone)]
 pub struct Admin {
     public_key: Option<Ed25519PublicKey>,
+    admin_api_read_only: bool,
 }
 
 impl TryFrom<AdminConfig> for Admin {
     type Error = Error;
 
     fn try_from(value: AdminConfig) -> Result<Self> {
+        if value.admin_api_read_only {
+            warn!("admin API is disabled");
+            return Ok(Self {
+                public_key: None,
+                admin_api_read_only: true,
+            });
+        }
+
         if value.insecure_api {
             warn!("insecure admin APIs are enabled");
             return Ok(Admin::default());
@@ -35,12 +47,19 @@ impl TryFrom<AdminConfig> for Admin {
         let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?;
         Ok(Self {
             public_key: Some(key),
+            admin_api_read_only: false,
         })
     }
 }
 
 impl Admin {
     pub(crate) fn validate_auth(&self, request: &HttpRequest) -> Result<()> {
+        if self.admin_api_read_only
+            && (request.method() != Method::GET || request.method() != Method::HEAD)
+        {
+            return Err(Error::AdminApiReadOnly);
+        }
+
         let Some(public_key) = &self.public_key else {
             return Ok(());
         };

kbs/src/config.rs

@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::admin::config::{AdminConfig, DEFAULT_INSECURE_API};
+use crate::admin::config::{AdminConfig, DEFAULT_ADMIN_API_READ_ONLY, DEFAULT_INSECURE_API};
 use crate::plugins::PluginsConfig;
 use crate::policy_engine::PolicyEngineConfig;
 use crate::token::AttestationTokenVerifierConfig;
@@ -83,6 +83,7 @@ impl TryFrom<&Path> for KbsConfig {
     fn try_from(config_path: &Path) -> Result<Self, Self::Error> {
         let c = Config::builder()
             .set_default("admin.insecure_api", DEFAULT_INSECURE_API)?
+            .set_default("admin.admin_api_read_only", DEFAULT_ADMIN_API_READ_ONLY)?
             .set_default("http_server.insecure_http", DEFAULT_INSECURE_HTTP)?
             .set_default("http_server.sockets", vec![DEFAULT_SOCKET])?
             .set_default(
@@ -169,6 +170,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: Some(PathBuf::from("/etc/kbs-admin.pub")),
             insecure_api: false,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig {
             policy_path: PathBuf::from("/etc/kbs-policy.rego"),
@@ -218,6 +220,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: None,
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig {
             policy_path: DEFAULT_POLICY_PATH.into(),
@@ -255,6 +258,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: Some(PathBuf::from("/etc/kbs-admin.pub")),
             insecure_api: false,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig {
             policy_path: PathBuf::from("/etc/kbs-policy.rego"),
@@ -293,6 +297,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: Some(PathBuf::from("/opt/confidential-containers/kbs/user-keys/public.pub")),
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig::default(),
         plugins: Vec::new(),
@@ -334,6 +339,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: Some("/kbs/kbs.pem".into()),
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig::default(),
         plugins: Vec::new(),
@@ -369,6 +375,7 @@ mod tests {
         admin: AdminConfig {
             auth_public_key: Some("/kbs/kbs.pem".into()),
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_read_only: false,
         },
         policy_engine: PolicyEngineConfig::default(),
         plugins: Vec::new(),