introduce admin_api_ro flag to restrict operations to only r/o

In operator-based deployments, kbs-client (and in general the admin API)
should not be allowed to try and modify the resources, for two reasons:

1. trustee runs in a container so the fs is r/o
2. management of such resources is by design delegated to kubernetes
   configmaps

Therefore add admin_api_ro flags defaulting to false under the [admin]
section of kbs-config.toml.

Signed-off-by: Emanuele Giuseppe Esposito <[email protected]>

Author: esposem

kbs/docs/config.md

@@ -207,6 +207,7 @@ The following properties can be set under the `[admin]` section.
 |--------------------------|--------------|------------------------------------------------------------------------------------------------------------|----------|----------------------|
 | `auth_public_key`        | String       | Path to the public key used to authenticate the admin APIs                                                 | No       | None                 |
 | `insecure_api`           | Boolean      | Whether KBS will not verify the public key when called admin APIs                                          | No       | `false`              |
+| `admin_api_ro`           | Boolean      | Limit the admin APIs to only get resources. Useful for operator-based deployments                      | No       | `false`              |
 
 ### Policy Engine Configuration
 

kbs/src/admin/config.rs

@@ -7,6 +7,7 @@ use std::path::PathBuf;
 use serde::Deserialize;
 
 pub const DEFAULT_INSECURE_API: bool = false;
+pub const DEFAULT_ADMIN_API_RO: bool = false;
 
 #[derive(Clone, Debug, Deserialize, PartialEq)]
 pub struct AdminConfig {
@@ -18,13 +19,18 @@ pub struct AdminConfig {
     /// WARNING: Using this option enables KBS insecure APIs such as Resource Registration without
     /// verifying the JWK.
     pub insecure_api: bool,
+
+    /// Whether the admin APIs should be read-only or not.
+    /// Useful for operator-based deployments.
+    pub admin_api_ro: bool,
 }
 
 impl Default for AdminConfig {
     fn default() -> Self {
         Self {
             auth_public_key: None,
             insecure_api: DEFAULT_INSECURE_API,
+            admin_api_ro: DEFAULT_ADMIN_API_RO,
         }
     }
 }

kbs/src/admin/error.rs

@@ -19,6 +19,9 @@ pub enum Error {
     #[error("`auth_public_key` is not set in the config file")]
     NoPublicKeyGiven,
 
+    #[error("Admin API is limited to read-only operations (GET)")]
+    AdminApiReadOnly,
+
     #[error("Failed to parse admin public key")]
     ParsePublicKey(#[from] jwt_simple::Error),
 

kbs/src/admin/mod.rs

@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
-use actix_web::{http::header::Header, HttpRequest};
+use actix_web::{http::{header::Header, Method}, HttpRequest};
 use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
 use config::AdminConfig;
 use jwt_simple::{
@@ -19,12 +19,21 @@ use log::warn;
 #[derive(Default, Clone)]
 pub struct Admin {
     public_key: Option<Ed25519PublicKey>,
+    admin_api_ro: bool,
 }
 
 impl TryFrom<AdminConfig> for Admin {
     type Error = Error;
 
     fn try_from(value: AdminConfig) -> Result<Self> {
+        if value.admin_api_ro {
+            warn!("admin API is disabled");
+            return Ok(Self {
+                public_key: None,
+                admin_api_ro: true,
+            });
+        }
+
         if value.insecure_api {
             warn!("insecure admin APIs are enabled");
             return Ok(Admin::default());
@@ -35,12 +44,17 @@ impl TryFrom<AdminConfig> for Admin {
         let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?;
         Ok(Self {
             public_key: Some(key),
+            admin_api_ro: false,
         })
     }
 }
 
 impl Admin {
     pub(crate) fn validate_auth(&self, request: &HttpRequest) -> Result<()> {
+        if request.method() == Method::POST && self.admin_api_ro {
+            return Err(Error::AdminApiReadOnly);
+        }
+
         let Some(public_key) = &self.public_key else {
             return Ok(());
         };

kbs/src/config.rs

@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::admin::config::{AdminConfig, DEFAULT_INSECURE_API};
+use crate::admin::config::{AdminConfig, DEFAULT_INSECURE_API, DEFAULT_ADMIN_API_RO};
 use crate::plugins::PluginsConfig;
 use crate::policy_engine::PolicyEngineConfig;
 use crate::token::AttestationTokenVerifierConfig;
@@ -83,6 +83,7 @@ impl TryFrom<&Path> for KbsConfig {
     fn try_from(config_path: &Path) -> Result<Self, Self::Error> {
         let c = Config::builder()
             .set_default("admin.insecure_api", DEFAULT_INSECURE_API)?
+            .set_default("admin.admin_api_ro", DEFAULT_ADMIN_API_RO)?
             .set_default("http_server.insecure_http", DEFAULT_INSECURE_HTTP)?
             .set_default("http_server.sockets", vec![DEFAULT_SOCKET])?
             .set_default(