Implement API Key whitelisting

gwdevhub · Aug 12, 2024 · 88b01a0 · 88b01a0
1 parent 45fc018
commit 88b01a0
Show file tree

Hide file tree

Showing 11 changed files with 84 additions and 19 deletions.
diff --git a/.github/workflows/docker-deploy.yaml b/.github/workflows/docker-deploy.yaml
@@ -32,6 +32,7 @@ jobs:
         $trimmedIps = "${{ secrets.COMMA_SEPARATED_IPS }}" -split ',' | ForEach-Object { $_.Trim() }
         $newAddressesArray = $jsonContent.IpWhitelistOptions.Addresses + $trimmedIps
         $jsonContent.IpWhitelistOptions.Addresses = $newAddressesArray
+        $jsonContent.ApiWhitelistOptions.Key = "${{ secrets.API_KEY }}"
         $updatedJsonContent = $jsonContent | ConvertTo-Json -Depth 32
         Set-Content -Path Config.json -Value $updatedJsonContent
 

diff --git a/GuildWarsPartySearch.Bot/Dependencies/easywsclient/easywsclient.cpp b/GuildWarsPartySearch.Bot/Dependencies/easywsclient/easywsclient.cpp
@@ -454,7 +454,7 @@ class _RealWebSocket : public easywsclient::WebSocket
 };
 
 
-easywsclient::WebSocket::pointer from_url(const std::string& url, bool useMask, const std::string& origin, const std::string& userAgent) {
+easywsclient::WebSocket::pointer from_url(const std::string& url, bool useMask, const std::string& origin, const std::string& user_agent, const std::string& api_key) {
     char host[512];
     int port;
     char path[512];
@@ -501,7 +501,8 @@ easywsclient::WebSocket::pointer from_url(const std::string& url, bool useMask,
         else {
             snprintf(line, 1024, "Host: %s:%d\r\n", host, port); ::send(sockfd, line, strlen(line), 0);
         }
-        snprintf(line, 1024, "User-Agent: %s\r\n", userAgent.c_str()); ::send(sockfd, line, strlen(line), 0);
+        snprintf(line, 1024, "User-Agent: %s\r\n", user_agent.c_str()); ::send(sockfd, line, strlen(line), 0);
+        snprintf(line, 1024, "X-Api-Key: %s\r\n", api_key.c_str()); ::send(sockfd, line, strlen(line), 0);
         snprintf(line, 1024, "Upgrade: websocket\r\n"); ::send(sockfd, line, strlen(line), 0);
         snprintf(line, 1024, "Connection: Upgrade\r\n"); ::send(sockfd, line, strlen(line), 0);
         if (!origin.empty()) {
@@ -544,12 +545,12 @@ WebSocket::pointer WebSocket::create_dummy() {
 }
 
 
-WebSocket::pointer WebSocket::from_url(const std::string& url, const std::string& userAgent, const std::string& origin) {
-    return ::from_url(url, true, origin, userAgent);
+WebSocket::pointer WebSocket::from_url(const std::string& url, const std::string& user_agent, const std::string& api_key, const std::string& origin) {
+    return ::from_url(url, true, origin, user_agent, api_key);
 }
 
-WebSocket::pointer WebSocket::from_url_no_mask(const std::string& url, const std::string& userAgent, const std::string& origin) {
-    return ::from_url(url, false, origin, userAgent);
+WebSocket::pointer WebSocket::from_url_no_mask(const std::string& url, const std::string& user_agent, const std::string& api_key, const std::string& origin) {
+    return ::from_url(url, false, origin, user_agent, api_key);
 }
 
 

diff --git a/GuildWarsPartySearch.Bot/Dependencies/easywsclient/easywsclient.hpp b/GuildWarsPartySearch.Bot/Dependencies/easywsclient/easywsclient.hpp
@@ -23,8 +23,8 @@ class WebSocket {
 
     // Factories:
     static pointer create_dummy();
-    static pointer from_url(const std::string& url, const std::string& userAgent, const std::string& origin = std::string());
-    static pointer from_url_no_mask(const std::string& url, const std::string& userAgent, const std::string& origin = std::string());
+    static pointer from_url(const std::string& url, const std::string& user_agent, const std::string& api_key, const std::string& origin = std::string());
+    static pointer from_url_no_mask(const std::string& url, const std::string& user_agent, const std::string& api_key, const std::string& origin = std::string());
 
     // Interfaces:
     virtual ~WebSocket() { }

diff --git a/GuildWarsPartySearch.Bot/main.cpp b/GuildWarsPartySearch.Bot/main.cpp
@@ -50,6 +50,7 @@ extern "C" {
 
 struct BotConfiguration {
     std::string         web_socket_url = "";
+    std::string         api_key = "development";
     uint32_t            map_id = 857; // Embark beach
     District            district = District::DISTRICT_AMERICAN;
     uint32_t            district_number = 0;
@@ -333,6 +334,10 @@ static void load_configuration() {
                 bot_configuration.connection_retries = stoi(get_next_argument(i));
                 i++;
             }
+            else if (arg == "-api-key") {
+                bot_configuration.api_key = get_next_argument(i);
+                i++;
+            }
         }
     }
     catch (std::exception) {
@@ -420,7 +425,7 @@ static easywsclient::WebSocket::pointer connect_websocket() {
         disconnect_websocket();
 
         LogInfo("Attempting to connect. Try %d/%d", i + 1, connect_retries);
-        ws = easywsclient::WebSocket::from_url(bot_configuration.web_socket_url, user_agent);
+        ws = easywsclient::WebSocket::from_url(bot_configuration.web_socket_url, user_agent, bot_configuration.api_key);
         if (!ws) {
             // Sleep before retry
             time_sleep_sec(5);

diff --git a/GuildWarsPartySearch/Config.Debug.json b/GuildWarsPartySearch/Config.Debug.json
@@ -29,6 +29,9 @@
       "localhost"
     ]
   },
+  "ApiWhitelistOptions": {
+    "Key": "development"
+  },
   "ContentOptions": {
     "StagingFolder": "Content"
   }

diff --git a/GuildWarsPartySearch/Config.Production.json b/GuildWarsPartySearch/Config.Production.json
@@ -29,6 +29,9 @@
       "localhost"
     ]
   },
+  "ApiWhitelistOptions": {
+    "Key": "development"
+  },
   "ContentOptions": {
     "StagingFolder": "Content"
   }

diff --git a/GuildWarsPartySearch/Endpoints/PostPartySearch.cs b/GuildWarsPartySearch/Endpoints/PostPartySearch.cs
@@ -10,7 +10,7 @@
 
 namespace GuildWarsPartySearch.Server.Endpoints;
 
-[ServiceFilter<IpWhitelistFilter>]
+[ServiceFilter<ApiWhitelistFilter>]
 [ServiceFilter<UserAgentRequired>]
 public sealed class PostPartySearch : WebSocketRouteBase<PostPartySearchRequest, PostPartySearchResponse>
 {

diff --git a/GuildWarsPartySearch/Endpoints/StatusController.cs b/GuildWarsPartySearch/Endpoints/StatusController.cs
@@ -22,10 +22,10 @@ public StatusController(
     }
 
     [HttpGet("bot-activity/all")]
-    [ServiceFilter<IpWhitelistFilter>]
+    [ServiceFilter<ApiWhitelistFilter>]
     [ProducesResponseType(200)]
     [ProducesResponseType(403)]
-    [SwaggerOperation(Description = $"Protected by *IP whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
+    [SwaggerOperation(Description = $"Protected by *API Key whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
     public async Task<IActionResult> GetAllBotActivity()
     {
         if (this.environment.IsProduction())
@@ -37,10 +37,10 @@ public async Task<IActionResult> GetAllBotActivity()
     }
 
     [HttpGet("bot-activity/bots/{botName}")]
-    [ServiceFilter<IpWhitelistFilter>]
+    [ServiceFilter<ApiWhitelistFilter>]
     [ProducesResponseType(200)]
     [ProducesResponseType(403)]
-    [SwaggerOperation(Description = $"Protected by *IP whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
+    [SwaggerOperation(Description = $"Protected by *API Key whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
     public async Task<IActionResult> GetBotActivityByName(string botName)
     {
         if (this.environment.IsProduction())
@@ -52,10 +52,10 @@ public async Task<IActionResult> GetBotActivityByName(string botName)
     }
 
     [HttpGet("bot-activity/maps/{map}")]
-    [ServiceFilter<IpWhitelistFilter>]
+    [ServiceFilter<ApiWhitelistFilter>]
     [ProducesResponseType(200)]
     [ProducesResponseType(403)]
-    [SwaggerOperation(Description = $"Protected by *IP whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
+    [SwaggerOperation(Description = $"Protected by *API Key whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
     public async Task<IActionResult> GetBotActivityByMap(string map)
     {
         if (this.environment.IsProduction())
@@ -74,10 +74,10 @@ public async Task<IActionResult> GetBotActivityByMap(string map)
     }
 
     [HttpGet("bots")]
-    [ServiceFilter<IpWhitelistFilter>]
+    [ServiceFilter<ApiWhitelistFilter>]
     [ProducesResponseType(200)]
     [ProducesResponseType(403)]
-    [SwaggerOperation(Description = $"Protected by *IP whitelisting*.\r\n\r\n")]
+    [SwaggerOperation(Description = $"Protected by *API Key whitelisting*.\r\n\r\n Disabled in *Production* \r\n\r\n")]
     public async Task<IActionResult> GetBotStatus()
     {
         if (this.environment.IsProduction())

diff --git a/GuildWarsPartySearch/Filters/ApiWhitelistFilter.cs b/GuildWarsPartySearch/Filters/ApiWhitelistFilter.cs
@@ -0,0 +1,44 @@
+using GuildWarsPartySearch.Server.Options;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.Options;
+using System.Core.Extensions;
+using System.Extensions;
+
+namespace GuildWarsPartySearch.Server.Filters
+{
+    public class ApiWhitelistFilter : IAsyncActionFilter
+    {
+        private const string XApiKeyHeaderKey = "X-Api-Key";
+
+        private readonly ApiWhitelistOptions apiWhitelistOptions;
+        private readonly ILogger<ApiWhitelistFilter> logger;
+
+        public ApiWhitelistFilter(
+            IOptions<ApiWhitelistOptions> options,
+            ILogger<ApiWhitelistFilter> logger)
+        {
+            this.apiWhitelistOptions = options.ThrowIfNull().Value.ThrowIfNull();
+            this.logger = logger.ThrowIfNull();
+        }
+
+        public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
+        {
+            var address = context.HttpContext.Connection.RemoteIpAddress?.ToString();
+            var scopedLogger = this.logger.CreateScopedLogger(nameof(this.OnActionExecutionAsync), address ?? string.Empty);
+            scopedLogger.LogDebug($"Received request");
+            if (context.HttpContext.Request.Headers.TryGetValue(XApiKeyHeaderKey, out var xApiKeyvalues))
+            {
+                scopedLogger.LogDebug($"X-Api-Key {string.Join(',', xApiKeyvalues.Select(s => s))}");
+            }
+
+            if (xApiKeyvalues.None(k => k == this.apiWhitelistOptions.Key))
+            {
+                context.Result = new ForbiddenResponseActionResult("Forbidden");
+                return;
+            }
+
+            await next();
+        }
+    }
+
+}
diff --git a/GuildWarsPartySearch/Launch/ServerConfiguration.cs b/GuildWarsPartySearch/Launch/ServerConfiguration.cs
@@ -60,7 +60,8 @@ public static WebApplicationBuilder SetupOptions(this WebApplicationBuilder buil
             .ConfigureExtended<ServerOptions>()
             .ConfigureExtended<IpWhitelistOptions>()
             .ConfigureExtended<BotHistoryDatabaseOptions>()
-            .ConfigureExtended<SQLiteDatabaseOptions>();
+            .ConfigureExtended<SQLiteDatabaseOptions>()
+            .ConfigureExtended<ApiWhitelistOptions>();
     }
 
     public static IServiceCollection SetupServices(this IServiceCollection services)
@@ -83,6 +84,7 @@ public static IServiceCollection SetupServices(this IServiceCollection services)
         services.AddSingleton<IBotHistoryDatabase, BotHistorySqliteDatabase>();
         services.AddScoped<UserAgentRequired>();
         services.AddScoped<IpWhitelistFilter>();
+        services.AddScoped<ApiWhitelistFilter>();
         services.AddScoped<IPartySearchService, PartySearchService>();
         services.AddScoped<ICharNameValidator, CharNameValidator>();
         return services;

diff --git a/GuildWarsPartySearch/Options/ApiWhitelistOptions.cs b/GuildWarsPartySearch/Options/ApiWhitelistOptions.cs
@@ -0,0 +1,6 @@
+namespace GuildWarsPartySearch.Server.Options;
+
+public class ApiWhitelistOptions
+{
+    public string? Key { get; set; }
+}