Security¶

Vulnerabilities should be reported via https://intel.com/security

CORS¶

You’ll want to configure the domains that should be able to request the API via the CORS flag, if you are putting this on a different domain.

For example if you are hosting the API service on https://dffml.example-api.com and you’re web UI on https://dffml.example.com, you’ll need to add the URL of the web UI to the CORS list.

$ dffml service http server -cors 'https://dffml.example-api.com'

You may just want to throw all of this CORS business out the window when developing (we don’t blame you). In which case you could enable connections from all origins via *.

$ dffml service http server -cors '*'

Atomic Mode¶

The -mc-atomic flag will disable all routes other than those registered via -mc-config. If you want the server to only respond using the specified dataflows, and provide no other functionality, use this option.

Multitenancy¶

The HTTP API service is not intended for multi-tenant use, and most likely never will be.

This means that its currently assumed that anyone allowed to connect to the server (TLS client authentication protects anyone you haven’t given a .key and .pem file to from connecting. So two people could access it at the same time, but they won’t be stopped from clobbering each other’s work.

File, Network, Etc. Access¶

Since this just exposes existing DFFML APIs, its damn near impossible for use to lock everything down within all the plugins of DFFML you might choose to expose via this HTTP API. So we’re not going to try. What this means is that if you’re running this you should sandbox it appropriately.

For example, if you expose the DFFML CSV source using this API, it takes a filename parameter, which is the file containing the CSV data. Now if you say that filename is at /root/some/file.csv and you’re running this as root then it’s going to have access to that file therefore, DO NOT RUN THIS AS ROOT, as anyone who is able to connect will have read write access to all files on your system, you do not want to take this chance!

Similarly, if you expose the DFFML MySQL source, when you initialize new MySQL protocol connections they will be originating from whatever machine is running the HTTP API. So that means it might have access to internal databases or something listing only on 127.0.0.1.

Authentication¶

TLS client authentication is currently used. There are scripts to generate basic functioning certs. These certs should not be used in a production capacity.

In the future, we’ll probably support JSON Web Tokens (JWT) signed with a public key. And then you’ll be able to provision your certs in a more reasonable way (cert-manager if Kubernetes or something else). But for now this is what we’ve got.

First, generate the server key and cert. The cert generated is only valid for 127.0.0.1. This will produce the server’s private key file, server.key, and the server’s certificate, server.pem.

$ dffml service http createtls server
Generating a RSA private key
......................................++++
.................................++++
writing new private key to 'server.key'
-----

Then, generate the client key and cert. It will be signed by the server cert to make it acceptable to the server. This will produce the client’s private key file, client.key, the client’s certificate, client.pem, and the client’s certificate signing request client.csr (which is unnecessary after the command is run because it’s already been used to create client.pem).

$ dffml service http createtls client
Generating a RSA private key
.................................................++++
........++++
writing new private key to 'client.key'
-----
Signature ok
subject=CN = RealUser
Getting CA Private Key

Now you can run the server without the -insecure flag.

$ dffml service http server -port 5000
$ curl -w '\n' \
    --cacert server.pem \
    --cert client.pem \
    --key client.key \
    https://127.0.0.1:5000/list/sources
... JSON output ...