authorAdam Ierymenko <adam.ierymenko@gmail.com>2015-04-15 19:14:12 -0700
committerAdam Ierymenko <adam.ierymenko@gmail.com>2015-04-15 19:14:12 -0700
commit21a7e774bba4832848687dbd8d2e0a1df33650ce (patch)
treef7258ed063b0fca601e33f7f49417f42f95b9600 /service
parentc301d8e43859066155801b44b9953d38e3e36d03 (diff)
Wire API auth token stuff.
Diffstat (limited to 'service')
-rw-r--r--service/ControlPlane.cpp13
-rw-r--r--service/ControlPlane.hpp16
-rw-r--r--service/OneService.cpp20
3 files changed, 46 insertions, 3 deletions
diff --git a/service/ControlPlane.cpp b/service/ControlPlane.cpp
index 3d37a90a..8957e344 100644
--- a/service/ControlPlane.cpp
+++ b/service/ControlPlane.cpp
@@ -248,7 +248,18 @@ unsigned int ControlPlane::handleRequest(
ps.push_back(std::string("index.html"));
}
- bool isAuth = true; // TODO: auth tokens
+ bool isAuth = false;
+ {
+ Mutex::Lock _l(_authTokens_m);
+ std::map<std::string,std::string>::const_iterator ah(headers.find("x-zt1-auth"));
+ if ((ah != headers.end())&&(_authTokens.count(ah->second) > 0))
+ isAuth = true;
+ else {
+ ah = urlArgs.find("auth");
+ if ((ah != urlArgs.end())&&(_authTokens.count(ah->second) > 0))
+ isAuth = true;
+ }
+ }
if (httpMethod == HTTP_GET) {
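Review bot: Accepting the token from the `auth` URL query parameter, in the else branch after the header lookup, puts the secret into places query strings are routinely recorded — web server and proxy logs, browser history, Referer headers — whereas the `x-zt1-auth` header path has none of those exposures. If the query form is needed for browser-based callers, that trade-off should be stated at the lookup, e.g. `// NOTE: tokens passed as ?auth= may be retained in logs/history by intermediaries; prefer the x-zt1-auth header`. Separately, `_authTokens.count(ah->second)` relies on std::string equality, which is not constant-time; with a long random token this is a low-impact timing channel, but a one-line comment acknowledging it is cheap. handleRequest's body continues outside the hunk, so where isAuth is enforced is not visible here.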
diff --git a/service/ControlPlane.hpp b/service/ControlPlane.hpp
index 96d11762..b6f1ca7d 100644
--- a/service/ControlPlane.hpp
+++ b/service/ControlPlane.hpp
@@ -28,12 +28,14 @@
#ifndef ZT_ONE_CONTROLPLANE_HPP
#define ZT_ONE_CONTROLPLANE_HPP
-#include "../include/ZeroTierOne.h"
-
#include <string>
#include <map>
#include <set>
+#include "../include/ZeroTierOne.h"
+
+#include "../node/Mutex.hpp"
+
namespace ZeroTier {
class OneService;
@@ -50,6 +52,15 @@ public:
~ControlPlane();
/**
+ * Add an authentication token for API access
+ */
+ inline void addAuthToken(const char *tok)
+ {
+ Mutex::Lock _l(_authTokens_m);
+ _authTokens.insert(std::string(tok));
+ }
+
+ /**
* Handle HTTP request
*
* @param fromAddress Originating IP address of request
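Review bot: addAuthToken constructs `std::string(tok)` from a raw `const char *` with no null check, so a null argument is undefined behavior rather than a rejected call; the only caller in this commit passes `authToken.c_str()`, which is never null, but the method is public in a header. An explicit guard, `if (!tok) return;` before the lock, or a `const std::string &` overload would make the contract visible. The doc comment should also state how the token is used, e.g. `@param tok Token compared verbatim against the x-zt1-auth header or the auth URL argument; an empty string is stored as-is`.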
@@ -74,6 +85,7 @@ private:
OneService *const _svc;
Node *const _node;
std::set<std::string> _authTokens;
+ Mutex _authTokens_m;
};
} // namespace ZeroTier
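Review bot: The new `_authTokens_m` member carries no comment tying it to the set it guards, so a later reader of the header cannot tell that `_authTokens` must only be touched under this lock (both handleRequest and addAuthToken in this commit do take it). Annotating the set, `std::set<std::string> _authTokens; // guarded by _authTokens_m`, records the invariant where the members are declared.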
diff --git a/service/OneService.cpp b/service/OneService.cpp
index f84af0ae..1ba7a8c5 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -173,6 +173,25 @@ public:
virtual ReasonForTermination run()
{
try {
+ std::string authToken;
+ {
+ std::string authTokenPath(_homePath + ZT_PATH_SEPARATOR_S + "authtoken.secret");
+ if (!OSUtils::readFile(authTokenPath.c_str(),authToken)) {
+ unsigned char foo[24];
+ Utils::getSecureRandom(foo,sizeof(foo));
+ authToken = "";
+ for(unsigned int i=0;i<sizeof(foo);++i)
+ authToken.push_back("abcdefghijklmnopqrstuvwxyz0123456789"[(unsigned long)foo[i] % 36]);
+ if (!OSUtils::writeFile(authTokenPath.c_str(),authToken)) {
+ Mutex::Lock _l(_termReason_m);
+ _termReason = ONE_UNRECOVERABLE_ERROR;
+ _fatalErrorMessage = "authtoken.secret could not be written";
+ return _termReason;
+ } else OSUtils::lockDownFile(authTokenPath.c_str(),false);
+ }
+ }
+ authToken = Utils::trim(authToken);
+
_node = new Node(
OSUtils::now(),
this,
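Review bot: The token read from authtoken.secret is trimmed at `authToken = Utils::trim(authToken);` but never checked for emptiness, so a blank or whitespace-only file registers `""` as a valid token, and because the control plane matches tokens by exact string an empty `x-zt1-auth` header or `auth` argument would then authenticate. The generated-token branch cannot produce an empty string, so the check belongs immediately after the trim, failing the same way the unwritable-file case does (or regenerating as in the missing-file branch). Two smaller points: `foo[i] % 36` is slightly biased because 256 is not a multiple of 36, so a 32-character alphabet (or discarding bytes above 251) gives uniform output at no cost; and `OSUtils::lockDownFile` runs only when the file was freshly written, so a pre-existing token file keeps whatever permissions it already had. run()'s body continues outside the hunk.
```cpp
authToken = Utils::trim(authToken);
// An empty token would match an empty x-zt1-auth header / auth argument verbatim.
if (authToken.empty()) {
    Mutex::Lock _l(_termReason_m);
    _termReason = ONE_UNRECOVERABLE_ERROR;
    _fatalErrorMessage = "authtoken.secret is empty";
    return _termReason;
}
// … unchanged: Node construction …
```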
@@ -188,6 +207,7 @@ public:
_node->setNetconfMaster((void *)_master);
_controlPlane = new ControlPlane(this,_node);
+ _controlPlane->addAuthToken(authToken.c_str());
{ // Remember networks from previous session
std::vector<std::string> networksDotD(OSUtils::listDirectory((_homePath + ZT_PATH_SEPARATOR_S + "networks.d").c_str()));