diff --git a/rust/openvasd/src/controller/entry.rs b/rust/openvasd/src/controller/entry.rs
index f1cdc411a..d832880e4 100644
--- a/rust/openvasd/src/controller/entry.rs
+++ b/rust/openvasd/src/controller/entry.rs
@@ -192,6 +192,21 @@ where
 let kp = KnownPaths::from_path(req.uri().path(), &ctx.mode);
 let cid: Option = {
 match &*cid {
+ ClientIdentifier::Disabled => {
+ if let Some(key) = ctx.api_key.as_ref() {
+ match req.headers().get("x-api-key") {
+ Some(v) if v == key => ctx.api_key.as_ref().map(|x| x.into()),
+ Some(v) => {
+ tracing::debug!("{} {} invalid key: {:?}", req.method(), kp, v);
+ None
+ }
+ None => None,
+ }
+ } else {
+ Some("disabled".into())
+ }
+ }
+ ClientIdentifier::Known(cid) => Some(cid.clone()),
 ClientIdentifier::Unknown => {
 if let Some(key) = ctx.api_key.as_ref() {
 match req.headers().get("x-api-key") {
@@ -200,13 +215,14 @@ where
 tracing::debug!("{} {} invalid key: {:?}", req.method(), kp, v);
 None
 }
- _ => None,
+ None => None,
 }
 } else {
+ // We don't allow no api key and no client certs when we have a server
+ // certificate to prevent accidental misconfiguration.
 None
 }
 }
- ClientIdentifier::Known(cid) => Some(cid.clone()),
 }
 };
diff --git a/rust/openvasd/src/controller/mod.rs b/rust/openvasd/src/controller/mod.rs
index 15dca3f64..119589e1e 100644
--- a/rust/openvasd/src/controller/mod.rs
+++ b/rust/openvasd/src/controller/mod.rs
@@ -42,6 +42,8 @@ pub enum ClientIdentifier {
 /// When there in no information available
 #[default]
 Unknown,
+ /// Purposely disabled
+ Disabled,
 /// Contains a hashed number of an identifier
 ///
 /// openvasd uses the identifier as a key for results. This key is usually calculated by an
@@ -82,6 +84,9 @@ where
 None
 }
 };
+ if tlsc.is_none() && ctx.api_key.is_none() {
+ tracing::warn!("Neither mTLS nor an API key are set. /scans endpoint is unsecured.");
+ }
 let addr = config.listener.address;
 let addr: SocketAddr = addr;
 let incoming = TcpListener::bind(&addr).await?;
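Review bot: The new `Disabled` arm repeats the `Unknown` arm's `x-api-key` check line for line, so only the no-key fallback differs and the two policies can silently drift apart. Pulling the comparison into one local closure keeps a single copy, and dropping `v` from the `tracing::debug!` call keeps whatever value the client presented as a key out of the log; the closure below assumes `ctx.api_key` is `Option<String>`, as the `.into()` on the match arm suggests. Note also that on a match the client identifier becomes the configured key itself (`ctx.api_key.as_ref().map(|x| x.into())`); since mod.rs documents the identifier as the key under which results are stored, the secret may surface in storage paths or log lines — worth confirming, and deriving the identifier from a hash of the key if so. The enclosing function starts and ends outside the hunk.
```rust
// … unchanged: kp binding …
// One copy of the key check; the rejected value itself is not logged.
let key_matches = |key: &String| match req.headers().get("x-api-key") {
    Some(v) if v == key => Some(key.clone()),
    Some(_) => {
        tracing::debug!("{} {} invalid key", req.method(), kp);
        None
    }
    None => None,
};
let cid: Option<String> = {
    match &*cid {
        ClientIdentifier::Disabled => match ctx.api_key.as_ref() {
            Some(key) => key_matches(key),
            // No client certificate possible and no key configured: shared identifier.
            None => Some("disabled".into()),
        },
        ClientIdentifier::Known(cid) => Some(cid.clone()),
        // No key and no client certificate on a TLS listener: reject.
        ClientIdentifier::Unknown => ctx.api_key.as_ref().and_then(|key| key_matches(key)),
    }
};
```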
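Review bot: `/// Purposely disabled` does not tell a reader of `ClientIdentifier` what is disabled or what the variant means for access control, which entry.rs decides: with an API key configured the key is still checked, and without one every request is accepted under the shared identifier `"disabled"`. A doc comment along the lines of `/// Client-certificate identification is off (plain listener). A configured API key is still checked; without one every request is accepted under the shared identifier "disabled".` would make that visible at the type. Keeping `#[default]` on `Unknown` is the right choice, since any path that does not set an identifier explicitly then gets the stricter policy (no key and no certificate is rejected).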
@@ -131,7 +136,7 @@ where
 let (tcp_stream, _remote_addr) = incoming.accept().await?;
 let ctx = controller.clone();
 tokio::spawn(async move {
- let cci = ClientIdentifier::Unknown;
+ let cci = ClientIdentifier::Disabled;
 let service = entry::EntryPoint::new(ctx, Arc::new(cci));
 if let Err(err) = Builder::new()
 .serve_connection(TokioIo::new(tcp_stream), service)
@@ -534,7 +539,7 @@ mod tests {
 .method(Method::POST)
 .body(serde_json::to_string(&scan).unwrap().into())
 .unwrap();
- let cid = Arc::new(ClientIdentifier::Unknown);
+ let cid = Arc::new(ClientIdentifier::Disabled);
 let resp = entrypoint(req, Arc::clone(&controller), cid).await.unwrap();
 assert_eq!(resp.status(), 401);
@@ -544,7 +549,7 @@ mod tests {
 .method(Method::POST)
 .body(serde_json::to_string(&scan).unwrap().into())
 .unwrap();
- let cid = Arc::new(ClientIdentifier::Unknown);
+ let cid = Arc::new(ClientIdentifier::Disabled);
 let resp = entrypoint(req, Arc::clone(&controller), cid).await.unwrap();
 assert_eq!(resp.status(), 201);
 }
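Review bot: The accept loop now tags every connection on this listener `Disabled` rather than `Unknown`, and nothing on the line says why; from the plain `tcp_stream` handed to `serve_connection` with no TLS acceptor in view, this appears to be the non-TLS listener, where no client certificate can ever be presented. A comment on the new line, `// Plain listener: no client certificate is possible, so only the API key (if configured) gates access.`, would record that, since with `Disabled` and no key every request is admitted under the shared identifier "disabled" (see entry.rs). The enclosing function starts and ends outside the hunk.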