Labels: controller, testing
Status: Open

Description
This issue tracks the implementation of a comprehensive security hardening and architectural refactoring of the controller. The work involves migrating the database, enhancing encryption, implementing a more robust permissions model, and updating the API. The core purpose of these technical changes is to achieve two critical security goals: limiting user access to units and restricting controller access by IP.
Key Security Objectives
These are the primary drivers behind all the implementation tasks:
- Limit User Access to Units:
  This objective will be achieved through the introduction of "unit groups".
  - An administrator will create a group (e.g., "Rome Office Firewalls").
  - The administrator will then assign one or more units to that group.
  - Finally, the administrator will associate one or more users with that group.
  - As a result, a user will only be able to see and manage the units that are part of the groups they've been assigned to, providing precise access control.
- Restrict Controller Access by IP:
  This will be implemented by combining two new configuration options: `ALLOWED_IPS` and `PUBLIC_ENDPOINTS`.
  - `ALLOWED_IPS`: This option will allow you to set a comma-separated list of authorized IP addresses (e.g., your office IP). Only these specified IPs will be able to access the controller's interface.
  - `PUBLIC_ENDPOINTS`: This option will define exceptions to the `ALLOWED_IPS` rule. Crucially, the `/api/units/register` endpoint will be included here.
  - This setup ensures the controller's interface is locked down to specified IPs, but a new unit from any network can still complete its initial registration. Immediately after registration, all subsequent unit traffic will be routed securely through the VPN connection, maintaining a robust security posture.
Implementation Tasks
Core Backend & Database
- Migrate Database: Move all user management and VPN configurations from SQLite to the main TimescaleDB database.
- Implement Automatic Migration: Create a script that automatically migrates old configuration files to the database upon application startup.
- Refactor VPN Container: Rework the VPN container to read from and write configurations directly to the database, completely removing the dependency on CCD files.
- Encrypt Sensitive Data: Implement AES encryption for storing 2FA keys and unit credentials in the database.
- Implement In-Memory JWT Storage: Modify token handling to store JWTs exclusively in memory, removing them from the filesystem.
- Add New Environment Variables: Implement support for `ENCRYPTION_KEY` (for data encryption) and `PLATFORM_INFO` (for platform metadata).
- Clean Up Filesystem: Remove the now-unused `tokens` and `credentials` directories.
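The issue says only "AES encryption" for 2FA keys and unit credentials, and the mode matters: an unauthenticated mode (ECB, CBC without a MAC) lets a database write alter a stored secret without detection. The following is an added Go example, not the controller's code, of storing such a secret with AES-256-GCM under the `ENCRYPTION_KEY` variable. It assumes the variable holds 64 hex characters (a random 32-byte key); the function names, the storage format `base64(nonce || ciphertext || tag)` and the use of a per-row context string as associated data are this example's choices, and the key and TOTP secret in `main` are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// loadKey decodes ENCRYPTION_KEY. This example assumes the variable holds
// 64 hex characters, i.e. a random 32-byte AES-256 key such as the output of
// `openssl rand -hex 32`; a human-chosen passphrase would need a KDF instead.
func loadKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("ENCRYPTION_KEY is not hex: %w", err)
	}
	if len(key) != 32 {
		return nil, errors.New("ENCRYPTION_KEY must decode to 32 bytes")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret seals a 2FA secret or unit credential with AES-256-GCM under
// a fresh random nonce and returns base64(nonce || ciphertext || tag), which
// fits a text column. The context string (for instance the row's username or
// unit ID) is bound as associated data, so a ciphertext copied into another
// row no longer decrypts. A fresh nonce per call is essential: a repeated
// nonce under the same GCM key breaks both confidentiality and integrity.
func encryptSecret(key, plaintext []byte, context string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(context))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptSecret reverses encryptSecret; any bit flip in nonce, ciphertext,
// tag or context makes gcm.Open fail instead of returning garbage.
func decryptSecret(key []byte, stored, context string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(context))
}

func main() {
	// Constructed key and TOTP secret for the demonstration only; in the
	// controller the key would come from the ENCRYPTION_KEY environment variable.
	key, err := loadKey("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
	if err != nil {
		panic(err)
	}
	stored, _ := encryptSecret(key, []byte("JBSWY3DPEHPK3PXP"), "user:alice")
	fmt.Println("stored:", stored)
	pt, err := decryptSecret(key, stored, "user:alice")
	fmt.Println("decrypted:", string(pt), err)
	_, err = decryptSecret(key, stored, "user:bob")
	fmt.Println("wrong context:", err)
}
```

Because the key lives in an environment variable, the migration script that moves secrets out of SQLite and the VPN container that reads credentials both need the same `ENCRYPTION_KEY`; losing it makes every stored 2FA key and unit credential unrecoverable, so it belongs in the same backup set as the database.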
Networking & API
- Upgrade VPN Container: Update the VPN container to OpenVPN version 2.6.x and refresh the Alpine base image.
- Implement IP-based Access Control:
  - Add the `ALLOWED_IPS` configuration option (as a comma-separated list) to restrict access to the controller.
  - Add the `PUBLIC_ENDPOINTS` option to exempt essential endpoints (e.g., `/register`, `/api/ingest`) from the `ALLOWED_IPS` rule.
- Support Multiple Listen Addresses: Modify the `LISTEN_ADDRESS` variable to accept a comma-separated list of addresses.
- Develop Unit Group Management API: Create GET, POST, PUT, and DELETE endpoints for managing unit groups.
- Create Platform Endpoint: Add a `/platform` endpoint to expose NS8 information for consumption by the UI.
- Create Health Check Endpoint: Add an `/auth` endpoint to serve as a health check for process managers like Podman.
- Enhance Register Endpoint: Add `vpn_address` and `api_port` to the response payload of the `/register` endpoint.
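The unit-group objective only holds if the API enforces it, not just the UI that hides units. The following added Go example (not the controller's code) shows the server-side check behind the unit listing and a per-unit endpoint: `groupStore` with its two maps is this example's assumption about the data model, the request context key standing in for an upstream authentication middleware is assumed, and the groups, users and unit IDs in `main` are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// groupStore is an in-memory stand-in for the unit-group tables the issue
// moves into TimescaleDB; the two maps and their names are this example's
// assumption about the data model (group -> units, user -> groups).
type groupStore struct {
	groupUnits map[string][]string
	userGroups map[string][]string
}

// visibleUnits returns, sorted, the union of the units in every group the
// user belongs to. A user with no groups sees nothing.
func (s *groupStore) visibleUnits(user string) []string {
	seen := map[string]bool{}
	for _, g := range s.userGroups[user] {
		for _, u := range s.groupUnits[g] {
			seen[u] = true
		}
	}
	out := make([]string, 0, len(seen))
	for u := range seen {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// canAccess is the per-unit check every unit-scoped handler must run.
func (s *groupStore) canAccess(user, unit string) bool {
	for _, u := range s.visibleUnits(user) {
		if u == unit {
			return true
		}
	}
	return false
}

// userKey carries the authenticated username that an upstream authentication
// middleware (assumed here, not shown) stores in the request context.
type userKey struct{}

func withUser(r *http.Request, user string) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), userKey{}, user))
}

// unitsHandler serves GET /api/units (the filtered list) and
// GET /api/units/{id}. A unit outside the caller's groups answers 404, not
// 403, so the response does not confirm that the unit exists at all.
func unitsHandler(s *groupStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, _ := r.Context().Value(userKey{}).(string)
		if user == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		unit := strings.Trim(strings.TrimPrefix(r.URL.Path, "/api/units"), "/")
		w.Header().Set("Content-Type", "application/json")
		if unit == "" {
			json.NewEncoder(w).Encode(s.visibleUnits(user))
			return
		}
		if !s.canAccess(user, unit) {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"id": unit})
	})
}

func main() {
	// Constructed data: the "Rome Office Firewalls" group from the issue plus one more.
	s := &groupStore{
		groupUnits: map[string][]string{
			"Rome Office Firewalls":  {"fw-rome-1", "fw-rome-2"},
			"Milan Office Firewalls": {"fw-milan-1"},
		},
		userGroups: map[string][]string{
			"alice": {"Rome Office Firewalls"},
			"bob":   {"Rome Office Firewalls", "Milan Office Firewalls"},
		},
	}
	fmt.Println("alice sees:", s.visibleUnits("alice"))
	fmt.Println("bob sees:  ", s.visibleUnits("bob"))
	fmt.Println("alice -> fw-milan-1:", s.canAccess("alice", "fw-milan-1"))
	_ = unitsHandler(s) // mount under /api/units/ behind the authentication middleware
}
```

The same `canAccess` check has to guard every other unit-scoped route (configuration, logs, the PUT and DELETE of the group API itself), and the group management endpoints need their own rule for who may edit group membership, since a user who can add units to their own group can grant themselves access to any unit.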
Breaking Changes & Dependent Tasks
- Controller UI Task: The UI needs to be updated to:
  - display the information retrieved from the new `/platform` endpoint
  - manage admin users with group association
  - manage unit groups
- NS8 Module Task: The new configuration options (`ALLOWED_IPS`, `PUBLIC_ENDPOINTS`, etc.) must be integrated into the NS8 module.
Project status: Testing