anti
30750d294d
The swarm controller (port 8770) exposed 9 routes with zero app-layer auth, and swarmctl --tls defaulted off — anyone able to reach the port could enroll workers (minting CA-signed certs + private keys), deploy, or tear down the fleet. Two fail-closed layers: - require_operator_cert gates every operator route (enroll/deploy/ teardown/hosts/check/deckies). When mTLS is on, the peer cert's CN must be an operator identity (decnet-master/swarmctl); worker and updater@* certs are rejected. Plaintext loopback (single-host master) is accepted as the local operator — the docker.sock boundary. - swarmctl refuses to bind a routable interface without --tls, so a network-exposed plaintext control plane can never start. /heartbeat keeps its worker fingerprint pinning. Closes the two ASVS criticals (control-plane no-auth, unauthenticated cert minting).
30 lines
950 B
Python
30 lines
950 B
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""GET /swarm/hosts/{uuid} — fetch a single worker by UUID."""
|
|
from __future__ import annotations
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
|
|
from decnet.web.db.repository import BaseRepository
|
|
from decnet.web.dependencies import get_repo
|
|
from decnet.web.router.swarm._mtls import PeerCert, require_operator_cert
|
|
from decnet.web.db.models import SwarmHostView
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get(
|
|
"/hosts/{uuid}",
|
|
response_model=SwarmHostView,
|
|
tags=["Swarm Hosts"],
|
|
responses={404: {"description": "No host with this UUID is enrolled"}},
|
|
)
|
|
async def api_get_host(
|
|
uuid: str,
|
|
repo: BaseRepository = Depends(get_repo),
|
|
_operator: PeerCert = Depends(require_operator_cert),
|
|
) -> SwarmHostView:
|
|
row = await repo.get_swarm_host_by_uuid(uuid)
|
|
if row is None:
|
|
raise HTTPException(status_code=404, detail="host not found")
|
|
return SwarmHostView(**row)
|