Add Bearer authentication to /metrics endpoint

Adjust the Grafana examples to include the client error metric and add a variable to select the instance

Author: Jannled

.dockerignore

@@ -21,6 +21,7 @@ conf/
 log_merging_config.json
 dockerComposeMPI.yml
 *.csv
+reversim-conf
 
 # Debugpy logs, WinMerge Backups etc.
 *.log
@@ -29,6 +30,11 @@ dockerComposeMPI.yml
 # Ignore statistics folder
 statistics/
 
+# Hide deployment storage
+tmp/
+secrets/
+
+
 # Maybe ignore unnecessary code	
 # app/statistics
 # app/tests

.gitignore

@@ -21,7 +21,6 @@ __pycache__/
 env/
 venv/
 .venv/
-tmp/
 
 # --- Debugpy logs, WinMerge Backups etc.
 *.log
@@ -44,3 +43,7 @@ reversim-conf
 
 # --- Generated level thumbnails
 doc/levels
+
+# --- Don't push instance relevant configuration
+tmp/
+secrets/

.vscode/settings.json

@@ -143,6 +143,7 @@
 		"hreserver",
 		"hrestudy",
 		"htmlsafe",
+		"httpauth",
 		"iframe",
 		"imgdata",
 		"imgstring",

Dockerfile

@@ -18,7 +18,7 @@ ARG PROMETHEUS_MULTIPROC_DIR="/tmp/prometheus_multiproc"
 MAINTAINER Max Planck Institute for Security and Privacy
 LABEL org.opencontainers.image.authors="Max Planck Institute for Security and Privacy"
 # NOTE Also change the version in config.py
-LABEL org.opencontainers.image.version="2.1.0"
+LABEL org.opencontainers.image.version="2.1.1"
 LABEL org.opencontainers.image.licenses="AGPL-3.0-only"
 LABEL org.opencontainers.image.description="Ready to deploy Docker container to use ReverSim for research. ReverSim is an open-source environment for the browser, originally developed at the Max Planck Institute for Security and Privacy (MPI-SP) to study human aspects in hardware reverse engineering."
 LABEL org.opencontainers.image.source="https://github.com/emsec/ReverSim"
@@ -62,6 +62,7 @@ ENV PROMETHEUS_MULTIPROC_DIR=${PROMETHEUS_MULTIPROC_DIR}
 # Create empty statistics folders
 WORKDIR /usr/var/reversim-instance/statistics/LogFiles
 WORKDIR /usr/var/reversim-instance/statistics/canvasPics
+WORKDIR /usr/var/reversim-instance/secrets
 WORKDIR /usr/src/hregame
 
 # Specify mount points for the statistics folder, levels, researchInfo & disclaimer

app/authentication.py

@@ -0,0 +1,45 @@
+import logging
+import os
+import secrets
+
+from flask_httpauth import HTTPTokenAuth  # type: ignore
+
+from app.config import BEARER_TOKEN_BYTES
+from app.model.ApiKey import ApiKey
+from app.storage.database import db
+from app.utilsGame import safe_join
+
+auth = HTTPTokenAuth(scheme='Bearer')
+
+USER_METRICS = 'api_metrics'
+
+@auth.verify_token # type: ignore
+def verifyToken(token: str) -> ApiKey|None:
+	"""Check if this token exists. If yes return the user object, otherwise return `None`
+
+	https://flask-httpauth.readthedocs.io/en/latest/#flask_httpauth.HTTPTokenAuth.verify_token
+	"""
+
+	return db.session.query(ApiKey).filter_by(token=token).first()
+
+
+def populate_data(instance_path: str):
+	if ApiKey.query.count() < 1:
+		apiKey = ApiKey(secrets.token_urlsafe(BEARER_TOKEN_BYTES), USER_METRICS)
+		db.session.add(apiKey)
+		db.session.commit()
+
+	defaultToken = db.session.query(ApiKey).where(ApiKey.user == USER_METRICS).first()
+	if defaultToken is not None:
+		
+		# Try to write the bearer secret to a file so other containers can use it
+		try:
+			folder = safe_join(instance_path, 'secrets')
+			os.makedirs(folder, exist_ok=True)
+			with open(safe_join(folder, 'bearer_api.txt'), encoding='UTF-8', mode='wt') as f:
+				f.write(defaultToken.token)
+
+		except Exception as e:
+			# When the file can't be created print the bearer to stdout
+			logging.error('Could not write bearer token to file: ' + str(e))
+			logging.info('Bearer token for /metrics endpoint: ' + defaultToken.token)

app/config.py

@@ -16,14 +16,17 @@
 
 # CONFIG Current Log File Version. 
 # NOTE Also change this in the Dockerfile
-LOGFILE_VERSION = "2.1.0" # Major.Milestone.Subversion
+LOGFILE_VERSION = "2.1.1" # Major.Milestone.Subversion
 
 PSEUDONYM_LENGTH = 32
 LEVEL_ENCODING = 'UTF-8' # was Windows-1252
 TIME_DRIFT_THRESHOLD = 200 # ms
 STALE_LOGFILE_TIME = 48 * 60 * 60 # close logfiles after 48h
 MAX_ERROR_LOGS_PER_PLAYER = 25
 
+# The bearer token for the /metrics endpoint
+BEARER_TOKEN_BYTES = 32
+
 # Number of seconds, after which the player is considered disconnected. A "Back Online"
 # message will be printed to the log, if the player connects afterwards. Also used for the
 # Prometheus Online Player Count metric

app/model/ApiKey.py

@@ -0,0 +1,16 @@
+from datetime import datetime, timezone
+from sqlalchemy import DateTime, String
+from sqlalchemy.orm import Mapped, mapped_column
+
+from app.storage.database import db
+
+
+class ApiKey(db.Model):
+	token: Mapped[str] = mapped_column(primary_key=True)
+	user: Mapped[str] = mapped_column(String(64))
+	created: Mapped[datetime] = mapped_column(DateTime)
+
+	def __init__(self, token: str, user: str) -> None:
+		self.token = token
+		self.user = user
+		self.created = datetime.now(timezone.utc)

app/prometheusMetrics.py

@@ -1,6 +1,7 @@
 import logging
 from threading import Thread
 import time
+from typing import Any
 from flask import Flask
 
 # Prometheus Metrics
@@ -14,27 +15,29 @@
 
 class ServerMetrics:
 	@staticmethod
-	def __prometheusFactory():
+	def __prometheusFactory(auth_provider: Any):
 		EXCLUDED_PATHS = ["/?res\\/.*", "/?src\\/.*", "/?doc\\/.*"]
 
 		# Try to use the uWSGI exporter. This will fail, if uWSGI is not installed
 		try:
 			metrics = UWsgiPrometheusMetrics.for_app_factory( # type: ignore
-				excluded_paths=EXCLUDED_PATHS
+				excluded_paths=EXCLUDED_PATHS,
+				metrics_decorator=auth_provider
 			)
 
 		# Use the regular Prometheus exporter
 		except Exception as e:
 			logging.error(e)
 
 			metrics = PrometheusMetrics.for_app_factory( # type: ignore
-				excluded_paths=EXCLUDED_PATHS
+				excluded_paths=EXCLUDED_PATHS,
+				metrics_decorator=auth_provider
 			)
 
 		logging.info(f'Using {type(metrics).__name__} as the Prometheus exporter')
 		return metrics
 
-	metrics = __prometheusFactory()
+	metrics: PrometheusMetrics|UWsgiPrometheusMetrics|None = None
 
 	# ReverSim Prometheus Metrics
 	#met_openLogs = Gauge("reversim_logfile_count", "The number of open logfiles") # type: ignore
@@ -47,8 +50,9 @@ def __prometheusFactory():
 	met_clientErrors: Gauge|None = None
 
 	@classmethod
-	def createPrometheus(cls, app: Flask):
+	def createPrometheus(cls, app: Flask, auth_provider: Any):
 		"""Init Prometheus"""
+		cls.metrics = cls.__prometheusFactory(auth_provider)
 		cls.metrics.init_app(app) # type: ignore
 		cls.metrics.info('app_info', 'Application info', version=gameConfig.LOGFILE_VERSION) # type: ignore
 

docker-compose-build.yml

@@ -10,16 +10,15 @@ volumes:
   # docker volume create reversim_playerdata
   playerdata:
     name: reversim_playerdata
-    external: true
-  
-  # Holds Flask, uWSGI and the game-config and all assets that are needed by the game
-  gameConfig:
+    #external: true
 
   # If enabled in reversim_uwsgi.ini, uWSGI will log the server logs into text files
   # instead of stdout. This way you do not loose the logs when you restart 
   # the Docker container
   #uwsgi_logs:
 
+  metric_secret:
+
 # All containers that belong to this compose file
 services:
   # the container will be named reversim_game when launched
@@ -35,7 +34,7 @@ services:
     # mount your volumes here
     volumes:
       - playerdata:/usr/var/reversim-instance/statistics
-      - gameConfig:/usr/var/reversim-instance/conf:ro
+      - metric_secret:/usr/var/reversim-instance/secrets
       #- uwsgi_logs:/var/log/uwsgi
 
     # add resource limits. You may want to tweak this for your deployment
@@ -82,6 +81,8 @@ services:
         uid: "65534"
     profiles:
       - grafana
+    volumes:
+      - metric_secret:/etc/reversim/secrets:ro
     #entrypoint: ["ls", "-lan", "/etc/prometheus"]
 
   grafana:
@@ -108,9 +109,10 @@ configs:
         evaluation_interval: 15s # Evaluate rules every 15 seconds.
 
       scrape_configs:
-        - job_name: 'prometheus'
+        - job_name: 'reversim'
           static_configs:
             - targets: ['game:8000']
+          bearer_token_file: '/etc/reversim/secrets/bearer_api.txt'
 
   grafana_datasources.yml:
     content: |

docker-compose.yml

@@ -34,7 +34,6 @@ services:
     # mount your volumes here
     volumes:
       - playerdata:/usr/var/reversim-instance/statistics
-      - gameConfig:/usr/var/reversim-instance/conf:ro
       #- uwsgi_logs:/var/log/uwsgi
 
     # add resource limits. You may want to tweak this for your deployment