forked from Velocidex/velociraptor
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocs.go
71 lines (48 loc) · 2.45 KB
/
docs.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
package api
/*
# How does the Velociraptor server work?
The Velociraptor server presents a GRPC API for manipulating and
presenting data. We chose gRPC because:
1. It has mutual two way authentication - the server presents a
certificate to identify itself and the caller must also present a
properly signed certificate.
2. Communication is encrypted using TLS
3. Each RPC call can include a complex well defined API with protocol
buffers as inputs and outputs.
4. GRPC has a streaming mode which is useful for real time
communications (e.g. via the Query API point).
The server's API surface is well defined in api/proto/api.proto and
implemented in this "api" module.
By tightening down the server api surface it is easier to ensure that
ACLs are properly enforced.
## ACLs and permissions
The API endpoints enforce the permission model based on the identity
of the caller. In the gRPC API the caller's identity is found by
examining the Common Name in the certificate that the user presented.
The user identity is recovered using the users service
users.GetUserFromContext(ctx)
## How is the GUI implemented?
The GUI is a simple react app which communicates with the server using
AJAX calls, such as GET or POST. As such the GUI can not make direct
gRPC calls to the API server.
To translate between REST calls to gRPC we use the grpc gateway
proxy. This proxy service exposes HTTP handlers on /api/ URLs. When a
HTTP connection occurs, the gateway proxy will bundle the data into
protocol buffers and make a proper gRPC call into the API.
The gateway's gRPC connections are made using the gateway identity
(certificates generated in GUI.gw_certificate and
GUI.gw_private_key. The real identity of the calling user is injected
in the gRPC metadata channel under the "USER" parameter.
From the API server's perspective, the user identity is:
1. If the identity is not utils.GetGatewayName() then the identity is
fetched from the caller's X509 certificates. (After verifying the
certificates are issued by the internal CA)
2. If the caller is really the Gateway, then the real identity of the
user is retrieved from the gRPC metadata "USER" variable (passed in
the context)
This logic is implemented in services/users/grpc.go:GetGRPCUserInfo()
NOTE: The gateway's certificates are critical to protect - if an actor
makes an API connection using these certificate they can just claim
to be anyone by injecting any username into the "USER" gRPC
metadata.
*/