From: Tom Hughes Date: Mon, 25 Oct 2021 17:45:18 +0000 (+0100) Subject: Add TOTP token enforcement to overpass X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/f351c6a2475050bcadfce28bdbe303eda9654059?ds=sidebyside Add TOTP token enforcement to overpass --- diff --git a/cookbooks/overpass/recipes/default.rb b/cookbooks/overpass/recipes/default.rb index 72b6550a0..4ec94b895 100644 --- a/cookbooks/overpass/recipes/default.rb +++ b/cookbooks/overpass/recipes/default.rb @@ -23,6 +23,7 @@ include_recipe "apache" username = "overpass" basedir = data_bag_item("accounts", username)["home"] +web_passwords = data_bag_item("web", "passwords") %w[bin site diffs db src].each do |dirname| directory "#{basedir}/#{dirname}" do @@ -71,6 +72,22 @@ end ## Setup Apache +gem_package "rotp" + +directory "#{basedir}/apache" do + owner "root" + group "root" + mode "755" +end + +template "#{basedir}/apache/totp-filter" do + source "totp-filter.erb" + owner "root" + group "root" + mode "755" + variables :totp_key => web_passwords["totp_key"] +end + ssl_certificate node[:fqdn] do domains [node[:fqdn], node[:overpass][:fqdn]] @@ -79,6 +96,7 @@ end apache_module "cgi" apache_module "headers" +apache_module "rewrite" apache_site "default" do action :disable diff --git a/cookbooks/overpass/templates/default/apache.erb b/cookbooks/overpass/templates/default/apache.erb index fbf82cf04..fea5133fe 100644 --- a/cookbooks/overpass/templates/default/apache.erb +++ b/cookbooks/overpass/templates/default/apache.erb @@ -29,6 +29,10 @@ DocumentRoot <%= @directory %> + RewriteMap totp prg:/srv/query.openstreetmap.org/apache/totp-filter + RewriteCond "${totp:%{HTTP_COOKIE}}" "0" + RewriteRule ^.*$ - [F,L] + <% if node[:overpass][:restricted_api] -%> ScriptAlias /query-features <%= @script_directory %>/interpreter SetEnvIf Origin "http.*(osm.org|openstreetmap.org).*" AccessControlAllowOrigin=$0 
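Review bot: The `template "#{basedir}/apache/totp-filter"` resource renders the shared TOTP secret from `web_passwords["totp_key"]` into a file created with `mode "755"`, so every local account on the host can read the key and mint valid tokens. A `RewriteMap prg:` program is launched by the parent httpd at startup (as root unless a user:group is given on the RewriteMap line, as I read the mod_rewrite docs), so the file only needs to be executable by that one identity; `mode "700"` with the existing `owner "root"`, or `"750"` with the group the map runs as, keeps the secret out of the world-readable set. Marking the resource `sensitive true` would additionally keep the rendered key out of chef-client's diff output.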
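Review bot: `RewriteCond "${totp:%{HTTP_COOKIE}}" "0"` fails open: the rule forbids only when the map program prints `0`, and a lookup against a map program that has exited or never started yields the empty default, which does not match `0`, so the request is served with no token check at all. Invert the test so that only an explicit `1` passes, e.g. `RewriteCond "${totp:%{HTTP_COOKIE}|0}" "!^1$"`, which turns any failure of the helper into a 403 rather than an open door. The map path `/srv/query.openstreetmap.org/apache/totp-filter` is also hard-coded here while the recipe writes the script under `#{basedir}/apache/totp-filter` taken from the accounts data bag; passing the path in as a template variable keeps the two from drifting apart. The enclosing VirtualHost block starts and ends outside the hunk.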
diff --git a/cookbooks/overpass/templates/default/totp-filter.erb b/cookbooks/overpass/templates/default/totp-filter.erb
new file mode 100644
index 000000000..9fbe790a1
--- /dev/null
+++ b/cookbooks/overpass/templates/default/totp-filter.erb
@@ -0,0 +1,18 @@
+#!/usr/bin/ruby
+
+requrie "cgi"
+require "rotp"
+
+totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)
+
+STDIN.each_line do |header|
+ cookies = CGI::Cookie.parse(header)
+
+ if totp.verify(cookies["_osm_totp_token"], :drift_behind => 43200, :drift_ahead => 3600)
+ puts "1"
+ else
+ puts "0"
+ end
+end
+
+exit 0
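Review bot: `requrie "cgi"` is a typo, so the map program dies with NoMethodError on startup and, with the RewriteCond in apache.erb matching only an explicit `0`, every request goes through unchecked rather than being refused. The loop has three further problems: RewriteMap prg programs must write unbuffered output or Apache blocks waiting for the answer, so set `STDOUT.sync = true`; the key Apache sends ends in a newline that `CGI::Cookie.parse` leaves attached to the last cookie's value, so `chomp` the line first; and `cookies["_osm_totp_token"]` is a CGI::Cookie (an Array subclass, or the `[]` hash default when the cookie is absent) rather than the String that rotp's `verify` expects, which in current rotp raises ArgumentError and kills the long-running process for all later requests. Taking the first value as a String and rescuing around `verify` confines a malformed cookie to a `0` answer instead of an outage.
```ruby
require "cgi"
require "rotp"

# RewriteMap prg: Apache reads one answer line per key; buffered output would stall the request.
STDOUT.sync = true

totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)

STDIN.each_line do |header|
  # chomp: the newline RewriteMap appends to the key would otherwise end up in the last cookie value.
  cookies = CGI::Cookie.parse(header.chomp)
  # CGI::Cookie.parse yields CGI::Cookie (Array) objects; rotp needs a plain String.
  token = Array(cookies["_osm_totp_token"]).first.to_s

  begin
    valid = totp.verify(token, :drift_behind => 43200, :drift_ahead => 3600)
  rescue StandardError
    valid = false # an uncaught exception here would kill the map program for every later request
  end

  puts(valid ? "1" : "0")
end
# … unchanged: exit 0 …
```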