Make it possible to secure the Router

This requires clients to connect using basic authentication.

Author: shs96c

java/server/src/org/openqa/selenium/grid/commands/Hub.java

@@ -20,6 +20,7 @@
 import com.google.auto.service.AutoService;
 import com.google.common.collect.ImmutableSet;
 import org.openqa.selenium.BuildInfo;
+import org.openqa.selenium.UsernameAndPassword;
 import org.openqa.selenium.cli.CliCommand;
 import org.openqa.selenium.events.EventBus;
 import org.openqa.selenium.grid.TemplateGridServerCommand;
@@ -32,6 +33,7 @@
 import org.openqa.selenium.grid.log.LoggingOptions;
 import org.openqa.selenium.grid.router.ProxyCdpIntoGrid;
 import org.openqa.selenium.grid.router.Router;
+import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.security.Secret;
 import org.openqa.selenium.grid.security.SecretOptions;
 import org.openqa.selenium.grid.server.BaseServerOptions;
@@ -180,13 +182,20 @@ protected Handlers createHandlers(Config config) {
     Routable ui = new GridUiRoute();
     Routable routerWithSpecChecks = router.with(networkOptions.getSpecComplianceChecks());
 
-    HttpHandler httpHandler = combine(
+    Routable httpHandler = combine(
       ui,
       routerWithSpecChecks,
       Route.prefix("/wd/hub").to(combine(routerWithSpecChecks)),
       Route.options("/graphql").to(() -> graphqlHandler),
-      Route.post("/graphql").to(() -> graphqlHandler),
-      Route.get("/readyz").to(() -> readinessCheck));
+      Route.post("/graphql").to(() -> graphqlHandler));
+
+    UsernameAndPassword uap = secretOptions.getServerAuthentication();
+    if (uap != null) {
+      httpHandler = httpHandler.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
+    }
+
+    // Allow the liveness endpoint to be reached, since k8s doesn't make it easy to authenticate these checks
+    httpHandler = combine(httpHandler, Route.get("/readyz").to(() -> readinessCheck));
 
     return new Handlers(httpHandler, new ProxyCdpIntoGrid(clientFactory, sessions));
   }

java/server/src/org/openqa/selenium/grid/commands/Standalone.java

@@ -20,6 +20,7 @@
 import com.google.auto.service.AutoService;
 import com.google.common.collect.ImmutableSet;
 import org.openqa.selenium.BuildInfo;
+import org.openqa.selenium.UsernameAndPassword;
 import org.openqa.selenium.cli.CliCommand;
 import org.openqa.selenium.events.EventBus;
 import org.openqa.selenium.grid.TemplateGridServerCommand;
@@ -34,6 +35,7 @@
 import org.openqa.selenium.grid.node.ProxyNodeCdp;
 import org.openqa.selenium.grid.node.config.NodeOptions;
 import org.openqa.selenium.grid.router.Router;
+import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.security.Secret;
 import org.openqa.selenium.grid.security.SecretOptions;
 import org.openqa.selenium.grid.server.BaseServerOptions;
@@ -180,13 +182,20 @@ protected Handlers createHandlers(Config config) {
 
     Routable ui = new GridUiRoute();
 
-    HttpHandler httpHandler = combine(
+    Routable httpHandler = combine(
       ui,
       router,
       Route.prefix("/wd/hub").to(combine(router)),
       Route.options("/graphql").to(() -> graphqlHandler),
-      Route.post("/graphql").to(() -> graphqlHandler),
-      Route.get("/readyz").to(() -> readinessCheck));
+      Route.post("/graphql").to(() -> graphqlHandler));
+
+    UsernameAndPassword uap = secretOptions.getServerAuthentication();
+    if (uap != null) {
+      httpHandler = httpHandler.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
+    }
+
+    // Allow the liveness endpoint to be reached, since k8s doesn't make it easy to authenticate these checks
+    httpHandler = combine(httpHandler, Route.get("/readyz").to(() -> readinessCheck));
 
     Node node = new NodeOptions(config).getNode();
     combinedHandler.addHandler(node);

java/server/src/org/openqa/selenium/grid/router/httpd/RouterFlags.java

@@ -42,6 +42,20 @@ public class RouterFlags implements HasRoles {
   @ConfigValue(section = "network", name = "relax-checks", example = "true")
   private Boolean relaxChecks = false;
 
+  @Parameter(
+    names = "--username",
+    description = "User name clients must use to connect to the server. " +
+                  "Both this and password need to be set in order to be used.")
+  @ConfigValue(section = "router", name = "username", example = "admin")
+  private String username;
+
+  @Parameter(
+    names = "--password",
+    description = "Password clients must use to connect to the server. " +
+      "Both this and the username need to be set in order to be used.")
+  @ConfigValue(section = "router", name = "password", example = "hunter2")
+  private String password;
+
   @Override
   public Set<Role> getRoles() {
     return Collections.singleton(ROUTER_ROLE);

java/server/src/org/openqa/selenium/grid/router/httpd/RouterServer.java

@@ -20,8 +20,8 @@
 import com.google.auto.service.AutoService;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-
 import org.openqa.selenium.BuildInfo;
+import org.openqa.selenium.UsernameAndPassword;
 import org.openqa.selenium.cli.CliCommand;
 import org.openqa.selenium.grid.TemplateGridServerCommand;
 import org.openqa.selenium.grid.config.Config;
@@ -34,6 +34,7 @@
 import org.openqa.selenium.grid.log.LoggingOptions;
 import org.openqa.selenium.grid.router.ProxyCdpIntoGrid;
 import org.openqa.selenium.grid.router.Router;
+import org.openqa.selenium.grid.security.BasicAuthenticationFilter;
 import org.openqa.selenium.grid.security.Secret;
 import org.openqa.selenium.grid.security.SecretOptions;
 import org.openqa.selenium.grid.server.BaseServerOptions;
@@ -47,6 +48,7 @@
 import org.openqa.selenium.grid.web.GridUiRoute;
 import org.openqa.selenium.internal.Require;
 import org.openqa.selenium.remote.http.HttpClient;
+import org.openqa.selenium.remote.http.HttpHandler;
 import org.openqa.selenium.remote.http.HttpResponse;
 import org.openqa.selenium.remote.http.Routable;
 import org.openqa.selenium.remote.http.Route;
@@ -148,15 +150,25 @@ protected Handlers createHandlers(Config config) {
     Routable routerWithSpecChecks = new Router(tracer, clientFactory, sessions, queue, distributor)
       .with(networkOptions.getSpecComplianceChecks());
 
-    Route handler = Route.combine(
+    Routable route = Route.combine(
       ui,
       routerWithSpecChecks,
       Route.prefix("/wd/hub").to(combine(routerWithSpecChecks)),
       Route.options("/graphql").to(() -> graphqlHandler),
-      Route.post("/graphql").to(() -> graphqlHandler),
+      Route.post("/graphql").to(() -> graphqlHandler));
+
+    UsernameAndPassword uap = secretOptions.getServerAuthentication();
+    if (uap != null) {
+      LOG.info("Requiring authentication to connect");
+      route = route.with(new BasicAuthenticationFilter(uap.username(), uap.password()));
+    }
+
+    // Since k8s doesn't make it easy to do an authenticated liveness probe, allow unauthenticated access to it.
+    Routable routeWithLiveness = Route.combine(
+      route,
       get("/readyz").to(() -> req -> new HttpResponse().setStatus(HTTP_NO_CONTENT)));
 
-    return new Handlers(handler, new ProxyCdpIntoGrid(clientFactory, sessions));
+    return new Handlers(routeWithLiveness, new ProxyCdpIntoGrid(clientFactory, sessions));
   }
 
   @Override

java/server/src/org/openqa/selenium/grid/security/SecretOptions.java

@@ -19,16 +19,20 @@
 
 import static java.util.Base64.getEncoder;
 
+import org.openqa.selenium.Credentials;
+import org.openqa.selenium.UsernameAndPassword;
 import org.openqa.selenium.grid.config.Config;
 import org.openqa.selenium.grid.config.ConfigException;
 
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.Arrays;
+import java.util.Optional;
 
 public class SecretOptions {
 
+  private static final String ROUTER_SECTION = "router";
   private static final String SERVER_SECTION = "server";
 
   private final Config config;
@@ -54,6 +58,20 @@ public Secret getRegistrationSecret() {
       .map(Secret::new).orElse(new Secret(secret));
   }
 
+  public UsernameAndPassword getServerAuthentication() {
+    Optional<String> username = config.get(ROUTER_SECTION, "username");
+    Optional<String> password = config.get(ROUTER_SECTION, "password");
+
+    System.out.println(username);
+    System.out.println(password);
+
+    if (!username.isPresent() || !password.isPresent()) {
+      return null;
+    }
+
+    return new UsernameAndPassword(username.get(), password.get());
+  }
+
   private boolean isSecure() {
     return config.get(SERVER_SECTION, "https-private-key").isPresent()
            && config.get(SERVER_SECTION, "https-certificate").isPresent();