X-PGPAUTHORIZATION based authentication was previously used for
authorizing client access to the API. This patch adds the option of
using a standard API key as well.
Note that PGP is still required for querying agents. In some cases
though, we may want to integrate other external applications that just
require API access (e.g. to review previous investigations, manage
users, etc). Using PGP for this is problematic and the ability
to instead just use a regular API key for these scenarios remediates
this.
Investigators can now be assigned a key that enables API key based
access to the MIG API. Investigators can also be created without a PGP
key, so they can solely utilize API key based access.
Resolves #239

This removes the previous implementation where an investigator could
either be set to an admin or not, and expands this to per-endpoint
permissions that can be set for individual investigators.

Adds a configuration option to the API to inform the API when it should
use the X-Forwarded-For header value as the public IP of a client. Also
does some validation of the value.
Resolves #247

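The following is an added example, not part of the commit above and not taken from the MIG source: one way an API can gate use of X-Forwarded-For behind a configuration option and validate the value before recording it as the client's public IP. The names `clientIP` and `trustXFF` are hypothetical, and it assumes a single trusted reverse proxy that appends the peer address it saw, so only the right-most entry is used.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP returns the address to record as the client's public IP.
// trustXFF is a hypothetical stand-in for the configuration option: set it
// only when the API sits behind a reverse proxy that sets X-Forwarded-For.
func clientIP(r *http.Request, trustXFF bool) string {
	// Default: the TCP peer address, which a client cannot set via headers.
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !trustXFF {
		return peer
	}
	// Assumption: one trusted proxy appends the address it saw, so the
	// right-most entry is the only one not supplied by the client.
	vals := r.Header.Values("X-Forwarded-For")
	if len(vals) == 0 {
		return peer
	}
	parts := strings.Split(vals[len(vals)-1], ",")
	cand := strings.TrimSpace(parts[len(parts)-1])
	// Validation: accept only a literal IP; anything else (hostnames,
	// injected log text, empty values) falls back to the peer address.
	ip := net.ParseIP(cand)
	if ip == nil {
		return peer
	}
	return ip.String()
}

func main() {
	// Constructed request: a client-supplied first entry, then the proxy's.
	r, _ := http.NewRequest("GET", "http://api.example/", nil)
	r.RemoteAddr = "10.0.0.5:41000"
	r.Header.Set("X-Forwarded-For", "1.2.3.4, 203.0.113.7")
	fmt.Println(clientIP(r, false)) // option off: peer address
	fmt.Println(clientIP(r, true))  // option on: proxy-appended entry
}
```

With the option enabled and no proxy in front of the API, any client can choose the address that ends up in logs, which is why the header is ignored by default here.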
Adds a request category to the log message to indicate if it is a loader
related request, or a regular investigator. Also updates auth section
for loader requests so it includes the loader name.

Checkpoint commit for initial revision of mig-loader related code. This
change adds functionality supporting agent auto-update using manifests
stored in the API.