Disable snapshot read endpoints by-default, require a per-interface opt-in to enable new OperatorFeature (#7440)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>

Author: 3 people

CHANGELOG.md

@@ -33,6 +33,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - CheckQuorum now requires a quorum in every configuration (#7375)
 
+### Changed
+
+- The snapshot-serving endpoints required for `fetch_recent_snapshot` behaviour are now disabled-by-default to avoid public DoS requests. They should be enabled on a per-interface basis by adding `"enabled_operator_features": ["SnapshotRead"]` to the interface's configuration, on an interface with local visibility used for node-to-node join requests.
+
 ## [7.0.0-dev4]
 
 [7.0.0-dev4]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.0-dev4

doc/host_config_schema/cchost_config.json

@@ -134,6 +134,14 @@
                   }
                 },
                 "additionalProperties": false
+              },
+              "enabled_operator_features": {
+                "type": "array",
+                "items": {
+                  "enum": ["SnapshotRead"],
+                  "type": "string"
+                },
+                "description": "An array of features which should be enabled on this interface, providing access to endpoints with specific security or performance constraints. The only feature currently supported is 'SnapshotRead', which gates access to the /snapshot/* endpoints used to fetch snapshots directly from nodes. Since these require disk IO and produce large responses, this feature should not be enabled on interfaces with public access, and instead restricted to interfaces with local connectivity for node-to-node and operator access."
               }
             },
             "required": ["bind_address"]

doc/schemas/node_openapi.json

@@ -526,6 +526,9 @@
           "bind_address": {
             "$ref": "#/components/schemas/string"
           },
+          "enabled_operator_features": {
+            "$ref": "#/components/schemas/OperatorFeature_set"
+          },
           "endorsement": {
             "$ref": "#/components/schemas/Endorsement"
           },
@@ -586,6 +589,18 @@
         ],
         "type": "string"
       },
+      "OperatorFeature": {
+        "enum": [
+          "SnapshotRead"
+        ],
+        "type": "string"
+      },
+      "OperatorFeature_set": {
+        "items": {
+          "$ref": "#/components/schemas/OperatorFeature"
+        },
+        "type": "array"
+      },
       "ParserConfiguration": {
         "properties": {
           "initial_window_size": {

include/ccf/endpoint.h

@@ -8,6 +8,7 @@
 #include "ccf/http_consts.h"
 #include "ccf/rest_verb.h"
 #include "ccf/service/map.h"
+#include "ccf/service/operator_feature.h"
 
 #include <string>
 #include <utility>
@@ -232,6 +233,8 @@ namespace ccf::endpoints
      * @see ccf::any_cert_auth_policy
      */
     AuthnPolicies authn_policies;
+
+    std::set<OperatorFeature> required_operator_features;
   };
 
   using EndpointDefinitionPtr = std::shared_ptr<const EndpointDefinition>;
@@ -312,6 +315,14 @@ namespace ccf::endpoints
      */
     Endpoint& set_openapi_hidden(bool hidden);
 
+    /** Add an opt-in feature which this endpoint uses. The endpoint will only
+     * be available on interfaces which have opted in to enabling all required
+     * features.
+     *
+     * @return This Endpoint for further modification
+     */
+    Endpoint& require_operator_feature(OperatorFeature feature);
+
     /** Sets the JSON schema that the request parameters must comply with.
      *
      * @param j Request parameters JSON schema

include/ccf/service/node_info_network.h

@@ -6,6 +6,7 @@
 #include "ccf/ds/json.h"
 #include "ccf/ds/nonstd.h"
 #include "ccf/http_configuration.h"
+#include "ccf/service/operator_feature.h"
 
 #include <string>
 
@@ -109,6 +110,11 @@ namespace ccf
       /// Timeout for forwarded RPC calls (in milliseconds)
       std::optional<size_t> forwarding_timeout_ms = std::nullopt;
 
+      /// Features enabled for this interface. Any endpoint with required
+      /// features will be inaccessible (on this interface) if this does not
+      /// contain those features.
+      std::set<ccf::endpoints::OperatorFeature> enabled_operator_features;
+
       struct Redirections
       {
         RedirectionResolverConfig to_primary;
@@ -130,6 +136,7 @@ namespace ccf
           http_configuration == other.http_configuration &&
           accepted_endpoints == other.accepted_endpoints &&
           forwarding_timeout_ms == other.forwarding_timeout_ms &&
+          enabled_operator_features == other.enabled_operator_features &&
           redirections == other.redirections;
       }
     };
@@ -165,6 +172,7 @@ namespace ccf
     http_configuration,
     accepted_endpoints,
     forwarding_timeout_ms,
+    enabled_operator_features,
     redirections);
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(NodeInfoNetwork_v2);
   DECLARE_JSON_REQUIRED_FIELDS(

include/ccf/service/operator_feature.h

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+#pragma once
+
+#include "ccf/ds/json.h"
+
+namespace ccf::endpoints
+{
+  enum class OperatorFeature : uint8_t
+  {
+    SnapshotRead,
+  };
+
+  DECLARE_JSON_ENUM(
+    OperatorFeature,
+    {
+      {OperatorFeature::SnapshotRead, "SnapshotRead"},
+    });
+}

src/ds/pending_io.h

@@ -79,7 +79,9 @@ struct PendingIO
    */
   static void clear_empty(std::vector<PendingIO<T>>& list)
   {
-    std::remove_if(
-      list.begin(), list.end(), [](PendingIO<T>& p) { return p.clear; });
+    list.erase(
+      std::remove_if(
+        list.begin(), list.end(), [](PendingIO<T>& p) { return p.clear; }),
+      list.end());
   }
 };

src/endpoints/endpoint.cpp

@@ -13,6 +13,12 @@ namespace ccf::endpoints
     return *this;
   }
 
+  Endpoint& Endpoint::require_operator_feature(OperatorFeature feature)
+  {
+    required_operator_features.insert(feature);
+    return *this;
+  }
+
   Endpoint& Endpoint::set_params_schema(const nlohmann::json& j)
   {
     params_schema = j;

src/node/node_state.h

@@ -1767,6 +1767,11 @@ namespace ccf
         consensus->can_replicate());
     }
 
+    std::optional<ccf::NodeId> get_primary() override
+    {
+      return consensus->primary();
+    }
+
     bool is_in_initialised_state() const override
     {
       return sm.check(NodeStartupState::initialized);