API security improvements

[Tbaile]

Due to upcoming NIS2 regulations, several changes are needed to strengthen up the backend of NethSecurity.
Even if there are no evident security issues, the following changes are the first steps towards a more robust and bulletproof backend:

• Limit API calls to the following endpoints chore(ns-api-server): version bump #1079
  • ns-api and all calls made by us with the prefix ns-
  • uci calls with only the following subcalls: get, set, changes and revert
  • luci calls with only the following: getTimezones and setInitAction
  • system calls with: info and board
• Migrate Add SSH Keys call to a dedicated API, removing the "dangerous" file API call refactor!(ns-api): removed file calls for SSH keys #1078
• When changing user password, ask for previous one: fix(ns-api): ask for old password before changing it #1077

Most of this work has been addressed in these repos:

• nethsecurity-api in the api-restrictions branch
• nethsecurity in the nis-corrections branch
• nethsecurity-ui in the nis-corrections branch
• python3-nethsec in the check-user-old-password branch

While the work is mostly done, needs to be distilled from said branches and thoroughly tested.

[Tbaile]

24.10.0-ns.1.4.99-alpha1-4-gda2a652

QA:

• Check that you cannot change user password without filling the old one (this need to be checked even with CLI)
• Ensure that adding SSH keys and deleting them works
• Check that file generated from adding keys (/etc/dropbear/authorized_keys) has the correct permissions (600 and owned by root:root)
• Using the API, ensure no additional command can be called except the listed above and the ns. functions. For example try to call file write.

[cotosso]

1. Check that you cannot change user password without filling the old one (this need to be checked even with CLI)

Verified (UI only)
Old password is written in log, I suggest to avoid storing passwords (even old ones) in logs.

Feb 25 17:08:45 NSec8-VM nethsecurity-api[5416]: nethsecurity_api 2025/02/25 17:08:45 middleware.go:169: [INFO][AUTH] authorization success for user root. POST /api/ubus/call {"path":"ns.account","method":"set-password","payload":{"old_password":"Nethesis,5678","username":"root","password":"XXX"}}
Feb 25 17:08:46 NSec8-VM passwd: password for root changed by root

2. Ensure that adding SSH keys and deleting them works

Verified
The public key is logged during the add and delete phases, but this shouldn't represent an issue.

3. Check that file generated from adding keys (/etc/dropbear/authorized_keys) has the correct permissions (600 and owned by root:root)

Verified

root@NethSec:~# ll /etc/dropbear/authorized_keys 
-rw-------    1 root     root           400 Feb 26 18:09 /etc/dropbear/authorized_keys

[gsanchietti]

Test case 1, partially failed.
The user can't change its own password using the ns.account API if he does not provide the current password.
But he can do it by using the ns.users API:

 echo '{"name":"giacomo","description":"Giacomo Rossi","password":"Giacomo,1234","database":"main","extra":{},"id":"ns_e2afde54"}' | /usr/libexec/rpcd/ns.users call edit-local-user

Possible fix: disable UI and API access to user page for non-root users (alert: this will prevent a correct workflow for all adminsusers!)

[gsanchietti]

Test case 4 verified:

curl 'https://192.168.100.238/api/ubus/call'   -H 'Accept: application/json, text/plain, */*'   -H 'Accept-Language: en-US,en;q=0.6'   -H 'Authorization: Bearer xxx' -H 'Content-Type: application/json' --data-raw '{"path":"uci","method":"set","payload":{"config":"rpcd"}}'   --insecure
{"code":500,"data":"exit status 2","message":"ubus call action failed"}

[gsanchietti]

I'm setting the issue as verified, since behavior found in test case 1 is out of scope for this issue.