apiserver: add network configure endpoint with netdog integration

Adds POST /actions/network/configure endpoint to write network configuration
content directly to /.bottlerocket/net.toml. Includes error handling for
UTF-8 validation, directory creation, and file writing operations.

The endpoint integrates with netdog commit functionality to apply network
configuration changes.

Signed-off-by: Yutong Sun <yutongsu@amazon.com>
Signed-off-by: Kyle Sessions <kssessio@amazon.com>

Author: ytsssun

sources/api/apiclient/src/network.rs

@@ -30,64 +30,67 @@ pub async fn get_content<S>(input_source: Option<S>) -> Result<String>
 where
     S: Into<String>,
 {
-    get_content_with_reader(input_source, tokio::io::stdin()).await
+    match input_source {
+        Some(source) => get_content_from_source(source.into()).await,
+        None => get_content_with_stdin(tokio::io::stdin()).await,
+    }
 }
 
-/// Internal function that accepts a custom reader
-async fn get_content_with_reader<S, R>(input_source: Option<S>, mut reader: R) -> Result<String>
+/// Reads network configuration content from the provided reader.
+async fn get_content_with_stdin<R>(mut reader: R) -> Result<String>
 where
-    S: Into<String>,
     R: tokio::io::AsyncRead + Unpin,
 {
-    let input_source = match input_source {
-        Some(source) => source.into(),
-        // Read from provided reader when no input source is provided
-        None => {
-            let mut output = String::new();
-            reader
-                .read_to_string(&mut output)
-                .await
-                .context(error::StdinReadSnafu)?;
-            return Ok(output);
-        }
-    };
+    let mut output = String::new();
+    reader
+        .read_to_string(&mut output)
+        .await
+        .context(error::StdinReadSnafu)?;
+    Ok(output)
+}
 
+/// Retrieves network configuration content from a source URI.
+///
+/// Supports file:// and base64: URI schemes.
+async fn get_content_from_source(input_source: String) -> Result<String> {
     if let Some(base64_data) = input_source.strip_prefix("base64:") {
-        let decoded_bytes = engine::general_purpose::STANDARD
-            .decode(base64_data.as_bytes())
-            .context(error::Base64DecodeSnafu {
-                input_source: &input_source,
-            })?;
-
-        let decoded_string = String::from_utf8(decoded_bytes).context(error::Base64Utf8Snafu {
-            input_source: &input_source,
-        })?;
-
-        return Ok(decoded_string);
+        return get_content_from_base64(base64_data, &input_source);
     }
 
     let uri = Url::parse(&input_source).context(error::UriSnafu {
         input_source: &input_source,
     })?;
 
-    if uri.scheme() == "file" {
-        let path = uri.to_file_path().ok().context(error::FileUriSnafu {
-            input_source: &input_source,
-        })?;
-        tokio::fs::read_to_string(path)
-            .await
-            .context(error::FileReadSnafu { input_source })
-    } else {
-        // Only file:// and base64: schemes are supported.
-        // Expect this case to be updated when we expand the support for more schemes.
-        error::UnsupportedUriSchemeSnafu {
+    match uri.scheme() {
+        "file" => get_content_from_file(uri, &input_source).await,
+        scheme => error::UnsupportedUriSchemeSnafu {
             input_source: &input_source,
-            scheme: uri.scheme(),
+            scheme,
         }
-        .fail()
+        .fail(),
     }
 }
 
+/// Decodes and returns content from a base64-encoded string.
+fn get_content_from_base64(base64_data: &str, input_source: &str) -> Result<String> {
+    let decoded_bytes = engine::general_purpose::STANDARD
+        .decode(base64_data.as_bytes())
+        .context(error::Base64DecodeSnafu { input_source })?;
+
+    String::from_utf8(decoded_bytes).context(error::Base64Utf8Snafu { input_source })
+}
+
+/// Reads content from a file URI.
+async fn get_content_from_file(uri: Url, input_source: &str) -> Result<String> {
+    let path = uri
+        .to_file_path()
+        .ok()
+        .context(error::FileUriSnafu { input_source })?;
+    tokio::fs::read_to_string(path)
+        .await
+        .context(error::FileReadSnafu { input_source })
+}
+
 mod error {
     use snafu::Snafu;
 
@@ -162,11 +165,16 @@ mod tests {
         use std::io::Cursor;
 
         // Given network config content to simulate stdin input
-        let test_content = "version = 2\n\n[eth0]\ndhcp4 = true\nprimary = true\n";
+        let test_content = r"version = 2
+
+[eth0]
+dhcp4 = true
+primary = true
+";
         let mock_stdin = tokio::io::BufReader::new(Cursor::new(test_content.as_bytes()));
 
-        // When reading from mock stdin (None input source)
-        let result = get_content_with_reader::<String, _>(None, mock_stdin).await;
+        // When reading from mock stdin
+        let result = get_content_with_stdin(mock_stdin).await;
 
         // Then content should be read successfully
         assert!(result.is_ok());
@@ -181,7 +189,7 @@ mod tests {
         let mock_stdin = tokio::io::BufReader::new(Cursor::new(b""));
 
         // When reading from empty mock stdin
-        let result = get_content_with_reader::<String, _>(None, mock_stdin).await;
+        let result = get_content_with_stdin(mock_stdin).await;
 
         // Then should return empty string successfully
         assert!(result.is_ok());
@@ -192,13 +200,16 @@ mod tests {
     async fn test_stdin_vs_uri_behavior() {
         use std::io::Cursor;
 
-        let content = "version = 2\n\n[eth0]\ndhcp4 = true";
+        let content = r"version = 2
+
+[eth0]
+dhcp4 = true";
         let mock_stdin = tokio::io::BufReader::new(Cursor::new(content.as_bytes()));
 
-        // Test that None input reads from stdin
-        let stdin_result = get_content_with_reader::<String, _>(None, mock_stdin).await;
+        // Test that stdin reader works
+        let stdin_result = get_content_with_stdin(mock_stdin).await;
 
-        // Test that Some input ignores stdin and uses URI
+        // Test that Some input uses URI processing
         let uri_result =
             get_content(Some("base64:dmVyc2lvbiA9IDIKCltldGgwXQpkaGNwNCA9IHRydWU=")).await;
 

sources/api/apiserver/src/server/error.rs

@@ -220,6 +220,18 @@ pub enum Error {
 
     // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
+    // Network configuration errors
+    #[snafu(display("Network configuration content is not valid UTF-8"))]
+    NetworkConfigContent { source: std::string::FromUtf8Error },
+
+    #[snafu(display("Failed to validate network configuration: {}", source))]
+    NetworkConfigValidation { source: std::io::Error },
+
+    #[snafu(display("Invalid network configuration: {}", stderr))]
+    NetworkConfigInvalid { stderr: String },
+
+    // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
     // Update related errors
     #[snafu(display("Unable to start the update dispatcher: {} ", source))]
     UpdateDispatcher { source: io::Error },

sources/api/apiserver/src/server/mod.rs

@@ -14,7 +14,7 @@ use actix_web::{
 use datastore::{serialize_scalar, Committed, FilesystemDataStore, Key, KeyType, Value};
 use error::Result;
 use http::StatusCode;
-use log::info;
+use log::{debug, info};
 use model::ephemeral_storage::{Bind, Init};
 use model::generator::{RawSettingsGenerator, Strength};
 use model::{ConfigurationFiles, Model, Report, Services, Settings};
@@ -24,6 +24,7 @@ use snafu::{ensure, OptionExt, ResultExt};
 use std::collections::{HashMap, HashSet};
 use std::env;
 use std::fs::{set_permissions, File, Permissions};
+use std::io::Write;
 use std::os::unix::fs::PermissionsExt;
 use std::os::unix::process::ExitStatusExt;
 use std::path::{Path, PathBuf};
@@ -36,7 +37,7 @@ use tokio::process::Command as AsyncCommand;
 const BLOODHOUND_BIN: &str = "/usr/bin/bloodhound";
 const BLOODHOUND_K8S_CHECKS: &str = "/usr/libexec/cis-checks/kubernetes";
 const BLOODHOUND_FIPS_CHECKS: &str = "/usr/libexec/fips-checks/bottlerocket";
-
+const NETDOG_BIN: &str = "/usr/bin/netdog";
 // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
 // sd_notify helper
@@ -137,6 +138,7 @@ where
                     .route("/prepare-update", web::post().to(prepare_update))
                     .route("/activate-update", web::post().to(activate_update))
                     .route("/deactivate-update", web::post().to(deactivate_update))
+                    .route("/network/configure", web::post().to(configure_network))
                     .route(
                         "/ephemeral-storage/init",
                         web::post().to(initialize_ephemeral_storage),
@@ -687,6 +689,43 @@ async fn reboot() -> Result<HttpResponse> {
     Ok(HttpResponse::NoContent().finish())
 }
 
+/// Configures network settings by invoking netdog commit.
+/// The configuration will be applied at next boot - a reboot is required for changes to take effect.
+async fn configure_network(body: web::Bytes) -> Result<HttpResponse> {
+    debug!("Configuring network settings");
+
+    // Convert the body bytes to a UTF-8 string
+    let content = String::from_utf8(body.to_vec()).context(error::NetworkConfigContentSnafu)?;
+
+    info!("Invoking netdog commit to validate and write network configuration");
+
+    // Validate and write net.toml using netdog commit
+    let validation_result = std::process::Command::new(NETDOG_BIN)
+        .arg("commit")
+        .stdin(std::process::Stdio::piped())
+        .stdout(std::process::Stdio::piped())
+        .stderr(std::process::Stdio::piped())
+        .spawn()
+        .and_then(|mut child| {
+            if let Some(stdin) = child.stdin.as_mut() {
+                stdin.write_all(content.as_bytes())?;
+            }
+            child.wait_with_output()
+        })
+        .context(error::NetworkConfigValidationSnafu)?;
+
+    if !validation_result.status.success() {
+        let stderr = String::from_utf8_lossy(&validation_result.stderr);
+        error!(
+            "netdog commit failed: network configuration validation failed: {}",
+            stderr
+        );
+        return error::NetworkConfigInvalidSnafu { stderr }.fail();
+    }
+
+    Ok(HttpResponse::NoContent().finish())
+}
+
 /// Gets the set of report types supported by this host.
 async fn list_reports() -> Result<ReportListResponse> {
     // Add each report to list response when adding a new handler
@@ -965,6 +1004,9 @@ impl ResponseError for error::Error {
             InvalidPrefix { .. } => StatusCode::BAD_REQUEST,
             DeserializeJson { .. } => StatusCode::BAD_REQUEST,
             InvalidKeyPair { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigContent { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigValidation { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigInvalid { .. } => StatusCode::BAD_REQUEST,
 
             // 404 Not Found
             MissingData { .. } => StatusCode::NOT_FOUND,

sources/api/openapi.yaml

@@ -722,6 +722,30 @@ paths:
         423:
           description: "Update write lock held. Try again in a moment"
 
+  /actions/network/configure:
+    post:
+      summary: "Configure network settings from net.toml content"
+      operationId: "configure_network"
+      requestBody:
+        required: true
+        content:
+          text/plain:
+            schema:
+              type: string
+            example: |
+              version = 2
+
+              [eth0]
+              dhcp4 = true
+              primary = true
+      responses:
+        204:
+          description: "Network configuration successfully written"
+        400:
+          description: "Invalid UTF-8 content or malformed configuration"
+        500:
+          description: "Server error writing configuration"
+
   /updates/status:
     get:
       summary: "Get update status"