From patchwork Tue Sep 15 18:05:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= X-Patchwork-Id: 1364560 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=hlGScnMQ; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=GFbPctL6; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BrWRF3sxHz9sTC for ; Wed, 16 Sep 2020 04:07:36 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=ILAIQyygraMH7e7M75p0lcYwhbEGTUgw+94sZyZLcxA=; b=hlGScnMQpOHQtXCdqhxmCLE4zO KtDzfTU1IehtRYgMDcy0/YllABB+IT4t+OrCT3zwjv8zn6TZILGjz4pLHNebOkTrPMo3MpM6cFhlZ zHYqvdsiPS98CaSrYT1d56cS/5ku8lVfQEDCsV1tOIa29akNkd/sNnpIvREnIaRCzI4LnzpS2Oc6z 2FP1Qcq2NuCrpdRYgM8LERcQ2j2bhduYggQY4iF1V2ibJXC2XKqPyaFC6gGjY54yjbkix+V5KtBh6 G9tHHUVUezJA2DMFearmrNktecXJVhQ2RTsPg4NZGswkShD1UhZKtvIq7mt4R2p7bdNgBFJ+7qJc3 tYnvNCvg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kIFKa-0008LL-3f; Tue, 15 Sep 2020 18:05:28 +0000 Received: from mail-lf1-x141.google.com ([2a00:1450:4864:20::141]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kIFKX-0008KY-DW for openwrt-devel@lists.openwrt.org; Tue, 15 Sep 2020 18:05:26 +0000 Received: by mail-lf1-x141.google.com with SMTP id w11so4121362lfn.2 for ; Tue, 15 Sep 2020 11:05:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=HhrAWJ4kF0A6GxyZautOivEdppl278Bpbz2iUObls3E=; b=GFbPctL6gkMmVDt30TXBhkWxpfbOf0rSH6SB607mRm/lG7uw8PcJR0yggr0lr3Kjmh DEZGyU82z+VKS5VxnzVA2zlKSxEpPZ7bEDMkt3QduSdAeIR21Vhq0Qkhp1VlMexWaV0D j7AflYwDyvZPtNMvGrj46o1q2naWR95Zhihh6XL2+FY2R/fpFnRqQemUkJpv1qvGmCBF qy2KEd22UXOySy4SxEsfc6TN0+pnUpYSv7AiSZNNgqmiuxpvViO2BVMmXG0EGOYZDUFD swHNqPbeKq1puIh67sr8S8jkKcE3jHfmlMU3BRZRHDuqYjsnlumLx+f7OAZbldv+9Q7n NREg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=HhrAWJ4kF0A6GxyZautOivEdppl278Bpbz2iUObls3E=; b=jzk4R5LDPijX7njeSpPPIY8HWcQ3kzeNXgtQvWhHMVvbcLB6TW1ArbHXN+kZgeEVPc YB+7emnQl9ToDSW8u3ho3re+HvMmf6eDtqxje5Mf7LnaCJDvMd7AfyIc8FxDnMmV1nvV WmEanDKs9Kwa/fjG2yuhwWG+UQSYlFbAmZszVxi6ff0/o/Qg0+p0yjOHqksHeS6EBIcw xiXyykk185Q4b2fKIjKJPZHba3TRQ1rKrV2O3uM1qe4a8ax7Jv9mb6Hv6vxGbQt/GUc5 yZPrUMiUt78qQURcY3JByzYVJeZeg6QnMwu7plJHo9+SE0rckk4A5aZcvetM8Yg8pj6z Mnjg== X-Gm-Message-State: AOAM532yfC6rbov9KZBEW3vJelUKA9BXzg5q7fFbKzo8NJOv1U5eyro2 XV6A6vDYQMevtBgHHlOe32qR7rD/Jq8= X-Google-Smtp-Source: ABdhPJwagJOiKtFHz9CpC4NocxhTY5yLIvhNOhGnBAqLG2BKmjAfqkn4EaT/3newz1eewkre4BMFzA== X-Received: by 2002:a19:2346:: with SMTP id j67mr5967899lfj.449.1600193122622; Tue, 15 Sep 2020 11:05:22 -0700 (PDT) Received: from localhost.localdomain (ip-194-187-74-233.konfederacka.maverick.com.pl. [194.187.74.233]) by smtp.gmail.com with ESMTPSA id w17sm4438710lfr.31.2020.09.15.11.05.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Sep 2020 11:05:22 -0700 (PDT) From: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= To: openwrt-devel@lists.openwrt.org Subject: [PATCH] ubus: add ACL support for "subscribe" request Date: Tue, 15 Sep 2020 20:05:11 +0200 Message-Id: <20200915180511.22491-1-zajec5@gmail.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200915_140525_471948_22968F08 X-CRM114-Status: GOOD ( 18.81 ) X-Spam-Score: 0.1 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:141 listed in] [list.dnswl.org] 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit [zajec5[at]gmail.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [zajec5[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= , Jo-Philipp Wich Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org From: Rafał Miłecki With this change ubus will allow users with access to the object pseudo method ":subscribe" to subscribe for notifications. 1. Move uh_ubus_allowed() up in the code 2. Export "Authorization" parsing code to the uh_ubus_get_auth() 3. Check for ":subscribe" method access Right now this depends on "Authorization" HTTP header which browsers don't allow setting for the EventSource. An alternative method of submitting session token remains to be implemented. Signed-off-by: Rafał Miłecki --- ubus.c | 119 +++++++++++++++++++++++++++++++-------------------------- 1 file changed, 64 insertions(+), 55 deletions(-) diff --git a/ubus.c b/ubus.c index ccddbbd..1cf5c5f 100644 --- a/ubus.c +++ b/ubus.c @@ -112,6 +112,30 @@ enum cors_hdr { __HDR_MAX }; +enum ubus_hdr { + HDR_AUTHORIZATION, + __HDR_UBUS_MAX +}; + +static const char *uh_ubus_get_auth(const struct blob_attr *attr) +{ + static const struct blobmsg_policy hdr_policy[__HDR_UBUS_MAX] = { + [HDR_AUTHORIZATION] = { "authorization", BLOBMSG_TYPE_STRING }, + }; + struct blob_attr *tb[__HDR_UBUS_MAX]; + + blobmsg_parse(hdr_policy, __HDR_UBUS_MAX, tb, blob_data(attr), blob_len(attr)); + + if (tb[HDR_AUTHORIZATION]) { + const char *tmp = blobmsg_get_string(tb[HDR_AUTHORIZATION]); + + if (!strncasecmp(tmp, "Bearer ", 7)) + return tmp + 7; + } + + return UH_UBUS_DEFAULT_SID; +} + static void __uh_ubus_next_batched_request(struct uloop_timeout *timeout); static void uh_ubus_next_batched_request(struct client *cl) @@ -239,6 +263,39 @@ static void uh_ubus_ubus_error(struct client *cl, int err) uh_ubus_error(cl, err, ubus_strerror(err)); } +static void uh_ubus_allowed_cb(struct ubus_request *req, int type, struct blob_attr *msg) +{ + struct blob_attr *tb[__SES_MAX]; + bool *allow = (bool *)req->priv; + + if (!msg) + return; + + blobmsg_parse(ses_policy, __SES_MAX, tb, blob_data(msg), blob_len(msg)); + + if (tb[SES_ACCESS]) + *allow = blobmsg_get_bool(tb[SES_ACCESS]); +} + +static bool uh_ubus_allowed(const char *sid, const char *obj, const char *fun) +{ + uint32_t id; + bool allow = false; + static struct blob_buf req; + + if (ubus_lookup_id(ctx, "session", &id)) + return false; + + blob_buf_init(&req, 0); + blobmsg_add_string(&req, "ubus_rpc_session", sid); + blobmsg_add_string(&req, "object", obj); + blobmsg_add_string(&req, "function", fun); + + ubus_invoke(ctx, id, "access", req.head, uh_ubus_allowed_cb, &allow, conf.script_timeout * 500); + + return allow; +} + /* GET requests handling */ static void uh_ubus_list_cb(struct ubus_context *ctx, struct ubus_object_data *obj, void *priv); @@ -303,14 +360,16 @@ static void uh_ubus_subscription_notification_remove_cb(struct ubus_context *ctx ops->request_done(cl); } -static void uh_ubus_handle_get_subscribe(struct client *cl, const char *sid, const char *path) +static void uh_ubus_handle_get_subscribe(struct client *cl, const char *path) { struct dispatch_ubus *du = &cl->dispatch.ubus; + const char *sid; uint32_t id; int err; - /* TODO: add ACL support */ - if (!conf.ubus_noauth) { + sid = uh_ubus_get_auth(cl->hdr.head); + + if (!conf.ubus_noauth && !uh_ubus_allowed(sid, path, ":subscribe")) { uh_ubus_send_header(cl, 200, "OK", "application/json"); uh_ubus_posix_error(cl, EACCES); return; @@ -364,7 +423,7 @@ static void uh_ubus_handle_get(struct client *cl) } else if (!strncmp(url, "/subscribe/", strlen("/subscribe/"))) { url += strlen("/subscribe"); - uh_ubus_handle_get_subscribe(cl, NULL, url + 1); + uh_ubus_handle_get_subscribe(cl, url + 1); } else { ops->http_header(cl, 404, "Not Found"); ustream_printf(cl->us, "\r\n"); @@ -682,39 +741,6 @@ static void uh_ubus_complete_batch(struct client *cl) ops->request_done(cl); } -static void uh_ubus_allowed_cb(struct ubus_request *req, int type, struct blob_attr *msg) -{ - struct blob_attr *tb[__SES_MAX]; - bool *allow = (bool *)req->priv; - - if (!msg) - return; - - blobmsg_parse(ses_policy, __SES_MAX, tb, blob_data(msg), blob_len(msg)); - - if (tb[SES_ACCESS]) - *allow = blobmsg_get_bool(tb[SES_ACCESS]); -} - -static bool uh_ubus_allowed(const char *sid, const char *obj, const char *fun) -{ - uint32_t id; - bool allow = false; - static struct blob_buf req; - - if (ubus_lookup_id(ctx, "session", &id)) - return false; - - blob_buf_init(&req, 0); - blobmsg_add_string(&req, "ubus_rpc_session", sid); - blobmsg_add_string(&req, "object", obj); - blobmsg_add_string(&req, "function", fun); - - ubus_invoke(ctx, id, "access", req.head, uh_ubus_allowed_cb, &allow, conf.script_timeout * 500); - - return allow; -} - static void uh_ubus_handle_request_object(struct client *cl, struct json_object *obj) { struct dispatch_ubus *du = &cl->dispatch.ubus; @@ -851,18 +877,9 @@ out: uh_client_unref(cl); } -enum ubus_hdr { - HDR_AUTHORIZATION, - __HDR_UBUS_MAX -}; - static void uh_ubus_handle_post(struct client *cl) { - static const struct blobmsg_policy hdr_policy[__HDR_UBUS_MAX] = { - [HDR_AUTHORIZATION] = { "authorization", BLOBMSG_TYPE_STRING }, - }; struct dispatch_ubus *du = &cl->dispatch.ubus; - struct blob_attr *tb[__HDR_UBUS_MAX]; const char *url = du->url_path; const char *auth; @@ -873,15 +890,7 @@ static void uh_ubus_handle_post(struct client *cl) return; } - blobmsg_parse(hdr_policy, __HDR_UBUS_MAX, tb, blob_data(cl->hdr.head), blob_len(cl->hdr.head)); - - auth = UH_UBUS_DEFAULT_SID; - if (tb[HDR_AUTHORIZATION]) { - const char *tmp = blobmsg_get_string(tb[HDR_AUTHORIZATION]); - - if (!strncasecmp(tmp, "Bearer ", 7)) - auth = tmp + 7; - } + auth = uh_ubus_get_auth(cl->hdr.head); url += strlen(conf.ubus_prefix);