authorNagaraju Goruganti <ngorugan@in.ibm.com>2018-04-17 22:27:08 -0500
committerNagaraju Goruganti <ngorugan@in.ibm.com>2018-06-21 01:30:03 +0000
commit0cf702c3948487089723d539efc59275b958bf34 (patch)
treefffa5141620b773f46b0fd7bd40fbf54795c6d74
parentbec10c202e2484fd36070ae4be26ddc2bd7267d1 (diff)
Provide the infrastructure to whitelist given URL from REST server
Added a plug-in that runs on each request and checks whether the requested URL matches a whitelisted URL; if so, it allows the access, otherwise it fails with an error message. It reads the whitelisted URL info from a JSON file. Resolves openbmc/openbmc#2378 Change-Id: I95e5fd080e03616a1cba2b86d951414669338b08 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
-rw-r--r--module/obmc/wsgi/apps/rest_dbus.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f92a67a..f761df9 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -31,6 +31,7 @@ import crypt
import tempfile
import re
import mimetypes
+import fnmatch
have_wsock = True
try:
from geventwebsocket import WebSocketError
@@ -1450,6 +1451,36 @@ class ContentCheckerPlugin(object):
return self.Checker(content_type, callback)
+class CheckURLPlugin(object):
+ ''' Ensures that anything read and written using only urls listed in
+ the url_config.json config file would allowed. '''
+ name = 'url_checker'
+ api = 2
+
+ def __init__(self):
+ config_path = '/usr/share/rest-dbus/url_config.json'
+ url_config = {}
+ urls = {}
+ self.pattern = {}
+ if os.path.exists(config_path):
+ try:
+ with open(config_path) as data_file:
+ url_config = json.load(data_file)
+ urls = url_config.get("urls", ["*"])
+ self.pattern = '|'.join(fnmatch.translate(p) for p in urls)
+ self.pattern = re.compile(self.pattern)
+ except ValueError as e:
+ abort(404, str(e))
+ else:
+ abort(404, "Config file path not found for Whitelisted URLs")
+
+ def apply(self, callback, route):
+
+ def wrap(*a, **kw):
+ if self.pattern.match(request.path):
+ return callback(*a, **kw)
+ abort(404,"Trying to access Blocked URL")
+ return wrap
class App(Bottle):
def __init__(self, **kw):
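Review bot: An empty or missing `urls` entry turns the whitelist into allow-all in `CheckURLPlugin.__init__`: `.get("urls", ["*"])` defaults to `*`, and an empty list joins to an empty pattern that `self.pattern.match` accepts for every path. A missing file is treated as an error, so the parsed-but-incomplete case looks unintended; I would read the key strictly, `urls = url_config["urls"]`, fail when it is absent or empty, and catch `KeyError` alongside `ValueError`. The `abort(404, ...)` calls in `__init__` run while the plugin is constructed rather than during a request, so they presumably surface as a startup exception instead of an HTTP response; raising a plain configuration error would make that explicit. It is also worth a comment that fnmatch's `*` matches `/` too, so a single entry covers a whole subtree.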
@@ -1478,6 +1509,7 @@ class App(Bottle):
self.install(JsonApiResponsePlugin(self))
self.install(JsonApiRequestPlugin())
self.install(JsonApiRequestTypePlugin())
+ self.install(CheckURLPlugin())
def install_hooks(self):
self.error_handler_type = type(self.default_error_handler)