From 0cf702c3948487089723d539efc59275b958bf34 Mon Sep 17 00:00:00 2001
From: Nagaraju Goruganti
Date: Tue, 17 Apr 2018 22:27:08 -0500
Subject: Provide the infrastructure to whitelist given URL from REST server
Added a plug-in which runs on each request and checks if the requested URL consists of whitelisted URL, if so, allows the access, otherwise fails with an error message. It gets whitelisted URL info from json file.
Resolves openbmc/openbmc#2378
Change-Id: I95e5fd080e03616a1cba2b86d951414669338b08
Signed-off-by: Nagaraju Goruganti
---
 module/obmc/wsgi/apps/rest_dbus.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
(limited to 'module/obmc/wsgi/apps')
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f92a67a..f761df9 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -31,6 +31,7 @@ import crypt
 import tempfile
 import re
 import mimetypes
+import fnmatch
 have_wsock = True
 try:
 from geventwebsocket import WebSocketError
@@ -1450,6 +1451,36 @@ class ContentCheckerPlugin(object):
 return self.Checker(content_type, callback)
+class CheckURLPlugin(object):
+ ''' Ensures that anything read and written using only urls listed in
+ the url_config.json config file would allowed. '''
+ name = 'url_checker'
+ api = 2
+
+ def __init__(self):
+ config_path = '/usr/share/rest-dbus/url_config.json'
+ url_config = {}
+ urls = {}
+ self.pattern = {}
+ if os.path.exists(config_path):
+ try:
+ with open(config_path) as data_file:
+ url_config = json.load(data_file)
+ urls = url_config.get("urls", ["*"])
+ self.pattern = '|'.join(fnmatch.translate(p) for p in urls)
+ self.pattern = re.compile(self.pattern)
+ except ValueError as e:
+ abort(404, str(e))
+ else:
+ abort(404, "Config file path not found for Whitelisted URLs")
+
+ def apply(self, callback, route):
+
+ def wrap(*a, **kw):
+ if self.pattern.match(request.path):
+ return callback(*a, **kw)
+ abort(404,"Trying to access Blocked URL")
+ return wrap
 class App(Bottle):
 def __init__(self, **kw):
@@ -1478,6 +1509,7 @@ class App(Bottle):
 self.install(JsonApiResponsePlugin(self))
 self.install(JsonApiRequestPlugin())
 self.install(JsonApiRequestTypePlugin())
+ self.install(CheckURLPlugin())
 def install_hooks(self):
 self.error_handler_type = type(self.default_error_handler)
--
cgit v1.2.1
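Review bot: The whitelist built in `CheckURLPlugin.__init__` fails open in two cases: a config file without a `urls` key defaults to `["*"]`, and an empty `urls` list joins to the empty pattern, for which `re.compile('').match(path)` succeeds on every path, so `wrap` admits everything precisely when nothing was whitelisted. A deny-by-default build is safer: `urls = url_config.get("urls", [])` and `self.pattern = re.compile('|'.join(fnmatch.translate(p) for p in urls) or r'(?!)')`, where `(?!)` never matches. Separately, `abort()` in `__init__` raises an HTTPError while `App` is being constructed (the `self.install(CheckURLPlugin())` hunk below), not inside a request, so a missing or malformed config file surfaces as a startup exception carrying an HTTP 404 rather than as a configuration error; raising a plain exception, or logging and installing the never-matching pattern, would make the failure mode explicit. The docstring should also state that entries are `fnmatch` patterns in which `*` matches `/` as well, so `/foo/*` admits the whole subtree, and `would allowed` should read `would be allowed`.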