Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RBAC checking via custom authHandler function + SAF query interpretation #281

Open
wants to merge 82 commits into
base: v1.x/staging
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
82 commits
Select commit Hold shift + click to select a range
3a8e00b
Initial commit for SAF query interpretation methods
DivergentEuropeans Apr 13, 2021
94742a0
Increase buffer size for subUrl
DivergentEuropeans Apr 13, 2021
278dc2b
Changed buffer size for some other strings
DivergentEuropeans Apr 13, 2021
35fe4be
Code review comments regarding NULL & buffer size
DivergentEuropeans Apr 14, 2021
f4fb448
Added safeMalloc
DivergentEuropeans Apr 14, 2021
9a191ad
strcpy -> snprintf to avoid possible overflow
DivergentEuropeans Apr 14, 2021
2b271d7
Increased buffer for some variables
DivergentEuropeans Apr 14, 2021
40c0770
sprintf --> snprintf to avoid overflow
DivergentEuropeans Apr 14, 2021
7df8380
Small typo
DivergentEuropeans Apr 14, 2021
21eb96d
Changed snprintf method usage
DivergentEuropeans Apr 15, 2021
038b915
Revert
DivergentEuropeans Apr 15, 2021
0d154ad
Addressed more code review like NULL checks
DivergentEuropeans Apr 25, 2021
c91b2dc
Some prototype RBAC checking + unfinished comments
DivergentEuropeans May 24, 2021
54a35c5
Merge branch 'staging' of github.com:zowe/zss into RBAC-support
DivergentEuropeans May 24, 2021
a618f31
Annoying char change
DivergentEuropeans May 24, 2021
a6ef66e
Updated dep
DivergentEuropeans May 24, 2021
245cdbc
Added check for rbac: true | false
DivergentEuropeans May 25, 2021
98cd911
Merge github.com:zowe/zss into RBAC-support
DivergentEuropeans May 25, 2021
a7a4e1e
Updated zowe-common-c
DivergentEuropeans May 31, 2021
b0f8914
Moved core RBAC auth logic from zowe-common-c into ZSS
DivergentEuropeans Jun 3, 2021
2b55af4
Merge branch 'staging' of https://github.com/zowe/zss into RBAC-support
DivergentEuropeans Jun 3, 2021
63ce32f
Fixed merge conflicts
DivergentEuropeans Jun 5, 2021
a132c8b
Updated zowe-common-c
DivergentEuropeans Jun 7, 2021
0c1b0f5
Changed authType to string
DivergentEuropeans Jun 7, 2021
4c50186
Missed a few things
DivergentEuropeans Jun 7, 2021
8da7246
Removed comments
DivergentEuropeans Jun 7, 2021
f11219f
Updated zowe-common-c
DivergentEuropeans Jun 7, 2021
efde2a2
Removed leftover comments
DivergentEuropeans Jun 7, 2021
0add3ec
Code review adjustments from Irek
DivergentEuropeans Jun 11, 2021
3eaf7a0
Don't use URL query params in SAF query
DivergentEuropeans Jun 11, 2021
f35aa89
Changed #define value name to be more relevant
DivergentEuropeans Jun 11, 2021
357f0d0
Rename
DivergentEuropeans Jun 11, 2021
06a16ef
Removed regEx to use parsedFile instead
DivergentEuropeans Jun 16, 2021
86ee872
Re-added bypass services for NO RBAC
DivergentEuropeans Jun 18, 2021
21b1496
Removed comments + clean up unused variables
DivergentEuropeans Jun 18, 2021
970cd23
Some code cleanup
Jun 20, 2021
8a7ad43
Address code review
Jun 22, 2021
60f1e4c
More code cleanup
Jun 23, 2021
4beeca2
Respect env variable for RBAC too
DivergentEuropeans Jun 25, 2021
c537201
Added some useful debug logging
DivergentEuropeans Jun 25, 2021
371319a
Merge branch 'staging' of https://github.com/zowe/zss into RBAC-support
DivergentEuropeans Jun 25, 2021
a9f1ed1
Remove mistakenly added file
Jul 1, 2021
7840318
Update pointer to zowe-common-c
Jul 1, 2021
954f921
Remove SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN_NO_RBAC
Jul 1, 2021
11ff99f
Refactor authorization code
Jul 1, 2021
9590ce1
Register RBAC handler only if RBAC enabled
Jul 1, 2021
ac967f2
Refactoring + use rbacAuthorization only when username is on request
Jul 2, 2021
5ade5c9
Detect ZOWE_INSTANCE
Jul 2, 2021
ef8b441
Fix username check
Jul 2, 2021
ef78692
Rafactor SAF profile check
Jul 2, 2021
894bc65
ServerStatusServer has respect ZWED_dataserviceAuthentication_rbac en…
Jul 2, 2021
f0d839a
Minor fixes
Jul 5, 2021
5f4f553
Update pointer to zowe-common-c
Jul 5, 2021
f9e437d
Add const for getProfileNameFromRequest args
Jul 7, 2021
1a63674
Add profileNameBufSize arg
Jul 7, 2021
961b7a7
Add const for arguments
Jul 7, 2021
f774e80
Merge pull request #310 from lchudinov/rbac-code-cleanup
DivergentEuropeans Aug 19, 2021
a4ad82a
Merge branch 'staging' of github.com:zowe/zss into RBAC-support
DivergentEuropeans Aug 19, 2021
f3b8d91
Updated with more of Irek's suggested code changes
DivergentEuropeans Aug 23, 2021
ddf0408
Merge branch 'refactor-rbac-code' of https://github.com/lchudinov/zss…
DivergentEuropeans Aug 26, 2021
e2ed56e
Removed 'class' as an arg
DivergentEuropeans Aug 26, 2021
47a8af9
Merge branch 'staging' of github.com:zowe/zss into RBAC-support
DivergentEuropeans Aug 29, 2021
4fc145c
PassTicket REST API skeleton
Aug 6, 2021
542f458
Implement PassTicket generation
Aug 9, 2021
414466c
Refactoring for PassTicket
Aug 11, 2021
ad39d3b
Add passTicketService.c to build_zss.sh
Aug 11, 2021
3b10697
Update Changelog
Aug 11, 2021
918bf99
Cleanup includes
Aug 12, 2021
6b1f6b4
Merge branch 'feature/passticket-service' of https://github.com/lchud…
DivergentEuropeans Aug 30, 2021
b83e85e
Disable RBAC authorization for saf-auth service
Aug 31, 2021
42acd8e
Update pointer to zowe-common-c
Aug 31, 2021
a4b56df
Update pointer to zowe-common-c
Aug 31, 2021
909ecb2
Merge pull request #331 from lchudinov/feature/disable-rbac-authoriza…
lchudinov Aug 31, 2021
0899ef7
Fix buffer size
Aug 31, 2021
7c6cd42
Merge pull request #332 from lchudinov/bugfix/fix-buffer-size
lchudinov Aug 31, 2021
acf074c
Updated zowe-common-c
DivergentEuropeans Sep 24, 2021
46e527d
Merge branch 'RBAC-support' of github.com:zowe/zss into RBAC-support
DivergentEuropeans Sep 24, 2021
ea23113
Merge branch 'staging' of github.com:zowe/zss into RBAC-support
DivergentEuropeans Sep 24, 2021
65e909e
Updated zowe-common-c
DivergentEuropeans Sep 24, 2021
6a66374
Small changelog typo
DivergentEuropeans Sep 24, 2021
47b6665
Merge remote-tracking branch 'origin/staging' into RBAC-support
Nov 29, 2021
8160346
Adderss code review
Nov 29, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ All notable changes to the ZSS package will be documented in this file.
## `1.22.0`

### New features and enhancements
- Added RBAC capability via SAF checks

- Bugfix: Dataset contents API doesn't skip empty records while reading a dataset

Expand Down
249 changes: 245 additions & 4 deletions c/authService.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
#include <iconv.h>
#include <dirent.h>
#include <pthread.h>
#include <regex.h>

#include "authService.h"
#include "zowetypes.h"
Expand Down Expand Up @@ -64,7 +65,22 @@
* }
*/

static int serveAuthCheck(HttpService *service, HttpResponse *response);
int serveAuthCheck(HttpService *service, HttpResponse *response);

int serveAuthCheckByParams(HttpService *service, char *userName, char *Class, char* entity, int access);

const char* getProfileNameFromRequest(char *profileName, char *url, const char *method, int instanceID);

static const char* makeProfileName(
const char *type,
const char *productCode,
int instanceID,
const char *pluginID,
const char *rootServiceName,
const char *serviceName,
const char *method,
const char *scope,
char subUrl[15][1024]);

int installAuthCheckService(HttpServer *server) {
// zowelog(NULL, 0, ZOWE_LOG_DEBUG2, "begin %s\n",
Expand Down Expand Up @@ -155,11 +171,16 @@ static void respond(HttpResponse *res, int rc, const ZISAuthServiceStatus
finishResponse(res);
}

static int serveAuthCheck(HttpService *service, HttpResponse *res) {
int serveAuthCheck(HttpService *service, HttpResponse *res) {
HttpRequest *req = res->request;
char *entity, *accessStr;
int access = 0;
int rc = 0, rsn = 0, safStatus = 0;
char *uri = safeMalloc(1024, "uri");
snprintf(uri, 1024, "%s", req->uri);
destructivelyNativize(uri);
// TODO: Remove printf's for a merge
printf("\n\n\nBegin with this URI %s\n\n\n", uri);
ZISAuthServiceStatus reqStatus = {0};
CrossMemoryServerName *privilegedServerName;
const char *userName = req->username, *class = SAF_CLASS;
Expand All @@ -173,16 +194,236 @@ static int serveAuthCheck(HttpService *service, HttpResponse *res) {
respondWithError(res, HTTP_STATUS_BAD_REQUEST, "Unexpected access level");
return 0;
}
/* printf("query: user %s, class %s, entity %s, access %d\n", userName, class,
entity, access); */
printf("\n\n\naccessStr - %s : entity - %s : rc - %d : parsedFile - %s\n\n\n", accessStr, entity, rc, req->parsedFile);

// printf("\n\nquery: user %s, class %s, entity %s, access %d accessStr %s\n", userName, class,
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
// entity, access, accessStr);
privilegedServerName = getConfiguredProperty(service->server,
HTTP_SERVER_PRIVILEGED_SERVER_PROPERTY);
rc = zisCheckEntity(privilegedServerName, userName, class, entity, access,
&reqStatus);
printf("\n\n\nRESULTS OF ZISCHECKENTITY privilegedServerName - %s : userName - %s : class - %s : entity - %s : access - %d: reqstatus - %s : rc - %d\n\n\n", privilegedServerName, userName, class, entity, access,
&reqStatus, rc);

respond(res, rc, &reqStatus);
return 0;
}

int serveAuthCheckByParams(HttpService *service, char *userName, char *Class, char *entity, int access) {
int rc = 0;
CrossMemoryServerName *privilegedServerName = getConfiguredProperty(service->server,
HTTP_SERVER_PRIVILEGED_SERVER_PROPERTY);
ZISAuthServiceStatus reqStatus = {0};
rc = zisCheckEntity(privilegedServerName, userName, Class, entity, access,
&reqStatus);
printf("\n\n\nRESULTS OF serveAuthCheckByParams privilegedServerName - %s : userName - %s : class - %s : entity - %s : access - %d: reqstatus - %s : rc - %d\n\n\n", privilegedServerName, userName, Class, entity, access,
&reqStatus, rc);
return rc;
}

const char* getProfileNameFromRequest(char *profileName, char *url, char *method, int instanceID) {
char type[8]; // core || config || service
char productCode[1024];
char rootServiceName[1024];
char subUrl[15][1024];
char scope[1024];
char placeHolder1[1024], pluginID[1024], placeHolder2[1024], serviceName[1024], placeHolder3[1024];
char regexStr[] = "^/[A-Za-z0-9]*/plugins/";

regex_t regex;
int value;
value = regcomp(&regex, regexStr, REG_EXTENDED);

if (profileName == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_SEVERE,
"safeMalloc failed. Not enough memory");
return NULL;
}
if (value != 0) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2,
"RegEx compiled successfully.");
} else {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2,
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
"RegEx compilation error %s.", regexStr);
}
value = regexec(&regex, url, 0, NULL, 0);
char urlCpy[1024];
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
snprintf(urlCpy, 1024, url);
int index = 0;
while (urlCpy[index]) { // Capitalize query
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
urlCpy[index] = toupper(urlCpy[index]);
index++;
}
if (instanceID < 0) { // Set instanceID
instanceID = 0;
}
if (value == REG_NOMATCH) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2,
"RegEx didn't match.");
char * token = strtok(urlCpy, "/");
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
int subUrlIndex = -1;
while( token != NULL ) {
if (rootServiceName == NULL)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can never be NULL. And if it was, you wouldn't want to call snprintf with rootServiceName as the destination.

{
snprintf(rootServiceName, 1024, token);
} else {
snprintf(subUrl[subUrlIndex], 1024, token);
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
}
subUrlIndex++;
token = strtok(NULL, "/");
}
snprintf(productCode, 1024, "ZLUX");
snprintf(type, 1024, "core");
}
else if (!value) {
char * token = strtok(urlCpy, "/");
int subUrlIndex;
subUrlIndex = 0;
while( token != NULL ) {
switch(subUrlIndex) {
case 0:
snprintf(productCode, 1024, token);
break;
case 1:
snprintf(placeHolder1, 1024, token);
break;
case 2:
snprintf(pluginID, 1024, token);
break;
case 3:
snprintf(placeHolder2, 1024, token);
break;
case 4:
snprintf(serviceName, 1024, token);
break;
case 5:
snprintf(placeHolder3, 1024, token);
break;
default:
snprintf(subUrl[subUrlIndex-6], 1024, token); // subtract 6 from maximum index to begin init subUrl array at 0
}

subUrlIndex++;
token = strtok(NULL, "/");
}
if ((strcmp(pluginID, "ORG.ZOWE.CONFIGJS") == 0) && (strcmp(serviceName, "DATA") == 0))
{
snprintf(type, 1024, "config");
snprintf(pluginID, 1024, subUrl[0]);
snprintf(scope, 1024, subUrl[1]);

} else {
snprintf(type, 1024, "service");
}
char* ch;
char* chReplace;
ch = ".";
chReplace = "_";
for (index = 0; index <= strlen(pluginID); index++)
{
if (pluginID[index] == *ch)
{
pluginID[index] = *chReplace;
}
}
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2,
"RegEx match OK.");
}
else {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"RegEx match failed.");
}
snprintf(profileName, 1024, makeProfileName(type,
productCode,
instanceID,
pluginID,
rootServiceName,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rootServiceName may be uninitialized.

serviceName,
method,
scope,
subUrl));

/* Free memory allocated to the pattern buffer by regcomp() */
regfree(&regex);

return profileName;
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
}

static const char* makeProfileName(
const char *type,
const char *productCode,
int instanceID,
const char *pluginID,
const char *rootServiceName,
const char *serviceName,
const char *method,
const char *scope,
char subUrl[15][1024]) {
char *profileName = safeMalloc(1024, "profileNameInner");
if (profileName == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_SEVERE,
"safeMalloc failed. Not enough memory");
return NULL;
}
if (productCode == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing product code.");
return NULL;
}
if (instanceID == -1) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it ever -1? getProfileNameFromRequest does the following:

  if (instanceID < 0) { // Set instanceID
    instanceID = 0;
  }

zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing instance ID.");
return NULL;
}
if (method == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing method.");
return NULL;
}
// char someString[1024] = { snprintf(*someString, 1024, type) };
if (strcmp(type, "service") == 0) {
if (pluginID == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible that someone malicious will send multiple malformed requests flooding the log?

"Broken SAF query. Missing plugin ID.");
return NULL;
}
if (serviceName == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing service name.");
return NULL;
}
snprintf(profileName, 1024, "%s.%d.SVC.%s.%s.%s", productCode, instanceID, pluginID, serviceName, method);
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
} else if (strcmp(type, "config") == 0) {
if (pluginID == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing plugin ID.");
return NULL;
}
if (scope == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing scope.");
return NULL;
}
snprintf(profileName, 1024, "%s.%d.CFG.%s.%s.%s", productCode, instanceID, pluginID, method, scope);
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
} else if (strcmp(type, "core") == 0) {
if (rootServiceName == NULL) {
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_WARNING,
"Broken SAF query. Missing root service name.");
return NULL;
}
snprintf(profileName, 1024, "%s.%d.COR.%s.%s", productCode, instanceID, method, rootServiceName);
}
// Child endpoints housed via subUrl
int index = 0;
while (index < 15 && strcmp(subUrl[index], "") != 0) {
snprintf(profileName, 1024, "%s.%s", profileName, subUrl[index]);
index++;
}
return profileName;
}

/* Method goes here to do the same thing serveAuthCheck is doing except w/o input HttpService */

void respondWithJsonStatus(HttpResponse *response, const char *status, int statusCode, const char *statusMessage) {
jsonPrinter *out = respondWithJsonPrinter(response);
setResponseStatus(response,statusCode,(char *)statusMessage);
Expand Down
2 changes: 1 addition & 1 deletion deps/zowe-common-c
Submodule zowe-common-c updated 3 files
+26 −19 c/datasetjson.c
+129 −75 c/httpserver.c
+0 −1 c/tls.c
4 changes: 4 additions & 0 deletions h/authService.h
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@

int installAuthCheckService(HttpServer *server);
void installZosPasswordService(HttpServer *server);
const char* getProfileNameFromRequest(char *profileName, char *url, char *method, int instanceID);
int serveAuthCheck(HttpService *service, HttpResponse *res);
DivergentEuropeans marked this conversation as resolved.
Show resolved Hide resolved
int serveAuthCheckByParams(HttpService *service, char *userName, char *Class, char *entity, int access);


#endif

Expand Down