RBAC checking via custom authHandler function + SAF query interpretation #281
Conversation
Signed-off-by: Leanid Astrakou <[email protected]>
DivergentEuropeans
requested review from
timgerstel,
1000TurquoisePogs,
ifakhrutdinov,
lchudinov and
a team
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
There was a problem hiding this comment.
@DivergentEuropeans, please see my comments.
In addition to the comments:
- Please add some documentation (preferably Doxygen) to the function prototypes, it helps to understand what they try to achieve. For example, https://github.com/zowe/zowe-common-c/blob/master/h/radmin.h#L520 ✔️
- Consider splitting
getProfileNameFromRequest, it's huge and hard to follow ✔️ - You don't need to reinvent all that URL parsing, the HTTP request already has a split URL, see https://github.com/zowe/zss/blob/staging/c/securityService.c#L579. Can you use or re-use any of that? ✔️
This comment has been minimized.
This comment has been minimized.
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
DivergentEuropeans
changed the title
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Rbac code cleanup
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
…into RBAC-support Signed-off-by: Leanid Astrakou <[email protected]>
|
TODO: When we login, the App server interprets the GET plugins query as ZLUX.0.COR.GET.PLUGINS yet ZSS interprets it as ZLUX.0.COR.GET.SAF-AUTH.ZLUX.0.COR.GET.PLUGINS.READ for some reason. Need to investigate if this is intended behaviour... |
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
…tion-for-saf-auth-service Disable RBAC authorization for saf-auth service
Signed-off-by: Leonty Chudinov <[email protected]>
Fix buffer size
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
| const char *class = SAF_CLASS; | ||
|
|
||
| int rc = zisCheckEntity(privilegedServerName, userName, class, entity, access, &reqStatus); | ||
| zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2, |
There was a problem hiding this comment.
I'd add zowedump for reqStatus so you can debug what's happening.
c/authService.c
Outdated
| while (pathSegment != NULL) { | ||
| snprintf(urlSegment, sizeof(urlSegment), "%s", pathSegment->string); | ||
| strupcase(urlSegment); | ||
| if (rootServiceName == NULL) |
There was a problem hiding this comment.
This can never be NULL. And if it was, you wouldn't want to call snprintf with rootServiceName as the destination.
| case 0: | ||
| snprintf(productCode, sizeof(productCode), urlSegment); | ||
| break; | ||
| case 1: | ||
| break; | ||
| case 2: | ||
| snprintf(pluginID, sizeof(pluginID), urlSegment); | ||
| break; | ||
| case 3: | ||
| break; | ||
| case 4: | ||
| snprintf(serviceName, sizeof(serviceName), urlSegment); | ||
| break; |
There was a problem hiding this comment.
If these cases are never entered, these buffers will stay uninitialized, this will cause issues in setProfileNameAttribs and makeProfileName.
| setProfileNameAttribs(pluginID, serviceName, type, scope, subUrl); | ||
| int pluginIDLen = strlen(pluginID); | ||
| for (int index = 0; index < pluginIDLen; index++) { | ||
| if (pluginID[index] == '.') { |
There was a problem hiding this comment.
pluginID may be uninitialized.
| productCode, | ||
| instanceID, | ||
| pluginID, | ||
| rootServiceName, |
There was a problem hiding this comment.
rootServiceName may be uninitialized.
| @@ -188,6 +188,7 @@ void installDatasetContentsService(HttpServer *server) { | |||
|
|
|||
| HttpService *httpService = makeGeneratedService("datasetContents", "/datasetContents/**"); | |||
| httpService->authType = SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN; | |||
| httpService->authorizationType = SERVICE_AUTHORIZATION_TYPE_NONE; | |||
There was a problem hiding this comment.
Do 3rd party plugins have to do this as well and then rebuild the binaries, or will everything work without recompilation?
c/zss.c
Outdated
| RbacAuthorizationData *rbacData = userData; | ||
|
|
||
| char method[16]; | ||
| snprintf(method, sizeof(method), "%s", request->method); |
There was a problem hiding this comment.
Should we validate the method length and not proceed if it's too long?
c/zss.c
Outdated
| return rbacParm; | ||
| } | ||
|
|
||
| static int getZoweInstanceId() { |
There was a problem hiding this comment.
Declare functions that take no parameters using a void argument, for example:
int foo(void);Otherwise it's considered "unspecified number of parameters" by the standard.
c/zss.c
Outdated
| return; | ||
| } | ||
| RbacAuthorizationData *rbacData = (RbacAuthorizationData*) safeMalloc(sizeof(*rbacData), "Rbac Authorization Data"); | ||
| if (rbacData) { |
There was a problem hiding this comment.
Shouldn't we report an error and maybe terminate if this is NULL? If we silently do nothing here, ZSS is less protected and that's not going to be discovered.
h/authService.h
Outdated
| @@ -26,9 +26,37 @@ | |||
| #include "httpserver.h" | |||
| #include "dataservice.h" | |||
|
|
|||
| #define SAF_CLASS "ZOWE" | |||
There was a problem hiding this comment.
Can you be more specific? ZOWE_SAF_CLASS would be clearer.
Signed-off-by: Leonty Chudinov <[email protected]>
Similar to what zlux-server-framework\plugins\sso-auth\lib\safprofile.js does
Turns a SAF URL into a SAF query i.e. /plugins GET undefined
->
ZLUX.0.COR.GET.PLUGINS
ZSS now uses RBAC for Http services
List of exclusions:
'/login', '/logout', '/password', '/unixfile', '/datasetContents', '/VSAMdatasetContents', '/datasetMetadata', '/omvs', '/security-mgmt'
PR (1 of 2)
PR 2: zowe/zowe-common-c#218
Signed-off-by: Leanid Astrakou [email protected]