Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RBAC checking via custom authHandler function + SAF query interpretation #281

Open
wants to merge 82 commits into
base: v1.x/staging
Choose a base branch
from

Conversation

DivergentEuropeans
Copy link
Member

@DivergentEuropeans DivergentEuropeans commented Apr 13, 2021

Similar to what zlux-server-framework\plugins\sso-auth\lib\safprofile.js does

Turns a SAF URL into a SAF query i.e. /plugins GET undefined
->
ZLUX.0.COR.GET.PLUGINS

ZSS now uses RBAC for Http services

List of exclusions:
'/login', '/logout', '/password', '/unixfile', '/datasetContents', '/VSAMdatasetContents', '/datasetMetadata', '/omvs', '/security-mgmt'

PR (1 of 2)
PR 2: zowe/zowe-common-c#218

Signed-off-by: Leanid Astrakou [email protected]

c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
Signed-off-by: Leanid Astrakou <[email protected]>
Copy link
Contributor

@timgerstel timgerstel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay to me

c/authService.c Outdated Show resolved Hide resolved
Signed-off-by: Leanid Astrakou <[email protected]>
c/authService.c Outdated Show resolved Hide resolved
Signed-off-by: Leanid Astrakou <[email protected]>
Copy link
Contributor

@ifakhrutdinov ifakhrutdinov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DivergentEuropeans, please see my comments.

In addition to the comments:

c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
c/authService.c Outdated Show resolved Hide resolved
@DivergentEuropeans

This comment has been minimized.

@DivergentEuropeans DivergentEuropeans changed the title Initial commit for SAF query interpretation methods (WIP) Initial commit for SAF query interpretation + RBAC checking May 24, 2021
Signed-off-by: Leanid Astrakou <[email protected]>
h/authService.h Outdated Show resolved Hide resolved
@DivergentEuropeans
Copy link
Member Author

TODO: When we login, the App server interprets the GET plugins query as

ZLUX.0.COR.GET.PLUGINS

yet ZSS interprets it as

ZLUX.0.COR.GET.SAF-AUTH.ZLUX.0.COR.GET.PLUGINS.READ

for some reason. Need to investigate if this is intended behaviour...

DivergentEuropeans and others added 20 commits August 26, 2021 10:39
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leonty Chudinov <[email protected]>
…tion-for-saf-auth-service

Disable RBAC authorization for saf-auth service
Signed-off-by: Leonty Chudinov <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
Signed-off-by: Leanid Astrakou <[email protected]>
const char *class = SAF_CLASS;

int rc = zisCheckEntity(privilegedServerName, userName, class, entity, access, &reqStatus);
zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd add zowedump for reqStatus so you can debug what's happening.

c/authService.c Outdated
while (pathSegment != NULL) {
snprintf(urlSegment, sizeof(urlSegment), "%s", pathSegment->string);
strupcase(urlSegment);
if (rootServiceName == NULL)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can never be NULL. And if it was, you wouldn't want to call snprintf with rootServiceName as the destination.

Comment on lines +268 to +280
case 0:
snprintf(productCode, sizeof(productCode), urlSegment);
break;
case 1:
break;
case 2:
snprintf(pluginID, sizeof(pluginID), urlSegment);
break;
case 3:
break;
case 4:
snprintf(serviceName, sizeof(serviceName), urlSegment);
break;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If these cases are never entered, these buffers will stay uninitialized, this will cause issues in setProfileNameAttribs and makeProfileName.

setProfileNameAttribs(pluginID, serviceName, type, scope, subUrl);
int pluginIDLen = strlen(pluginID);
for (int index = 0; index < pluginIDLen; index++) {
if (pluginID[index] == '.') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pluginID may be uninitialized.

productCode,
instanceID,
pluginID,
rootServiceName,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rootServiceName may be uninitialized.

@@ -188,6 +188,7 @@ void installDatasetContentsService(HttpServer *server) {

HttpService *httpService = makeGeneratedService("datasetContents", "/datasetContents/**");
httpService->authType = SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN;
httpService->authorizationType = SERVICE_AUTHORIZATION_TYPE_NONE;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do 3rd party plugins have to do this as well and then rebuild the binaries, or will everything work without recompilation?

c/zss.c Outdated
RbacAuthorizationData *rbacData = userData;

char method[16];
snprintf(method, sizeof(method), "%s", request->method);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we validate the method length and not proceed if it's too long?

c/zss.c Outdated
return rbacParm;
}

static int getZoweInstanceId() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Declare functions that take no parameters using a void argument, for example:

int foo(void);

Otherwise it's considered "unspecified number of parameters" by the standard.

c/zss.c Outdated
return;
}
RbacAuthorizationData *rbacData = (RbacAuthorizationData*) safeMalloc(sizeof(*rbacData), "Rbac Authorization Data");
if (rbacData) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we report an error and maybe terminate if this is NULL? If we silently do nothing here, ZSS is less protected and that's not going to be discovered.

h/authService.h Outdated
@@ -26,9 +26,37 @@
#include "httpserver.h"
#include "dataservice.h"

#define SAF_CLASS "ZOWE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific? ZOWE_SAF_CLASS would be clearer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants