RBAC checking via custom authHandler function + SAF query interpretation#281
Open
DivergentEuropeans wants to merge 82 commits intov1.x/stagingfrom
Open
RBAC checking via custom authHandler function + SAF query interpretation#281DivergentEuropeans wants to merge 82 commits intov1.x/stagingfrom
DivergentEuropeans wants to merge 82 commits intov1.x/stagingfrom
Conversation
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
DivergentEuropeans
requested review from
a team,
1000TurquoisePogs,
ifakhrutdinov,
lchudinov and
timgerstel
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
lchudinov
previously requested changes
Apr 13, 2021
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
lchudinov
reviewed
Apr 15, 2021
ifakhrutdinov
previously requested changes
Apr 15, 2021
Contributor
There was a problem hiding this comment.
@DivergentEuropeans, please see my comments.
In addition to the comments:
- Please add some documentation (preferably Doxygen) to the function prototypes, it helps to understand what they try to achieve. For example, https://github.com/zowe/zowe-common-c/blob/master/h/radmin.h#L520 ✔️
- Consider splitting
getProfileNameFromRequest, it's huge and hard to follow ✔️ - You don't need to reinvent all that URL parsing, the HTTP request already has a split URL, see https://github.com/zowe/zss/blob/staging/c/securityService.c#L579. Can you use or re-use any of that? ✔️
This comment has been minimized.
This comment has been minimized.
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
DivergentEuropeans
changed the title
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Rbac code cleanup
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
…into RBAC-support Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Member
Author
|
TODO: When we login, the App server interprets the GET plugins query as ZLUX.0.COR.GET.PLUGINS yet ZSS interprets it as ZLUX.0.COR.GET.SAF-AUTH.ZLUX.0.COR.GET.PLUGINS.READ for some reason. Need to investigate if this is intended behaviour... |
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
…tion-for-saf-auth-service Disable RBAC authorization for saf-auth service
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Fix buffer size
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
| const char *class = SAF_CLASS; | ||
|
|
||
| int rc = zisCheckEntity(privilegedServerName, userName, class, entity, access, &reqStatus); | ||
| zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2, |
Contributor
There was a problem hiding this comment.
I'd add zowedump for reqStatus so you can debug what's happening.
| while (pathSegment != NULL) { | ||
| snprintf(urlSegment, sizeof(urlSegment), "%s", pathSegment->string); | ||
| strupcase(urlSegment); | ||
| if (rootServiceName == NULL) |
Contributor
There was a problem hiding this comment.
This can never be NULL. And if it was, you wouldn't want to call snprintf with rootServiceName as the destination.
Comment on lines
+268
to
+280
| case 0: | ||
| snprintf(productCode, sizeof(productCode), urlSegment); | ||
| break; | ||
| case 1: | ||
| break; | ||
| case 2: | ||
| snprintf(pluginID, sizeof(pluginID), urlSegment); | ||
| break; | ||
| case 3: | ||
| break; | ||
| case 4: | ||
| snprintf(serviceName, sizeof(serviceName), urlSegment); | ||
| break; |
Contributor
There was a problem hiding this comment.
If these cases are never entered, these buffers will stay uninitialized, this will cause issues in setProfileNameAttribs and makeProfileName.
| setProfileNameAttribs(pluginID, serviceName, type, scope, subUrl); | ||
| int pluginIDLen = strlen(pluginID); | ||
| for (int index = 0; index < pluginIDLen; index++) { | ||
| if (pluginID[index] == '.') { |
Contributor
There was a problem hiding this comment.
pluginID may be uninitialized.
| productCode, | ||
| instanceID, | ||
| pluginID, | ||
| rootServiceName, |
Contributor
There was a problem hiding this comment.
rootServiceName may be uninitialized.
|
|
||
| HttpService *httpService = makeGeneratedService("datasetContents", "/datasetContents/**"); | ||
| httpService->authType = SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN; | ||
| httpService->authorizationType = SERVICE_AUTHORIZATION_TYPE_NONE; |
Contributor
There was a problem hiding this comment.
Do 3rd party plugins have to do this as well and then rebuild the binaries, or will everything work without recompilation?
| RbacAuthorizationData *rbacData = userData; | ||
|
|
||
| char method[16]; | ||
| snprintf(method, sizeof(method), "%s", request->method); |
Contributor
There was a problem hiding this comment.
Should we validate the method length and not proceed if it's too long?
| return rbacParm; | ||
| } | ||
|
|
||
| static int getZoweInstanceId() { |
Contributor
There was a problem hiding this comment.
Declare functions that take no parameters using a void argument, for example:
int foo(void);Otherwise it's considered "unspecified number of parameters" by the standard.
| return; | ||
| } | ||
| RbacAuthorizationData *rbacData = (RbacAuthorizationData*) safeMalloc(sizeof(*rbacData), "Rbac Authorization Data"); | ||
| if (rbacData) { |
Contributor
There was a problem hiding this comment.
Shouldn't we report an error and maybe terminate if this is NULL? If we silently do nothing here, ZSS is less protected and that's not going to be discovered.
| #include "httpserver.h" | ||
| #include "dataservice.h" | ||
|
|
||
| #define SAF_CLASS "ZOWE" |
Contributor
There was a problem hiding this comment.
Can you be more specific? ZOWE_SAF_CLASS would be clearer.
added 2 commits
November 29, 2021 10:27
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Similar to what zlux-server-framework\plugins\sso-auth\lib\safprofile.js does
Turns a SAF URL into a SAF query i.e. /plugins GET undefined
->
ZLUX.0.COR.GET.PLUGINS
ZSS now uses RBAC for Http services
List of exclusions:
'/login', '/logout', '/password', '/unixfile', '/datasetContents', '/VSAMdatasetContents', '/datasetMetadata', '/omvs', '/security-mgmt'
PR (1 of 2)
PR 2: zowe/zowe-common-c#218
Signed-off-by: Leanid Astrakou lastrakou@rocketsoftware.com