session: setup a persistent NULL section and implement login procedure

2013-09-10 19:41:29 +02:00 · 2013-09-10 19:41:29 +02:00 · 5a101fcc08
commit 5a101fcc08
parent 22fbf13086
4 changed files with 392 additions and 2 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,5 +1,7 @@
 cmake_minimum_required(VERSION 2.6)
 INCLUDE(CheckFunctionExists)
 PROJECT(rpcd C)
 ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations -Iinclude)
@ -13,10 +15,19 @@ IF(APPLE)
  LINK_DIRECTORIES(/opt/local/lib)
 ENDIF()
 CHECK_FUNCTION_EXISTS(getspnam HAVE_SHADOW)
 IF(HAVE_SHADOW)
  ADD_DEFINITIONS(-DHAVE_SHADOW)
 ENDIF()
 FIND_LIBRARY(json NAMES json-c json)
 FIND_LIBRARY(crypt NAMES crypt)
 IF(crypt STREQUAL "LIBS-NOTFOUND")
  SET(crypt "")
 ENDIF()
 ADD_EXECUTABLE(rpcd main.c exec.c session.c uci.c plugin.c)
-TARGET_LINK_LIBRARIES(rpcd ubox ubus uci dl blobmsg_json ${json})
+TARGET_LINK_LIBRARIES(rpcd ubox ubus uci dl blobmsg_json ${json} ${crypt})
 SET(PLUGINS "")
--- a/include/rpcd/session.h
+++ b/include/rpcd/session.h
@ -32,7 +32,9 @@
 #define RPC_SID_LEN	32
 #define RPC_DEFAULT_SESSION_TIMEOUT	300
 #define RPC_DEFAULT_SESSION_ID	"00000000000000000000000000000000"
 #define RPC_SESSION_DIRECTORY	"/var/run/rpcd/sessions"
 #define RPC_SESSION_ACL_DIR		"/usr/share/rpcd/acl.d"
 struct rpc_session {
 	struct avl_node avl;
--- a/session.c
+++ b/session.c
@ -17,10 +17,19 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #define _GNU_SOURCE	/* crypt() */
 #include <libubox/avl-cmp.h>
 #include <libubox/blobmsg.h>
 #include <libubox/utils.h>
 #include <libubus.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <uci.h>
 #ifdef HAVE_SHADOW
 #include <shadow.h>
 #endif
 #include <rpcd/session.h>
@ -100,6 +109,18 @@ static const struct blobmsg_policy dump_policy[__RPC_DUMP_MAX] = {
 	[RPC_DUMP_DATA] = { .name = "data", .type = BLOBMSG_TYPE_TABLE },
 };
 enum {
 	RPC_L_USERNAME,
 	RPC_L_PASSWORD,
 	RPC_L_TIMEOUT,
 	__RPC_L_MAX,
 };
 static const struct blobmsg_policy login_policy[__RPC_L_MAX] = {
 	[RPC_L_USERNAME] = { .name = "username", .type = BLOBMSG_TYPE_STRING },
 	[RPC_L_PASSWORD] = { .name = "password", .type = BLOBMSG_TYPE_STRING },
 	[RPC_L_TIMEOUT]  = { .name = "timeout", .type = BLOBMSG_TYPE_INT32 },
 };
 /*
 * Keys in the AVL tree contain all pattern characters up to the first wildcard.
 * To look up entries, start with the last entry that has a key less than or
@ -215,7 +236,8 @@ rpc_session_dump(struct rpc_session *ses, struct ubus_context *ctx,
 static void
 rpc_touch_session(struct rpc_session *ses)
 {
-	uloop_timeout_set(&ses->t, ses->timeout * 1000);
+	if (ses->timeout > 0)
 		uloop_timeout_set(&ses->t, ses->timeout * 1000);
 }
 static void
@ -739,6 +761,332 @@ rpc_handle_destroy(struct ubus_context *ctx, struct ubus_object *obj,
 }
 static bool
 rpc_login_test_password(const char *hash, const char *password)
 {
 	char *crypt_hash;
 	/* password is not set */
 	if (!hash || !*hash || !strcmp(hash, "!") || !strcmp(hash, "x"))
 	{
 		return true;
 	}
 	/* password hash refers to shadow/passwd */
 	else if (!strncmp(hash, "$p$", 3))
 	{
 #ifdef HAVE_SHADOW
 		struct spwd *sp = getspnam(hash + 3);
 		if (!sp)
 			return false;
 		return rpc_login_test_password(sp->sp_pwdp, password);
 #else
 		struct passwd *pw = getpwnam(hash + 3);
 		if (!pw)
 			return false;
 		return rpc_login_test_password(pw->pw_passwd, password);
 #endif
 	}
 	crypt_hash = crypt(hash, password);
 	return !strcmp(crypt_hash, hash);
 }
 static struct uci_section *
 rpc_login_test_login(struct uci_context *uci,
                     const char *username, const char *password)
 {
 	struct uci_package *p;
 	struct uci_section *s;
 	struct uci_element *e;
 	struct uci_ptr ptr = { .package = "rpcd" };
 	uci_load(uci, ptr.package, &p);
 	if (!p)
 		return false;
 	uci_foreach_element(&p->sections, e)
 	{
 		s = uci_to_section(e);
 		if (strcmp(s->type, "login"))
 			continue;
 		ptr.section = s->e.name;
 		ptr.s = NULL;
 		/* test for matching username */
 		ptr.option = "username";
 		ptr.o = NULL;
 		if (uci_lookup_ptr(uci, &ptr, NULL, true))
 			continue;
 		if (ptr.o->type != UCI_TYPE_STRING)
 			continue;
 		if (strcmp(ptr.o->v.string, username))
 			continue;
 		/* test for matching password */
 		ptr.option = "password";
 		ptr.o = NULL;
 		if (uci_lookup_ptr(uci, &ptr, NULL, true))
 			continue;
 		if (ptr.o->type != UCI_TYPE_STRING)
 			continue;
 		if (rpc_login_test_password(ptr.o->v.string, password))
 			return ptr.s;
 	}
 	return NULL;
 }
 static bool
 rpc_login_test_permission(struct uci_section *s,
                          const char *perm, const char *group)
 {
 	struct uci_option *o;
 	struct uci_element *e, *l;
 	/* If the login section is not provided, we're setting up acls for the
 	 * default session, in this case uncondionally allow access to the
 	 * "unauthenticated" access group */
 	if (!s) {
 		return !strcmp(group, "unauthenticated");
 	}
 	uci_foreach_element(&s->options, e)
 	{
 		o = uci_to_option(e);
 		if (o->type != UCI_TYPE_LIST)
 			continue;
 		if (strcmp(o->e.name, perm))
 			continue;
 		uci_foreach_element(&o->v.list, l)
 			if (l->name && !fnmatch(l->name, group, 0))
 				return true;
 	}
 	/* make sure that write permission implies read permission */
 	if (!strcmp(perm, "read"))
 		return rpc_login_test_permission(s, "write", group);
 	return false;
 }
 static void
 rpc_login_setup_acl_scope(struct rpc_session *ses,
                          struct blob_attr *acl_perm,
                          struct blob_attr *acl_scope)
 {
 	struct blob_attr *acl_obj, *acl_func;
 	int rem, rem2;
 	/*
 	 * Parse ACL scopes in table notation.
 	 *
 	 *	"<scope>": {
 	 *		"<object>": [
 	 *			"<function>",
 	 *			"<function>",
 	 *			...
 	 *		]
 	 *	}
 	 */
 	if (blob_id(acl_scope) == BLOBMSG_TYPE_TABLE) {
 		blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
 			if (blob_id(acl_obj) != BLOBMSG_TYPE_ARRAY)
 				continue;
 			blobmsg_for_each_attr(acl_func, acl_obj, rem2) {
 				if (blob_id(acl_func) != BLOBMSG_TYPE_STRING)
 					continue;
 				rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
 				                             blobmsg_name(acl_obj),
 				                             blobmsg_data(acl_func));
 			}
 		}
 	}
 	/*
 	 * Parse ACL scopes in array notation. The permission ("read" or "write")
 	 * will be used as function name for each object.
 	 *
 	 *	"<scope>": [
 	 *		"<object>",
 	 *		"<object>",
 	 *		...
 	 *	]
 	 */
 	else if (blob_id(acl_scope) == BLOBMSG_TYPE_ARRAY) {
 		blobmsg_for_each_attr(acl_obj, acl_scope, rem) {
 			if (blob_id(acl_obj) != BLOBMSG_TYPE_STRING)
 				continue;
 			rpc_session_grant(ses, NULL, blobmsg_name(acl_scope),
 				                         blobmsg_data(acl_obj),
 				                         blobmsg_name(acl_perm));
 		}
 	}
 }
 static void
 rpc_login_setup_acl_file(struct rpc_session *ses, struct uci_section *login,
                         const char *path)
 {
 	struct blob_buf acl = { 0 };
 	struct blob_attr *acl_group, *acl_perm, *acl_scope;
 	int rem, rem2, rem3;
 	blob_buf_init(&acl, 0);
 	if (!blobmsg_add_json_from_file(&acl, path)) {
 		fprintf(stderr, "Failed to parse %s\n", path);
 		goto out;
 	}
 	/* Iterate access groups in toplevel object */
 	blob_for_each_attr(acl_group, acl.head, rem) {
 		/* Iterate permission objects in each access group object */
 		blobmsg_for_each_attr(acl_perm, acl_group, rem2) {
 			if (blob_id(acl_perm) != BLOBMSG_TYPE_TABLE)
 				continue;
 			/* Only "read" and "write" permissions are defined */
 			if (strcmp(blobmsg_name(acl_perm), "read") &&
 				strcmp(blobmsg_name(acl_perm), "write"))
 				continue;
 			/*
 			 * Check if the current user context specifies the current
 			 * "read" or "write" permission in the given access group.
 			 */
 			if (!rpc_login_test_permission(login, blobmsg_name(acl_perm),
 			                                      blobmsg_name(acl_group)))
 				continue;
 			/* Iterate scope objects within the permission object */
 			blobmsg_for_each_attr(acl_scope, acl_perm, rem3) {
 				/* Setup the scopes of the access group */
 				rpc_login_setup_acl_scope(ses, acl_perm, acl_scope);
 				/*
 				 * Add the access group itself as object to the "access-group"
 				 * meta scope and the the permission level ("read" or "write")
 				 * as function, so
 				 *	"<group>": {
 				 *		"<permission>": {
 				 *			"<scope>": ...
 				 *		}
 				 *	}
 				 * becomes
 				 *	"access-group": {
 				 *		"<group>": [
 				 *			"<permission>"
 				 *		]
 				 *	}
 				 *
 				 * This allows session clients to easily query the allowed
 				 * access groups without having to test access of each single
 				 * <scope>/<object>/<function> tuple defined in a group.
 				 */
 				rpc_session_grant(ses, NULL, "access-group",
 				                             blobmsg_name(acl_group),
 				                             blobmsg_name(acl_perm));
 			}
 		}
 	}
 out:
 	blob_buf_free(&acl);
 }
 static void
 rpc_login_setup_acls(struct rpc_session *ses, struct uci_section *login)
 {
 	int i;
 	glob_t gl;
 	if (glob(RPC_SESSION_ACL_DIR "/*.json", 0, NULL, &gl))
 		return;
 	for (i = 0; i < gl.gl_pathc; i++)
 		rpc_login_setup_acl_file(ses, login, gl.gl_pathv[i]);
 	globfree(&gl);
 }
 static int
 rpc_handle_login(struct ubus_context *ctx, struct ubus_object *obj,
                 struct ubus_request_data *req, const char *method,
                 struct blob_attr *msg)
 {
 	struct uci_context *uci = NULL;
 	struct uci_section *login;
 	struct rpc_session *ses;
 	struct blob_attr *tb[__RPC_L_MAX];
 	int timeout = RPC_DEFAULT_SESSION_TIMEOUT;
 	int rv = 0;
 	blobmsg_parse(acl_policy, __RPC_L_MAX, tb, blob_data(msg), blob_len(msg));
 	if (!tb[RPC_L_USERNAME] || !tb[RPC_L_PASSWORD]) {
 		rv = UBUS_STATUS_INVALID_ARGUMENT;
 		goto out;
 	}
 	uci = uci_alloc_context();
 	if (!uci) {
 		rv = UBUS_STATUS_UNKNOWN_ERROR;
 		goto out;
 	}
 	login = rpc_login_test_login(uci, blobmsg_get_string(tb[RPC_L_USERNAME]),
 	                                  blobmsg_get_string(tb[RPC_L_PASSWORD]));
 	if (!login) {
 		rv = UBUS_STATUS_PERMISSION_DENIED;
 		goto out;
 	}
 	if (tb[RPC_L_TIMEOUT])
 		timeout = blobmsg_get_u32(tb[RPC_L_TIMEOUT]);
 	ses = rpc_session_create(timeout);
 	if (!ses) {
 		rv = UBUS_STATUS_UNKNOWN_ERROR;
 		goto out;
 	}
 	rpc_login_setup_acls(ses, login);
 	rpc_session_set(ses, "user", tb[RPC_L_USERNAME]);
 	rpc_session_dump(ses, ctx, req);
 out:
 	if (uci)
 		uci_free_context(uci);
 	return rv;
 }
 static bool
 rpc_validate_sid(const char *id)
 {
@ -868,6 +1216,8 @@ rpc_session_from_blob(struct blob_attr *attr)
 int rpc_session_api_init(struct ubus_context *ctx)
 {
 	struct rpc_session *ses;
 	static const struct ubus_method session_methods[] = {
 		UBUS_METHOD("create",  rpc_handle_create,  &new_policy),
 		UBUS_METHOD("list",    rpc_handle_list,    &sid_policy),
@ -878,6 +1228,7 @@ int rpc_session_api_init(struct ubus_context *ctx)
 		UBUS_METHOD("get",     rpc_handle_get,     get_policy),
 		UBUS_METHOD("unset",   rpc_handle_unset,   get_policy),
 		UBUS_METHOD("destroy", rpc_handle_destroy, &sid_policy),
 		UBUS_METHOD("login",   rpc_handle_login,   login_policy),
 	};
 	static struct ubus_object_type session_type =
@ -892,6 +1243,15 @@ int rpc_session_api_init(struct ubus_context *ctx)
 	avl_init(&sessions, avl_strcmp, false, NULL);
 	/* setup the default session */
 	ses = rpc_session_new();
 	if (ses) {
 		strcpy(ses->id, RPC_DEFAULT_SESSION_ID);
 		rpc_login_setup_acls(ses, NULL);
 		avl_insert(&sessions, &ses->avl);
 	}
 	return ubus_add_object(ctx, &obj);
 }
@ -928,6 +1288,10 @@ void rpc_session_freeze(void)
 		mkdir(RPC_SESSION_DIRECTORY, 0700);
 	avl_for_each_element(&sessions, ses, avl) {
 		/* skip default session */
 		if (!strcmp(ses->id, RPC_DEFAULT_SESSION_ID))
 			continue;
 		snprintf(path, sizeof(path) - 1, RPC_SESSION_DIRECTORY "/%s", ses->id);
 		rpc_session_to_blob(ses);
 		rpc_blob_to_file(path, buf.head);
--- a/unauthenticated.json
+++ b/unauthenticated.json
@ -0,0 +1,13 @@
 {
 	"unauthenticated": {
 		"description": "Access controls for unauthenticated requests",
 		"read": {
 			"ubus": {
 				"session": [
 					"access",
 					"login"
 				]
 			}
 		}
 	}
 }