Provide the infrastructure to whitelist given URL from REST server
Added a plug-in which runs on each request and checks whether the requested
URL matches a whitelisted URL; if so, it allows the access, otherwise it
fails with an error message.
It reads the whitelisted URL info from a JSON file.
Resolves openbmc/openbmc#2378
Change-Id: I95e5fd080e03616a1cba2b86d951414669338b08
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f92a67a..f761df9 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -31,6 +31,7 @@
import tempfile
import re
import mimetypes
+import fnmatch
have_wsock = True
try:
from geventwebsocket import WebSocketError
@@ -1450,6 +1451,36 @@
return self.Checker(content_type, callback)
+class CheckURLPlugin(object):
+ ''' Ensures that anything read and written using only urls listed in
+ the url_config.json config file would allowed. '''
+ name = 'url_checker'
+ api = 2
+
+ def __init__(self):
+ config_path = '/usr/share/rest-dbus/url_config.json'
+ url_config = {}
+ urls = {}
+ self.pattern = {}
+ if os.path.exists(config_path):
+ try:
+ with open(config_path) as data_file:
+ url_config = json.load(data_file)
+ urls = url_config.get("urls", ["*"])
+ self.pattern = '|'.join(fnmatch.translate(p) for p in urls)
+ self.pattern = re.compile(self.pattern)
+ except ValueError as e:
+ abort(404, str(e))
+ else:
+ abort(404, "Config file path not found for Whitelisted URLs")
+
+ def apply(self, callback, route):
+
+ def wrap(*a, **kw):
+ if self.pattern.match(request.path):
+ return callback(*a, **kw)
+ abort(404,"Trying to access Blocked URL")
+ return wrap
class App(Bottle):
def __init__(self, **kw):
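Review bot: The allowlist in `CheckURLPlugin.__init__` fails open in two cases: a config file with no `urls` key falls back to `["*"]`, and `"urls": []` joins to an empty pattern, which `re.compile('')` matches against every `request.path`. Both should deny rather than allow, for example `urls = url_config.get("urls")` followed by `if not urls: raise ValueError("no whitelisted URLs configured")`. Separately, the `abort(404, ...)` calls in `__init__` run while the plugin is being constructed, not inside a request, so a missing or malformed file presumably surfaces as an exception at application start-up rather than as a 404 response. A docstring sentence saying which of those outcomes is intended would help, and the existing one could be reworded to `Allow a request only if its path matches a pattern listed in url_config.json.`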
@@ -1478,6 +1509,7 @@
self.install(JsonApiResponsePlugin(self))
self.install(JsonApiRequestPlugin())
self.install(JsonApiRequestTypePlugin())
+ self.install(CheckURLPlugin())
def install_hooks(self):
self.error_handler_type = type(self.default_error_handler)
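Review bot: The position of `self.install(CheckURLPlugin())` decides when the URL check runs, and nothing here documents the intended order. If I read Bottle's plugin handling correctly, plugins are applied in reverse installation order, so this last-installed plugin wraps the route callback innermost. A request for a blocked URL would then still pass through the JSON request plugins installed above before it is rejected. If that is intended, a comment such as `# installed last: the URL allowlist is checked after the plugins above have run` would record it; otherwise the call belongs earlier in the install list, which begins outside this hunk.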