RBAC checking via custom authHandler function + SAF query interpretation#281
DivergentEuropeans wants to merge 82 commits into v1.x/staging from
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
@DivergentEuropeans, please see my comments.
In addition to the comments:
- Please add some documentation (preferably Doxygen) to the function prototypes; it helps to understand what they try to achieve. For example, https://github.com/zowe/zowe-common-c/blob/master/h/radmin.h#L520 ✔️
- Consider splitting getProfileNameFromRequest, it's huge and hard to follow ✔️
- You don't need to reinvent all that URL parsing, the HTTP request already has a split URL, see https://github.com/zowe/zss/blob/staging/c/securityService.c#L579. Can you use or re-use any of that? ✔️
Signed-off-by: Leonty Chudinov <lchudinov@rocketsoftware.com>
Rbac code cleanup
…into RBAC-support Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
|
TODO: When we login, the App server interprets the GET plugins query as ZLUX.0.COR.GET.PLUGINS yet ZSS interprets it as ZLUX.0.COR.GET.SAF-AUTH.ZLUX.0.COR.GET.PLUGINS.READ for some reason. Need to investigate if this is intended behaviour... |
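Review bot: a TODO recording that the App server and ZSS derive different SAF profile names (`ZLUX.0.COR.GET.PLUGINS` versus `ZLUX.0.COR.GET.SAF-AUTH.ZLUX.0.COR.GET.PLUGINS.READ`) for the same `GET plugins` request should not be merged as an open question; until both sides agree on the name, the check is evaluated against a profile that may not be defined anywhere, so resolve it (or reference the follow-up change that does) before this lands rather than leaving it in a code comment.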
…tion-for-saf-auth-service Disable RBAC authorization for saf-auth service
Fix buffer size
| const char *class = SAF_CLASS; | ||
|
|
||
| int rc = zisCheckEntity(privilegedServerName, userName, class, entity, access, &reqStatus); | ||
| zowelog(NULL, LOG_COMP_ID_SECURITY, ZOWE_LOG_DEBUG2, |
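Review bot: `class` is a C++ keyword, so `const char *class = SAF_CLASS;` will not compile if this translation unit is ever built as C++ or the pattern is copied into a shared header; rename it (for example `safClass`). While here, the `rc` returned by `zisCheckEntity` should be checked and any non-zero value treated as a denial before the result is used, with `reqStatus` included in the debug log on the failure path so a denied request can be diagnosed.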
I'd add zowedump for reqStatus so you can debug what's happening.
c/authService.c
| while (pathSegment != NULL) { | ||
| snprintf(urlSegment, sizeof(urlSegment), "%s", pathSegment->string); | ||
| strupcase(urlSegment); | ||
| if (rootServiceName == NULL) |
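Review bot: `snprintf(urlSegment, sizeof(urlSegment), "%s", pathSegment->string)` silently truncates an over-long path segment, so the profile name that is eventually checked may not correspond to the URL that was actually requested; compare the return value against `sizeof(urlSegment)` and reject the request (fail closed) when the segment does not fit, instead of continuing with a shortened segment.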
This can never be NULL. And if it was, you wouldn't want to call snprintf with rootServiceName as the destination.
| case 0: | ||
| snprintf(productCode, sizeof(productCode), urlSegment); | ||
| break; | ||
| case 1: | ||
| break; | ||
| case 2: | ||
| snprintf(pluginID, sizeof(pluginID), urlSegment); | ||
| break; | ||
| case 3: | ||
| break; | ||
| case 4: | ||
| snprintf(serviceName, sizeof(serviceName), urlSegment); | ||
| break; |
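Review bot: `snprintf(productCode, sizeof(productCode), urlSegment)` passes URL-derived text as the format string (the `pluginID` and `serviceName` cases do the same), so any `%` in a request path is interpreted as a conversion specifier; write `snprintf(productCode, sizeof(productCode), "%s", urlSegment)` and check the return value for truncation as well. The empty `case 1:` and `case 3:` bodies also deserve a one-line comment explaining why those segments are skipped.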
If these cases are never entered, these buffers will stay uninitialized, this will cause issues in setProfileNameAttribs and makeProfileName.
| setProfileNameAttribs(pluginID, serviceName, type, scope, subUrl); | ||
| int pluginIDLen = strlen(pluginID); | ||
| for (int index = 0; index < pluginIDLen; index++) { | ||
| if (pluginID[index] == '.') { |
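Review bot: the loop that inspects the `'.'` characters of `pluginID` runs after `pluginID` has already been passed to `setProfileNameAttribs`; if the loop rewrites the string, do that before the call so the attribs see the normalized value, and if it does not, add a comment saying so. In either case `strlen(pluginID)` on a buffer the earlier switch may have left unfilled is undefined behaviour, so initialize the buffer to an empty string before the switch.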
pluginID may be uninitialized.
| productCode, | ||
| instanceID, | ||
| pluginID, | ||
| rootServiceName, |
rootServiceName may be uninitialized.
|
|
||
| HttpService *httpService = makeGeneratedService("datasetContents", "/datasetContents/**"); | ||
| httpService->authType = SERVICE_AUTH_NATIVE_WITH_SESSION_TOKEN; | ||
| httpService->authorizationType = SERVICE_AUTHORIZATION_TYPE_NONE; |
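Review bot: `httpService->authorizationType = SERVICE_AUTHORIZATION_TYPE_NONE;` opts this service out of RBAC in code with no comment saying why `datasetContents` is exempt; every exemption should carry a short justification next to it. Since an exempt service is only as protected as its own `authType` check, the safer arrangement is for `makeGeneratedService` to create services in the RBAC-enforced mode by default, so that a forgotten assignment fails closed rather than open.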
Do 3rd party plugins have to do this as well and then rebuild the binaries, or will everything work without recompilation?
c/zss.c
| RbacAuthorizationData *rbacData = userData; | ||
|
|
||
| char method[16]; | ||
| snprintf(method, sizeof(method), "%s", request->method); |
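Review bot: the `snprintf` into `char method[16]` already reports truncation through its return value, so `if (snprintf(method, sizeof(method), "%s", request->method) >= (int)sizeof(method)) { /* reject */ }` catches an over-long method without a separate `strlen`; a method name that does not fit in 16 bytes is not one the RBAC check should proceed with.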
Should we validate the method length and not proceed if it's too long?
c/zss.c
| return rbacParm; | ||
| } | ||
|
|
||
| static int getZoweInstanceId() { |
Declare functions that take no parameters using a void argument, for example:
int foo(void);
Otherwise it's considered "unspecified number of parameters" by the standard.
c/zss.c
| return; | ||
| } | ||
| RbacAuthorizationData *rbacData = (RbacAuthorizationData*) safeMalloc(sizeof(*rbacData), "Rbac Authorization Data"); | ||
| if (rbacData) { |
Shouldn't we report an error and maybe terminate if this is NULL? If we silently do nothing here, ZSS is less protected and that's not going to be discovered.
h/authService.h
| #include "httpserver.h" | ||
| #include "dataservice.h" | ||
|
|
||
| #define SAF_CLASS "ZOWE" |
Can you be more specific? ZOWE_SAF_CLASS would be clearer.
Similar to what zlux-server-framework\plugins\sso-auth\lib\safprofile.js does.
Turns a SAF URL into a SAF query, i.e. /plugins GET undefined -> ZLUX.0.COR.GET.PLUGINS
ZSS now uses RBAC for Http services
List of exclusions:
'/login', '/logout', '/password', '/unixfile', '/datasetContents', '/VSAMdatasetContents', '/datasetMetadata', '/omvs', '/security-mgmt'
PR (1 of 2)
PR 2: zowe/zowe-common-c#218
Signed-off-by: Leanid Astrakou <lastrakou@rocketsoftware.com>
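An added example, not zss project code, of the mapping the PR description shows (`/plugins GET` -> `ZLUX.0.COR.GET.PLUGINS`) together with the exclusion list, done with fixed format strings and fail-closed truncation handling; `makeCoreProfileName`, `isRbacExcluded` and the buffer handling are assumptions, and only the core (`COR`) service form is covered, not the per-plugin service layout.

```c
/* Added example, not zss project code: map (method, URL path) to a SAF profile
 * name in the shape the PR shows ("/plugins GET" -> "ZLUX.0.COR.GET.PLUGINS") and
 * apply the PR's exclusion list. Names and fail-closed handling are assumptions;
 * only core (COR) services are covered, not the per-plugin service layout. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PRODUCT_CODE "ZLUX"
#define CORE_SCOPE   "COR"

/* URL roots the PR leaves outside RBAC (copied from the PR description). */
static const char *const RBAC_EXCLUSIONS[] = {
  "/login", "/logout", "/password", "/unixfile", "/datasetContents",
  "/VSAMdatasetContents", "/datasetMetadata", "/omvs", "/security-mgmt", NULL
};

/* Returns 1 when the first path segment is an excluded root service; the
 * segment must match whole, so "/loginx" is not "/login". */
int isRbacExcluded(const char *path) {
  for (const char *const *e = RBAC_EXCLUSIONS; *e != NULL; e++) {
    size_t n = strlen(*e);
    if (strncmp(path, *e, n) == 0 &&
        (path[n] == '\0' || path[n] == '/' || path[n] == '?')) return 1;
  }
  return 0;
}

/* Writes "<PRODUCT>.<instance>.COR.<METHOD>.<SEG1>.<SEG2>..." into out,
 * upper-casing segments and dropping empty segments and the query string.
 * Returns 0 on success, -1 if the name would not fit: a truncated profile is
 * not the one the caller meant to check, so the caller should deny. */
int makeCoreProfileName(int instanceId, const char *method, const char *path,
                        char *out, size_t outSize) {
  /* Fixed format string; request data is only ever passed as an argument. */
  int n = snprintf(out, outSize, "%s.%d.%s.%s", PRODUCT_CODE, instanceId, CORE_SCOPE, method);
  if (n < 0 || (size_t)n >= outSize) return -1;
  size_t len = (size_t)n;
  for (const char *p = path; *p != '\0' && *p != '?';) {
    while (*p == '/') p++;                             /* skip "/" and "//" */
    if (*p == '\0' || *p == '?') break;
    if (len + 1 >= outSize) return -1;
    out[len++] = '.';
    while (*p != '\0' && *p != '/' && *p != '?') {
      if (len + 1 >= outSize) return -1;
      out[len++] = (char)toupper((unsigned char)*p++); /* SAF profiles are upper case */
    }
  }
  out[len] = '\0';
  return 0;
}
```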