MXS-1354: Take REST API authorization into use

GET requests are allowed for all users while POST, PATCH, DELETE and PUT
requests are reserved for administrative users.
Markus Mäkelä
2017-08-14 14:15:50 +03:00
parent 06afbd14eb
commit a48758a9d8
2 changed files with 40 additions and 11 deletions


@ -79,6 +79,17 @@ static bool modifies_data(MHD_Connection *connection, string method)
request_data_length(connection); request_data_length(connection);
} }
static void send_auth_error(MHD_Connection *connection)
{
static char error_resp[] = "{\"errors\": [ { \"detail\": \"Access denied\" } ] }";
MHD_Response *resp =
MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp,
MHD_RESPMEM_PERSISTENT);
MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
MHD_destroy_response(resp);
}
int Client::process(string url, string method, const char* upload_data, size_t *upload_size) int Client::process(string url, string method, const char* upload_data, size_t *upload_size)
{ {
json_t* json = NULL; json_t* json = NULL;
@ -160,7 +171,7 @@ void close_client(void *cls,
delete client; delete client;
} }
bool do_auth(MHD_Connection *connection, const char* url) bool do_auth(MHD_Connection* connection, const char* url, const char* method)
{ {
bool rval = true; bool rval = true;
@ -173,17 +184,23 @@ bool do_auth(MHD_Connection *connection, const char* url)
{ {
if (config_get_global_options()->admin_log_auth_failures) if (config_get_global_options()->admin_log_auth_failures)
{ {
MXS_WARNING("Authentication failed for '%s', %s. Request: %s", user ? user : "", MXS_WARNING("Authentication failed for '%s', %s. Request: %s %s",
pw ? "using password" : "no password", url); user ? user : "", pw ? "using password" : "no password",
method, url);
} }
send_auth_error(connection);
rval = false;
}
else if (!admin_is_admin_user(user) && modifies_data(connection, method))
{
if (config_get_global_options()->admin_log_auth_failures)
{
MXS_WARNING("Authorization failed for '%s', request requires "
"administrative privileges. Request: %s %s",
user, method, url);
}
send_auth_error(connection);
rval = false; rval = false;
static char error_resp[] = "{\"errors\": [ { \"detail\": \"Access denied\" } ] }";
MHD_Response *resp =
MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp,
MHD_RESPMEM_PERSISTENT);
MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
MHD_destroy_response(resp);
} }
else else
{ {
@ -207,7 +224,7 @@ int handle_client(void *cls,
void **con_cls) void **con_cls)
{ {
if (!do_auth(connection, url)) if (!do_auth(connection, url, method))
{ {
return MHD_YES; return MHD_YES;
} }
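Review bot: The new authorization branch in do_auth gates on `modifies_data(connection, method)`, and the context lines at the top of this section show that helper ending in `request_data_length(connection)`. If the body length is part of the predicate (the helper's body starts outside the hunk), a DELETE or a body-less POST from a non-admin user would not count as modifying and would pass the admin check; the privilege decision should depend on the method alone. Separately, this branch reuses `send_auth_error`, which queues a basic-auth failure response even though the user authenticated correctly; queuing the response with `MHD_queue_response(connection, MHD_HTTP_FORBIDDEN, resp)` would tell clients the credentials were accepted but the operation is not permitted. The warning also logs `user`, `method` and `url` unescaped, and these are client-supplied, so anything parsing the log should not rely on its line structure.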


@ -572,6 +572,18 @@ admin_verify_inet_user(const char *username, const char *password)
return rv; return rv;
} }
bool admin_is_admin_user(const char* username)
{
bool rval = true; // The default `admin:mariadb` user has all permissions
if (inet_users)
{
rval = users_is_admin(inet_users, username);
}
return rval;
}
/** /**
* Print Linux and and inet users * Print Linux and and inet users
* *
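Review bot: `admin_is_admin_user` returns true for every username when `inet_users` is NULL, so the check fails open. It is correct only if authentication in that state admits nothing but the built-in default account, and that dependency on `admin_verify_inet_user` (outside this hunk) is not stated. I would add a doc comment in the style of the neighbouring functions, e.g. `/** Check whether a REST API user has administrative privileges; with no inet users loaded only the default account can authenticate, so the result is always true. */`, and document whether `username` may be NULL. Comparing `username` with the default account name in the NULL case would make the function fail closed if the authentication path ever changes.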