SDSTOR-8367 : add is_secure_zone for local API call (#1118)
Check authorization when the http API call is from local host
shosseinimotlagh authored and GitHub Enterprise committed Nov 24, 2022
1 parent 17ac4d8 commit 6716e25
Showing 3 changed files with 75 additions and 1 deletion.
2 changes: 1 addition & 1 deletion conanfile.py
Expand Up @@ -2,7 +2,7 @@

class HomestoreConan(ConanFile):
name = "homestore"
version = "3.5.12"
version = "3.5.13"

homepage = "https://github.corp.ebay.com/SDS/homestore"
description = "HomeStore"
73 changes: 73 additions & 0 deletions src/homeblks/homeblks_http_server.cpp
Expand Up @@ -86,13 +86,21 @@ void HomeBlksHttpServer::start() {
handler_info("/api/v1/moveVolOnline", HomeBlksHttpServer::move_vol_online, (void*)this));
#endif
}
bool HomeBlksHttpServer::is_secure_zone() {
return IM_DYNAMIC_CONFIG(io_env->encryption) || IM_DYNAMIC_CONFIG(io_env->authorization);
}

bool HomeBlksHttpServer::is_local_addr(struct sockaddr* addr) {
std::string client_ip = inet_ntoa(((struct sockaddr_in*)addr)->sin_addr);
return (std::find(m_iface_list.begin(), m_iface_list.end(), client_ip) != m_iface_list.end());
}

void HomeBlksHttpServer::get_version(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto vers{sisl::VersionMgr::getVersions()};
std::string ver_str{""};
for (auto v : vers) {
Expand All @@ -107,11 +115,21 @@ void HomeBlksHttpServer::get_metrics(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::get_prometheus_metrics(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
std::string msg = sisl::MetricsFarm::getInstance().report(sisl::ReportFormat::kTextFormat);
ioenvironment.get_http_server()->respond_OK(cd, EVHTP_RES_OK, msg);
}

void HomeBlksHttpServer::get_obj_life(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
nlohmann::json j;
sisl::ObjCounterRegistry::foreach ([&j](const std::string& name, int64_t created, int64_t alive) {
std::stringstream ss;
Expand All @@ -122,6 +140,11 @@ void HomeBlksHttpServer::get_obj_life(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::set_log_level(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

const evhtp_kv_t* _new_log_level = nullptr;
Expand Down Expand Up @@ -153,6 +176,11 @@ void HomeBlksHttpServer::set_log_level(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::get_log_level(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

const evhtp_kv_t* _log_module = nullptr;
Expand Down Expand Up @@ -182,6 +210,11 @@ void HomeBlksHttpServer::dump_stack_trace(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::get_malloc_stats(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
ioenvironment.get_http_server()->respond_OK(cd, EVHTP_RES_OK, sisl::get_malloc_stats_detailed().dump(2));
}

Expand All @@ -200,6 +233,11 @@ void HomeBlksHttpServer::verify_hs(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::get_config(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
nlohmann::json j;
j = sisl::SettingsFactoryRegistry::instance().get_json();
j["static"] = homestore::HomeStoreStaticConfig::instance().to_json();
Expand Down Expand Up @@ -242,6 +280,11 @@ bool HomeBlksHttpServer::verify_and_get_verbosity(const evhtp_request_t* req, st
}

void HomeBlksHttpServer::verify_metablk_store(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

const auto hb = to_homeblks(cd);
Expand All @@ -256,6 +299,11 @@ void HomeBlksHttpServer::verify_metablk_store(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::dump_disk_metablks(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

std::vector< std::string > clients;
Expand All @@ -282,6 +330,11 @@ void HomeBlksHttpServer::dump_disk_metablks(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::get_status(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

std::vector< std::string > modules;
Expand Down Expand Up @@ -317,6 +370,11 @@ void HomeBlksHttpServer::verify_bitmap(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::wakeup_init(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto hb = to_homeblks(cd);
hb->wakeup_init();
std::string resp{"completed"};
Expand All @@ -325,6 +383,11 @@ void HomeBlksHttpServer::wakeup_init(iomgr::HttpCallData cd) {

#ifdef _PRERELEASE
void HomeBlksHttpServer::crash_system(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req{cd->request()};

const evhtp_kv_t* _crash_type{nullptr};
Expand All @@ -345,6 +408,11 @@ void HomeBlksHttpServer::crash_system(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::move_vol_online(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

std::string vol_uuid;
Expand All @@ -368,6 +436,11 @@ void HomeBlksHttpServer::move_vol_online(iomgr::HttpCallData cd) {
}

void HomeBlksHttpServer::move_vol_offline(iomgr::HttpCallData cd) {
if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
"Access not allowed from external host");
return;
}
auto req = cd->request();

std::string vol_uuid;
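Review bot: The same five-line guard is pasted into fourteen handlers, and the hunk-header offsets suggest it did not reach all of them: the new-side shift between consecutive hunks equals exactly the lines added up to that point, so get_metrics, dump_stack_trace, verify_hs and verify_bitmap (visible only as hunk-header context) appear to remain unguarded — please confirm whether leaving those reachable from external hosts is intended. Factoring the check into one helper that sends the 403 and returns false reduces each handler to `if (!verify_local_access(cd)) return;` and makes a missed handler obvious; it needs a matching `static bool verify_local_access(iomgr::HttpCallData cd);` beside `is_secure_zone` in homeblks_http_server.hpp. The guard also depends on the pre-existing is_local_addr, which casts the sockaddr to sockaddr_in without checking `sa_family` and formats it with the non-reentrant inet_ntoa; if the listener can accept IPv6 or AF_UNIX connections the comparison against m_iface_list is meaningless for them, so a `sa_family` check (with inet_ntop into a local buffer) is worth adding before this function is relied on for authorization. Lastly, is_secure_zone is inserted on the line directly after start()'s closing brace with no separating blank line.
```cpp
// Returns true when the caller may proceed; otherwise a 403 has already been sent.
bool HomeBlksHttpServer::verify_local_access(iomgr::HttpCallData cd) {
    if (is_secure_zone() && !is_local_addr(cd->request()->conn->saddr)) {
        ioenvironment.get_http_server()->respond_NOTOK(cd, EVHTP_RES_FORBIDDEN,
                                                       "Access not allowed from external host");
        return false;
    }
    return true;
}

void HomeBlksHttpServer::get_version(iomgr::HttpCallData cd) {
    if (!verify_local_access(cd)) return;
    // … unchanged: version reporting …
}
// … the other guarded handlers use the same one-line check …
```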
1 change: 1 addition & 0 deletions src/homeblks/homeblks_http_server.hpp
Expand Up @@ -17,6 +17,7 @@ class HomeBlksHttpServer {
void register_api_post_start();

static bool is_local_addr(struct sockaddr* addr);
static bool is_secure_zone();

static void get_version(iomgr::HttpCallData cd);
static void get_metrics(iomgr::HttpCallData cd);
