Macintosh-HW/RASCSI
1
0
Fork 0
mirror of https://github.com/akuker/RASCSI.git synced 2025-01-02 09:35:58 +00:00
Code Issues Projects Releases Wiki Activity

Optional authentication by access token (#529)

Browse Source 
* Added authentication by access token

* No authentication is required for getting the rascsi version

* Added comment

* Interface description update

* Manpage update

* Added error code

* Enum value update (backwards compatible)

* Error code update

* Error code update

* Added CHECK_AUTHENTICATION

* Comment update

* VERSION_INFO also requires authentication

* rasctl: Made token an optional parameter for -P

* Fixed interface comment
This commit is contained in:
Uwe Seimet 2021-12-19 11:54:10 +01:00 committed by GitHub
parent e32211ef73
commit ec31198d83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 159 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/rascsi.1
View File

@ -5,6 +5,7 @@ rascsi \- Emulates SCSI devices using the Raspberry Pi GPIO pins
.B rascsi
[\fB\-F\f® \fIFOLDER\fR]
[\fB\-L\f® \fILOG_LEVEL\fR]
[\fB\-P\f® \fIACCESS_TOKEN_FILE\fR]
[\fB\-R\fR \fISCAN_DEPTH\fR]
[\fB\-h\fR]
[\fB\-n\fR \fIVENDOR:PRODUCT:REVISION\fR]
@ -53,8 +54,11 @@ The default folder for image files. For files in this folder no absolute path ne
.BR \-L\fI " " \fILOG_LEVEL
The rascsi log level (trace, debug, info, warn, err, critical, off). The default log level is 'info'.
.TP
.BR \-P\fI " " \fIACCESS_TOKEN_FILE
Enable authentication and read the access token from the specified file. The access token file must be owned by root and must be readable by root only.
.TP
.BR \-R\fI " " \fISCAN_DEPTH
Scan for image files recursively, up to a depth -f SCAN_DEPTH. Be careful when using this option with many sub-folders in the default image folder.
Scan for image files recursively, up to a depth of SCAN_DEPTH. Be careful when using this option with many sub-folders in the default image folder.
.TP
.BR \-h\fI " " \fI
Show a help page.

14
doc/rascsi_man_page.txt
View File

@ -6,9 +6,10 @@ NAME
rascsi - Emulates SCSI devices using the Raspberry Pi GPIO pins
SYNOPSIS
rascsi [-F[u00AE] FOLDER] [-L[u00AE] LOG_LEVEL] [-R SCAN_DEPTH] [-h]
[-n VENDOR:PRODUCT:REVISION] [-p[u00AE] PORT] [-r RESERVED_IDS] [-n
TYPE] [-v] [-IDn:[u] FILE] [-HDn[:u] FILE]...
rascsi [-F[u00AE] FOLDER] [-L[u00AE] LOG_LEVEL] [-P[u00AE] ACCESS_TO
KEN_FILE] [-R SCAN_DEPTH] [-h] [-n VENDOR:PRODUCT:REVISION] [-p[u00AE]
PORT] [-r RESERVED_IDS] [-n TYPE] [-v] [-IDn:[u] FILE] [-HDn[:u]
FILE]...
DESCRIPTION
rascsi Emulates SCSI devices using the Raspberry Pi GPIO pins.
@ -65,8 +66,13 @@ OPTIONS
The rascsi log level (trace, debug, info, warn, err, critical,
off). The default log level is 'info'.
-P ACCESS_TOKEN_FILE
Enable authentication and read the access token from the speci
fied file. The access token file must be owned by root and must
be readable by root only.
-R SCAN_DEPTH
Scan for image files recursively, up to a depth -f SCAN_DEPTH.
Scan for image files recursively, up to a depth of SCAN_DEPTH.
Be careful when using this option with many sub-folders in the
default image folder.

4
doc/rasctl.1
View File

@ -12,6 +12,7 @@ rasctl \- Sends management commands to the rascsi process
\fB\-I\fR |
\fB\-L\fR |
\fB\-O\fR |
\fB\-P\fR |
\fB\-T\fR |
\fB\-V\fR |
\fB\-X\fR |
@ -72,6 +73,9 @@ Lists all available network interfaces provided that they are up.
.BR \-O\fI
Display the available rascsi server log levels and the current log level.
.TP
.BR \-P\fI
Prompt for the access token in case rascsi requires authentication.
.TP
.BR \-l\fI
List all of the devices that are currently being emulated by RaSCSI, as well as their current status.
.TP

11
doc/rasctl_man_page.txt
View File

@ -1,15 +1,13 @@
!! ------ THIS FILE IS AUTO_GENERATED! DO NOT MANUALLY UPDATE!!!
!! ------ The native file is rasctl.1. Re-run 'make docs' after updating
!! ------ The native file is rasctl.1. Re-run 'make docs' after updating\n\n
rascsi(1) General Commands Manual rascsi(1)
NAME
rasctl - Sends management commands to the rascsi process
SYNOPSIS
rasctl -e | -l | -m | -s | -v | -D | -I | -L | -O | -T | -V | -X | [-C
FILENAME:FILESIZE] [-E FILENAME] [-F IMAGE_FOLDER] [-R CUR
rasctl -e | -l | -m | -s | -v | -D | -I | -L | -O | -P | -T | -V | -X |
[-C FILENAME:FILESIZE] [-E FILENAME] [-F IMAGE_FOLDER] [-R CUR
RENT_NAME:NEW_NAME] [-c CMD] [-f FILE|PARAM] [-g LOG_LEVEL] [-h HOST]
[-i ID [-n NAME] [-p PORT] [-r RESERVED_IDS] [-t TYPE] [-u UNIT] [-x
CURRENT_NAME:NEW_NAME]
@ -55,6 +53,9 @@ OPTIONS
-O Display the available rascsi server log levels and the current
log level.
-P Prompt for the access token in case rascsi requires authentica
tion.
-l List all of the devices that are currently being emulated by
RaSCSI, as well as their current status.

3
src/raspberrypi/protobuf_util.cpp
View File

@ -120,7 +120,7 @@ int protobuf_util::ReadNBytes(int fd, uint8_t *buf, int n)
}
bool protobuf_util::ReturnStatus(int fd, bool status, const string msg)
bool protobuf_util::ReturnStatus(int fd, bool status, const string msg, const PbErrorCode error_code)
{
if (!status && !msg.empty()) {
LOGERROR("%s", msg.c_str());
@ -142,6 +142,7 @@ bool protobuf_util::ReturnStatus(int fd, bool status, const string msg)
else {
PbResult result;
result.set_status(status);
result.set_error_code(error_code);
result.set_msg(msg);
SerializeMessage(fd, result);
}

2
src/raspberrypi/protobuf_util.h
View File

@ -29,6 +29,6 @@ namespace protobuf_util
void SerializeMessage(int, const google::protobuf::Message&);
void DeserializeMessage(int, google::protobuf::Message&);
int ReadNBytes(int, uint8_t *, int);
bool ReturnStatus(int, bool = true, const string = "");
bool ReturnStatus(int, bool = true, const string = "", const PbErrorCode error_code = PbErrorCode::NO_ERROR_CODE);
bool ReturnStatus(int, bool, const ostringstream&);
}

57
src/raspberrypi/rascsi.cpp
View File

@ -33,6 +33,7 @@
#include <string>
#include <sstream>
#include <iostream>
#include <fstream>
#include <list>
#include <vector>
#include <map>
@ -67,6 +68,7 @@ pthread_t monthread; // Monitor Thread
pthread_mutex_t ctrl_mutex; // Semaphore for the ctrl array
static void *MonThread(void *param);
string current_log_level; // Some versions of spdlog do not support get_log_level()
string access_token;
set<int> reserved_ids;
int scan_depth = 0;
DeviceFactory& device_factory = DeviceFactory::instance();
@ -374,6 +376,43 @@ bool MapController(Device **map)
return status;
}
bool ReadAccessToken(const char *filename)
{
struct stat st;
if (stat(filename, &st) || !S_ISREG(st.st_mode)) {
cerr << "Can't access token file '" << optarg << "'" << endl;
return false;
}
if (st.st_uid || st.st_gid || (st.st_mode & (S_IROTH | S_IWOTH | S_IRGRP | S_IWGRP))) {
cerr << "Access token file '" << optarg << "' must be owned by root and readable by root only" << endl;
return false;
}
ifstream token_file(filename, ifstream::in);
if (token_file.fail()) {
cerr << "Can't open access token file '" << optarg << "'" << endl;
return false;
}
getline(token_file, access_token);
if (token_file.fail()) {
token_file.close();
cerr << "Can't read access token file '" << optarg << "'" << endl;
return false;
}
if (access_token.empty()) {
token_file.close();
cerr << "Access token file '" << optarg << "' must not be empty" << endl;
return false;
}
token_file.close();
return true;
}
string ValidateLunSetup(const PbCommand& command, const vector<Device *>& existing_devices)
{
// Mapping of available LUNs (bit vector) to devices
@ -973,7 +1012,8 @@ bool ProcessCmd(int fd, const PbDeviceDefinition& pb_device, const PbCommand& co
assert(dryRun);
break;
case NONE:
case CHECK_AUTHENTICATION:
case NO_OPERATION:
// Do nothing, just log
LOGTRACE("Received %s command", PbOperation_Name(operation).c_str());
break;
@ -1160,7 +1200,7 @@ bool ParseArgument(int argc, char* argv[], int& port)
opterr = 1;
int opt;
while ((opt = getopt(argc, argv, "-IiHhb:d:n:p:r:t:D:F:L:R:")) != -1) {
while ((opt = getopt(argc, argv, "-IiHhb:d:n:p:r:t:D:F:L:P:R:")) != -1) {
switch (opt) {
// The three options below are kind of a compound option with two letters
case 'i':
@ -1223,6 +1263,12 @@ bool ParseArgument(int argc, char* argv[], int& port)
}
continue;
case 'P':
if (!ReadAccessToken(optarg)) {
return false;
}
continue;
case 'r': {
string error = SetReservedIds(optarg);
if (!error.empty()) {
@ -1378,6 +1424,13 @@ static void *MonThread(void *param)
PbCommand command;
DeserializeMessage(fd, command);
if (!access_token.empty()) {
if (access_token != GetParam(command, "token")) {
ReturnStatus(fd, false, "Authentication failed", PbErrorCode::UNAUTHORIZED);
continue;
}
}
switch(command.operation()) {
case LOG_LEVEL: {
LOGTRACE("Received %s command", PbOperation_Name(command.operation()).c_str());

19
src/raspberrypi/rascsi_interface.proto
View File

@ -2,6 +2,8 @@
// Each rascsi message sent to the rascsi server is preceded by the magic string "RASCSI".
// A message starts with a little endian 32 bit header which contains the protobuf message size.
// Unless explicitly specified the order of repeated data returned is undefined.
// All operations accept an optional access token, specified by the "token" parameter.
// Only the VERSION_INFO operation never requires authentication.
//
syntax = "proto3";
@ -29,7 +31,7 @@ enum PbDeviceType {
// rascsi remote operations, returning PbResult
enum PbOperation {
NONE = 0;
NO_OPERATION = 0;
// Attach devices and return the new device list (PbDevicesInfo)
// Parameters (mutually exclusive):
@ -158,6 +160,19 @@ enum PbOperation {
// Parameters:
// "file": The filename, relative to the default image folder. It must not contain a slash.
UNPROTECT_IMAGE = 29;
// Check whether an authentication token is valid. A client can use this in operation in order to
// find out whether rascsi authentication is enable or to use rascsi authentication for securing
// client-internal operations.
CHECK_AUTHENTICATION = 30;
}
// rascsi special purpose error codes for cases where a textual error message is not sufficient
enum PbErrorCode {
// No error code available
NO_ERROR_CODE = 0;
// Authentication/Authorization error
UNAUTHORIZED = 1;
}
// The supported file extensions mapped to their respective device types
@ -309,6 +324,8 @@ message PbResult {
bool status = 1;
// An optional error or information message, depending on the status. A string without trailing CR/LF.
string msg = 2;
// An optional error code. Only to be used in cases where textual information is not sufficient.
PbErrorCode error_code = 13;
// Optional additional result data
oneof result {
// The result of a SERVER_INFO command

17
src/raspberrypi/rasctl.cpp
View File

@ -52,7 +52,7 @@ PbOperation ParseOperation(const char *optarg)
return DEVICES_INFO;
default:
return NONE;
return NO_OPERATION;
}
}
@ -101,7 +101,7 @@ int main(int argc, char* argv[])
cerr << "version " << rascsi_get_version_string() << " (" << __DATE__ << ", " << __TIME__ << ")" << endl;
cerr << "Usage: " << argv[0] << " -i ID [-u UNIT] [-c CMD] [-C FILE] [-t TYPE] [-b BLOCK_SIZE] [-n NAME] [-f FILE|PARAM] ";
cerr << "[-F IMAGE_FOLDER] [-L LOG_LEVEL] [-h HOST] [-p PORT] [-r RESERVED_IDS] ";
cerr << "[-C FILENAME:FILESIZE] [-d FILENAME] [-w FILENAME] [-R CURRENT_NAME:NEW_NAME] [-x CURRENT_NAME:NEW_NAME] ";
cerr << "[-C FILENAME:FILESIZE] [-d FILENAME] [-w FILENAME] [-P TOKEN] [-R CURRENT_NAME:NEW_NAME] [-x CURRENT_NAME:NEW_NAME] ";
cerr << "[-e] [-E FILENAME] [-D] [-I] [-l] [-L] [-m] [-O] [-s] [-v] [-V] [-y] [-X]" << endl;
cerr << " where ID := {0-7}" << endl;
cerr << " UNIT := {0-31}, default is 0" << endl;
@ -134,11 +134,12 @@ int main(int argc, char* argv[])
string reserved_ids;
string image_params;
string filename;
string token;
bool list = false;
opterr = 1;
int opt;
while ((opt = getopt(argc, argv, "elmsvDINOTVXa:b:c:d:f:h:i:n:p:r:t:u:x:C:E:F:L:R:")) != -1) {
while ((opt = getopt(argc, argv, "elmsvDINOTVXa:b:c:d:f:h:i:n:p:r:t:u:x:C:E:F:L:R:P::")) != -1) {
switch (opt) {
case 'i': {
int id;
@ -176,7 +177,7 @@ int main(int argc, char* argv[])
case 'c':
command.set_operation(ParseOperation(optarg));
if (command.operation() == NONE) {
if (command.operation() == NO_OPERATION) {
cerr << "Error: Unknown operation '" << optarg << "'" << endl;
exit(EXIT_FAILURE);
}
@ -301,6 +302,10 @@ int main(int argc, char* argv[])
exit(EXIT_SUCCESS);
break;
case 'P':
token = optarg ? optarg : getpass("Password: ");
break;
case 'V':
command.set_operation(VERSION_INFO);
break;
@ -329,7 +334,7 @@ int main(int argc, char* argv[])
if (list) {
PbCommand command_list;
command_list.set_operation(DEVICES_INFO);
RasctlCommands rasctl_commands(command_list, hostname, port);
RasctlCommands rasctl_commands(command_list, hostname, port, token);
rasctl_commands.CommandDevicesInfo();
exit(EXIT_SUCCESS);
}
@ -340,7 +345,7 @@ int main(int argc, char* argv[])
AddParam(*device, "file", param);
}
RasctlCommands rasctl_commands(command, hostname, port);
RasctlCommands rasctl_commands(command, hostname, port, token);
switch(command.operation()) {
case LOG_LEVEL:

7
src/raspberrypi/rasctl_commands.cpp
View File

@ -25,15 +25,20 @@ using namespace std;
using namespace rascsi_interface;
using namespace protobuf_util;
RasctlCommands::RasctlCommands(PbCommand& command, const string& hostname, int port)
RasctlCommands::RasctlCommands(PbCommand& command, const string& hostname, int port, const string& token)
{
this->command = command;
this->hostname = hostname;
this->port = port;
this->token = token;
}
void RasctlCommands::SendCommand()
{
if (!token.empty()) {
AddParam(command, "token", token);
}
// Send command
int fd = -1;
try {

3
src/raspberrypi/rasctl_commands.h
View File

@ -20,7 +20,7 @@ class RasctlCommands
{
public:
RasctlCommands(PbCommand&, const string&, int);
RasctlCommands(PbCommand&, const string&, int, const string&);
~RasctlCommands() {};
void SendCommand();
@ -48,6 +48,7 @@ private:
PbCommand command;
string hostname;
int port;
string token;
PbResult result;