Optional authentication by access token (#529)

* Added authentication by access token

* No authentication is required for getting the rascsi version

* Added comment

* Interface description update

* Manpage update

* Added error code

* Enum value update (backwards compatible)

* Error code update

* Error code update

* Added CHECK_AUTHENTICATION

* Comment update

* VERSION_INFO also requires authentication

* rasctl: Made token an optional parameter for -P

* Fixed interface comment
Uwe Seimet 2021-12-19 11:54:10 +01:00 committed by GitHub
parent e32211ef73
commit ec31198d83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 159 additions and 62 deletions


@ -5,6 +5,7 @@ rascsi \- Emulates SCSI devices using the Raspberry Pi GPIO pins
.B rascsi .B rascsi
[\fB\-F\f® \fIFOLDER\fR] [\fB\-F\f® \fIFOLDER\fR]
[\fB\-L\f® \fILOG_LEVEL\fR] [\fB\-L\f® \fILOG_LEVEL\fR]
[\fB\-P\f® \fIACCESS_TOKEN_FILE\fR]
[\fB\-R\fR \fISCAN_DEPTH\fR] [\fB\-R\fR \fISCAN_DEPTH\fR]
[\fB\-h\fR] [\fB\-h\fR]
[\fB\-n\fR \fIVENDOR:PRODUCT:REVISION\fR] [\fB\-n\fR \fIVENDOR:PRODUCT:REVISION\fR]
@ -53,8 +54,11 @@ The default folder for image files. For files in this folder no absolute path ne
.BR \-L\fI " " \fILOG_LEVEL .BR \-L\fI " " \fILOG_LEVEL
The rascsi log level (trace, debug, info, warn, err, critical, off). The default log level is 'info'. The rascsi log level (trace, debug, info, warn, err, critical, off). The default log level is 'info'.
.TP .TP
.BR \-P\fI " " \fIACCESS_TOKEN_FILE
Enable authentication and read the access token from the specified file. The access token file must be owned by root and must be readable by root only.
.TP
.BR \-R\fI " " \fISCAN_DEPTH .BR \-R\fI " " \fISCAN_DEPTH
Scan for image files recursively, up to a depth -f SCAN_DEPTH. Be careful when using this option with many sub-folders in the default image folder. Scan for image files recursively, up to a depth of SCAN_DEPTH. Be careful when using this option with many sub-folders in the default image folder.
.TP .TP
.BR \-h\fI " " \fI .BR \-h\fI " " \fI
Show a help page. Show a help page.
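Review bot: The -P text says the token file "must be owned by root and must be readable by root only", but the check added in ReadAccessToken in this commit also rejects a non-zero st_gid and any group or other write bit. State the full requirement here (owner and group root, no group or other read/write permission) so that a file rejected at startup can be explained from the man page alone.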


@ -6,9 +6,10 @@ NAME
rascsi - Emulates SCSI devices using the Raspberry Pi GPIO pins rascsi - Emulates SCSI devices using the Raspberry Pi GPIO pins
SYNOPSIS SYNOPSIS
rascsi [-F[u00AE] FOLDER] [-L[u00AE] LOG_LEVEL] [-R SCAN_DEPTH] [-h] rascsi [-F[u00AE] FOLDER] [-L[u00AE] LOG_LEVEL] [-P[u00AE] ACCESS_TO
[-n VENDOR:PRODUCT:REVISION] [-p[u00AE] PORT] [-r RESERVED_IDS] [-n KEN_FILE] [-R SCAN_DEPTH] [-h] [-n VENDOR:PRODUCT:REVISION] [-p[u00AE]
TYPE] [-v] [-IDn:[u] FILE] [-HDn[:u] FILE]... PORT] [-r RESERVED_IDS] [-n TYPE] [-v] [-IDn:[u] FILE] [-HDn[:u]
FILE]...
DESCRIPTION DESCRIPTION
rascsi Emulates SCSI devices using the Raspberry Pi GPIO pins. rascsi Emulates SCSI devices using the Raspberry Pi GPIO pins.
@ -65,8 +66,13 @@ OPTIONS
The rascsi log level (trace, debug, info, warn, err, critical, The rascsi log level (trace, debug, info, warn, err, critical,
off). The default log level is 'info'. off). The default log level is 'info'.
-P ACCESS_TOKEN_FILE
Enable authentication and read the access token from the speci
fied file. The access token file must be owned by root and must
be readable by root only.
-R SCAN_DEPTH -R SCAN_DEPTH
Scan for image files recursively, up to a depth -f SCAN_DEPTH. Scan for image files recursively, up to a depth of SCAN_DEPTH.
Be careful when using this option with many sub-folders in the Be careful when using this option with many sub-folders in the
default image folder. default image folder.


@ -12,6 +12,7 @@ rasctl \- Sends management commands to the rascsi process
\fB\-I\fR | \fB\-I\fR |
\fB\-L\fR | \fB\-L\fR |
\fB\-O\fR | \fB\-O\fR |
\fB\-P\fR |
\fB\-T\fR | \fB\-T\fR |
\fB\-V\fR | \fB\-V\fR |
\fB\-X\fR | \fB\-X\fR |
@ -72,6 +73,9 @@ Lists all available network interfaces provided that they are up.
.BR \-O\fI .BR \-O\fI
Display the available rascsi server log levels and the current log level. Display the available rascsi server log levels and the current log level.
.TP .TP
.BR \-P\fI
Prompt for the access token in case rascsi requires authentication.
.TP
.BR \-l\fI .BR \-l\fI
List all of the devices that are currently being emulated by RaSCSI, as well as their current status. List all of the devices that are currently being emulated by RaSCSI, as well as their current status.
.TP .TP
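Review bot: The new -P entry documents only the prompt, while the rasctl option parsing in this commit registers the option as 'P::' and the usage text prints '[-P TOKEN]', so the optional token argument is undocumented. Either document the argument form and how it has to be written, or keep the option prompt-only as described here.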


@ -1,15 +1,13 @@
!! ------ THIS FILE IS AUTO_GENERATED! DO NOT MANUALLY UPDATE!!! !! ------ THIS FILE IS AUTO_GENERATED! DO NOT MANUALLY UPDATE!!!
!! ------ The native file is rasctl.1. Re-run 'make docs' after updating !! ------ The native file is rasctl.1. Re-run 'make docs' after updating\n\n
rascsi(1) General Commands Manual rascsi(1) rascsi(1) General Commands Manual rascsi(1)
NAME NAME
rasctl - Sends management commands to the rascsi process rasctl - Sends management commands to the rascsi process
SYNOPSIS SYNOPSIS
rasctl -e | -l | -m | -s | -v | -D | -I | -L | -O | -T | -V | -X | [-C rasctl -e | -l | -m | -s | -v | -D | -I | -L | -O | -P | -T | -V | -X |
FILENAME:FILESIZE] [-E FILENAME] [-F IMAGE_FOLDER] [-R CUR [-C FILENAME:FILESIZE] [-E FILENAME] [-F IMAGE_FOLDER] [-R CUR
RENT_NAME:NEW_NAME] [-c CMD] [-f FILE|PARAM] [-g LOG_LEVEL] [-h HOST] RENT_NAME:NEW_NAME] [-c CMD] [-f FILE|PARAM] [-g LOG_LEVEL] [-h HOST]
[-i ID [-n NAME] [-p PORT] [-r RESERVED_IDS] [-t TYPE] [-u UNIT] [-x [-i ID [-n NAME] [-p PORT] [-r RESERVED_IDS] [-t TYPE] [-u UNIT] [-x
CURRENT_NAME:NEW_NAME] CURRENT_NAME:NEW_NAME]
@ -55,6 +53,9 @@ OPTIONS
-O Display the available rascsi server log levels and the current -O Display the available rascsi server log levels and the current
log level. log level.
-P Prompt for the access token in case rascsi requires authentica
tion.
-l List all of the devices that are currently being emulated by -l List all of the devices that are currently being emulated by
RaSCSI, as well as their current status. RaSCSI, as well as their current status.


@ -120,7 +120,7 @@ int protobuf_util::ReadNBytes(int fd, uint8_t *buf, int n)
} }
bool protobuf_util::ReturnStatus(int fd, bool status, const string msg) bool protobuf_util::ReturnStatus(int fd, bool status, const string msg, const PbErrorCode error_code)
{ {
if (!status && !msg.empty()) { if (!status && !msg.empty()) {
LOGERROR("%s", msg.c_str()); LOGERROR("%s", msg.c_str());
@ -142,6 +142,7 @@ bool protobuf_util::ReturnStatus(int fd, bool status, const string msg)
else { else {
PbResult result; PbResult result;
result.set_status(status); result.set_status(status);
result.set_error_code(error_code);
result.set_msg(msg); result.set_msg(msg);
SerializeMessage(fd, result); SerializeMessage(fd, result);
} }


@ -29,6 +29,6 @@ namespace protobuf_util
void SerializeMessage(int, const google::protobuf::Message&); void SerializeMessage(int, const google::protobuf::Message&);
void DeserializeMessage(int, google::protobuf::Message&); void DeserializeMessage(int, google::protobuf::Message&);
int ReadNBytes(int, uint8_t *, int); int ReadNBytes(int, uint8_t *, int);
bool ReturnStatus(int, bool = true, const string = ""); bool ReturnStatus(int, bool = true, const string = "", const PbErrorCode error_code = PbErrorCode::NO_ERROR_CODE);
bool ReturnStatus(int, bool, const ostringstream&); bool ReturnStatus(int, bool, const ostringstream&);
} }


@ -33,6 +33,7 @@
#include <string> #include <string>
#include <sstream> #include <sstream>
#include <iostream> #include <iostream>
#include <fstream>
#include <list> #include <list>
#include <vector> #include <vector>
#include <map> #include <map>
@ -67,6 +68,7 @@ pthread_t monthread; // Monitor Thread
pthread_mutex_t ctrl_mutex; // Semaphore for the ctrl array pthread_mutex_t ctrl_mutex; // Semaphore for the ctrl array
static void *MonThread(void *param); static void *MonThread(void *param);
string current_log_level; // Some versions of spdlog do not support get_log_level() string current_log_level; // Some versions of spdlog do not support get_log_level()
string access_token;
set<int> reserved_ids; set<int> reserved_ids;
int scan_depth = 0; int scan_depth = 0;
DeviceFactory& device_factory = DeviceFactory::instance(); DeviceFactory& device_factory = DeviceFactory::instance();
@ -374,6 +376,43 @@ bool MapController(Device **map)
return status; return status;
} }
bool ReadAccessToken(const char *filename)
{
struct stat st;
if (stat(filename, &st) || !S_ISREG(st.st_mode)) {
cerr << "Can't access token file '" << optarg << "'" << endl;
return false;
}
if (st.st_uid || st.st_gid || (st.st_mode & (S_IROTH | S_IWOTH | S_IRGRP | S_IWGRP))) {
cerr << "Access token file '" << optarg << "' must be owned by root and readable by root only" << endl;
return false;
}
ifstream token_file(filename, ifstream::in);
if (token_file.fail()) {
cerr << "Can't open access token file '" << optarg << "'" << endl;
return false;
}
getline(token_file, access_token);
if (token_file.fail()) {
token_file.close();
cerr << "Can't read access token file '" << optarg << "'" << endl;
return false;
}
if (access_token.empty()) {
token_file.close();
cerr << "Access token file '" << optarg << "' must not be empty" << endl;
return false;
}
token_file.close();
return true;
}
string ValidateLunSetup(const PbCommand& command, const vector<Device *>& existing_devices) string ValidateLunSetup(const PbCommand& command, const vector<Device *>& existing_devices)
{ {
// Mapping of available LUNs (bit vector) to devices // Mapping of available LUNs (bit vector) to devices
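Review bot: Every error message in ReadAccessToken prints the global optarg instead of the filename parameter, which is only correct while the function is called from inside the getopt loop; use filename. The ownership and mode check is also made with stat() on the path and the file is then opened separately through ifstream, so the file that is read is not guaranteed to be the file that was checked if the path is replaced in between. Opening the file first and running the same checks with fstat() on that descriptor closes the gap.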
@ -973,7 +1012,8 @@ bool ProcessCmd(int fd, const PbDeviceDefinition& pb_device, const PbCommand& co
assert(dryRun); assert(dryRun);
break; break;
case NONE: case CHECK_AUTHENTICATION:
case NO_OPERATION:
// Do nothing, just log // Do nothing, just log
LOGTRACE("Received %s command", PbOperation_Name(operation).c_str()); LOGTRACE("Received %s command", PbOperation_Name(operation).c_str());
break; break;
@ -1160,7 +1200,7 @@ bool ParseArgument(int argc, char* argv[], int& port)
opterr = 1; opterr = 1;
int opt; int opt;
while ((opt = getopt(argc, argv, "-IiHhb:d:n:p:r:t:D:F:L:R:")) != -1) { while ((opt = getopt(argc, argv, "-IiHhb:d:n:p:r:t:D:F:L:P:R:")) != -1) {
switch (opt) { switch (opt) {
// The three options below are kind of a compound option with two letters // The three options below are kind of a compound option with two letters
case 'i': case 'i':
@ -1223,6 +1263,12 @@ bool ParseArgument(int argc, char* argv[], int& port)
} }
continue; continue;
case 'P':
if (!ReadAccessToken(optarg)) {
return false;
}
continue;
case 'r': { case 'r': {
string error = SetReservedIds(optarg); string error = SetReservedIds(optarg);
if (!error.empty()) { if (!error.empty()) {
@ -1378,6 +1424,13 @@ static void *MonThread(void *param)
PbCommand command; PbCommand command;
DeserializeMessage(fd, command); DeserializeMessage(fd, command);
if (!access_token.empty()) {
if (access_token != GetParam(command, "token")) {
ReturnStatus(fd, false, "Authentication failed", PbErrorCode::UNAUTHORIZED);
continue;
}
}
switch(command.operation()) { switch(command.operation()) {
case LOG_LEVEL: { case LOG_LEVEL: {
LOGTRACE("Received %s command", PbOperation_Name(command.operation()).c_str()); LOGTRACE("Received %s command", PbOperation_Name(command.operation()).c_str());
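Review bot: The check 'access_token != GetParam(command, "token")' is an ordinary string comparison that stops at the first differing character, so the time to reject a token depends on how much of it was correct; compare with a constant-time routine instead. The failure path also just sends UNAUTHORIZED and continues the loop, with no delay or attempt counter, so nothing in this hunk limits repeated guesses against the port.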


@ -2,6 +2,8 @@
// Each rascsi message sent to the rascsi server is preceded by the magic string "RASCSI". // Each rascsi message sent to the rascsi server is preceded by the magic string "RASCSI".
// A message starts with a little endian 32 bit header which contains the protobuf message size. // A message starts with a little endian 32 bit header which contains the protobuf message size.
// Unless explicitly specified the order of repeated data returned is undefined. // Unless explicitly specified the order of repeated data returned is undefined.
// All operations accept an optional access token, specified by the "token" parameter.
// Only the VERSION_INFO operation never requires authentication.
// //
syntax = "proto3"; syntax = "proto3";
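Review bot: The added comment "Only the VERSION_INFO operation never requires authentication." does not match the check added to MonThread in this commit, which compares the token before the switch on command.operation() and therefore rejects every operation, VERSION_INFO included, once a token is configured; the commit message also lists "VERSION_INFO also requires authentication". Correct or drop the sentence so that client authors do not rely on an unauthenticated version query.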
@ -29,7 +31,7 @@ enum PbDeviceType {
// rascsi remote operations, returning PbResult // rascsi remote operations, returning PbResult
enum PbOperation { enum PbOperation {
NONE = 0; NO_OPERATION = 0;
// Attach devices and return the new device list (PbDevicesInfo) // Attach devices and return the new device list (PbDevicesInfo)
// Parameters (mutually exclusive): // Parameters (mutually exclusive):
@ -158,6 +160,19 @@ enum PbOperation {
// Parameters: // Parameters:
// "file": The filename, relative to the default image folder. It must not contain a slash. // "file": The filename, relative to the default image folder. It must not contain a slash.
UNPROTECT_IMAGE = 29; UNPROTECT_IMAGE = 29;
// Check whether an authentication token is valid. A client can use this in operation in order to
// find out whether rascsi authentication is enable or to use rascsi authentication for securing
// client-internal operations.
CHECK_AUTHENTICATION = 30;
}
// rascsi special purpose error codes for cases where a textual error message is not sufficient
enum PbErrorCode {
// No error code available
NO_ERROR_CODE = 0;
// Authentication/Authorization error
UNAUTHORIZED = 1;
} }
// The supported file extensions mapped to their respective device types // The supported file extensions mapped to their respective device types
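Review bot: The CHECK_AUTHENTICATION comment has two wording slips, "use this in operation" and "authentication is enable"; suggested text: "A client can use this operation in order to find out whether rascsi authentication is enabled". It would also help to say what a client gets back on rejection, which per the MonThread change is a PbResult with status false and error_code UNAUTHORIZED.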
@ -309,6 +324,8 @@ message PbResult {
bool status = 1; bool status = 1;
// An optional error or information message, depending on the status. A string without trailing CR/LF. // An optional error or information message, depending on the status. A string without trailing CR/LF.
string msg = 2; string msg = 2;
// An optional error code. Only to be used in cases where textual information is not sufficient.
PbErrorCode error_code = 13;
// Optional additional result data // Optional additional result data
oneof result { oneof result {
// The result of a SERVER_INFO command // The result of a SERVER_INFO command


@ -52,7 +52,7 @@ PbOperation ParseOperation(const char *optarg)
return DEVICES_INFO; return DEVICES_INFO;
default: default:
return NONE; return NO_OPERATION;
} }
} }
@ -101,7 +101,7 @@ int main(int argc, char* argv[])
cerr << "version " << rascsi_get_version_string() << " (" << __DATE__ << ", " << __TIME__ << ")" << endl; cerr << "version " << rascsi_get_version_string() << " (" << __DATE__ << ", " << __TIME__ << ")" << endl;
cerr << "Usage: " << argv[0] << " -i ID [-u UNIT] [-c CMD] [-C FILE] [-t TYPE] [-b BLOCK_SIZE] [-n NAME] [-f FILE|PARAM] "; cerr << "Usage: " << argv[0] << " -i ID [-u UNIT] [-c CMD] [-C FILE] [-t TYPE] [-b BLOCK_SIZE] [-n NAME] [-f FILE|PARAM] ";
cerr << "[-F IMAGE_FOLDER] [-L LOG_LEVEL] [-h HOST] [-p PORT] [-r RESERVED_IDS] "; cerr << "[-F IMAGE_FOLDER] [-L LOG_LEVEL] [-h HOST] [-p PORT] [-r RESERVED_IDS] ";
cerr << "[-C FILENAME:FILESIZE] [-d FILENAME] [-w FILENAME] [-R CURRENT_NAME:NEW_NAME] [-x CURRENT_NAME:NEW_NAME] "; cerr << "[-C FILENAME:FILESIZE] [-d FILENAME] [-w FILENAME] [-P TOKEN] [-R CURRENT_NAME:NEW_NAME] [-x CURRENT_NAME:NEW_NAME] ";
cerr << "[-e] [-E FILENAME] [-D] [-I] [-l] [-L] [-m] [-O] [-s] [-v] [-V] [-y] [-X]" << endl; cerr << "[-e] [-E FILENAME] [-D] [-I] [-l] [-L] [-m] [-O] [-s] [-v] [-V] [-y] [-X]" << endl;
cerr << " where ID := {0-7}" << endl; cerr << " where ID := {0-7}" << endl;
cerr << " UNIT := {0-31}, default is 0" << endl; cerr << " UNIT := {0-31}, default is 0" << endl;
@ -134,11 +134,12 @@ int main(int argc, char* argv[])
string reserved_ids; string reserved_ids;
string image_params; string image_params;
string filename; string filename;
string token;
bool list = false; bool list = false;
opterr = 1; opterr = 1;
int opt; int opt;
while ((opt = getopt(argc, argv, "elmsvDINOTVXa:b:c:d:f:h:i:n:p:r:t:u:x:C:E:F:L:R:")) != -1) { while ((opt = getopt(argc, argv, "elmsvDINOTVXa:b:c:d:f:h:i:n:p:r:t:u:x:C:E:F:L:R:P::")) != -1) {
switch (opt) { switch (opt) {
case 'i': { case 'i': {
int id; int id;
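Review bot: The 'P::' entry in the getopt string declares an optional argument, and GNU getopt only accepts an optional argument when it is attached to the option in the same word (-PTOKEN). Written as '-P TOKEN', which is what the usage text in the previous hunk prints, optarg is null, the prompt is shown, and TOKEN is left over as a non-option argument. Either change the usage text to the attached form or make the argument mandatory with a separate prompt-only option.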
@ -176,7 +177,7 @@ int main(int argc, char* argv[])
case 'c': case 'c':
command.set_operation(ParseOperation(optarg)); command.set_operation(ParseOperation(optarg));
if (command.operation() == NONE) { if (command.operation() == NO_OPERATION) {
cerr << "Error: Unknown operation '" << optarg << "'" << endl; cerr << "Error: Unknown operation '" << optarg << "'" << endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -301,6 +302,10 @@ int main(int argc, char* argv[])
exit(EXIT_SUCCESS); exit(EXIT_SUCCESS);
break; break;
case 'P':
token = optarg ? optarg : getpass("Password: ");
break;
case 'V': case 'V':
command.set_operation(VERSION_INFO); command.set_operation(VERSION_INFO);
break; break;
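Review bot: getpass() can return a null pointer on failure, and in 'token = optarg ? optarg : getpass("Password: ");' that pointer is assigned straight to a std::string, which is undefined behaviour; check the result before assigning. getpass() is also marked obsolete in the glibc documentation, and the prompt says "Password" where the man page and the server messages say access token. A token passed as the option argument ends up in the process argument list and in shell history, so the documentation should steer users to the prompt form.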
@ -329,7 +334,7 @@ int main(int argc, char* argv[])
if (list) { if (list) {
PbCommand command_list; PbCommand command_list;
command_list.set_operation(DEVICES_INFO); command_list.set_operation(DEVICES_INFO);
RasctlCommands rasctl_commands(command_list, hostname, port); RasctlCommands rasctl_commands(command_list, hostname, port, token);
rasctl_commands.CommandDevicesInfo(); rasctl_commands.CommandDevicesInfo();
exit(EXIT_SUCCESS); exit(EXIT_SUCCESS);
} }
@ -340,7 +345,7 @@ int main(int argc, char* argv[])
AddParam(*device, "file", param); AddParam(*device, "file", param);
} }
RasctlCommands rasctl_commands(command, hostname, port); RasctlCommands rasctl_commands(command, hostname, port, token);
switch(command.operation()) { switch(command.operation()) {
case LOG_LEVEL: case LOG_LEVEL:


@ -25,15 +25,20 @@ using namespace std;
using namespace rascsi_interface; using namespace rascsi_interface;
using namespace protobuf_util; using namespace protobuf_util;
RasctlCommands::RasctlCommands(PbCommand& command, const string& hostname, int port) RasctlCommands::RasctlCommands(PbCommand& command, const string& hostname, int port, const string& token)
{ {
this->command = command; this->command = command;
this->hostname = hostname; this->hostname = hostname;
this->port = port; this->port = port;
this->token = token;
} }
void RasctlCommands::SendCommand() void RasctlCommands::SendCommand()
{ {
if (!token.empty()) {
AddParam(command, "token", token);
}
// Send command // Send command
int fd = -1; int fd = -1;
try { try {


@ -20,7 +20,7 @@ class RasctlCommands
{ {
public: public:
RasctlCommands(PbCommand&, const string&, int); RasctlCommands(PbCommand&, const string&, int, const string&);
~RasctlCommands() {}; ~RasctlCommands() {};
void SendCommand(); void SendCommand();
@ -48,6 +48,7 @@ private:
PbCommand command; PbCommand command;
string hostname; string hostname;
int port; int port;
string token;
PbResult result; PbResult result;