Added basic command whitelist functionality

dteteruk · dteteruk · commit e1454e292e1e · 2013-10-15T16:55:36.000+03:00
diff --git a/inc/webdriver_access.h b/inc/webdriver_access.h
@@ -0,0 +1,37 @@
+#ifndef WEBDRIVER_ACCESS_H
+#define WEBDRIVER_ACCESS_H
+
+#include <string>
+#include <vector>
+#include "base/file_util.h"
+
+namespace webdriver {
+
+struct AccessCommandTable
+{
+    std::string method;
+    std::string url;
+};
+
+struct AccessRule {
+    long host_ip;
+    bool allowed;
+    std::vector<AccessCommandTable> commandList;
+};
+
+class AccessValidator
+{
+public:
+    AccessValidator();
+    ~AccessValidator();
+    void setWhiteList(FilePath &xmlPath);
+    bool isAllowed(const long &remote_ip, const std::string &url, const std::string &method);
+
+private:
+    bool convertIpString(const char *str_ip, long *int_ip);
+    std::vector<AccessRule> accessList;
+};
+
+}  // namespace webdriver
+
+#endif // WEBDRIVER_ACCESS_H
diff --git a/inc/webdriver_server.h b/inc/webdriver_server.h
@@ -61,6 +61,7 @@ For all options please refer:
 #include "base/command_line.h"
 #include "base/memory/singleton.h"
 #include "base/values.h"
+#include "webdriver_access.h"
 
 struct mg_context;
 struct mg_connection;
@@ -127,6 +128,7 @@ class Server {
     std::string url_base_;
     struct mg_context* mg_ctx_;
     State state_;
+    AccessValidator accessValidor;
 
     void DispatchCommand(const std::string& matched_route,
                          Command* command_ptr,
diff --git a/inc/webdriver_switches.h b/inc/webdriver_switches.h
@@ -79,6 +79,13 @@ class Switches {
     /// if parameter specified, user input device enabled
     static const char kUserInputDevice[];
 
+    /// \page page_webdriver_switches WD Server switches
+    /// - <b>config</b><br>
+    /// The path to whitelist file (e.g. whitelist.xml) in
+    /// XML format with specified list of IP with allowed/disallowed
+    /// commands for each of them
+    static const char kWhiteList[];
+
 };
 
 }  // namespace webdriver
diff --git a/src/webdriver/webdriver_access.cc b/src/webdriver/webdriver_access.cc
@@ -0,0 +1,176 @@
+#include "webdriver_access.h"
+#include "webdriver_logging.h"
+#include <base/string_util.h>
+#include "third_party/pugixml/pugixml.hpp"
+
+namespace webdriver {
+
+AccessValidator::AccessValidator(){
+}
+
+AccessValidator::~AccessValidator(){
+}
+
+bool AccessValidator::isAllowed(const long &remote_ip, const std::string &url, const std::string &method)
+{
+    if (accessList.empty())
+        return true;
+    bool result = false;
+    for (std::vector<AccessRule>::iterator it = accessList.begin(); it != accessList.end(); ++it)
+    {
+        AccessRule host = *it;
+        if (host.host_ip == remote_ip)
+        {
+            if (!host.allowed) {
+                for (std::vector<AccessCommandTable>::iterator it = host.commandList.begin(); it != host.commandList.end(); ++it) {
+                    AccessCommandTable table = *it;
+                    if (MatchPattern(url, table.url) && MatchPattern(method, table.method))
+                        return false;
+                }
+                return true;
+            } else {
+                if (host.commandList.empty())
+                    return true;
+                for (std::vector<AccessCommandTable>::iterator it = host.commandList.begin(); it != host.commandList.end(); ++it) {
+                    AccessCommandTable table = *it;
+                    if (MatchPattern(url, table.url) && MatchPattern(method, table.method))
+                        return true;
+                }
+                return false;
+            }
+        }
+    }
+    return result;
+}
+
+void AccessValidator::setWhiteList(FilePath &xmlPath)
+{
+    std::string white_list;
+
+    if (file_util::ReadFileToString(xmlPath, &white_list))
+    {
+        const void* content = white_list.c_str();
+        int content_size = white_list.size();
+
+        pugi::xml_document doc;
+        pugi::xml_parse_result result = doc.load_buffer(content, content_size);
+
+        if (result) {
+            // Select host nodes
+            pugi::xpath_query query_nodes("/hosts/host");
+            pugi::xpath_node_set found_nodes = query_nodes.evaluate_node_set(doc);
+
+            if ( (NULL == query_nodes.result().error) &&
+                 (pugi::xpath_type_node_set == query_nodes.return_type()) ) {
+                for (pugi::xpath_node_set::const_iterator it = found_nodes.begin(); it != found_nodes.end(); ++it) {
+                    pugi::xpath_node node = *it;
+                    pugi::xml_node xnode = node.node();
+                    pugi::xml_attribute atr = xnode.attribute("ip");
+
+                    AccessRule rule;
+                    if (!convertIpString(atr.value(), &rule.host_ip)) {
+                        std::string error_descr = "WhiteList: "+ std::string(atr.value()) + " is not a valid ip address";
+                        GlobalLogger::Log(kWarningLogLevel, error_descr);
+                        continue;
+                    }
+
+                    rule.allowed = true;
+                    pugi::xpath_query query_nodes("./deny");
+                    pugi::xpath_node_set deny_nodes = query_nodes.evaluate_node_set(xnode);
+                    if ( (NULL == query_nodes.result().error) &&
+                         (pugi::xpath_type_node_set == query_nodes.return_type()) ) {
+                        for (pugi::xpath_node_set::const_iterator it = deny_nodes.begin(); it != deny_nodes.end(); ++it) {
+                            pugi::xpath_node node = *it;
+                            pugi::xml_node xnode = node.node();
+                            pugi::xml_attribute atr = xnode.attribute("url");
+
+                            AccessCommandTable rt;
+                            rt.url = atr.value();
+                            atr = xnode.attribute("method");
+                            rt.method = atr.value();
+                            rule.commandList.push_back(rt);
+                            rule.allowed = false;
+                        }
+                    }
+                    if (rule.allowed)
+                    {
+                        pugi::xpath_query query_nodes("./allow");
+                        pugi::xpath_node_set allow_nodes = query_nodes.evaluate_node_set(xnode);
+                        if ( (NULL == query_nodes.result().error) &&
+                             (pugi::xpath_type_node_set == query_nodes.return_type()) ) {
+                            for (pugi::xpath_node_set::const_iterator it = allow_nodes.begin(); it != allow_nodes.end(); ++it) {
+                                pugi::xpath_node node = *it;
+                                pugi::xml_node xnode = node.node();
+                                pugi::xml_attribute atr = xnode.attribute("url");
+                                AccessCommandTable rt;
+                                rt.url = atr.value();
+                                atr = xnode.attribute("method");
+                                rt.method = atr.value();
+                                rule.commandList.push_back(rt);
+                            }
+                        }
+                    }
+
+                    accessList.push_back(rule);
+                }
+            } else {
+                std::string error_descr = "WhiteList: Cant evaluate XPath to node set: ";
+                error_descr += query_nodes.result().description();
+                GlobalLogger::Log(kWarningLogLevel, error_descr);
+            }
+        }
+        else
+        {
+            std::string error_descr = "   Error description: ";
+            error_descr += result.description();
+            GlobalLogger::Log(kWarningLogLevel, "WhiteList: XML parsed with errors:");
+            GlobalLogger::Log(kWarningLogLevel, error_descr);
+        }
+
+        // destroy tree
+        doc.reset();
+    }
+    else
+    {
+        GlobalLogger::Log(kWarningLogLevel, "WhiteList: Can't read file");
+    }
+}
+
+bool AccessValidator::convertIpString(const char *str_ip, long *int_ip)
+{
+    bool result = false;
+    char *p, c;
+    long octet, n;
+
+    *int_ip = 0;
+    octet = 0;
+    n = 0;
+
+    char buff[sizeof "000.000.000.000"];
+    if (strlen(str_ip) < sizeof buff) {
+        strcpy(buff, str_ip);
+    }
+
+    for (p = buff; *p != '\0' ; ++p) {
+        c = *p;
+        if (c >= '0' && c <= '9') {
+            octet = octet * 10 + (c - '0');
+            continue;
+        }
+        if (c == '.' && octet < 256) {
+            *int_ip = (*int_ip << 8) + octet;
+            octet = 0;
+            n++;
+            continue;
+        }
+        return result;
+    }
+
+    if (n == 3 && octet < 256) {
+        *int_ip = (*int_ip << 8) + octet;
+        result = true;
+    }
+    return result;
+}
+
+}  // namespace webdriver
diff --git a/src/webdriver/webdriver_server.cc b/src/webdriver/webdriver_server.cc
@@ -33,7 +33,6 @@
 #include "webdriver_view_enumerator.h"
 #include "webdriver_view_executor.h"
 
-
 namespace webdriver {
 
 Server::Server()
@@ -80,6 +79,13 @@ int Server::Configure(const CommandLine &options) {
                             "\nBuild Time: "+ VersionInfo::BuildDateTime() ;
     GlobalLogger::Log(kInfoLogLevel, driver_info);
 
+    if (options.HasSwitch(webdriver::Switches::kWhiteList))
+    {
+        FilePath xmlPath(options_->GetSwitchValueNative(webdriver::Switches::kWhiteList));
+        accessValidor.setWhiteList(xmlPath);
+    }
+
+
     // set default route table
     routeTable_.reset(new DefaultRouteTable());
 
@@ -426,6 +432,14 @@ bool Server::ParseRequestInfo(const struct mg_request_info* const request_info,
 
     base::SplitString(uri, '/', path_segments);
 
+    if (!accessValidor.isAllowed(request_info->remote_ip, uri, *method))
+    {
+        response->SetError(new Error(
+                               kUnknownCommand,
+                               "Command was restricted by whitelist"));
+        return false;
+    }
+
     if (*method == "POST") {
         std::string json;
         ReadRequestBody(request_info, connection, &json);
diff --git a/src/webdriver/webdriver_switches.cc b/src/webdriver/webdriver_switches.cc
@@ -26,4 +26,6 @@ const char Switches::kVNCLogin[] = "vnc-login";
 
 const char Switches::kUserInputDevice[] = "uinput";
 
+const char Switches::kWhiteList[] = "white-list";
+
 }  // namespace webdriver
diff --git a/wd_core.gyp b/wd_core.gyp
@@ -58,6 +58,7 @@
         'src/webdriver/frame_path.cc',
         'src/webdriver/http_response.cc',
         'src/webdriver/value_conversion_traits.cc',
+        'src/webdriver/webdriver_access.cc',
         'src/webdriver/webdriver_basic_types.cc',
         'src/webdriver/webdriver_capabilities_parser.cc',
         'src/webdriver/webdriver_element_id.cc',
@@ -78,6 +79,7 @@
         'src/webdriver/url_command_wrapper.cc',
         'src/webdriver/versioninfo.cc',
         'src/webdriver/webdriver_version.cc',
+        'src/third_party/pugixml/pugixml.cpp'
       ],
 
       'conditions': [
diff --git a/wd_ext_qt.gyp b/wd_ext_qt.gyp
@@ -55,7 +55,6 @@
         'src/webdriver/extension_qt/vnc_event_dispatcher.cc',
         'src/webdriver/extension_qt/wd_event_dispatcher.cc',
         'src/webdriver/extension_qt/uinput_event_dispatcher.cc',
-        'src/third_party/pugixml/pugixml.cpp'
       ],
 
       'conditions': [
