diff options
author | Joshua Watt <JPEWhacker@gmail.com> | 2023-11-03 08:26:32 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-11-09 17:33:03 +0000 |
commit | 8cfb94c06cdfe3e6f0ec1ce0154951108bc3df94 (patch) | |
tree | 046a6d0d98b0b1bfb1467b2d3e4bbc29b181eb9b /bitbake | |
parent | 1af725b2eca63fa113cedb6d77eb5c5f1de6e2f0 (diff) | |
download | poky-8cfb94c06cdfe3e6f0ec1ce0154951108bc3df94.tar.gz |
bitbake: hashserv: Add become-user API
Adds API that allows a user admin to impersonate another user in the
system. This makes it easier to write external services that have
external authentication, since they can use a common user account to
access the server, then impersonate the logged in user.
(Bitbake rev: 71e2f5b52b686f34df364ae1f2fc058f45cd5e18)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'bitbake')
-rwxr-xr-x | bitbake/bin/bitbake-hashclient | 3 | ||||
-rw-r--r-- | bitbake/lib/hashserv/client.py | 42 | ||||
-rw-r--r-- | bitbake/lib/hashserv/server.py | 18 | ||||
-rw-r--r-- | bitbake/lib/hashserv/tests.py | 39 |
4 files changed, 97 insertions, 5 deletions
diff --git a/bitbake/bin/bitbake-hashclient b/bitbake/bin/bitbake-hashclient index 328c15cdec..cfbc197e52 100755 --- a/bitbake/bin/bitbake-hashclient +++ b/bitbake/bin/bitbake-hashclient | |||
@@ -166,6 +166,7 @@ def main(): | |||
166 | parser.add_argument('--log', default='WARNING', help='Set logging level') | 166 | parser.add_argument('--log', default='WARNING', help='Set logging level') |
167 | parser.add_argument('--login', '-l', metavar="USERNAME", help="Authenticate as USERNAME") | 167 | parser.add_argument('--login', '-l', metavar="USERNAME", help="Authenticate as USERNAME") |
168 | parser.add_argument('--password', '-p', metavar="TOKEN", help="Authenticate using token TOKEN") | 168 | parser.add_argument('--password', '-p', metavar="TOKEN", help="Authenticate using token TOKEN") |
169 | parser.add_argument('--become', '-b', metavar="USERNAME", help="Impersonate user USERNAME (if allowed) when performing actions") | ||
169 | parser.add_argument('--no-netrc', '-n', action="store_false", dest="netrc", help="Do not use .netrc") | 170 | parser.add_argument('--no-netrc', '-n', action="store_false", dest="netrc", help="Do not use .netrc") |
170 | 171 | ||
171 | subparsers = parser.add_subparsers() | 172 | subparsers = parser.add_subparsers() |
@@ -251,6 +252,8 @@ def main(): | |||
251 | if func: | 252 | if func: |
252 | try: | 253 | try: |
253 | with hashserv.create_client(args.address, login, password) as client: | 254 | with hashserv.create_client(args.address, login, password) as client: |
255 | if args.become: | ||
256 | client.become_user(args.become) | ||
254 | return func(args, client) | 257 | return func(args, client) |
255 | except bb.asyncrpc.InvokeError as e: | 258 | except bb.asyncrpc.InvokeError as e: |
256 | print(f"ERROR: {e}") | 259 | print(f"ERROR: {e}") |
diff --git a/bitbake/lib/hashserv/client.py b/bitbake/lib/hashserv/client.py index 82400fe5aa..4457f8e50d 100644 --- a/bitbake/lib/hashserv/client.py +++ b/bitbake/lib/hashserv/client.py | |||
@@ -18,10 +18,11 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
18 | MODE_GET_STREAM = 1 | 18 | MODE_GET_STREAM = 1 |
19 | 19 | ||
20 | def __init__(self, username=None, password=None): | 20 | def __init__(self, username=None, password=None): |
21 | super().__init__('OEHASHEQUIV', '1.1', logger) | 21 | super().__init__("OEHASHEQUIV", "1.1", logger) |
22 | self.mode = self.MODE_NORMAL | 22 | self.mode = self.MODE_NORMAL |
23 | self.username = username | 23 | self.username = username |
24 | self.password = password | 24 | self.password = password |
25 | self.saved_become_user = None | ||
25 | 26 | ||
26 | async def setup_connection(self): | 27 | async def setup_connection(self): |
27 | await super().setup_connection() | 28 | await super().setup_connection() |
@@ -29,8 +30,13 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
29 | self.mode = self.MODE_NORMAL | 30 | self.mode = self.MODE_NORMAL |
30 | await self._set_mode(cur_mode) | 31 | await self._set_mode(cur_mode) |
31 | if self.username: | 32 | if self.username: |
33 | # Save off become user temporarily because auth() resets it | ||
34 | become = self.saved_become_user | ||
32 | await self.auth(self.username, self.password) | 35 | await self.auth(self.username, self.password) |
33 | 36 | ||
37 | if become: | ||
38 | await self.become_user(become) | ||
39 | |||
34 | async def send_stream(self, msg): | 40 | async def send_stream(self, msg): |
35 | async def proc(): | 41 | async def proc(): |
36 | await self.socket.send(msg) | 42 | await self.socket.send(msg) |
@@ -92,7 +98,14 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
92 | async def get_outhash(self, method, outhash, taskhash, with_unihash=True): | 98 | async def get_outhash(self, method, outhash, taskhash, with_unihash=True): |
93 | await self._set_mode(self.MODE_NORMAL) | 99 | await self._set_mode(self.MODE_NORMAL) |
94 | return await self.invoke( | 100 | return await self.invoke( |
95 | {"get-outhash": {"outhash": outhash, "taskhash": taskhash, "method": method, "with_unihash": with_unihash}} | 101 | { |
102 | "get-outhash": { | ||
103 | "outhash": outhash, | ||
104 | "taskhash": taskhash, | ||
105 | "method": method, | ||
106 | "with_unihash": with_unihash, | ||
107 | } | ||
108 | } | ||
96 | ) | 109 | ) |
97 | 110 | ||
98 | async def get_stats(self): | 111 | async def get_stats(self): |
@@ -120,6 +133,7 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
120 | result = await self.invoke({"auth": {"username": username, "token": token}}) | 133 | result = await self.invoke({"auth": {"username": username, "token": token}}) |
121 | self.username = username | 134 | self.username = username |
122 | self.password = token | 135 | self.password = token |
136 | self.saved_become_user = None | ||
123 | return result | 137 | return result |
124 | 138 | ||
125 | async def refresh_token(self, username=None): | 139 | async def refresh_token(self, username=None): |
@@ -128,13 +142,19 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
128 | if username: | 142 | if username: |
129 | m["username"] = username | 143 | m["username"] = username |
130 | result = await self.invoke({"refresh-token": m}) | 144 | result = await self.invoke({"refresh-token": m}) |
131 | if self.username and result["username"] == self.username: | 145 | if ( |
146 | self.username | ||
147 | and not self.saved_become_user | ||
148 | and result["username"] == self.username | ||
149 | ): | ||
132 | self.password = result["token"] | 150 | self.password = result["token"] |
133 | return result | 151 | return result |
134 | 152 | ||
135 | async def set_user_perms(self, username, permissions): | 153 | async def set_user_perms(self, username, permissions): |
136 | await self._set_mode(self.MODE_NORMAL) | 154 | await self._set_mode(self.MODE_NORMAL) |
137 | return await self.invoke({"set-user-perms": {"username": username, "permissions": permissions}}) | 155 | return await self.invoke( |
156 | {"set-user-perms": {"username": username, "permissions": permissions}} | ||
157 | ) | ||
138 | 158 | ||
139 | async def get_user(self, username=None): | 159 | async def get_user(self, username=None): |
140 | await self._set_mode(self.MODE_NORMAL) | 160 | await self._set_mode(self.MODE_NORMAL) |
@@ -149,12 +169,23 @@ class AsyncClient(bb.asyncrpc.AsyncClient): | |||
149 | 169 | ||
150 | async def new_user(self, username, permissions): | 170 | async def new_user(self, username, permissions): |
151 | await self._set_mode(self.MODE_NORMAL) | 171 | await self._set_mode(self.MODE_NORMAL) |
152 | return await self.invoke({"new-user": {"username": username, "permissions": permissions}}) | 172 | return await self.invoke( |
173 | {"new-user": {"username": username, "permissions": permissions}} | ||
174 | ) | ||
153 | 175 | ||
154 | async def delete_user(self, username): | 176 | async def delete_user(self, username): |
155 | await self._set_mode(self.MODE_NORMAL) | 177 | await self._set_mode(self.MODE_NORMAL) |
156 | return await self.invoke({"delete-user": {"username": username}}) | 178 | return await self.invoke({"delete-user": {"username": username}}) |
157 | 179 | ||
180 | async def become_user(self, username): | ||
181 | await self._set_mode(self.MODE_NORMAL) | ||
182 | result = await self.invoke({"become-user": {"username": username}}) | ||
183 | if username == self.username: | ||
184 | self.saved_become_user = None | ||
185 | else: | ||
186 | self.saved_become_user = username | ||
187 | return result | ||
188 | |||
158 | 189 | ||
159 | class Client(bb.asyncrpc.Client): | 190 | class Client(bb.asyncrpc.Client): |
160 | def __init__(self, username=None, password=None): | 191 | def __init__(self, username=None, password=None): |
@@ -182,6 +213,7 @@ class Client(bb.asyncrpc.Client): | |||
182 | "get_all_users", | 213 | "get_all_users", |
183 | "new_user", | 214 | "new_user", |
184 | "delete_user", | 215 | "delete_user", |
216 | "become_user", | ||
185 | ) | 217 | ) |
186 | 218 | ||
187 | def _get_async_client(self): | 219 | def _get_async_client(self): |
diff --git a/bitbake/lib/hashserv/server.py b/bitbake/lib/hashserv/server.py index f5baa6be78..ca419a1abf 100644 --- a/bitbake/lib/hashserv/server.py +++ b/bitbake/lib/hashserv/server.py | |||
@@ -255,6 +255,7 @@ class ServerClient(bb.asyncrpc.AsyncServerConnection): | |||
255 | "auth": self.handle_auth, | 255 | "auth": self.handle_auth, |
256 | "get-user": self.handle_get_user, | 256 | "get-user": self.handle_get_user, |
257 | "get-all-users": self.handle_get_all_users, | 257 | "get-all-users": self.handle_get_all_users, |
258 | "become-user": self.handle_become_user, | ||
258 | } | 259 | } |
259 | ) | 260 | ) |
260 | 261 | ||
@@ -707,6 +708,23 @@ class ServerClient(bb.asyncrpc.AsyncServerConnection): | |||
707 | 708 | ||
708 | return {"username": username} | 709 | return {"username": username} |
709 | 710 | ||
711 | @permissions(USER_ADMIN_PERM, allow_anon=False) | ||
712 | async def handle_become_user(self, request): | ||
713 | username = str(request["username"]) | ||
714 | |||
715 | user = await self.db.lookup_user(username) | ||
716 | if user is None: | ||
717 | raise bb.asyncrpc.InvokeError(f"User {username} doesn't exist") | ||
718 | |||
719 | self.user = user | ||
720 | |||
721 | self.logger.info("Became user %s", username) | ||
722 | |||
723 | return { | ||
724 | "username": self.user.username, | ||
725 | "permissions": self.return_perms(self.user.permissions), | ||
726 | } | ||
727 | |||
710 | 728 | ||
711 | class Server(bb.asyncrpc.AsyncServer): | 729 | class Server(bb.asyncrpc.AsyncServer): |
712 | def __init__( | 730 | def __init__( |
diff --git a/bitbake/lib/hashserv/tests.py b/bitbake/lib/hashserv/tests.py index f92f37c459..311b7b7772 100644 --- a/bitbake/lib/hashserv/tests.py +++ b/bitbake/lib/hashserv/tests.py | |||
@@ -728,6 +728,45 @@ class HashEquivalenceCommonTests(object): | |||
728 | self.assertEqual(user["username"], "test-user") | 728 | self.assertEqual(user["username"], "test-user") |
729 | self.assertEqual(user["permissions"], permissions) | 729 | self.assertEqual(user["permissions"], permissions) |
730 | 730 | ||
731 | def test_auth_become_user(self): | ||
732 | admin_client = self.start_auth_server() | ||
733 | |||
734 | user = admin_client.new_user("test-user", ["@read", "@report"]) | ||
735 | user_info = user.copy() | ||
736 | del user_info["token"] | ||
737 | |||
738 | with self.auth_perms() as client, self.assertRaises(InvokeError): | ||
739 | client.become_user(user["username"]) | ||
740 | |||
741 | with self.auth_perms("@user-admin") as client: | ||
742 | become = client.become_user(user["username"]) | ||
743 | self.assertEqual(become, user_info) | ||
744 | |||
745 | info = client.get_user() | ||
746 | self.assertEqual(info, user_info) | ||
747 | |||
748 | # Verify become user is preserved across disconnect | ||
749 | client.disconnect() | ||
750 | |||
751 | info = client.get_user() | ||
752 | self.assertEqual(info, user_info) | ||
753 | |||
754 | # test-user doesn't have become_user permissions, so this should | ||
755 | # not work | ||
756 | with self.assertRaises(InvokeError): | ||
757 | client.become_user(user["username"]) | ||
758 | |||
759 | # No self-service of become | ||
760 | with self.auth_client(user) as client, self.assertRaises(InvokeError): | ||
761 | client.become_user(user["username"]) | ||
762 | |||
763 | # Give test user permissions to become | ||
764 | admin_client.set_user_perms(user["username"], ["@user-admin"]) | ||
765 | |||
766 | # It's possible to become yourself (effectively a noop) | ||
767 | with self.auth_perms("@user-admin") as client: | ||
768 | become = client.become_user(client.username) | ||
769 | |||
731 | 770 | ||
732 | class TestHashEquivalenceUnixServer(HashEquivalenceTestSetup, HashEquivalenceCommonTests, unittest.TestCase): | 771 | class TestHashEquivalenceUnixServer(HashEquivalenceTestSetup, HashEquivalenceCommonTests, unittest.TestCase): |
733 | def get_server_addr(self, server_idx): | 772 | def get_server_addr(self, server_idx): |