Add admin password check (#847)

Fixes #846
2026-04-29 15:37:53 +00:00 · 2023-10-03 17:22:37 +01:00
parent e2cc56d25a
commit 0818b6ce5b
22 changed files with 478 additions and 117 deletions
--- a/src/web/impl/AdminVerificationStrategy.cpp
+++ b/src/web/impl/AdminVerificationStrategy.cpp
@@ -0,0 +1,58 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of clio: https://github.com/XRPLF/clio
+    Copyright (c) 2023, the clio developers.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL,  DIRECT,  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <web/impl/AdminVerificationStrategy.h>
+
+namespace web::detail {
+
+bool
+IPAdminVerificationStrategy::isAdmin(RequestType const&, std::string_view ip) const
+{
+    return ip == "127.0.0.1";
+}
+
+PasswordAdminVerificationStrategy::PasswordAdminVerificationStrategy(std::string password)
+    : password_(std::move(password))
+{
+}
+
+bool
+PasswordAdminVerificationStrategy::isAdmin(RequestType const& request, std::string_view) const
+{
+    auto it = request.find(boost::beast::http::field::authorization);
+    if (it == request.end())
+    {
+        // No Authorization header
+        return false;
+    }
+
+    return it->value() == password_;
+}
+
+std::unique_ptr<AdminVerificationStrategy>
+make_AdminVerificationStrategy(std::optional<std::string> password)
+{
+    if (password.has_value())
+    {
+        return std::make_unique<PasswordAdminVerificationStrategy>(std::move(*password));
+    }
+    return std::make_unique<IPAdminVerificationStrategy>();
+}
+
+}  // namespace web::detail
--- a/src/web/impl/AdminVerificationStrategy.h
+++ b/src/web/impl/AdminVerificationStrategy.h
@@ -0,0 +1,82 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of clio: https://github.com/XRPLF/clio
+    Copyright (c) 2023, the clio developers.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL,  DIRECT,  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#pragma once
+
+#include <boost/beast/http.hpp>
+
+#include <string>
+#include <string_view>
+
+namespace web::detail {
+
+class AdminVerificationStrategy
+{
+public:
+    using RequestType = boost::beast::http::request<boost::beast::http::string_body>;
+    virtual ~AdminVerificationStrategy() = default;
+
+    /**
+     * @brief Checks whether request is from a host that is considered authorized as admin.
+     *
+     * @param request The http request from the client
+     * @param ip The ip addr of the client
+     * @return true if authorized; false otherwise
+     */
+    virtual bool
+    isAdmin(RequestType const& request, std::string_view ip) const = 0;
+};
+
+class IPAdminVerificationStrategy : public AdminVerificationStrategy
+{
+public:
+    /**
+     * @brief Checks whether request is from a host that is considered authorized as admin
+     * by checking the ip address.
+     *
+     * @param ip The ip addr of the client
+     * @return true if authorized; false otherwise
+     */
+    bool
+    isAdmin(RequestType const&, std::string_view ip) const override;
+};
+
+class PasswordAdminVerificationStrategy : public AdminVerificationStrategy
+{
+private:
+    std::string password_;
+
+public:
+    PasswordAdminVerificationStrategy(std::string password);
+
+    /**
+     * @brief Checks whether request is from a host that is considered authorized as admin using
+     * the password (if any) from the request.
+     *
+     * @param request The request from a host
+     * @return true if the password from request matches admin password from config
+     */
+    bool
+    isAdmin(RequestType const& request, std::string_view) const override;
+};
+
+std::unique_ptr<AdminVerificationStrategy>
+make_AdminVerificationStrategy(std::optional<std::string> password);
+
+}  // namespace web::detail
--- a/src/web/impl/HttpBase.h
+++ b/src/web/impl/HttpBase.h
@@ -22,6 +22,7 @@
 #include <main/Build.h>
 #include <util/log/Logger.h>
 #include <web/DOSGuard.h>
+#include <web/impl/AdminVerificationStrategy.h>
 #include <web/interface/Concepts.h>
 #include <web/interface/ConnectionBase.h>

@@ -86,6 +87,7 @@ class HttpBase : public ConnectionBase

    std::shared_ptr<void> res_;
    SendLambda sender_;
+    std::unique_ptr<AdminVerificationStrategy> adminVerification_;

 protected:
    boost::beast::flat_buffer buffer_;
@@ -130,11 +132,13 @@ public:
    HttpBase(
        std::string const& ip,
        std::reference_wrapper<util::TagDecoratorFactory const> tagFactory,
+        std::optional<std::string> adminPassword,
        std::reference_wrapper<web::DOSGuard> dosGuard,
        std::shared_ptr<HandlerType> const& handler,
        boost::beast::flat_buffer buffer)
        : ConnectionBase(tagFactory, ip)
        , sender_(*this)
+        , adminVerification_(make_AdminVerificationStrategy(std::move(adminPassword)))
        , buffer_(std::move(buffer))
        , dosGuard_(dosGuard)
        , handler_(handler)
@@ -178,6 +182,9 @@ public:
        if (ec)
            return httpFail(ec, "read");

+        // Update isAdmin property of the connection
+        ConnectionBase::isAdmin_ = adminVerification_->isAdmin(req_, this->clientIp);
+
        if (boost::beast::websocket::is_upgrade(req_))
        {
            upgraded = true;