ARCHIVE/rippled
1
0
Fork 0
mirror of https://github.com/XRPLF/rippled.git synced 2025-12-06 17:27:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Secure gateway:

Browse Source 
This is designed for use by proxies in front of rippled. Configured IPs
can forward identifying user data in HTTP headers, including
user name and origin IP. If the user name exists, then resource limits
are lifted for that session. However, administrative commands are still
reserved only for administrative sessions.
This commit is contained in:
Mark Travis
2015-11-24 17:17:56 -08:00
committed by Nik Bougalis
parent 810175ae95
commit 496fea5995
47 changed files with 538 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/ripple/server/impl/Peer.h
View File

@@ -87,6 +87,8 @@ protected:
boost::asio::io_service::strand strand_;
waitable_timer timer_;
endpoint_type remote_address_;
std::string forwarded_for_;
std::string user_;
beast::Journal journal_;
std::string id_;
@@ -183,6 +185,18 @@ protected:
return beast::IPAddressConversion::from_asio(remote_address_);
}
std::string
user() override
{
return user_;
}
std::string
forwarded_for() override
{
return forwarded_for_;
}
beast::http::message&
request() override
{
@@ -376,9 +390,20 @@ Peer<Impl>::do_read (yield_context yield)
if (! ec)
{
if (parser.complete())
{
auto const iter = message_.headers.find ("X-Forwarded-For");
if (iter != message_.headers.end())
forwarded_for_ = iter->second;
auto const iter2 = message_.headers.find ("X-User");
if (iter2 != message_.headers.end())
user_ = iter2->second;
return do_request();
}
else if (eof)
{
ec = boost::asio::error::eof; // incomplete request
}
}
if (ec)

49
src/ripple/server/impl/Port.cpp Normal file
View File

@@ -0,0 +1,49 @@
//------------------------------------------------------------------------------
/*
This file is part of rippled: https://github.com/ripple/rippled
Copyright (c) 2012, 2013 Ripple Labs Inc.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL , DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
//==============================================================================
#include <ripple/server/Port.h>
namespace ripple {
namespace HTTP {
std::ostream&
operator<< (std::ostream& os, Port const& p)
{
os << "'" << p.name << "' (ip=" << p.ip << ":" << p.port << ", ";
if (! p.admin_ip.empty ())
{
os << "admin IPs:";
for (auto const& ip : p.admin_ip)
os << ip.to_string () << ", ";
}
if (! p.secure_gateway_ip.empty ())
{
os << "secure_gateway IPs:";
for (auto const& ip : p.secure_gateway_ip)
os << ip.to_string () << ", ";
}
os << p.protocols () << ")";
return os;
}
} // HTTP
} // ripple

56
src/ripple/server/impl/Role.cpp
View File

@@ -56,25 +56,59 @@ isAdmin (HTTP::Port const& port, Json::Value const& params,
Role
requestRole (Role const& required, HTTP::Port const& port,
Json::Value const& params, beast::IP::Endpoint const& remoteIp)
Json::Value const& params, beast::IP::Endpoint const& remoteIp,
std::string const& user)
{
Role role (Role::GUEST);
if (isAdmin(port, params, remoteIp.address ()))
role = Role::ADMIN;
if (required == Role::ADMIN && role != required)
role = Role::FORBID;
return role;
if (isAdmin(port, params, remoteIp.address()))
return Role::ADMIN;
if (required == Role::ADMIN)
return Role::FORBID;
if (isIdentified(port, remoteIp.address(), user))
return Role::IDENTIFIED;
return Role::GUEST;
}
/**
* ADMIN and IDENTIFIED roles shall have unlimited resources.
*/
bool
isUnlimited (Role const& required, HTTP::Port const& port,
Json::Value const&params, beast::IP::Endpoint const& remoteIp,
std::string const& user)
{
Role role = requestRole(required, port, params, remoteIp, user);
if (role == Role::ADMIN || role == Role::IDENTIFIED)
return true;
else
return false;
}
bool
isUnlimited (Role const& role)
{
return role == Role::ADMIN || role == Role::IDENTIFIED;
}
Resource::Consumer
requestInboundEndpoint (Resource::Manager& manager,
beast::IP::Endpoint const& remoteAddress,
HTTP::Port const& port)
HTTP::Port const& port, std::string const& user)
{
if (requestRole (Role::GUEST, port, Json::Value(), remoteAddress) ==
Role::ADMIN)
return manager.newAdminEndpoint (to_string (remoteAddress));
if (isUnlimited (Role::GUEST, port, Json::Value(), remoteAddress, user))
return manager.newUnlimitedEndpoint (to_string (remoteAddress));
return manager.newInboundEndpoint(remoteAddress);
}
bool
isIdentified (HTTP::Port const& port, beast::IP::Address const& remoteIp,
std::string const& user)
{
return ! user.empty() && ipAllowed (remoteIp, port.secure_gateway_ip);
}
}

130
src/ripple/server/impl/ServerHandlerImp.cpp
View File

@@ -204,7 +204,8 @@ ServerHandlerImp::processSession (std::shared_ptr<HTTP::Session> const& session,
std::shared_ptr<JobCoro> jobCoro)
{
processRequest (session->port(), to_string (session->body()),
session->remoteAddress().at_port (0), makeOutput (*session), jobCoro);
session->remoteAddress().at_port (0), makeOutput (*session), jobCoro,
session->forwarded_for(), session->user());
if (session->request().keep_alive())
session->complete();
@@ -215,7 +216,8 @@ ServerHandlerImp::processSession (std::shared_ptr<HTTP::Session> const& session,
void
ServerHandlerImp::processRequest (HTTP::Port const& port,
std::string const& request, beast::IP::Endpoint const& remoteIPAddress,
Output&& output, std::shared_ptr<JobCoro> jobCoro)
Output&& output, std::shared_ptr<JobCoro> jobCoro,
std::string forwardedFor, std::string user)
{
auto rpcJ = app_.journal ("RPC");
// Move off the webserver thread onto the JobQueue.
@@ -260,18 +262,28 @@ ServerHandlerImp::processRequest (HTTP::Port const& port,
jsonRPC["params"][Json::UInt(0)].isObject())
{
role = requestRole(required, port, jsonRPC["params"][Json::UInt(0)],
remoteIPAddress);
remoteIPAddress, user);
}
else
{
role = requestRole(required, port, Json::objectValue,
remoteIPAddress);
remoteIPAddress, user);
}
/**
* Clear header-assigned values if not positively identified from a
* secure_gateway.
*/
if (role != Role::IDENTIFIED)
{
forwardedFor.clear();
user.clear();
}
Resource::Consumer usage;
if (role == Role::ADMIN)
usage = m_resourceManager.newAdminEndpoint (
if (isUnlimited (role))
usage = m_resourceManager.newUnlimitedEndpoint (
remoteIPAddress.to_string());
else
usage = m_resourceManager.newInboundEndpoint(remoteIPAddress);
@@ -338,7 +350,8 @@ ServerHandlerImp::processRequest (HTTP::Port const& port,
auto const start (std::chrono::high_resolution_clock::now ());
RPC::Context context {m_journal, params, app_, loadType, m_networkOPs,
app_.getLedgerMaster(), role, jobCoro};
app_.getLedgerMaster(), role, jobCoro, InfoSub::pointer(),
{user, forwardedFor}};
Json::Value result;
RPC::doCommand (context, result);
@@ -474,8 +487,73 @@ struct ParsedPort
boost::optional<boost::asio::ip::address> ip;
boost::optional<std::uint16_t> port;
boost::optional<std::vector<beast::IP::Address>> admin_ip;
boost::optional<std::vector<beast::IP::Address>> secure_gateway_ip;
};
void
populate (Section const& section, std::string const& field, std::ostream& log,
boost::optional<std::vector<beast::IP::Address>>& ips,
bool allowAllIps, std::vector<beast::IP::Address> const& admin_ip)
{
auto const result = section.find(field);
if (result.second)
{
std::stringstream ss (result.first);
std::string ip;
bool has_any (false);
ips.emplace();
while (std::getline (ss, ip, ','))
{
auto const addr = beast::IP::Endpoint::from_string_checked (ip);
if (! addr.second)
{
log << "Invalid value '" << ip << "' for key '" << field <<
"' in [" << section.name () << "]\n";
Throw<std::exception> ();
}
if (is_unspecified (addr.first))
{
if (! allowAllIps)
{
log << "0.0.0.0 not allowed'" <<
"' for key '" << field << "' in [" <<
section.name () << "]\n";
throw std::exception ();
}
else
{
has_any = true;
}
}
if (has_any && ! ips->empty ())
{
log << "IP specified along with 0.0.0.0 '" << ip <<
"' for key '" << field << "' in [" <<
section.name () << "]\n";
Throw<std::exception> ();
}
auto const& address = addr.first.address();
if (std::find_if (admin_ip.begin(), admin_ip.end(),
[&address] (beast::IP::Address const& ip)
{
return address == ip;
}
) != admin_ip.end())
{
log << "IP specified for " << field << " is also for " <<
"admin: " << ip << " in [" << section.name() << "]\n";
throw std::exception();
}
ips->emplace_back (addr.first.address ());
}
}
}
void
parse_Port (ParsedPort& port, Section const& section, std::ostream& log)
{
@@ -527,39 +605,9 @@ parse_Port (ParsedPort& port, Section const& section, std::ostream& log)
}
}
{
auto const result = section.find("admin");
if (result.second)
{
std::stringstream ss (result.first);
std::string ip;
bool has_any (false);
port.admin_ip.emplace ();
while (std::getline (ss, ip, ','))
{
auto const addr = beast::IP::Endpoint::from_string_checked (ip);
if (! addr.second)
{
log << "Invalid value '" << ip << "' for key 'admin' in ["
<< section.name () << "]\n";
Throw<std::exception> ();
}
if (is_unspecified (addr.first))
has_any = true;
if (has_any && ! port.admin_ip->empty ())
{
log << "IP specified along with 0.0.0.0 '" << ip <<
"' for key 'admin' in [" << section.name () << "]\n";
Throw<std::exception> ();
}
port.admin_ip->emplace_back (addr.first.address ());
}
}
}
populate (section, "admin", log, port.admin_ip, true, {});
populate (section, "secure_gateway", log, port.secure_gateway_ip, false,
port.admin_ip.get_value_or({}));
set(port.user, "user", section);
set(port.password, "password", section);
@@ -596,6 +644,8 @@ to_Port(ParsedPort const& parsed, std::ostream& log)
p.port = *parsed.port;
if (parsed.admin_ip)
p.admin_ip = *parsed.admin_ip;
if (parsed.secure_gateway_ip)
p.secure_gateway_ip = *parsed.secure_gateway_ip;
if (parsed.protocol.empty())
{

3
src/ripple/server/impl/ServerHandlerImp.h
View File

@@ -114,7 +114,8 @@ private:
void
processRequest (HTTP::Port const& port, std::string const& request,
beast::IP::Endpoint const& remoteIPAddress, Output&&,
std::shared_ptr<JobCoro> jobCoro);
std::shared_ptr<JobCoro> jobCoro,
std::string forwardedFor, std::string user);
//
// PropertyStream