From c9df255e92d0c609ccf07881ca4676eac4396da0 Mon Sep 17 00:00:00 2001
From: Frederic PAUT
Date: Wed, 3 Jul 2013 14:59:32 +0200
Subject: [PATCH] dbus service : adding security feature (provided by a list of allowed service name)
---
 cloudeebus/cloudeebus.js | 17 +++++++++++++++--
 cloudeebus/cloudeebus.py | 32 +++++++++++++++++++++++++++++---
 2 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/cloudeebus/cloudeebus.js b/cloudeebus/cloudeebus.js
index f3a7996..08528eb 100644
--- a/cloudeebus/cloudeebus.js
+++ b/cloudeebus/cloudeebus.js
@@ -45,10 +45,18 @@ cloudeebus.log = function(msg) {
 };
 cloudeebus.getError = function(error) {
+ if (error.desc && error.uri)
+ return error.desc + " : " + error.uri;
 if (error.desc)
 return error.desc;
+ if (error.uri)
+ return error.uri;
+ if (error.name && error.message)
+ return error.name + " : " + error.message;
 if (error.message)
 return error.message;
+ if (error.name)
+ return error.name;
 return error;
 };
@@ -102,11 +110,13 @@ cloudeebus.connect = function(uri, manifest, successCB, errorCB) {
 function onWAMPSessionConnectedCB(session) {
 cloudeebus.wampSession = session;
- if (manifest)
+ if (manifest) {
 cloudeebus.wampSession.authreq(
 manifest.name,
- {permissions: manifest.permissions}
+ {permissions: manifest.permissions,
+ services: manifest.services}
 ).then(onWAMPSessionChallengedCB, onWAMPSessionAuthErrorCB);
+ }
 else
 cloudeebus.wampSession.authreq().then(function() {
 cloudeebus.wampSession.auth().then(onWAMPSessionAuthenticatedCB, onWAMPSessionAuthErrorCB);
@@ -158,6 +168,9 @@ cloudeebus.BusConnection.prototype.getObject = function(busName, objectPath, int
 cloudeebus.BusConnection.prototype.addService = function(serviceName) {
 var self = this;
+
+ if (!serviceName)
+ serviceName = "";
 var promise = new cloudeebus.Promise(function (resolver) {
 var cloudeebusService = new cloudeebus.Service(self.wampSession, self, serviceName);
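Review bot: The braces added around the `if (manifest) {` arm in onWAMPSessionConnectedCB are not mirrored on the `else` arm, so the two branches of the same statement are now braced differently; close the symmetry with `} else {` … `}` around the second authreq call. `manifest.services` will be undefined for applications that declare no services, which is acceptable for the auth request only because the server side reads it with `extra.get("services", None)` in the companion cloudeebus.py hunk. The else body continues past the hunk.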
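Review bot: `if (!serviceName) serviceName = "";` in addService reassigns the parameter and silently turns an omitted name into an empty string that is then sent to the server as the requested bus name; on the server side (the `-594` hunk of cloudeebus.py) that empty name is looked up in the configured service list, so it is refused unless `""` is listed, and the caller's mistake surfaces only as a remote authorization error. Prefer a local, `var name = serviceName || "";`, passed to the Service constructor, plus a one-line comment stating what an empty name is meant to request — I could not confirm the intended semantics from the hunk. addService's body continues past the hunk.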
diff --git a/cloudeebus/cloudeebus.py b/cloudeebus/cloudeebus.py
index 903ece1..f99153b 100755
--- a/cloudeebus/cloudeebus.py
+++ b/cloudeebus/cloudeebus.py
@@ -55,6 +55,7 @@ VERSION = "0.5.99"
 OPENDOOR = False
 CREDENTIALS = {}
 WHITELIST = []
+SERVICELIST = []
 NETMASK = []
 ###############################################################################
@@ -435,6 +436,7 @@ class CloudeebusService:
 self.permissions = {};
 self.permissions['permissions'] = permissions['permissions']
 self.permissions['authextra'] = permissions['authextra']
+ self.permissions['services'] = permissions['services']
 self.proxyObjects = {}
 self.proxyMethods = {}
 self.pendingCalls = []
@@ -594,7 +596,10 @@ class CloudeebusService:
 busName = list[0]
 self.bus = cache.dbusConnexion( busName )
 self.srvName = list[1]
- if (self.services.has_key(self.srvName) == False):
+ if not OPENDOOR and (SERVICELIST == [] or SERVICELIST != [] and self.permissions['services'] == None):
+ SERVICELIST.index(self.srvName)
+
+ if (self.services.has_key(self.srvName) == False):
 self.services[self.srvName] = dbus.service.BusName(name = self.srvName, bus = self.bus)
 return self.srvName
@@ -671,7 +676,8 @@ class CloudeebusServerProtocol(WampCraServerProtocol):
 def getAuthPermissions(self, key, extra):
 return {'permissions': extra.get("permissions", None),
- 'authextra': extra.get("authextra", None)}
+ 'authextra': extra.get("authextra", None),
+ 'services': extra.get("services", None)}
 def getAuthSecret(self, key):
 secret = CREDENTIALS.get(key, None)
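Review bot: The new guard in the `-594` hunk skips the service-name check entirely whenever SERVICELIST is non-empty and the client declared `services` at authentication, so in that case `self.srvName` is never compared against anything and the session may claim any bus name, including names outside both its own declaration and SERVICELIST — the declaration was validated at auth time, but the name requested here was not. Conversely, with no service list configured (`SERVICELIST == []`) the `.index` call always raises, so every service creation is refused unless OPENDOOR; that is a reasonable deny-by-default but deserves a comment since it changes behaviour for deployments that never pass `-s`. A tighter form checks the requested name against the client's declaration when it has one and against the global list otherwise: `if not OPENDOOR:` / `allowed = self.permissions['services'] if self.permissions['services'] != None else SERVICELIST` / `allowed.index(self.srvName)`. Note that `A or B and C` parses as `A or (B and C)` here, which I assume is what was intended. The enclosing method starts and ends outside the hunk.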
@@ -697,8 +703,13 @@ class CloudeebusServerProtocol(WampCraServerProtocol):
 if key is None:
 raise Exception("Authentication failed")
 # check permissions, array.index throws exception
- for req in permissions['permissions']:
+ if (permissions['permissions'] != None):
+ for req in permissions['permissions']:
 WHITELIST.index(req);
+ # check allowed service creation, array.index throws exception
+ if (permissions['services'] != None):
+ for req in permissions['services']:
+ SERVICELIST.index(req);
 # create cloudeebus service instance
 self.cloudeebusService = CloudeebusService(permissions)
 # register it for RPC
@@ -733,6 +744,8 @@ if __name__ == '__main__':
 help='path to credentials file')
 parser.add_argument('-w', '--whitelist',
 help='path to whitelist file')
+ parser.add_argument('-s', '--servicelist',
+ help='path to servicelist file')
 parser.add_argument('-n', '--netmask',
 help='netmask,IP filter (comma separated.) eg. : -n 127.0.0.1,192.168.2.0/24,10.12.16.0/255.255.255.0')
@@ -757,6 +770,11 @@ if __name__ == '__main__':
 WHITELIST = json.load(jfile)
 jfile.close()
+ if args.servicelist:
+ jfile = open(args.servicelist)
+ SERVICELIST = json.load(jfile)
+ jfile.close()
+
 if args.netmask:
 iplist = args.netmask.split(",")
 for ip in iplist:
@@ -769,6 +787,14 @@ if __name__ == '__main__':
 mask = "255.255.255.255"
 NETMASK.append( {'ipAllowed': ipV4ToHex(ipAllowed), 'mask' : ipV4ToHex(mask)} )
+ if args.debug:
+ print "OPENDOOR='" + str(OPENDOOR) + "'"
+ print "CREDENTIALS='" + str(args.credentials) + "'"
+ print "WHITELIST='" + str(args.whitelist) + "'"
+ print "SERVICELIST='" + str(args.servicelist) + "'"
+ print "NETMASK='" + str(args.netmask) + "'"
+ print
+
 uri = "ws://localhost:" + args.port
 factory = WampServerFactory(uri, debugWamp = args.debug)
--
2.7.4
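Review bot: The added `if (permissions['permissions'] != None):` in the `-697` hunk lets a client that omits the `permissions` key pass this step with no WHITELIST lookup at all, whereas before the `for` over None raised and authentication failed; whether that relaxation is safe depends on permission-less sessions being refused later, which is not visible in this hunk. If it is deliberate, say so above the check, e.g. `# no permissions requested: nothing to validate, the session is granted none`; if not, keep the old unconditional loop for `permissions` and apply the `!= None` guard only to the new `services` block. The enclosing method starts and ends outside the hunk.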
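Review bot: In the `-757` hunk `jfile = open(args.servicelist)` is never closed if `json.load` raises, and nothing checks that the loaded document is a list, which is what the later `SERVICELIST.index` calls rely on; `with open(args.servicelist) as jfile: SERVICELIST = json.load(jfile)` fixes the first point (the existing whitelist block just above has the same shape). A malformed file currently fails closed, because `.index` on a non-list raises, but an explicit `isinstance(SERVICELIST, list)` check at startup gives a clearer error than a failed authentication later. The `__main__` block continues outside the hunk.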