Merge pull request #73 from safing/feature/api-auth-upgrade

Minor API auth improvements following the new portbase version
Daniel 2020-06-05 14:51:04 +02:00 committed by GitHub
commit 6ffca6e411
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -20,7 +20,10 @@ import (
const ( const (
deniedMsgUnidentified = `%wFailed to identify the requesting process. deniedMsgUnidentified = `%wFailed to identify the requesting process.
You can enable the Development Mode to disable API authentication for development purposes.` You can enable the Development Mode to disable API authentication for development purposes.
If you are seeing this message in the Portmaster App, please restart the app or right-click and select "Reload".
In the future, this issue will be remediated automatically.`
deniedMsgSystem = `%wSystem access to the Portmaster API is not permitted. deniedMsgSystem = `%wSystem access to the Portmaster API is not permitted.
You can enable the Development Mode to disable API authentication for development purposes.` You can enable the Development Mode to disable API authentication for development purposes.`
@ -56,7 +59,7 @@ func startAPIAuth() {
log.Tracef("filter: api port set to %d", apiPort) log.Tracef("filter: api port set to %d", apiPort)
} }
func apiAuthenticator(s *http.Server, r *http.Request) (err error) { func apiAuthenticator(ctx context.Context, s *http.Server, r *http.Request) (err error) {
if devMode() { if devMode() {
return nil return nil
} }
@ -73,9 +76,7 @@ func apiAuthenticator(s *http.Server, r *http.Request) (err error) {
return fmt.Errorf("failed to get remote IP/Port: %s", err) return fmt.Errorf("failed to get remote IP/Port: %s", err)
} }
ctx, tracer := log.AddTracer(r.Context()) log.Tracer(r.Context()).Tracef("filter: authenticating API request from %s", r.RemoteAddr)
tracer.Tracef("filter: authenticating API request from %s", r.RemoteAddr)
defer tracer.Submit()
// It is very important that this works, retry extensively (every 250ms for 5s) // It is very important that this works, retry extensively (every 250ms for 5s)
var retry bool var retry bool
@ -112,6 +113,7 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
return true, fmt.Errorf("failed to get process: %s", err) return true, fmt.Errorf("failed to get process: %s", err)
} }
originalPid := proc.Pid originalPid := proc.Pid
var previousPid int
// go up up to two levels, if we don't match // go up up to two levels, if we don't match
for i := 0; i < 5; i++ { for i := 0; i < 5; i++ {
@ -130,11 +132,20 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
procsChecked = append(procsChecked, proc.Path) procsChecked = append(procsChecked, proc.Path)
if i < 4 { if i < 4 {
// save previous PID
previousPid = proc.Pid
// get parent process // get parent process
proc, err = process.GetOrFindProcess(ctx, proc.ParentPid) proc, err = process.GetOrFindProcess(ctx, proc.ParentPid)
if err != nil { if err != nil {
return true, fmt.Errorf("failed to get process: %s", err) return true, fmt.Errorf("failed to get process: %s", err)
} }
// abort if we are looping
if proc.Pid == previousPid {
// this also catches -1 pid loops
break
}
} }
} }