Adding function whitelisting functionality to RPC Server

Summary: Adding stuff to handle configuring a function whitelist for RPC server calls. In the case where no function whitelist is defined this falls back to the old functionality of allowing all functions through. Reviewed By: @jano Differential Revision: D1918265
Manu343726 · Mar 18, 2015 · 52758fe · 52758fe
1 parent e08f192
commit 52758fe
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/hphp/runtime/server/rpc-request-handler.cpp b/hphp/runtime/server/rpc-request-handler.cpp
@@ -117,6 +117,23 @@ void RPCRequestHandler::handleRequest(Transport *transport) {
   StackTraceNoHeap::ExtraLoggingClearer clearer;
   StackTraceNoHeap::AddExtraLogging("RPC-URL", transport->getUrl());
 
+  // Checking functions whitelist
+  const std::set<std::string> &functions = m_serverInfo->getFunctions();
+  if (!functions.empty()) {
+    auto iter = functions.find(transport->getCommand());
+    if (iter == functions.end()) {
+      transport->sendString("Forbidden", 403);
+      transport->onSendEnd();
+      GetAccessLog().log(transport, nullptr);
+      /*
+       * HPHP logs may need to access data in ServerStats, so we have to
+       * clear the hashtable after writing the log entry.
+       */
+      ServerStats::Reset();
+      return;
+    }
+  }
+
   // authentication
   const std::set<std::string> &passwords = m_serverInfo->getPasswords();
   if (!passwords.empty()) {

diff --git a/hphp/runtime/server/satellite-server.cpp b/hphp/runtime/server/satellite-server.cpp
@@ -47,6 +47,7 @@ SatelliteServerInfo::SatelliteServerInfo(const IniSetting::Map& ini, Hdf hdf) {
   m_password = Config::GetString(ini, hdf["Password"], "");
   Config::Get(ini, hdf["Passwords"], m_passwords);
   m_alwaysReset = Config::GetBool(ini, hdf["AlwaysReset"], false);
+  Config::Get(ini, hdf["Functions"], m_functions);
 
   std::string type = Config::GetString(ini, hdf["Type"]);
   if (type == "InternalPageServer") {

diff --git a/hphp/runtime/server/satellite-server.h b/hphp/runtime/server/satellite-server.h
@@ -95,6 +95,7 @@ class SatelliteServerInfo {
   const std::string &getPassword() const { return m_password;}
   const std::set<std::string> &getPasswords() const { return m_passwords;}
   bool alwaysReset() const { return m_alwaysReset;}
+  const std::set<std::string> &getFunctions() const { return m_functions; }
 
 protected:
   std::string m_name;
@@ -110,6 +111,7 @@ class SatelliteServerInfo {
   std::string m_password;
   std::set<std::string> m_passwords;
   bool m_alwaysReset = false;
+  std::set<std::string> m_functions;
 };
 
 ///////////////////////////////////////////////////////////////////////////////