From d8a1b78316559d94b0d42da48945138895eeb5ee Mon Sep 17 00:00:00 2001
From: Ben Thomasson
Date: Mon, 30 Apr 2018 13:55:24 -0400
Subject: [PATCH] Adds authentication checking to the network UI websocket.

Adds user authentication checking to the websocket connect callback function. This prevents unauthenicated users from making changes to the network canvas or viewing the data on the canvas by getting snapshots of the diagram.
---
 awx/network_ui/consumers.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/awx/network_ui/consumers.py b/awx/network_ui/consumers.py
index 36cbb24803..43b0f52005 100644
--- a/awx/network_ui/consumers.py
+++ b/awx/network_ui/consumers.py
@@ -1,6 +1,6 @@
 # Copyright (c) 2017 Red Hat, Inc
 from channels import Group
-from channels.sessions import channel_session
+from channels.auth import channel_session_user, channel_session_user_from_http
 from awx.network_ui.models import Topology, Device, Link, Client, Interface
 from awx.network_ui.models import TopologyInventory
 import urlparse
@@ -189,8 +189,15 @@ class NetworkingEvents(object):
 networking_events_dispatcher = NetworkingEvents()
 
 
-@channel_session
+@channel_session_user_from_http
 def ws_connect(message):
+ if not message.user.is_authenticated():
+ logger.error("Request user is not authenticated to use websocket.")
+ message.reply_channel.send({"close": True})
+ return
+ else:
+ message.reply_channel.send({"accept": True})
+
 data = urlparse.parse_qs(message.content['query_string'])
 inventory_id = parse_inventory_id(data)
 topology_ids = list(TopologyInventory.objects.filter(inventory_id=inventory_id).values_list('pk', flat=True))
@@ -268,7 +275,7 @@ def send_snapshot(channel, topology_id):
 channel.send({"text": json.dumps(["Snapshot", snapshot])})
 
 
-@channel_session
+@channel_session_user
 def ws_message(message):
 # Send to all clients editing the topology
 Group("topology-%s" % message.channel_session['topology_id']).send({"text": message['text']})
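Review bot: The new guard in ws_connect establishes only that `message.user` is logged in; the `inventory_id` parsed from the query string on the lines right after it is then used in `TopologyInventory.objects.filter(inventory_id=inventory_id)` with no check that this user may access that inventory, so as far as this hunk shows any authenticated user can attach to any inventory's canvas by supplying its id. `{"accept": True}` is also sent before that lookup, so a rejected inventory could only be closed after the handshake; consider resolving the inventory through the same access check the REST API applies to Inventory objects and replying `{"close": True}` when it fails, and only then accepting. Minor: the `else:` after `return` is redundant, and an unauthenticated connect attempt is expected traffic that fits `logger.warning` better than `logger.error`. `is_authenticated()` is written as a call; on Django releases where it is a property this only works through the compatibility wrapper and breaks on 2.0, which is worth confirming against the pinned version. ws_connect continues past the end of the hunk.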
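Review bot: Switching ws_message to `channel_session_user` gives it a `message.user`, but the body still reads `message.channel_session['topology_id']` unguarded, while the unauthenticated branch added to ws_connect returns before the code that presumably stores `topology_id` in the session; a frame arriving on such a socket would raise KeyError here rather than being dropped. ws_disconnect in the following hunk already guards with `if 'topology_id' in message.channel_session:`, so the same guard belongs at the top of ws_message, e.g. `if 'topology_id' not in message.channel_session: return`. Whether a frame can actually reach this consumer after the `close` reply depends on the channel layer and is not visible here. The rest of ws_message lies outside the hunk.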
@@ -278,7 +285,7 @@ def ws_message(message):
 "client": message.channel_session['client_id']})
 
 
-@channel_session
+@channel_session_user
 def ws_disconnect(message):
 if 'topology_id' in message.channel_session:
 Group("topology-%s" % message.channel_session['topology_id']).discard(message.reply_channel)