TT#77256 ngcp-api-tools: Fix credentials usage

When using credentials from /etc/default/ngcp-api, we need to use the "api_admin_system" realm, which gets enabled by passing the «NGCP-UserAgent: NGCP::API::Client» header to the request. This though only works for the matching endpoint (host and port) specified in that file. Otherwise when we using the credentials from the legacy $HOME/.ngcp-api file and to preserve backwards compatibility, we should use the "api_admin_http" realm, which is the default, by not passing the above header in the request. To make this behavior more clear, we try to validate the free-form URL passed by the user and error out if it does not match when using the new credentials. Change-Id: Ic80d2724a20ec951918c88d7f2994c85b5b63910
5 years ago · a621bd5920
parent f411c102dd
commit a621bd5920
6 changed files with 32 additions and 0 deletions
--- a/tools/ngcp-api.inc
+++ b/tools/ngcp-api.inc
@ -29,3 +29,20 @@ importcreds () {
    exit 1
  fi
 }
+
+validateurl() {
+  local URL=$1
+
+  # If we are using the legacy credentials, stop any validation.
+  if [ -z "${APIREALM}" ]; then
+    return
+  fi
+
+  local NGCP_API_HOST
+  NGCP_API_HOST="$(getent hosts "${NGCP_API_IP}" | awk '{ print $2 }')"
+  if ! [[ "${URL}" =~ ^https://${NGCP_API_IP}:${NGCP_API_PORT} ]] &&
+     ! [[ "${URL}" =~ ^https://${NGCP_API_HOST}:${NGCP_API_PORT} ]]; then
+    echo "Error: specified URL does not match expected URL for API credentials (https://${NGCP_API_IP}:${NGCP_API_PORT}/)" >&2
+    exit 1
+  fi
+}
--- a/tools_bin/ngcp-api-delete
+++ b/tools_bin/ngcp-api-delete
@ -25,6 +25,7 @@ if [ -z "${APIUSER}" ]; then
    if [ -z "${APIUSER}" ]; then
      importcreds "${SYSCREDS}" 0440
      APIUSER="${AUTH_SYSTEM_LOGIN}:${AUTH_SYSTEM_PASSWORD}"
+      APIREALM=(-H 'NGCP-UserAgent: NGCP::API::Client')
    fi
  fi
  if [ -z "${APIUSER}" ]; then
@ -53,7 +54,9 @@ URL="$1"
 if [ -z "${URL}" ] ; then
  usage
 fi
+validateurl "$URL"

 ${CURL} -i ${VERBOSE} -X DELETE \
+  "${APIREALM[@]}" \
  -H 'Connection: close' \
  "${HEADERS}" --user "${APIUSER}" --insecure "${URL}"
--- a/tools_bin/ngcp-api-get
+++ b/tools_bin/ngcp-api-get
@ -25,6 +25,7 @@ if [ -z "${APIUSER}" ]; then
    if [ -z "${APIUSER}" ]; then
      importcreds "${SYSCREDS}" 0440
      APIUSER="${AUTH_SYSTEM_LOGIN}:${AUTH_SYSTEM_PASSWORD}"
+      APIREALM=(-H 'NGCP-UserAgent: NGCP::API::Client')
    fi
  fi
  if [ -z "${APIUSER}" ]; then
@ -53,7 +54,9 @@ URL="$1"
 if [ -z "${URL}" ]; then
  usage
 fi
+validateurl "$URL"

 ${CURL} -i ${VERBOSE} -X GET \
+  "${APIREALM[@]}" \
  -H 'Connection: close' \
  --user "${APIUSER}" --insecure "${URL}"
--- a/tools_bin/ngcp-api-patch
+++ b/tools_bin/ngcp-api-patch
@ -27,6 +27,7 @@ if [ -z "${APIUSER}" ]; then
    if [ -z "${APIUSER}" ]; then
      importcreds "${SYSCREDS}" 0440
      APIUSER="${AUTH_SYSTEM_LOGIN}:${AUTH_SYSTEM_PASSWORD}"
+      APIREALM=(-H 'NGCP-UserAgent: NGCP::API::Client')
    fi
  fi
  if [ -z "${APIUSER}" ]; then
@ -69,8 +70,10 @@ URL="$1"
 if [ -z "${URL}" ] ; then
  usage
 fi
+validateurl "$URL"

 ${CURL} -i ${VERBOSE} -X PATCH \
+  "${APIREALM[@]}"
  -H 'Connection: close' -H "Prefer: return=${PREFER}" \
  -H "Content-Type: ${CTYPE}" \
  --user "${APIUSER}" --insecure "${FILE_INPUT[@]}" "${URL}" "${INPUT[@]}"
--- a/tools_bin/ngcp-api-post
+++ b/tools_bin/ngcp-api-post
@ -26,6 +26,7 @@ if [ -z "${APIUSER}" ]; then
    if [ -z "${APIUSER}" ]; then
      importcreds "${SYSCREDS}" 0440
      APIUSER="${AUTH_SYSTEM_LOGIN}:${AUTH_SYSTEM_PASSWORD}"
+      APIREALM=(-H 'NGCP-UserAgent: NGCP::API::Client')
    fi
  fi
  if [ -z "${APIUSER}" ]; then
@ -63,9 +64,11 @@ URL="$1"
 if [ -z "${URL}" ]; then
  usage
 fi
+validateurl "$URL"
 CTYPE=${2:-application/json}

 ${CURL} -i ${VERBOSE} -X POST \
+  "${APIREALM[@]}" \
  -H 'Connection: close' -H 'Prefer: return=representation' \
  -H "Content-Type: ${CTYPE}" \
  --user "${APIUSER}" --insecure "${FILE_INPUT[@]}" "${URL}" "${INPUT[@]}"
--- a/tools_bin/ngcp-api-put
+++ b/tools_bin/ngcp-api-put
@ -26,6 +26,7 @@ if [ -z "${APIUSER}" ]; then
    if [ -z "${APIUSER}" ]; then
      importcreds "${SYSCREDS}" 0440
      APIUSER="${AUTH_SYSTEM_LOGIN}:${AUTH_SYSTEM_PASSWORD}"
+      APIREALM=(-H 'NGCP-UserAgent: NGCP::API::Client')
    fi
  fi
  if [ -z "${APIUSER}" ]; then
@ -63,9 +64,11 @@ URL="$1"
 if [ -z "${URL}" ] ; then
  usage
 fi
+validateurl "$URL"
 CTYPE=${2:-application/json}

 ${CURL} -i ${VERBOSE} -X PUT \
+  "${APIREALM[@]}" \
  -H 'Connection: close' -H 'Prefer: return=representation' \
  -H "Content-Type: ${CTYPE}" \
  --user "${APIUSER}" --insecure "${FILE_INPUT[@]}" "${URL}" "${INPUT[@]}"