Skip to content

Commit

Permalink
Do not log private method calls initialized by systemd
Browse files Browse the repository at this point in the history
  • Loading branch information
@themylogin
themylogin committed Dec 16, 2024
1 parent f7e470d commit 6ba57cd
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 2 deletions.
15 changes: 13 additions & 2 deletions src/middlewared/middlewared/api/base/server/ws_handler/rpc.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -273,13 +273,24 @@ async def process_message(self, app: RpcWebSocketApp, message: Any):
if method is None:
app.send_error(id_, JSONRPCError.METHOD_NOT_FOUND.value, "Method does not exist")
return
if not app.private_methods and method.private:
if not app.private_methods and method.private and not self._can_call_private_methods(app):
# FIXME: Eventually, prohibit this
self.middleware.logger.warning("Private method %r called on a connection without private_methods "
self.middleware.logger.warning("Private method %r called on a connection without private_methods "
"enabled", method.name)

asyncio.ensure_future(self.process_method_call(app, id_, method, message.get("params", [])))

def _can_call_private_methods(self, app: RpcWebSocketApp):
if app.origin.uid == 33:
# Proxied HexOS calls
return False

if app.origin.loginuid() is None:
# System-initiated calls to `midclt`
return True

return False

async def process_method_call(self, app: RpcWebSocketApp, id_: Any, method: Method, params: list):
try:
async with app.softhardsemaphore:
Expand Down
16 changes: 16 additions & 0 deletions src/middlewared/middlewared/utils/origin.py
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
from dataclasses import dataclass
from functools import cached_property
from socket import AF_INET, AF_INET6, AF_UNIX, SO_PEERCRED, SOL_SOCKET
from struct import calcsize, unpack

Expand Down Expand Up @@ -97,6 +98,21 @@ def is_ha_connection(self) -> bool:
self.rem_addr and self.rem_addr in HA_HEARTBEAT_IPS
)

def loginuid(self) -> int | None:
if self.pid is None:
return None

try:
with open(f"/proc/{self.pid}/loginuid") as f:
loginuid = int(f.read())
except (FileNotFoundError, ValueError):
return None

if loginuid == 4294967295:
return None

return loginuid


def get_tcp_ip_info(sock, request) -> tuple:
# All API connections are terminated by nginx reverse
Expand Down

0 comments on commit 6ba57cd

Please sign in to comment.