mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
9331eabd7e
Including changes for GitHub -> internal migration -- b5d7e43ddeff9c087d0f67949bea6ac795c5474a by Federico Stazi <34340238+FedericoStazi@users.noreply.github.com>: Initial curl commit -- 24786c44d89b4a6817204aaacd84fc1aa2747434 by Federico Stazi <fstazi@google.com>: Added gitignore and curl submodule -- 6d5cfd575abd05c387f93be060c8fc88fd39e482 by Federico Stazi <fstazi@google.com>: Added new line at the end of files -- c7423c5f8a8d460655d0fafa198758c39d5270d1 by Federico Stazi <fstazi@google.com>: Remove SHARED from add_sapi_library -- 05c0a4b004feba1c0ae1ba6bf519966f48589ba6 by Federico Stazi <fstazi@google.com>: Fix includes -- 5be51fabbef7e7eab032dbfb94239654e44008c3 by Federico Stazi <fstazi@google.com>: Improve comments -- 34338411b845d438a5b7615d990d6539771152eb by Federico Stazi <fstazi@google.com>: Improve style -- 8c68ac221ff158aab3b285d8b2d6158a895ddbf2 by Federico Stazi <fstazi@google.com>: Address review comments -- ac1112ae4de6f5f520054b5608d202a57c296ac4 by Federico Stazi <fstazi@google.com>: Minor fix -- f47e1cc6aceb0365cb2e5352d61980628af7f954 by Federico Stazi <fstazi@google.com>: Implement all curl methods -- 929123127532589ef19f12114b8e450cc2c976a1 by Federico Stazi <fstazi@google.com>: Address reviews and improve code style -- 1b0a8edfd4cdffdc76f3e979a5e1b42cbe289e73 by Federico Stazi <fstazi@google.com>: Minor fix -- cea046d3e29b86e04bd6ce7821ee1409cea2db37 by Federico Stazi <fstazi@google.com>: Implement stricter policy -- cf23888b88b71add3e60524f3db3604f0ab6c386 by Federico Stazi <fstazi@google.com>: Improve and extend examples -- 6167cafbdec1355588c073baa8cdf17fad1fcb9e by Federico Stazi <fstazi@google.com>: Implement tests -- 9fed2ec09798e656cd5c518bc13f45eea1abef2e by Federico Stazi <fstazi@google.com>: Improved error handling -- e446ec81a13d3c567bdebe00285211d9df9dbed1 by Federico Stazi <fstazi@google.com>: Address review comments -- cf41ec4701a6a47ecee3af6765623ca020cebfcd by Federico Stazi <34340238+FedericoStazi@users.noreply.github.com>: Fix project name -- 9a4293a3cfd87b9b13b46a36d5eeee9d575ea519 by Federico Stazi <fstazi@google.com>: Fix project name -- bbebeee1a69fed2c70afc6afa2aa79aad990a778 by Federico Stazi <fstazi@google.com>: Fix test mock server -- eb783de3f5fc35877db5f08fd53c9a33207a416e by Federico Stazi <fstazi@google.com>: Address review comments -- cf6cb89bca2b0275652509afdb4d4e20e9e851ba by Federico Stazi <fstazi@google.com>: Minor mock server fix -- b52d9e6e4fa1f9c07a3027b4b4d564457e7a648f by Federico Stazi <fstazi@google.com>: Address review comments PiperOrigin-RevId: 333292204 Change-Id: I9ff27348028d9f22486492dc92c0859ff8f44d68
167 lines
5.9 KiB
C++
167 lines
5.9 KiB
C++
// Copyright 2020 Google LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// Sandboxed version of simplessl.c
|
|
// HTTPS GET request
|
|
|
|
#include <cstdlib>
|
|
|
|
#include "../sandbox.h" // NOLINT(build/include)
|
|
|
|
class CurlSapiSandboxEx3 : public CurlSapiSandbox {
|
|
public:
|
|
CurlSapiSandboxEx3(std::string ssl_certificate, std::string ssl_key,
|
|
std::string ca_certificates)
|
|
: ssl_certificate(ssl_certificate),
|
|
ssl_key(ssl_key),
|
|
ca_certificates(ca_certificates) {}
|
|
|
|
private:
|
|
std::unique_ptr<sandbox2::Policy> ModifyPolicy(
|
|
sandbox2::PolicyBuilder*) override {
|
|
// Add the syscalls and files missing in CurlSandbox to a new PolicyBuilder
|
|
auto policy_builder = std::make_unique<sandbox2::PolicyBuilder>();
|
|
(*policy_builder)
|
|
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
|
|
.AllowGetPIDs()
|
|
.AllowGetRandom()
|
|
.AllowHandleSignals()
|
|
.AllowSyscall(__NR_sysinfo)
|
|
.AddFile(ssl_certificate)
|
|
.AddFile(ssl_key)
|
|
.AddFile(ca_certificates);
|
|
// Provide the new PolicyBuilder to ModifyPolicy in CurlSandbox
|
|
return CurlSapiSandbox::ModifyPolicy(policy_builder.get());
|
|
}
|
|
|
|
std::string ssl_certificate;
|
|
std::string ssl_key;
|
|
std::string ca_certificates;
|
|
};
|
|
|
|
int main(int argc, char* argv[]) {
|
|
gflags::ParseCommandLineFlags(&argc, &argv, true);
|
|
google::InitGoogleLogging(argv[0]);
|
|
|
|
absl::Status status;
|
|
|
|
// Get input parameters (should be absolute paths)
|
|
if (argc != 5) {
|
|
LOG(FATAL) << "wrong number of arguments (4 expected)";
|
|
}
|
|
std::string ssl_certificate = argv[1];
|
|
std::string ssl_key = argv[2];
|
|
std::string ssl_key_password = argv[3];
|
|
std::string ca_certificates = argv[4];
|
|
|
|
// Initialize sandbox2 and sapi
|
|
CurlSapiSandboxEx3 sandbox(ssl_certificate, ssl_key, ca_certificates);
|
|
status = sandbox.Init();
|
|
if (!status.ok()) {
|
|
LOG(FATAL) << "Couldn't initialize Sandboxed API: " << status;
|
|
}
|
|
CurlApi api(&sandbox);
|
|
|
|
absl::StatusOr<int> curl_code;
|
|
|
|
// Initialize curl (CURL_GLOBAL_DEFAULT = 3)
|
|
curl_code = api.curl_global_init(3l);
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_global_init failed: " << curl_code.status();
|
|
}
|
|
|
|
// Initialize curl easy handle
|
|
absl::StatusOr<CURL*> curl_handle = api.curl_easy_init();
|
|
if (!curl_handle.ok()) {
|
|
LOG(FATAL) << "curl_easy_init failed: " << curl_handle.status();
|
|
}
|
|
sapi::v::RemotePtr curl(curl_handle.value());
|
|
if (!curl.GetValue()) {
|
|
LOG(FATAL) << "curl_easy_init failed: curl is NULL";
|
|
}
|
|
|
|
// Specify URL to get (using HTTPS)
|
|
sapi::v::ConstCStr url("https://example.com");
|
|
curl_code = api.curl_easy_setopt_ptr(&curl, CURLOPT_URL, url.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Set the SSL certificate type to "PEM"
|
|
sapi::v::ConstCStr ssl_cert_type("PEM");
|
|
curl_code = api.curl_easy_setopt_ptr(&curl, CURLOPT_SSLCERTTYPE,
|
|
ssl_cert_type.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Set the certificate for client authentication
|
|
sapi::v::ConstCStr sapi_ssl_certificate(ssl_certificate.c_str());
|
|
curl_code = api.curl_easy_setopt_ptr(&curl, CURLOPT_SSLCERT,
|
|
sapi_ssl_certificate.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Set the private key for client authentication
|
|
sapi::v::ConstCStr sapi_ssl_key(ssl_key.c_str());
|
|
curl_code =
|
|
api.curl_easy_setopt_ptr(&curl, CURLOPT_SSLKEY, sapi_ssl_key.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Set the password used to protect the private key
|
|
sapi::v::ConstCStr sapi_ssl_key_password(ssl_key_password.c_str());
|
|
curl_code = api.curl_easy_setopt_ptr(&curl, CURLOPT_KEYPASSWD,
|
|
sapi_ssl_key_password.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Set the file with the certificates vaildating the server
|
|
sapi::v::ConstCStr sapi_ca_certificates(ca_certificates.c_str());
|
|
curl_code = api.curl_easy_setopt_ptr(&curl, CURLOPT_CAINFO,
|
|
sapi_ca_certificates.PtrBefore());
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_ptr failed: " << curl_code.status();
|
|
}
|
|
|
|
// Verify the authenticity of the server
|
|
curl_code = api.curl_easy_setopt_long(&curl, CURLOPT_SSL_VERIFYPEER, 1L);
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_setopt_long failed: " << curl_code.status();
|
|
}
|
|
|
|
// Perform the request
|
|
curl_code = api.curl_easy_perform(&curl);
|
|
if (!curl_code.ok() || curl_code.value() != CURLE_OK) {
|
|
LOG(FATAL) << "curl_easy_perform failed: " << curl_code.status();
|
|
}
|
|
|
|
// Cleanup curl easy handle
|
|
status = api.curl_easy_cleanup(&curl);
|
|
if (!status.ok()) {
|
|
LOG(FATAL) << "curl_easy_cleanup failed: " << status;
|
|
}
|
|
|
|
// Cleanup curl
|
|
status = api.curl_global_cleanup();
|
|
if (!status.ok()) {
|
|
LOG(FATAL) << "curl_global_cleanup failed: " << status;
|
|
}
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|