authorMatt Schwager <schwag09@gmail.com>2012-10-17 13:44:43 -0400
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2013-02-12 08:35:32 -0500
commit168aa5f9d31f310caa2d8fb87b5d46d6e23b5821 (patch)
treeac35385b07db6ac87c828b6181c5f9c679b53ee1 /src/lib
parente8a5500535cb7c23ef3d687304033e50e80dbd3f (diff)
downloadbcfg2-168aa5f9d31f310caa2d8fb87b5d46d6e23b5821.tar.gz
bcfg2-168aa5f9d31f310caa2d8fb87b5d46d6e23b5821.tar.bz2
bcfg2-168aa5f9d31f310caa2d8fb87b5d46d6e23b5821.zip
IP-based ACLs now work for the CherryPy and built-in servers. Rudimentary tests performed and passed.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Bcfg2/Server/CherryPyCore.py7
-rw-r--r--src/lib/Bcfg2/Server/Core.py4
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Acl.py66
-rw-r--r--src/lib/Bcfg2/Server/SSLServer.py2
4 files changed, 42 insertions, 37 deletions
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index 6709a2f10..b4c296d4a 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -63,12 +63,13 @@ class Core(BaseCore):
username = auth_content
password = ""
- if not self.check_acls(cherrypy.request.remote.ip):
- raise cherrypy.HTTPError(403)
-
# FIXME: Get client cert
cert = None
address = (cherrypy.request.remote.ip, cherrypy.request.remote.name)
+
+ if not self.check_acls(address[0]):
+ raise cherrypy.HTTPError(401)
+
return self.authenticate(cert, username, password, address)
@cherrypy.expose
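Review bot: The ACL rejection now raises `cherrypy.HTTPError(401)` where the removed lines raised 403; a source-IP denial is an authorization decision, not a missing credential, and 401 tells clients to retry with credentials (and per RFC 7235 should carry a WWW-Authenticate challenge), so I would keep `raise cherrypy.HTTPError(403)`. `cherrypy.request.remote.ip` is the TCP peer unless a proxy tool rewrites it, so behind a reverse proxy the ACL is evaluated against the proxy's address; a comment such as `# remote.ip is the TCP peer; enable tools.proxy if fronted by a reverse proxy` would save the next operator a surprise. Since `cert` is still `None` per the FIXME above, this IP check is the only transport-level gate before `authenticate`, which makes getting the status code and the address source right more important. The enclosing method's `def` line is outside the hunk.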
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index 9ca540127..e931a7bc0 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -1075,8 +1075,10 @@ class BaseCore(object):
def check_acls(self, client):
""" Check if client IP is in list of accepted IPs """
try:
- return client in self.plugins['Acl'].config.ips
+ return (client in self.plugins['Acl'].config.ips or
+ '*' in self.plugins['Acl'].config)
except KeyError:
+ # No ACL means accept all incoming ips (wildcard)
return True
@exposed
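Review bot: The new wildcard test reads `'*' in self.plugins['Acl'].config` while the membership test on the line before reads `.config.ips`, which is where Acl.py collects the `name` attributes; unless `AclFile` defines `__contains__` over those names (not visible here) the wildcard is checked against the wrong object and will either never match or raise a `TypeError` that the `except KeyError` does not catch. I would bind the list once and test both against it: `ips = self.plugins['Acl'].config.ips` followed by `return client in ips or '*' in ips`. The fail-open in the `except KeyError` branch (no Acl plugin loaded means every address is accepted) belongs in the docstring so operators understand that simply not enabling the plugin disables the ACL entirely. It is also worth stating in the docstring that matching is exact string comparison, so there is no CIDR support and IPv6 peers must be written exactly as the socket layer reports them.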
diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py
index dd1077da1..71275de27 100644
--- a/src/lib/Bcfg2/Server/Plugins/Acl.py
+++ b/src/lib/Bcfg2/Server/Plugins/Acl.py
@@ -3,40 +3,40 @@ import logging
import Bcfg2.Server.Plugin
class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
- """ representation of ACL config.xml """
-
- # 'name' error without this tag
- __identifier__ = None
-
- def __init__(self, filename, core=None):
- # create config.xml if missing
- if not os.path.exists(filename):
- LOGGER.warning("Acl: %s missing. "
- "Creating empty one for you." % filename)
- open(filename, "w").write("<IPs></IPs>")
-
- try:
- fam = core.fam
- except AttributeError:
- fam = None
-
- Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam,
- should_monitor=True)
- self.core = core
- self.ips = []
- self.logger = logging.getLogger(self.__class__.__name__)
-
- def Index(self):
- Bcfg2.Server.Plugin.XMLFileBacked.Index(self)
- for entry in self.xdata.xpath('//IPs'):
- [self.ips.append(i.get('name')) for i in entry.findall('IP')]
+ """ representation of ACL config.xml """
+
+ # 'name' error without this tag
+ __identifier__ = None
+
+ def __init__(self, filename, core=None):
+ # create config.xml if missing
+ if not os.path.exists(filename):
+ LOGGER.warning("Acl: %s missing. "
+ "Creating empty one for you." % filename)
+ open(filename, "w").write("<IPs></IPs>")
+
+ try:
+ fam = core.fam
+ except AttributeError:
+ fam = None
+
+ Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam,
+ should_monitor=True)
+ self.core = core
+ self.ips = []
+ self.logger = logging.getLogger(self.__class__.__name__)
+
+ def Index(self):
+ Bcfg2.Server.Plugin.XMLFileBacked.Index(self)
+ for entry in self.xdata.xpath('//IPs'):
+ [self.ips.append(i.get('name')) for i in entry.findall('IP')]
class Acl(Bcfg2.Server.Plugin.Plugin,
- Bcfg2.Server.Plugin.Connector):
- """ allow connections to bcfg-server based on IP address """
+ Bcfg2.Server.Plugin.Connector):
+ """ allow connections to bcfg-server based on IP address """
- def __init__(self, core, datastore):
- Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
- Bcfg2.Server.Plugin.Connector.__init__(self)
- self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core)
+ def __init__(self, core, datastore):
+ Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
+ Bcfg2.Server.Plugin.Connector.__init__(self)
+ self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core)
diff --git a/src/lib/Bcfg2/Server/SSLServer.py b/src/lib/Bcfg2/Server/SSLServer.py
index eeaeb9516..c2294eec9 100644
--- a/src/lib/Bcfg2/Server/SSLServer.py
+++ b/src/lib/Bcfg2/Server/SSLServer.py
@@ -209,6 +209,8 @@ class XMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
password = ""
cert = self.request.getpeercert()
client_address = self.request.getpeername()
+ if not self.server.instance.check_acls(client_address[0]):
+ return False
return self.server.instance.authenticate(cert, username,
password, client_address)
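Review bot: The denial added before `authenticate` returns `False` silently, so a client blocked by the ACL is indistinguishable to the caller and in the server log from one presenting bad credentials; I would log the rejected `client_address[0]` at warning level before returning so ACL hits are visible to operators, using whichever logger this handler class has (not shown in the hunk). Because `getpeername()` is read from the already-negotiated TLS socket, this gate only runs after a complete handshake, so it does not reduce exposure of the TLS stack itself to unlisted peers; a one-line comment to that effect would set expectations. As in the CherryPy core, the address is the direct TCP peer, so the ACL will see a proxy's address if one is in front of the builtin server. The enclosing method begins outside the hunk.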