-rw-r--r-- | schemas/acl.xsd | 2 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Core.py | 7 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Acl.py | 10 |
3 files changed, 15 insertions, 4 deletions
diff --git a/schemas/acl.xsd b/schemas/acl.xsd
index af0d8e318..0c3e3ecdd 100644
--- a/schemas/acl.xsd
+++ b/schemas/acl.xsd
@@ -14,6 +14,8 @@
     <xsd:choice minOccurs="1" maxOccurs="unbounded">
       <xsd:element name="IP" type="xsd:string" minOccurs="1" maxOccurs="unbounded"/>
+      <xsd:element name="CIDR" type="xsd:string" minOccurs="0"
+                   maxOccurs="unbounded"/>
     </xsd:choice>
   </xsd:complexType>
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index c9fd76325..c01b493de 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -1072,13 +1072,12 @@ class BaseCore(object):
         return self.metadata.AuthenticateConnection(acert, user, password, address)
 
-    def check_acls(self, client):
+    def check_acls(self, client_ip):
         """ Check if client IP is in list of accepted IPs """
         try:
-            return (client in self.plugins['Acl'].config.ips or
-                    '*' in self.plugins['Acl'].config.ips)
+            return self.plugins['Acl'].config.check_acl(client_ip)
         except KeyError:
-            # No ACL means accept all incoming ips (wildcard)
+            # No ACL means accept all incoming ips
             return True
 
     @exposed
diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py
index 71275de27..1f7b27b53 100644
--- a/src/lib/Bcfg2/Server/Plugins/Acl.py
+++ b/src/lib/Bcfg2/Server/Plugins/Acl.py
@@ -1,5 +1,6 @@
 import os
 import logging
+import netaddr
 import Bcfg2.Server.Plugin
 
 class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
@@ -23,6 +24,7 @@ class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
         Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam, should_monitor=True)
         self.core = core
+        self.cidr_ips = []
         self.ips = []
         self.logger = logging.getLogger(self.__class__.__name__)
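Review bot: check_acls still catches only KeyError around the new `return self.plugins['Acl'].config.check_acl(client_ip)` call, so any other exception raised while evaluating the ACL (an address or CIDR entry the parser rejects, or an unresolved name inside check_acl) escapes the authorization check instead of producing a deny. The callers of check_acls are outside this hunk, so whether an escaping exception ends up failing open or closed cannot be confirmed here; the safe contract is for check_acl to return False on malformed input and for this method to keep KeyError narrow, so that only "Acl plugin not loaded" means accept-all. The docstring should record that second case, e.g. `""" Check if client IP is allowed by the Acl plugin; accept all if no Acl plugin is loaded """`. The `return self.metadata.AuthenticateConnection(...)` context line at the top belongs to a method whose definition starts outside the hunk.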
@@ -30,6 +32,14 @@ class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
         Bcfg2.Server.Plugin.XMLFileBacked.Index(self)
         for entry in self.xdata.xpath('//IPs'):
             [self.ips.append(i.get('name')) for i in entry.findall('IP')]
+            [self.cidr_ips.append(i.get('name')) for i in entry.findall('CIDR')]
+
+    def check_acl(self, ip):
+        if ('*' in self.ips or
+            ip in self.ips or
+            IP(ip) in [CIDR(cidr_ip) for cidr_ip in self.cidr_ips]):
+            return True
+        return False
 
 class Acl(Bcfg2.Server.Plugin.Plugin, Bcfg2.Server.Plugin.Connector):
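Review bot: `IP(ip)` and `CIDR(cidr_ip)` in check_acl are undefined names — the file only does `import netaddr` (first hunk of this file), so for any client that is not a literal `self.ips` match when no `'*'` entry exists, the ACL check raises NameError instead of returning a verdict. The `in [...]` form is also a plain list membership, which tests `==` against each network object rather than asking the network whether it contains the address, so even with the names qualified a CIDR match would presumably not fire; `any(addr in netaddr.IPNetwork(c) for c in self.cidr_ips)` expresses containment, and an unparsable address or entry should log and deny rather than raise. Separately, Index appends to self.cidr_ips the way the existing line does for self.ips without clearing either list first; if Index is re-run when the monitored file changes (should_monitor=True in the previous hunk), entries removed from the ACL file would stay authorized — confirm against XMLFileBacked.Index; the Index def line itself is above the hunk. A check_acl docstring stating the three accepted cases (wildcard, exact address, CIDR containment) and the deny-on-parse-error rule would make the contract explicit.
```python
    def check_acl(self, ip):
        """Return True if the ACL has a '*' entry, lists ``ip`` exactly,
        or a listed CIDR contains ``ip``; malformed input is a deny."""
        if '*' in self.ips or ip in self.ips:
            return True
        try:
            addr = netaddr.IPAddress(ip)
            return any(addr in netaddr.IPNetwork(cidr_ip)
                       for cidr_ip in self.cidr_ips)
        except (netaddr.AddrFormatError, ValueError):
            # An unparsable address or CIDR entry must never grant access
            self.logger.error("Acl: cannot parse %s against CIDR list" % ip)
            return False
```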