-rw-r--r--src/lib/Bcfg2/Server/CherryPyCore.py3
-rw-r--r--src/lib/Bcfg2/Server/Core.py7
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Acl.py2
3 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index 936279508..6709a2f10 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -63,6 +63,9 @@ class Core(BaseCore):
username = auth_content
password = ""
+ if not self.check_acls(cherrypy.request.remote.ip):
+ raise cherrypy.HTTPError(403)
+
# FIXME: Get client cert
cert = None
address = (cherrypy.request.remote.ip, cherrypy.request.remote.name)
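Review bot: The 403 raised when `check_acls` fails is not logged, so a rejected address leaves no trace for an operator debugging a client that cannot connect, or for anyone reviewing who has been knocking on the server. I would log before raising, e.g. `self.logger.warning("Acl: rejected connection from %s", cherrypy.request.remote.ip)`, assuming the core's logger is reachable at this point. `cherrypy.request.remote.ip` is the TCP peer address, so if the server is ever placed behind a reverse proxy every client would be checked as the proxy's address; a short comment stating that assumption would help. The enclosing method starts and ends outside the hunk.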
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index 90349ddf9..9ca540127 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -1072,6 +1072,13 @@ class BaseCore(object):
return self.metadata.AuthenticateConnection(acert, user, password,
address)
+ def check_acls(self, client):
+ """ Check if client IP is in list of accepted IPs """
+ try:
+ return client in self.plugins['Acl'].config.ips
+ except KeyError:
+ return True
+
@exposed
def GetDecisionList(self, address, mode):
""" Get the decision list for the client with :func:`GetDecisions`.
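Review bot: In `check_acls` the `except KeyError` wraps the whole membership expression, so a KeyError raised while evaluating `config.ips` would be turned into "allow" just like a missing plugin. Testing for the plugin explicitly keeps the fail-open path limited to the one case that is meant: `if 'Acl' not in self.plugins: return True` followed by `return client in self.plugins['Acl'].config.ips`. The docstring should say that the method returns True when the Acl plugin is not loaded, and that the comparison is an exact match on the address string the caller passes (no ranges or normalisation are visible here). Within this commit only CherryPyCore.py calls it, so other `BaseCore` subclasses presumably do not enforce the list unless they call it too. The hunk ends inside the docstring of `GetDecisionList`.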
diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py
index 61162dfca..dd1077da1 100644
--- a/src/lib/Bcfg2/Server/Plugins/Acl.py
+++ b/src/lib/Bcfg2/Server/Plugins/Acl.py
@@ -13,7 +13,7 @@ class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
if not os.path.exists(filename):
LOGGER.warning("Acl: %s missing. "
"Creating empty one for you." % filename)
- open(filename, "w").write("<Acl></Acl>")
+ open(filename, "w").write("<IPs></IPs>")
try:
fam = core.fam
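Review bot: The auto-created `<IPs></IPs>` file is an empty allow-list, and with the membership test this commit adds in Core.py an empty list would presumably reject every client, the local one included, as soon as the plugin is enabled without a hand-written file. The warning should say so rather than only "Creating empty one for you", e.g. `"Acl: %s missing. Creating an empty one; no client is accepted until addresses are added."`. Separately, `open(filename, "w").write(...)` never closes the handle explicitly; `with open(filename, "w") as acl: acl.write("<IPs></IPs>")` guarantees the content is flushed before the file is parsed. The enclosing method starts before and continues after the hunk, so how `ips` is built from the file is not visible here.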