summaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Bcfg2/Server/CherryPyCore.py7
-rw-r--r--src/lib/Bcfg2/Server/Core.py4
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Acl.py66
-rw-r--r--src/lib/Bcfg2/Server/SSLServer.py2
4 files changed, 42 insertions, 37 deletions
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index 6709a2f10..b4c296d4a 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -63,12 +63,13 @@ class Core(BaseCore):
username = auth_content
password = ""
- if not self.check_acls(cherrypy.request.remote.ip):
- raise cherrypy.HTTPError(403)
-
# FIXME: Get client cert
cert = None
address = (cherrypy.request.remote.ip, cherrypy.request.remote.name)
+
+ if not self.check_acls(address[0]):
+ raise cherrypy.HTTPError(401)
+
return self.authenticate(cert, username, password, address)
@cherrypy.expose
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index 9ca540127..e931a7bc0 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -1075,8 +1075,10 @@ class BaseCore(object):
def check_acls(self, client):
""" Check if client IP is in list of accepted IPs """
try:
- return client in self.plugins['Acl'].config.ips
+ return (client in self.plugins['Acl'].config.ips or
+ '*' in self.plugins['Acl'].config)
except KeyError:
+ # No ACL means accept all incoming ips (wildcard)
return True
@exposed
diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py
index dd1077da1..71275de27 100644
--- a/src/lib/Bcfg2/Server/Plugins/Acl.py
+++ b/src/lib/Bcfg2/Server/Plugins/Acl.py
@@ -3,40 +3,40 @@ import logging
import Bcfg2.Server.Plugin
class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
- """ representation of ACL config.xml """
-
- # 'name' error without this tag
- __identifier__ = None
-
- def __init__(self, filename, core=None):
- # create config.xml if missing
- if not os.path.exists(filename):
- LOGGER.warning("Acl: %s missing. "
- "Creating empty one for you." % filename)
- open(filename, "w").write("<IPs></IPs>")
-
- try:
- fam = core.fam
- except AttributeError:
- fam = None
-
- Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam,
- should_monitor=True)
- self.core = core
- self.ips = []
- self.logger = logging.getLogger(self.__class__.__name__)
-
- def Index(self):
- Bcfg2.Server.Plugin.XMLFileBacked.Index(self)
- for entry in self.xdata.xpath('//IPs'):
- [self.ips.append(i.get('name')) for i in entry.findall('IP')]
+ """ representation of ACL config.xml """
+
+ # 'name' error without this tag
+ __identifier__ = None
+
+ def __init__(self, filename, core=None):
+ # create config.xml if missing
+ if not os.path.exists(filename):
+ LOGGER.warning("Acl: %s missing. "
+ "Creating empty one for you." % filename)
+ open(filename, "w").write("<IPs></IPs>")
+
+ try:
+ fam = core.fam
+ except AttributeError:
+ fam = None
+
+ Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam,
+ should_monitor=True)
+ self.core = core
+ self.ips = []
+ self.logger = logging.getLogger(self.__class__.__name__)
+
+ def Index(self):
+ Bcfg2.Server.Plugin.XMLFileBacked.Index(self)
+ for entry in self.xdata.xpath('//IPs'):
+ [self.ips.append(i.get('name')) for i in entry.findall('IP')]
class Acl(Bcfg2.Server.Plugin.Plugin,
- Bcfg2.Server.Plugin.Connector):
- """ allow connections to bcfg-server based on IP address """
+ Bcfg2.Server.Plugin.Connector):
+ """ allow connections to bcfg-server based on IP address """
- def __init__(self, core, datastore):
- Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
- Bcfg2.Server.Plugin.Connector.__init__(self)
- self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core)
+ def __init__(self, core, datastore):
+ Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
+ Bcfg2.Server.Plugin.Connector.__init__(self)
+ self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core)
diff --git a/src/lib/Bcfg2/Server/SSLServer.py b/src/lib/Bcfg2/Server/SSLServer.py
index eeaeb9516..c2294eec9 100644
--- a/src/lib/Bcfg2/Server/SSLServer.py
+++ b/src/lib/Bcfg2/Server/SSLServer.py
@@ -209,6 +209,8 @@ class XMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
password = ""
cert = self.request.getpeercert()
client_address = self.request.getpeername()
+ if not self.server.instance.check_acls(client_address[0]):
+ return False
return self.server.instance.authenticate(cert, username,
password, client_address)