diff options
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Bcfg2/Server/CherryPyCore.py | 7 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Core.py | 4 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Acl.py | 66 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/SSLServer.py | 2 |
4 files changed, 42 insertions, 37 deletions
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py index 6709a2f10..b4c296d4a 100644 --- a/src/lib/Bcfg2/Server/CherryPyCore.py +++ b/src/lib/Bcfg2/Server/CherryPyCore.py @@ -63,12 +63,13 @@ class Core(BaseCore): username = auth_content password = "" - if not self.check_acls(cherrypy.request.remote.ip): - raise cherrypy.HTTPError(403) - # FIXME: Get client cert cert = None address = (cherrypy.request.remote.ip, cherrypy.request.remote.name) + + if not self.check_acls(address[0]): + raise cherrypy.HTTPError(401) + return self.authenticate(cert, username, password, address) @cherrypy.expose diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py index 9ca540127..e931a7bc0 100644 --- a/src/lib/Bcfg2/Server/Core.py +++ b/src/lib/Bcfg2/Server/Core.py @@ -1075,8 +1075,10 @@ class BaseCore(object): def check_acls(self, client): """ Check if client IP is in list of accepted IPs """ try: - return client in self.plugins['Acl'].config.ips + return (client in self.plugins['Acl'].config.ips or + '*' in self.plugins['Acl'].config) except KeyError: + # No ACL means accept all incoming ips (wildcard) return True @exposed diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py index dd1077da1..71275de27 100644 --- a/src/lib/Bcfg2/Server/Plugins/Acl.py +++ b/src/lib/Bcfg2/Server/Plugins/Acl.py @@ -3,40 +3,40 @@ import logging import Bcfg2.Server.Plugin class AclFile(Bcfg2.Server.Plugin.XMLFileBacked): - """ representation of ACL config.xml """ - - # 'name' error without this tag - __identifier__ = None - - def __init__(self, filename, core=None): - # create config.xml if missing - if not os.path.exists(filename): - LOGGER.warning("Acl: %s missing. " - "Creating empty one for you." % filename) - open(filename, "w").write("<IPs></IPs>") - - try: - fam = core.fam - except AttributeError: - fam = None - - Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam, - should_monitor=True) - self.core = core - self.ips = [] - self.logger = logging.getLogger(self.__class__.__name__) - - def Index(self): - Bcfg2.Server.Plugin.XMLFileBacked.Index(self) - for entry in self.xdata.xpath('//IPs'): - [self.ips.append(i.get('name')) for i in entry.findall('IP')] + """ representation of ACL config.xml """ + + # 'name' error without this tag + __identifier__ = None + + def __init__(self, filename, core=None): + # create config.xml if missing + if not os.path.exists(filename): + LOGGER.warning("Acl: %s missing. " + "Creating empty one for you." % filename) + open(filename, "w").write("<IPs></IPs>") + + try: + fam = core.fam + except AttributeError: + fam = None + + Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam, + should_monitor=True) + self.core = core + self.ips = [] + self.logger = logging.getLogger(self.__class__.__name__) + + def Index(self): + Bcfg2.Server.Plugin.XMLFileBacked.Index(self) + for entry in self.xdata.xpath('//IPs'): + [self.ips.append(i.get('name')) for i in entry.findall('IP')] class Acl(Bcfg2.Server.Plugin.Plugin, - Bcfg2.Server.Plugin.Connector): - """ allow connections to bcfg-server based on IP address """ + Bcfg2.Server.Plugin.Connector): + """ allow connections to bcfg-server based on IP address """ - def __init__(self, core, datastore): - Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore) - Bcfg2.Server.Plugin.Connector.__init__(self) - self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core) + def __init__(self, core, datastore): + Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore) + Bcfg2.Server.Plugin.Connector.__init__(self) + self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core) diff --git a/src/lib/Bcfg2/Server/SSLServer.py b/src/lib/Bcfg2/Server/SSLServer.py index eeaeb9516..c2294eec9 100644 --- a/src/lib/Bcfg2/Server/SSLServer.py +++ b/src/lib/Bcfg2/Server/SSLServer.py @@ -209,6 +209,8 @@ class XMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler): password = "" cert = self.request.getpeercert() client_address = self.request.getpeername() + if not self.server.instance.check_acls(client_address[0]): + return False return self.server.instance.authenticate(cert, username, password, client_address) |