From e8a5500535cb7c23ef3d687304033e50e80dbd3f Mon Sep 17 00:00:00 2001
From: Matt Schwager
Date: Mon, 15 Oct 2012 12:34:07 -0400
Subject: IP based ACLs working for CherryPy Server. Still need to implement BuiltinServer and test.
---
 src/lib/Bcfg2/Server/CherryPyCore.py | 3 +++
 src/lib/Bcfg2/Server/Core.py | 7 +++++++
 src/lib/Bcfg2/Server/Plugins/Acl.py | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)
(limited to 'src/lib/Bcfg2/Server')

diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index 936279508..6709a2f10 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -63,6 +63,9 @@ class Core(BaseCore):
             username = auth_content
             password = ""
 
+        if not self.check_acls(cherrypy.request.remote.ip):
+            raise cherrypy.HTTPError(403)
+
         # FIXME: Get client cert
         cert = None
         address = (cherrypy.request.remote.ip, cherrypy.request.remote.name)
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index 90349ddf9..9ca540127 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -1072,6 +1072,13 @@ class BaseCore(object):
         return self.metadata.AuthenticateConnection(acert, user, password,
                                                     address)
 
+    def check_acls(self, client):
+        """ Check if client IP is in list of accepted IPs """
+        try:
+            return client in self.plugins['Acl'].config.ips
+        except KeyError:
+            return True
+
     @exposed
     def GetDecisionList(self, address, mode):
         """ Get the decision list for the client with :func:`GetDecisions`.
diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py
index 61162dfca..dd1077da1 100644
--- a/src/lib/Bcfg2/Server/Plugins/Acl.py
+++ b/src/lib/Bcfg2/Server/Plugins/Acl.py
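Review bot: A client rejected by the new `check_acls` guard gets a bare `HTTPError(403)` and nothing is written to the server log, so an operator cannot distinguish a denied peer from a mis-edited ACL file; log the rejection before raising, e.g. `self.logger.warning("Client %s rejected by ACL", cherrypy.request.remote.ip)` (assuming BaseCore exposes a `self.logger` — confirm). The check keys on `cherrypy.request.remote.ip`, which behind a reverse proxy is the proxy's own address unless CherryPy's proxy tool rewrites it, so a one-line comment next to the guard (`# ACL is evaluated against the TCP peer address, not any forwarded header`) would spare the next deployment a surprise. The guard also sits after the username/password parsing above it, so it does not short-circuit that work; moving it to the top of the method would make the ACL the first thing evaluated. The enclosing method starts outside the hunk.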
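Review bot: `check_acls` fails open — when no `Acl` plugin is loaded the `KeyError` handler returns True and every client is accepted — and the `try` wraps the whole expression, so a `KeyError` raised while evaluating `.config.ips` would also be read as "no ACL configured". Narrow the guarded code to the plugin lookup and state the fail-open behaviour in the docstring: `acl = self.plugins.get('Acl')` / `if acl is None: return True  # no Acl plugin loaded: allow all` / `return client in acl.config.ips`. The membership test is an exact match of `client` against whatever `ips` holds; if that is a list of address strings (the Acl plugin's config is not in this diff), there is no netmask/CIDR matching, which the docstring should say so operators do not expect range entries to work. A denied client is also silent at this layer; a `self.logger.warning(...)` naming the rejected address (assuming BaseCore exposes `self.logger`) would make ACL denials visible in the server log.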
@@ -13,7 +13,7 @@ class AclFile(Bcfg2.Server.Plugin.XMLFileBacked):
         if not os.path.exists(filename):
             LOGGER.warning("Acl: %s missing. "
                            "Creating empty one for you." % filename)
-            open(filename, "w").write("")
+            open(filename, "w").write("")
         try:
             fam = core.fam
-- 
cgit v1.2.3-1-g7c22