From 168aa5f9d31f310caa2d8fb87b5d46d6e23b5821 Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Wed, 17 Oct 2012 13:44:43 -0400 Subject: IP based ACLs working for CherryPy and Builtin Server. Rudimentary tests performed and passed. --- src/lib/Bcfg2/Server/CherryPyCore.py | 7 ++-- src/lib/Bcfg2/Server/Core.py | 4 ++- src/lib/Bcfg2/Server/Plugins/Acl.py | 66 ++++++++++++++++++------------------ src/lib/Bcfg2/Server/SSLServer.py | 2 ++ 4 files changed, 42 insertions(+), 37 deletions(-) (limited to 'src/lib') diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py index 6709a2f10..b4c296d4a 100644 --- a/src/lib/Bcfg2/Server/CherryPyCore.py +++ b/src/lib/Bcfg2/Server/CherryPyCore.py @@ -63,12 +63,13 @@ class Core(BaseCore): username = auth_content password = "" - if not self.check_acls(cherrypy.request.remote.ip): - raise cherrypy.HTTPError(403) - # FIXME: Get client cert cert = None address = (cherrypy.request.remote.ip, cherrypy.request.remote.name) + + if not self.check_acls(address[0]): + raise cherrypy.HTTPError(401) + return self.authenticate(cert, username, password, address) @cherrypy.expose diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py index 9ca540127..e931a7bc0 100644 --- a/src/lib/Bcfg2/Server/Core.py +++ b/src/lib/Bcfg2/Server/Core.py @@ -1075,8 +1075,10 @@ class BaseCore(object): def check_acls(self, client): """ Check if client IP is in list of accepted IPs """ try: - return client in self.plugins['Acl'].config.ips + return (client in self.plugins['Acl'].config.ips or + '*' in self.plugins['Acl'].config) except KeyError: + # No ACL means accept all incoming ips (wildcard) return True @exposed diff --git a/src/lib/Bcfg2/Server/Plugins/Acl.py b/src/lib/Bcfg2/Server/Plugins/Acl.py index dd1077da1..71275de27 100644 --- a/src/lib/Bcfg2/Server/Plugins/Acl.py +++ b/src/lib/Bcfg2/Server/Plugins/Acl.py 
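Review bot: The ACL rejection in the added `raise cherrypy.HTTPError(401)` downgrades the status from 403 to 401, but 401 tells the client its credentials were missing or wrong and is expected to carry a WWW-Authenticate challenge, whereas a peer refused purely by source address cannot fix anything by re-authenticating; 403 was the accurate code, so suggest keeping `raise cherrypy.HTTPError(403)`. A refused address is also dropped without any record, so consider a log line before the raise, e.g. `self.logger.warning("ACL rejected connection from %s", address[0])` — whether `self.logger` exists on Core is not visible in this hunk, so confirm. Note that `cherrypy.request.remote.ip` is the TCP peer, so behind a reverse proxy the ACL would match the proxy rather than the client; worth a comment if that deployment is supported. The enclosing method starts before the hunk.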
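Review bot: The new wildcard test `'*' in self.plugins['Acl'].config` inspects the AclFile object itself, while the first operand on the same line uses `.config.ips`; unless XMLFileBacked defines membership over IP names (not visible here), a `<IP name="*"/>` entry will never match and the expression may raise TypeError, which the `except KeyError` below does not catch. Suggest `'*' in self.plugins['Acl'].config.ips`. The `except KeyError` also makes the whole check fail open for any KeyError raised inside the try, not only a missing 'Acl' plugin; narrowing it, e.g. `acl = self.plugins.get('Acl')` followed by `if acl is None: return True`, keeps the accept-all behaviour confined to the documented "no ACL configured" case. The added comment `# No ACL means accept all incoming ips (wildcard)` should say "Acl plugin not loaded" rather than "No ACL", since an empty config.xml with the plugin loaded denies everyone.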
@@ -3,40 +3,40 @@ import logging import Bcfg2.Server.Plugin class AclFile(Bcfg2.Server.Plugin.XMLFileBacked): - """ representation of ACL config.xml """ - - # 'name' error without this tag - __identifier__ = None - - def __init__(self, filename, core=None): - # create config.xml if missing - if not os.path.exists(filename): - LOGGER.warning("Acl: %s missing. " - "Creating empty one for you." % filename) - open(filename, "w").write("") - - try: - fam = core.fam - except AttributeError: - fam = None - - Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam, - should_monitor=True) - self.core = core - self.ips = [] - self.logger = logging.getLogger(self.__class__.__name__) - - def Index(self): - Bcfg2.Server.Plugin.XMLFileBacked.Index(self) - for entry in self.xdata.xpath('//IPs'): - [self.ips.append(i.get('name')) for i in entry.findall('IP')] + """ representation of ACL config.xml """ + + # 'name' error without this tag + __identifier__ = None + + def __init__(self, filename, core=None): + # create config.xml if missing + if not os.path.exists(filename): + LOGGER.warning("Acl: %s missing. " + "Creating empty one for you." 
% filename) + open(filename, "w").write("") + + try: + fam = core.fam + except AttributeError: + fam = None + + Bcfg2.Server.Plugin.XMLFileBacked.__init__(self, filename, fam=fam, + should_monitor=True) + self.core = core + self.ips = [] + self.logger = logging.getLogger(self.__class__.__name__) + + def Index(self): + Bcfg2.Server.Plugin.XMLFileBacked.Index(self) + for entry in self.xdata.xpath('//IPs'): + [self.ips.append(i.get('name')) for i in entry.findall('IP')] class Acl(Bcfg2.Server.Plugin.Plugin, - Bcfg2.Server.Plugin.Connector): - """ allow connections to bcfg-server based on IP address """ + Bcfg2.Server.Plugin.Connector): + """ allow connections to bcfg-server based on IP address """ - def __init__(self, core, datastore): - Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore) - Bcfg2.Server.Plugin.Connector.__init__(self) - self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core) + def __init__(self, core, datastore): + Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore) + Bcfg2.Server.Plugin.Connector.__init__(self) + self.config = AclFile(os.path.join(self.data, 'config.xml'), core=core) diff --git a/src/lib/Bcfg2/Server/SSLServer.py b/src/lib/Bcfg2/Server/SSLServer.py index eeaeb9516..c2294eec9 100644 --- a/src/lib/Bcfg2/Server/SSLServer.py +++ b/src/lib/Bcfg2/Server/SSLServer.py @@ -209,6 +209,8 @@ class XMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler): password = "" cert = self.request.getpeercert() client_address = self.request.getpeername() + if not self.server.instance.check_acls(client_address[0]): + return False return self.server.instance.authenticate(cert, username, password, client_address) -- cgit v1.2.3-1-g7c22
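Review bot: The added `return False` after `check_acls` refuses the peer silently, with no record of which address was rejected, while the CherryPy core surfaces the same decision as an HTTP error; an operator watching the builtin server cannot tell ACL rejections from authentication failures. Suggest logging before returning, e.g. `self.server.instance.logger.warning("ACL rejected connection from %s", client_address[0])` — whether the core exposes `logger` is not visible in this hunk, so confirm. `client_address[0]` works for both the 2-tuple IPv4 and 4-tuple IPv6 results of `getpeername()`, but an IPv6 peer string (including an IPv4-mapped one) will not match an IPv4 entry in the ACL list, so a comment on the expected address family would help. The enclosing method begins before the hunk.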