certidude/certidude/api/utils/firewall.py


import falcon
import logging
from asn1crypto import pem, x509

logger = logging.getLogger("api")

def whitelist_subnets(subnets):
    """
    Validate source IP address of API call against subnet list
    """
    def wrapper(func):
        def wrapped(self, req, resp, *args, **kwargs):
            # Check for administration subnet whitelist
            for subnet in subnets:
                if req.context.get("remote_addr") in subnet:
                    break
            else:
                logger.info("Rejected access to administrative call %s by %s from %s, source address not whitelisted",
                    req.env["PATH_INFO"],
                    req.context.get("user", "unauthenticated user"),
                    req.context.get("remote_addr"))
                raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % req.context.get("remote_addr"))

            return func(self, req, resp, *args, **kwargs)
        return wrapped
    return wrapper

def whitelist_content_types(*content_types):
    def wrapper(func):
        def wrapped(self, req, resp, *args, **kwargs):
            for content_type in content_types:
                if req.get_header("Content-Type") == content_type:
                    return func(self, req, resp, *args, **kwargs)
            raise falcon.HTTPUnsupportedMediaType(
                "This API call accepts only %s content type" % ", ".join(content_types))
        return wrapped
    return wrapper

def whitelist_subject(func):
    def wrapped(self, req, resp, cn, *args, **kwargs):
        from ipaddress import ip_address
        from certidude import authority
        from xattr import getxattr
        try:
            path, buf, cert, signed, expires = authority.get_signed(cn)
        except IOError:
            raise falcon.HTTPNotFound()
        else:
            # First attempt to authenticate client with certificate
            buf = req.get_header("X-SSL-CERT")
            if buf:
                header, _, der_bytes = pem.unarmor(buf.replace("\t", "").encode("ascii"))
                origin_cert = x509.Certificate.load(der_bytes)
                if origin_cert.native == cert.native:
                    logger.debug("Subject authenticated using certificates")
                    return func(self, req, resp, cn, *args, **kwargs)

            # For backwards compatibility check source IP address
            # TODO: make it disableable
            try:
                inner_address = getxattr(path, "user.lease.inner_address").decode("ascii")
            except IOError:
                raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % req.context.get("remote_addr"))
            else:
                if req.context.get("remote_addr") != ip_address(inner_address):
                    raise falcon.HTTPForbidden("Forbidden", "Remote address %s mismatch" % req.context.get("remote_addr"))
                else:
                    return func(self, req, resp, cn, *args, **kwargs)
    return wrapped
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`import falcon`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`import logging`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`from asn1crypto import pem, x509`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
			`logger = logging.getLogger("api")`

			`def whitelist_subnets(subnets):`
			`"""`
			`Validate source IP address of API call against subnet list`
			`"""`
			`def wrapper(func):`
			`def wrapped(self, req, resp, args, *kwargs):`
			`# Check for administration subnet whitelist`
			`for subnet in subnets:`
			`if req.context.get("remote_addr") in subnet:`
			`break`
			`else:`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`logger.info("Rejected access to administrative call %s by %s from %s, source address not whitelisted",`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`req.env["PATH_INFO"],`
			`req.context.get("user", "unauthenticated user"),`
			`req.context.get("remote_addr"))`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % req.context.get("remote_addr"))`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
			`return func(self, req, resp, args, *kwargs)`
			`return wrapped`
			`return wrapper`

			`def whitelist_content_types(*content_types):`
			`def wrapper(func):`
			`def wrapped(self, req, resp, args, *kwargs):`
			`for content_type in content_types:`
			`if req.get_header("Content-Type") == content_type:`
			`return func(self, req, resp, args, *kwargs)`
			`raise falcon.HTTPUnsupportedMediaType(`
			`"This API call accepts only %s content type" % ", ".join(content_types))`
			`return wrapped`
			`return wrapper`

Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`def whitelist_subject(func):`
			`def wrapped(self, req, resp, cn, args, *kwargs):`
			`from ipaddress import ip_address`
			`from certidude import authority`
			`from xattr import getxattr`
			`try:`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`path, buf, cert, signed, expires = authority.get_signed(cn)`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`except IOError:`
			`raise falcon.HTTPNotFound()`
			`else:`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`# First attempt to authenticate client with certificate`
			`buf = req.get_header("X-SSL-CERT")`
			`if buf:`
			`header, _, der_bytes = pem.unarmor(buf.replace("\t", "").encode("ascii"))`
			`origin_cert = x509.Certificate.load(der_bytes)`
			`if origin_cert.native == cert.native:`
api.utils.firewall: Drop click usage and remove unneeded imports 2018-02-03 12:33:45 +00:00			`logger.debug("Subject authenticated using certificates")`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`return func(self, req, resp, cn, args, *kwargs)`

			`# For backwards compatibility check source IP address`
			`# TODO: make it disableable`
Bugfixes and test for SCEP 2017-07-05 21:22:02 +00:00			`try:`
			`inner_address = getxattr(path, "user.lease.inner_address").decode("ascii")`
			`except IOError:`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`raise falcon.HTTPForbidden("Forbidden", "Remote address %s not whitelisted" % req.context.get("remote_addr"))`
Bugfixes and test for SCEP 2017-07-05 21:22:02 +00:00			`else:`
			`if req.context.get("remote_addr") != ip_address(inner_address):`
			`raise falcon.HTTPForbidden("Forbidden", "Remote address %s mismatch" % req.context.get("remote_addr"))`
			`else:`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`return func(self, req, resp, cn, args, *kwargs)`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`return wrapped`