From 77db7282949c2acb615edcdba2f3bbbced481c2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 16:58:29 +0000 Subject: [PATCH] Fix attribute API call whitelist handling --- certidude/api/attrib.py | 53 ++++++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 25 deletions(-) diff --git a/certidude/api/attrib.py b/certidude/api/attrib.py index b92d25f..46c4040 100644 --- a/certidude/api/attrib.py +++ b/certidude/api/attrib.py @@ -1,7 +1,7 @@ import falcon import logging -import ipaddress +from ipaddress import ip_address from xattr import getxattr, listxattr from datetime import datetime from certidude import config, authority @@ -17,30 +17,33 @@ class AttributeResource(object): This not only contains tags and lease information, but might also contain some other sensitive information. """ - path, buf, cert = authority.get_signed(cn) + try: + path, buf, cert = authority.get_signed(cn) + except IOError: + raise falcon.HTTPNotFound() + else: + attribs = dict() + for key in listxattr(path): + if not key.startswith("user."): + continue + value = getxattr(path, key) + current = attribs + if "." in key: + namespace, key = key.rsplit(".", 1) + for component in namespace.split("."): + if component not in current: + current[component] = dict() + current = current[component] + current[key] = value - attribs = dict() - for key in listxattr(path): - if not key.startswith("user."): - continue - value = getxattr(path, key) - current = attribs - if "." in key: - namespace, key = key.rsplit(".", 1) - for component in namespace.split("."): - if component not in current: - current[component] = dict() - current = current[component] - current[key] = value + whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii")) - whitelist = attribs.get("user").get("address") + if req.context.get("remote_addr") != whitelist: + logger.info("Attribute access denied from %s, expected %s for %s", + req.context.get("remote_addr"), + whitelist, + cn) + raise falcon.HTTPForbidden("Forbidden", + "Attributes only accessible to the machine") - if req.context.get("remote_addr") != whitelist: - logger.info("Attribute access denied from %s, expected %s for %s", - req.context.get("remote_addr"), - whitelist, - cn) - raise falcon.HTTPForbidden("Forbidden", - "Attributes only accessible to the machine") - - return attribs + return attribs