Fix attribute API call whitelist handling

2025-10-31 01:19:11 +00:00 · 2017-03-26 16:58:29 +00:00
parent 13db28aaac
commit 77db728294
1 changed files with 28 additions and 25 deletions
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -1,7 +1,7 @@

 import falcon
 import logging
-import ipaddress
+from ipaddress import ip_address
 from xattr import getxattr, listxattr
 from datetime import datetime
 from certidude import config, authority
@@ -17,30 +17,33 @@ class AttributeResource(object):
        This not only contains tags and lease information,
        but might also contain some other sensitive information.
        """
-        path, buf, cert = authority.get_signed(cn)
+        try:
+            path, buf, cert = authority.get_signed(cn)
+        except IOError:
+            raise falcon.HTTPNotFound()
+        else:
+            attribs = dict()
+            for key in listxattr(path):
+                if not key.startswith("user."):
+                    continue
+                value = getxattr(path, key)
+                current = attribs
+                if "." in key:
+                    namespace, key = key.rsplit(".", 1)
+                    for component in namespace.split("."):
+                        if component not in current:
+                            current[component] = dict()
+                        current = current[component]
+                current[key] = value

-        attribs = dict()
-        for key in listxattr(path):
-            if not key.startswith("user."):
-                continue
-            value = getxattr(path, key)
-            current = attribs
-            if "." in key:
-                namespace, key = key.rsplit(".", 1)
-                for component in namespace.split("."):
-                    if component not in current:
-                        current[component] = dict()
-                    current = current[component]
-            current[key] = value
+            whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))

-        whitelist = attribs.get("user").get("address")
+            if req.context.get("remote_addr") != whitelist:
+                logger.info("Attribute access denied from %s, expected %s for %s",
+                    req.context.get("remote_addr"),
+                    whitelist,
+                    cn)
+                raise falcon.HTTPForbidden("Forbidden",
+                    "Attributes only accessible to the machine")

-        if req.context.get("remote_addr") != whitelist:
-            logger.info("Attribute access denied from %s, expected %s for %s",
-                req.context.get("remote_addr"),
-                whitelist,
-                cn)
-            raise falcon.HTTPForbidden("Forbidden",
-                "Attributes only accessible to the machine")
-
-        return attribs
+            return attribs