
Fix attribute API call whitelist handling

This commit is contained in:
Lauri Võsandi 2017-03-26 16:58:29 +00:00
parent 13db28aaac
commit 77db728294


@ -1,7 +1,7 @@
import falcon import falcon
import logging import logging
import ipaddress from ipaddress import ip_address
from xattr import getxattr, listxattr from xattr import getxattr, listxattr
from datetime import datetime from datetime import datetime
from certidude import config, authority from certidude import config, authority
@ -17,30 +17,33 @@ class AttributeResource(object):
This not only contains tags and lease information, This not only contains tags and lease information,
but might also contain some other sensitive information. but might also contain some other sensitive information.
""" """
path, buf, cert = authority.get_signed(cn) try:
path, buf, cert = authority.get_signed(cn)
except IOError:
raise falcon.HTTPNotFound()
else:
attribs = dict()
for key in listxattr(path):
if not key.startswith("user."):
continue
value = getxattr(path, key)
current = attribs
if "." in key:
namespace, key = key.rsplit(".", 1)
for component in namespace.split("."):
if component not in current:
current[component] = dict()
current = current[component]
current[key] = value
attribs = dict() whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))
for key in listxattr(path):
if not key.startswith("user."):
continue
value = getxattr(path, key)
current = attribs
if "." in key:
namespace, key = key.rsplit(".", 1)
for component in namespace.split("."):
if component not in current:
current[component] = dict()
current = current[component]
current[key] = value
whitelist = attribs.get("user").get("address") if req.context.get("remote_addr") != whitelist:
logger.info("Attribute access denied from %s, expected %s for %s",
req.context.get("remote_addr"),
whitelist,
cn)
raise falcon.HTTPForbidden("Forbidden",
"Attributes only accessible to the machine")
if req.context.get("remote_addr") != whitelist: return attribs
logger.info("Attribute access denied from %s, expected %s for %s",
req.context.get("remote_addr"),
whitelist,
cn)
raise falcon.HTTPForbidden("Forbidden",
"Attributes only accessible to the machine")
return attribs
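Review bot: The chained lookup in `whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))` raises AttributeError when a signed certificate has no `user.lease.address` xattr yet, and `ip_address()` raises ValueError on a malformed or non-ASCII value, so such a request ends in an unhandled 500 rather than the intended denial; wrapping the lookup in a try/except that raises the same HTTPForbidden keeps the failure mode deny-by-default, as sketched below. The comparison on the following line now tests `req.context.get("remote_addr")` against an `IPv4Address`/`IPv6Address` object; unless the code that sets `remote_addr` (outside this hunk) already produces an `ip_address` object, the inequality is always true and every client is denied, so `if ip_address(req.context["remote_addr"]) != whitelist:` would make the check independent of how the address was stored. The `except IOError: raise falcon.HTTPNotFound()` branch also answers before the address check runs, which lets any caller tell CNs that hold a signed certificate from those that do not; answering 403 in both cases avoids that if it matters for this deployment. The enclosing method starts before this hunk.
```python
# … unchanged: xattr walk building attribs …
try:
    whitelist = ip_address(attribs["user"]["lease"]["address"].decode("ascii"))
except (KeyError, ValueError):
    # No lease recorded for this certificate, or an unparsable address:
    # deny explicitly instead of surfacing a 500.
    raise falcon.HTTPForbidden("Forbidden",
        "Attributes only accessible to the machine")
# … unchanged: remote_addr comparison, logging and return …
```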