mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
Fix attribute API call whitelist handling
This commit is contained in:
parent
13db28aaac
commit
77db728294
@ -1,7 +1,7 @@
|
|||||||
|
|
||||||
import falcon
|
import falcon
|
||||||
import logging
|
import logging
|
||||||
import ipaddress
|
from ipaddress import ip_address
|
||||||
from xattr import getxattr, listxattr
|
from xattr import getxattr, listxattr
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
from certidude import config, authority
|
from certidude import config, authority
|
||||||
@ -17,30 +17,33 @@ class AttributeResource(object):
|
|||||||
This not only contains tags and lease information,
|
This not only contains tags and lease information,
|
||||||
but might also contain some other sensitive information.
|
but might also contain some other sensitive information.
|
||||||
"""
|
"""
|
||||||
path, buf, cert = authority.get_signed(cn)
|
try:
|
||||||
|
path, buf, cert = authority.get_signed(cn)
|
||||||
|
except IOError:
|
||||||
|
raise falcon.HTTPNotFound()
|
||||||
|
else:
|
||||||
|
attribs = dict()
|
||||||
|
for key in listxattr(path):
|
||||||
|
if not key.startswith("user."):
|
||||||
|
continue
|
||||||
|
value = getxattr(path, key)
|
||||||
|
current = attribs
|
||||||
|
if "." in key:
|
||||||
|
namespace, key = key.rsplit(".", 1)
|
||||||
|
for component in namespace.split("."):
|
||||||
|
if component not in current:
|
||||||
|
current[component] = dict()
|
||||||
|
current = current[component]
|
||||||
|
current[key] = value
|
||||||
|
|
||||||
attribs = dict()
|
whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))
|
||||||
for key in listxattr(path):
|
|
||||||
if not key.startswith("user."):
|
|
||||||
continue
|
|
||||||
value = getxattr(path, key)
|
|
||||||
current = attribs
|
|
||||||
if "." in key:
|
|
||||||
namespace, key = key.rsplit(".", 1)
|
|
||||||
for component in namespace.split("."):
|
|
||||||
if component not in current:
|
|
||||||
current[component] = dict()
|
|
||||||
current = current[component]
|
|
||||||
current[key] = value
|
|
||||||
|
|
||||||
whitelist = attribs.get("user").get("address")
|
if req.context.get("remote_addr") != whitelist:
|
||||||
|
logger.info("Attribute access denied from %s, expected %s for %s",
|
||||||
|
req.context.get("remote_addr"),
|
||||||
|
whitelist,
|
||||||
|
cn)
|
||||||
|
raise falcon.HTTPForbidden("Forbidden",
|
||||||
|
"Attributes only accessible to the machine")
|
||||||
|
|
||||||
if req.context.get("remote_addr") != whitelist:
|
return attribs
|
||||||
logger.info("Attribute access denied from %s, expected %s for %s",
|
|
||||||
req.context.get("remote_addr"),
|
|
||||||
whitelist,
|
|
||||||
cn)
|
|
||||||
raise falcon.HTTPForbidden("Forbidden",
|
|
||||||
"Attributes only accessible to the machine")
|
|
||||||
|
|
||||||
return attribs
|
|
||||||
|
Loading…
Reference in New Issue
Block a user