adding ip restrictions

Adding code to restrict access based on a simple list of IP addresses. Added new "tool" (salt_ip_verify_tool) and reading the list of allowed IPs from the salt master config.
2024-11-08 17:33:54 +00:00 · 2013-08-06 12:55:10 -07:00 · 2013-08-06 12:55:10 -07:00 · 2001669011
commit 2001669011
parent 8aedd948e3
1 changed files with 29 additions and 2 deletions
--- a/saltapi/netapi/rest_cherrypy/app.py
+++ b/saltapi/netapi/rest_cherrypy/app.py
@ -197,6 +197,32 @@ def salt_token_tool():
        cherrypy.request.cookie['session_id'] = x_auth


+def salt_ip_verify_tool():
+    '''
+    If there is a list of restricted IPs, verify current
+    client is coming from one of those IPs.
+    '''
+    # This is overly cumbersome and crude,
+    # But, it's also safe... ish...
+    salt_config = cherrypy.config.get('saltopts', None)
+    if salt_config:
+        cherrypy_conf = salt_config.get('rest_cherrypy', None)
+        if cherrypy_conf:
+            auth_ip_list = cherrypy_conf.get('authorized_ips', None)
+            if auth_ip_list:
+                print auth_ip_list
+                logger.debug("Found IP list: {0}".format(auth_ip_list))
+                rem_ip = cherrypy.request.headers.get('Remote-Addr', None)
+                logger.debug("Request from IP: {0}".format(rem_ip))
+                if not rem_ip in auth_ip_list:
+                    logger.error("Blocked IP: {0}".format(rem_ip))
+                    cherrypy.response.status = 403
+                    return {
+                        'status': cherrypy.response.status,
+                        'return': "Bad IP",
+                    }
+
+
 def salt_auth_tool():
    '''
    Redirect all unauthenticated requests to the login page
@ -205,8 +231,6 @@ def salt_auth_tool():
    if not cherrypy.session.has_key('token'):
        raise cherrypy.InternalRedirect('/login')

-    print cherrypy.config
-
    # Session is authenticated; inform caches
    cherrypy.response.headers['Cache-Control'] = 'private'

@ -393,6 +417,7 @@ class LowDataAdapter(object):

        'tools.hypermedia_out.on': True,
        'tools.hypermedia_in.on': True,
+        'tools.salt_ip_verify.on': True,
    }

    def __init__(self):
@ -1143,5 +1168,7 @@ def get_app(opts):
            salt_auth_tool, priority=60)
    cherrypy.tools.hypermedia_out = cherrypy.Tool('before_handler',
            hypermedia_out)
+    cherrypy.tools.salt_ip_verify = cherrypy.Tool('before_handler',
+            salt_ip_verify_tool)

    return root, apiopts, cpyopts