updated to code to enforce access rules to the control channel
This commit is contained in:
parent
148dfbcfe1
commit
16327fc576
@ -3,6 +3,8 @@ package hodu
|
||||
import "encoding/json"
|
||||
import "fmt"
|
||||
import "net/http"
|
||||
import "net/netip"
|
||||
import "path/filepath"
|
||||
import "strings"
|
||||
import "time"
|
||||
|
||||
@ -82,15 +84,40 @@ func (ctl *server_ctl) Id() string {
|
||||
func (ctl *server_ctl) Authenticate(req *http.Request) (int, string) {
|
||||
var s *Server
|
||||
var rule HttpAccessRule
|
||||
var raddrport netip.AddrPort
|
||||
var raddr netip.Addr
|
||||
var err error
|
||||
|
||||
s = ctl.s
|
||||
|
||||
raddrport, err = netip.ParseAddrPort(req.RemoteAddr)
|
||||
if err == nil { raddr = raddrport.Addr() }
|
||||
|
||||
for _, rule = range s.cfg.CtlAuth.AccessRules {
|
||||
if req.URL.Path == rule.Prefix || strings.HasPrefix(req.URL.Path, rule.Prefix + "/") {
|
||||
if rule.Action == HTTP_ACCESS_ACCEPT {
|
||||
return http.StatusOK, ""
|
||||
} else if rule.Action == HTTP_ACCESS_REJECT {
|
||||
return http.StatusForbidden, ""
|
||||
// i don't take into account X-Forwarded-For and similar headers
|
||||
if req.URL.Path == rule.Prefix || strings.HasPrefix(req.URL.Path, filepath.Clean(rule.Prefix + "/")) {
|
||||
var org_net_ok bool
|
||||
|
||||
if len(rule.OrgNets) > 0 && raddr.IsValid() {
|
||||
var netpfx netip.Prefix
|
||||
|
||||
org_net_ok = false
|
||||
for _, netpfx = range rule.OrgNets {
|
||||
if err == nil && netpfx.Contains(raddr) {
|
||||
org_net_ok = true
|
||||
break
|
||||
}
|
||||
}
|
||||
} else {
|
||||
org_net_ok = true
|
||||
}
|
||||
|
||||
if org_net_ok {
|
||||
if rule.Action == HTTP_ACCESS_ACCEPT {
|
||||
return http.StatusOK, ""
|
||||
} else if rule.Action == HTTP_ACCESS_REJECT {
|
||||
return http.StatusForbidden, ""
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -980,8 +980,11 @@ func (s *Server) wrap_http_handler(handler ServerHttpHandler) http.Handler {
|
||||
status_code, realm = handler.Authenticate(req)
|
||||
if status_code == http.StatusUnauthorized && realm != "" {
|
||||
w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic Realm=\"%s\"", realm))
|
||||
WriteEmptyRespHeader(w, status_code)
|
||||
} else if status_code == http.StatusOK {
|
||||
status_code, err = handler.ServeHTTP(w, req)
|
||||
} else {
|
||||
WriteEmptyRespHeader(w, status_code)
|
||||
}
|
||||
time_taken = time.Now().Sub(start_time)
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user