Project

General

Profile

« Previous | Next » 

Revision 24de57c0

Added by Dominic Cleal over 11 years ago

  • ID 24de57c0d694307a1abdede40fb96fea39259845

refs #2069 - enable auth by default

Without authentication, sensitive information and power is available to all,
so improve security out of the box.

View differences:

config/settings.yaml.example
# because they are cached at startup.
#
:unattended: true
:login: false
:login: true
:require_ssl: false
:locations_enabled: false
:organizations_enabled: false
lib/foreman/controller/smart_proxy_auth.rb
require 'uri'
module Foreman::Controller::SmartProxyAuth
extend ActiveSupport::Concern
module ClassMethods
def add_puppetmaster_filters(actions)
skip_before_filter :require_login, :only => actions
......
end
end
def self.included(base)
base.extend(ClassMethods)
end
# Permits registered puppetmasters or a user with permission
def require_puppetmaster_or_login
if !Setting[:restrict_registered_puppetmasters] or auth_smart_proxy(SmartProxy.puppet_proxies, Setting[:require_ssl_puppetmasters])
set_admin_user
return true
end
module InstanceMethods
# Permits registered puppetmasters or a user with permission
def require_puppetmaster_or_login
if !Setting[:restrict_registered_puppetmasters] or auth_smart_proxy(SmartProxy.puppet_proxies, Setting[:require_ssl_puppetmasters])
set_admin_user
return true
end
require_login
unless User.current
render_403
return false
require_login
unless User.current
render_403
return false
end
authorize
end
authorize
end
# Filter requests to only permit from hosts with a registered smart proxy
# Uses rDNS of the request to match proxy hostnames
def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
request_hosts = nil
if request.ssl?
if cn = request.env[Setting[:ssl_client_cn_env]]
if request.env[Setting[:ssl_client_verify_env]] == 'SUCCESS'
request_hosts = [cn]
# Filter requests to only permit from hosts with a registered smart proxy
# Uses rDNS of the request to match proxy hostnames
def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
request_hosts = nil
if request.ssl?
if cn = request.env[Setting[:ssl_client_cn_env]]
if request.env[Setting[:ssl_client_verify_env]] == 'SUCCESS'
request_hosts = [cn]
else
logger.warn "SSL cert for #{cn} has not been verified - request from #{request.ip}"
end
elsif require_cert
logger.warn "No SSL cert with CN supplied - request from #{request.ip}"
else
logger.warn "SSL cert for #{cn} has not been verified - request from #{request.ip}"
request_hosts = Resolv.new.getnames(request.ip)
end
elsif require_cert
logger.warn "No SSL cert with CN supplied - request from #{request.ip}"
elsif SETTINGS[:require_ssl]
logger.warn "SSL is required - request from #{request.ip}"
else
request_hosts = Resolv.new.getnames(request.ip)
end
elsif SETTINGS[:require_ssl]
logger.warn "SSL is required - request from #{request.ip}"
else
request_hosts = Resolv.new.getnames(request.ip)
end
return false unless request_hosts
return false unless request_hosts
logger.debug("Verifying request from #{request_hosts} against #{proxies.map {|p| URI.parse(p.url).host}.inspect}")
unless proxies.detect { |p| request_hosts.include? URI.parse(p.url).host }
logger.warn "No smart proxy server found on #{request_hosts.inspect}"
return false
logger.debug("Verifying request from #{request_hosts} against #{proxies.map { |p| URI.parse(p.url).host }.inspect}")
unless proxies.detect { |p| request_hosts.include? URI.parse(p.url).host }
logger.warn "No smart proxy server found on #{request_hosts.inspect}"
return false
end
true
end
true
end
end

Also available in: Unified diff