Revision 24de57c0
Added by Dominic Cleal over 11 years ago
- ID 24de57c0d694307a1abdede40fb96fea39259845
config/settings.yaml.example | ||
---|---|---|
# because they are cached at startup.
|
||
#
|
||
:unattended: true
|
||
:login: false
|
||
:login: true
|
||
:require_ssl: false
|
||
:locations_enabled: false
|
||
:organizations_enabled: false
|
lib/foreman/controller/smart_proxy_auth.rb | ||
---|---|---|
require 'uri'
|
||
|
||
module Foreman::Controller::SmartProxyAuth
|
||
extend ActiveSupport::Concern
|
||
|
||
module ClassMethods
|
||
def add_puppetmaster_filters(actions)
|
||
skip_before_filter :require_login, :only => actions
|
||
... | ... | |
end
|
||
end
|
||
|
||
def self.included(base)
|
||
base.extend(ClassMethods)
|
||
end
|
||
|
||
# Permits registered puppetmasters or a user with permission
|
||
def require_puppetmaster_or_login
|
||
if !Setting[:restrict_registered_puppetmasters] or auth_smart_proxy(SmartProxy.puppet_proxies, Setting[:require_ssl_puppetmasters])
|
||
set_admin_user
|
||
return true
|
||
end
|
||
module InstanceMethods
|
||
# Permits registered puppetmasters or a user with permission
|
||
def require_puppetmaster_or_login
|
||
if !Setting[:restrict_registered_puppetmasters] or auth_smart_proxy(SmartProxy.puppet_proxies, Setting[:require_ssl_puppetmasters])
|
||
set_admin_user
|
||
return true
|
||
end
|
||
|
||
require_login
|
||
unless User.current
|
||
render_403
|
||
return false
|
||
require_login
|
||
unless User.current
|
||
render_403
|
||
return false
|
||
end
|
||
authorize
|
||
end
|
||
authorize
|
||
end
|
||
|
||
# Filter requests to only permit from hosts with a registered smart proxy
|
||
# Uses rDNS of the request to match proxy hostnames
|
||
def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
|
||
request_hosts = nil
|
||
if request.ssl?
|
||
if cn = request.env[Setting[:ssl_client_cn_env]]
|
||
if request.env[Setting[:ssl_client_verify_env]] == 'SUCCESS'
|
||
request_hosts = [cn]
|
||
# Filter requests to only permit from hosts with a registered smart proxy
|
||
# Uses rDNS of the request to match proxy hostnames
|
||
def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
|
||
request_hosts = nil
|
||
if request.ssl?
|
||
if cn = request.env[Setting[:ssl_client_cn_env]]
|
||
if request.env[Setting[:ssl_client_verify_env]] == 'SUCCESS'
|
||
request_hosts = [cn]
|
||
else
|
||
logger.warn "SSL cert for #{cn} has not been verified - request from #{request.ip}"
|
||
end
|
||
elsif require_cert
|
||
logger.warn "No SSL cert with CN supplied - request from #{request.ip}"
|
||
else
|
||
logger.warn "SSL cert for #{cn} has not been verified - request from #{request.ip}"
|
||
request_hosts = Resolv.new.getnames(request.ip)
|
||
end
|
||
elsif require_cert
|
||
logger.warn "No SSL cert with CN supplied - request from #{request.ip}"
|
||
elsif SETTINGS[:require_ssl]
|
||
logger.warn "SSL is required - request from #{request.ip}"
|
||
else
|
||
request_hosts = Resolv.new.getnames(request.ip)
|
||
end
|
||
elsif SETTINGS[:require_ssl]
|
||
logger.warn "SSL is required - request from #{request.ip}"
|
||
else
|
||
request_hosts = Resolv.new.getnames(request.ip)
|
||
end
|
||
return false unless request_hosts
|
||
return false unless request_hosts
|
||
|
||
logger.debug("Verifying request from #{request_hosts} against #{proxies.map {|p| URI.parse(p.url).host}.inspect}")
|
||
unless proxies.detect { |p| request_hosts.include? URI.parse(p.url).host }
|
||
logger.warn "No smart proxy server found on #{request_hosts.inspect}"
|
||
return false
|
||
logger.debug("Verifying request from #{request_hosts} against #{proxies.map { |p| URI.parse(p.url).host }.inspect}")
|
||
unless proxies.detect { |p| request_hosts.include? URI.parse(p.url).host }
|
||
logger.warn "No smart proxy server found on #{request_hosts.inspect}"
|
||
return false
|
||
end
|
||
true
|
||
end
|
||
true
|
||
end
|
||
end
|
Also available in: Unified diff
refs #2069 - enable auth by default
Without authentication, sensitive information and power is available to all,
so improve security out of the box.