smart_proxy_dynflow 0.1.10 → 0.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/smart_proxy_dynflow/api.rb +37 -2
- data/lib/smart_proxy_dynflow/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 37c4ca86391e9bae63acf0d0f1168e6d8ac2f9ae
|
|
4
|
+
data.tar.gz: d81e1d7194797eebf44b9aba08ec01600ef42b9e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 370eed460b96d422d1465100ffe0f5dc74a7a39d1d1d0a09dde1c96848322b183bd893eb8c4e34e2d567d7c0d583f36ef7f01e614248789be17cb25ded4f7de7
|
|
7
|
+
data.tar.gz: 328ac8a3a3148f744425c814ce23107ed2ff4c61b3bbfd32e7721c41080ebaef72abd5da8cc187e401a1a58f3e8f196871abec5a34f825acc0b1e73511d623a8
|
|
@@ -6,18 +6,53 @@ module Proxy
|
|
|
6
6
|
class Dynflow
|
|
7
7
|
class Api < ::Sinatra::Base
|
|
8
8
|
helpers ::Proxy::Helpers
|
|
9
|
+
helpers ::Proxy::Log
|
|
9
10
|
helpers ::Proxy::Dynflow::Helpers
|
|
10
11
|
|
|
11
12
|
before do
|
|
12
|
-
logger = Proxy::LogBuffer::Decorator.instance
|
|
13
13
|
content_type :json
|
|
14
14
|
if request.env['HTTP_AUTHORIZATION'] && request.env['PATH_INFO'].end_with?('/done')
|
|
15
15
|
# Halt running before callbacks if a token is provided and the request is notifying about task being done
|
|
16
16
|
return
|
|
17
|
+
else
|
|
18
|
+
do_authorize_with_ssl_client
|
|
19
|
+
do_authorize_with_trusted_hosts
|
|
17
20
|
end
|
|
18
21
|
end
|
|
19
22
|
|
|
20
|
-
|
|
23
|
+
|
|
24
|
+
# TODO: move this to foreman-proxy to reduce code duplicities
|
|
25
|
+
def do_authorize_with_trusted_hosts
|
|
26
|
+
# When :trusted_hosts is given, we check the client against the list
|
|
27
|
+
# HTTPS: test the certificate CN
|
|
28
|
+
# HTTP: test the reverse DNS entry of the remote IP
|
|
29
|
+
trusted_hosts = Proxy::SETTINGS.trusted_hosts
|
|
30
|
+
if trusted_hosts
|
|
31
|
+
if [ 'yes', 'on', 1 ].include? request.env['HTTPS'].to_s
|
|
32
|
+
fqdn = https_cert_cn
|
|
33
|
+
source = 'SSL_CLIENT_CERT'
|
|
34
|
+
else
|
|
35
|
+
fqdn = remote_fqdn(Proxy::SETTINGS.forward_verify)
|
|
36
|
+
source = 'REMOTE_ADDR'
|
|
37
|
+
end
|
|
38
|
+
fqdn = fqdn.downcase
|
|
39
|
+
logger.debug "verifying remote client #{fqdn} (based on #{source}) against trusted_hosts #{trusted_hosts}"
|
|
40
|
+
|
|
41
|
+
unless Proxy::SETTINGS.trusted_hosts.include?(fqdn)
|
|
42
|
+
log_halt 403, "Untrusted client #{fqdn} attempted to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def do_authorize_with_ssl_client
|
|
48
|
+
if ['yes', 'on', '1'].include? request.env['HTTPS'].to_s
|
|
49
|
+
if request.env['SSL_CLIENT_CERT'].to_s.empty?
|
|
50
|
+
log_halt 403, "No client SSL certificate supplied"
|
|
51
|
+
end
|
|
52
|
+
else
|
|
53
|
+
logger.debug('require_ssl_client_verification: skipping, non-HTTPS request')
|
|
54
|
+
end
|
|
55
|
+
end
|
|
21
56
|
|
|
22
57
|
post "/*" do
|
|
23
58
|
relay_request
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: smart_proxy_dynflow
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.11
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ivan Nečas
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-09-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|