smart_proxy_dynflow 0.1.10 → 0.1.11

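--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 111612f85395ef80b5f3a770b5d7bb4d47bc68e9
- data.tar.gz: c59df9511f4cd1a69a49774bc6bfab4ca973b3eb
+ metadata.gz: 37c4ca86391e9bae63acf0d0f1168e6d8ac2f9ae
+ data.tar.gz: d81e1d7194797eebf44b9aba08ec01600ef42b9e
  SHA512:
- metadata.gz: a8ef0cf4fbceff16a834f9a9e74d9ad2f19800615de47af82bba4ca34003f09f90645fa529067ea5cf0b3bdeb749b4ba1e0a3b1a3b572a6ee8e74d65ad707ab9
- data.tar.gz: dfc585800bb40f0e9493059a24ae16815953711ae126f302f47c416bbccde2576b0ba4411f4d78df1ff78196bf24aab9557e279b6c45e2bb3bf741daf3a119db
+ metadata.gz: 370eed460b96d422d1465100ffe0f5dc74a7a39d1d1d0a09dde1c96848322b183bd893eb8c4e34e2d567d7c0d583f36ef7f01e614248789be17cb25ded4f7de7
+ data.tar.gz: 328ac8a3a3148f744425c814ce23107ed2ff4c61b3bbfd32e7721c41080ebaef72abd5da8cc187e401a1a58f3e8f196871abec5a34f825acc0b1e73511d623a8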
@@ -6,18 +6,53 @@ module Proxy
6
6
  class Dynflow
7
7
  class Api < ::Sinatra::Base
8
8
  helpers ::Proxy::Helpers
9
+ helpers ::Proxy::Log
9
10
  helpers ::Proxy::Dynflow::Helpers
10
11
 
11
12
  before do
12
- logger = Proxy::LogBuffer::Decorator.instance
13
13
  content_type :json
14
14
  if request.env['HTTP_AUTHORIZATION'] && request.env['PATH_INFO'].end_with?('/done')
15
15
  # Halt running before callbacks if a token is provided and the request is notifying about task being done
16
16
  return
17
+ else
18
+ do_authorize_with_ssl_client
19
+ do_authorize_with_trusted_hosts
17
20
  end
18
21
  end
19
22
 
20
- helpers Sinatra::Authorization
23
+
24
+ # TODO: move this to foreman-proxy to reduce code duplicities
25
+ def do_authorize_with_trusted_hosts
26
+ # When :trusted_hosts is given, we check the client against the list
27
+ # HTTPS: test the certificate CN
28
+ # HTTP: test the reverse DNS entry of the remote IP
29
+ trusted_hosts = Proxy::SETTINGS.trusted_hosts
30
+ if trusted_hosts
31
+ if [ 'yes', 'on', 1 ].include? request.env['HTTPS'].to_s
32
+ fqdn = https_cert_cn
33
+ source = 'SSL_CLIENT_CERT'
34
+ else
35
+ fqdn = remote_fqdn(Proxy::SETTINGS.forward_verify)
36
+ source = 'REMOTE_ADDR'
37
+ end
38
+ fqdn = fqdn.downcase
39
+ logger.debug "verifying remote client #{fqdn} (based on #{source}) against trusted_hosts #{trusted_hosts}"
40
+
41
+ unless Proxy::SETTINGS.trusted_hosts.include?(fqdn)
42
+ log_halt 403, "Untrusted client #{fqdn} attempted to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
43
+ end
44
+ end
45
+ end
46
+
47
+ def do_authorize_with_ssl_client
48
+ if ['yes', 'on', '1'].include? request.env['HTTPS'].to_s
49
+ if request.env['SSL_CLIENT_CERT'].to_s.empty?
50
+ log_halt 403, "No client SSL certificate supplied"
51
+ end
52
+ else
53
+ logger.debug('require_ssl_client_verification: skipping, non-HTTPS request')
54
+ end
55
+ end
21
56
 
22
57
  post "/*" do
23
58
  relay_request
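Review bot: In `do_authorize_with_trusted_hosts` the HTTPS test is `[ 'yes', 'on', 1 ].include? request.env['HTTPS'].to_s`, and the Integer `1` can never equal the String that `.to_s` returns, so a request whose `HTTPS` variable is `'1'` takes the else branch and is matched against `trusted_hosts` by reverse DNS of the remote address instead of by certificate CN. `do_authorize_with_ssl_client` just below already lists `'1'`, so the two checks disagree on what counts as HTTPS; the line should read `if ['yes', 'on', '1'].include? request.env['HTTPS'].to_s`. Separately, the `before` filter still returns ahead of both new checks whenever an `Authorization` header is present on a path ending in `/done`; only the header's presence is tested here and the token validation is not visible in this hunk, so confirm the handler for that path rejects an invalid token.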
@@ -1,5 +1,5 @@
1
1
  module Proxy
2
2
  class Dynflow
3
- VERSION = '0.1.10'
3
+ VERSION = '0.1.11'
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: smart_proxy_dynflow
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.10
4
+ version: 0.1.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ivan Nečas
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-27 00:00:00.000000000 Z
11
+ date: 2018-09-20 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler