smart_proxy_dynflow 0.1.10 → 0.1.11
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/smart_proxy_dynflow/api.rb +37 -2
- data/lib/smart_proxy_dynflow/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 37c4ca86391e9bae63acf0d0f1168e6d8ac2f9ae
|
4
|
+
data.tar.gz: d81e1d7194797eebf44b9aba08ec01600ef42b9e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 370eed460b96d422d1465100ffe0f5dc74a7a39d1d1d0a09dde1c96848322b183bd893eb8c4e34e2d567d7c0d583f36ef7f01e614248789be17cb25ded4f7de7
|
7
|
+
data.tar.gz: 328ac8a3a3148f744425c814ce23107ed2ff4c61b3bbfd32e7721c41080ebaef72abd5da8cc187e401a1a58f3e8f196871abec5a34f825acc0b1e73511d623a8
|
@@ -6,18 +6,53 @@ module Proxy
|
|
6
6
|
class Dynflow
|
7
7
|
class Api < ::Sinatra::Base
|
8
8
|
helpers ::Proxy::Helpers
|
9
|
+
helpers ::Proxy::Log
|
9
10
|
helpers ::Proxy::Dynflow::Helpers
|
10
11
|
|
11
12
|
before do
|
12
|
-
logger = Proxy::LogBuffer::Decorator.instance
|
13
13
|
content_type :json
|
14
14
|
if request.env['HTTP_AUTHORIZATION'] && request.env['PATH_INFO'].end_with?('/done')
|
15
15
|
# Halt running before callbacks if a token is provided and the request is notifying about task being done
|
16
16
|
return
|
17
|
+
else
|
18
|
+
do_authorize_with_ssl_client
|
19
|
+
do_authorize_with_trusted_hosts
|
17
20
|
end
|
18
21
|
end
|
19
22
|
|
20
|
-
|
23
|
+
|
24
|
+
# TODO: move this to foreman-proxy to reduce code duplicities
|
25
|
+
def do_authorize_with_trusted_hosts
|
26
|
+
# When :trusted_hosts is given, we check the client against the list
|
27
|
+
# HTTPS: test the certificate CN
|
28
|
+
# HTTP: test the reverse DNS entry of the remote IP
|
29
|
+
trusted_hosts = Proxy::SETTINGS.trusted_hosts
|
30
|
+
if trusted_hosts
|
31
|
+
if [ 'yes', 'on', 1 ].include? request.env['HTTPS'].to_s
|
32
|
+
fqdn = https_cert_cn
|
33
|
+
source = 'SSL_CLIENT_CERT'
|
34
|
+
else
|
35
|
+
fqdn = remote_fqdn(Proxy::SETTINGS.forward_verify)
|
36
|
+
source = 'REMOTE_ADDR'
|
37
|
+
end
|
38
|
+
fqdn = fqdn.downcase
|
39
|
+
logger.debug "verifying remote client #{fqdn} (based on #{source}) against trusted_hosts #{trusted_hosts}"
|
40
|
+
|
41
|
+
unless Proxy::SETTINGS.trusted_hosts.include?(fqdn)
|
42
|
+
log_halt 403, "Untrusted client #{fqdn} attempted to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
def do_authorize_with_ssl_client
|
48
|
+
if ['yes', 'on', '1'].include? request.env['HTTPS'].to_s
|
49
|
+
if request.env['SSL_CLIENT_CERT'].to_s.empty?
|
50
|
+
log_halt 403, "No client SSL certificate supplied"
|
51
|
+
end
|
52
|
+
else
|
53
|
+
logger.debug('require_ssl_client_verification: skipping, non-HTTPS request')
|
54
|
+
end
|
55
|
+
end
|
21
56
|
|
22
57
|
post "/*" do
|
23
58
|
relay_request
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: smart_proxy_dynflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.11
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ivan Nečas
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-09-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|