Class: Proxy::Dynflow::Api

Inherits:
Sinatra::Base
  • Object
Defined in:
lib/smart_proxy_dynflow/api.rb

Instance Method Summary collapse

Instance Method Details

#do_authorize_with_ssl_client ⇒ Object



# File 'lib/smart_proxy_dynflow/api.rb', line 47

# Halts with 403 when an HTTPS request carries no client certificate.
#
# The check is presence-only: it tests whether request.env['SSL_CLIENT_CERT']
# is non-empty and does not inspect or validate the certificate here.
# NOTE(review): presumably chain validation is done by whatever populates
# SSL_CLIENT_CERT in the Rack env - confirm against the server setup.
#
# Requests whose HTTPS env value is not "yes", "on" or "1" are not checked at
# all; only a debug line is written for them.
def do_authorize_with_ssl_client
  env = request.env
  https_request = %w[yes on 1].include?(env['HTTPS'].to_s)

  # Plain HTTP: nothing to verify in this filter, just leave a trace.
  return logger.debug('require_ssl_client_verification: skipping, non-HTTPS request') unless https_request

  log_halt 403, "No client SSL certificate supplied" if env['SSL_CLIENT_CERT'].to_s.empty?
end

#do_authorize_with_trusted_hosts ⇒ Object

TODO: move this to foreman-proxy to reduce code duplication



# File 'lib/smart_proxy_dynflow/api.rb', line 24

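# Halts with 403 unless the client is listed in Proxy::SETTINGS.trusted_hosts.
#
# When :trusted_hosts is nil or false the check is skipped entirely. An empty
# list is truthy in Ruby, so it reaches the membership test and every client
# is rejected.
#
# The client name is taken from one of two sources:
#   HTTPS: the certificate CN (https_cert_cn)
#   HTTP:  the reverse DNS entry of the remote IP (remote_fqdn)
def do_authorize_with_trusted_hosts
  trusted_hosts = Proxy::SETTINGS.trusted_hosts
  return unless trusted_hosts

  # The env value is stringified before the lookup, so the list must hold
  # strings. With an Integer 1 in the list, HTTPS=1 never matched and the
  # request was authorized by reverse DNS instead of by its certificate CN.
  if %w[yes on 1].include?(request.env['HTTPS'].to_s)
    fqdn = https_cert_cn
    source = 'SSL_CLIENT_CERT'
  else
    # NOTE(review): a name from reverse DNS is only as trustworthy as the
    # resolver and the PTR zone; forward_verify is passed through to
    # remote_fqdn, presumably to forward-confirm the name - confirm.
    fqdn = remote_fqdn(Proxy::SETTINGS.forward_verify)
    source = 'REMOTE_ADDR'
  end

  # Only the client name is downcased. Entries in :trusted_hosts are compared
  # as configured, so a mixed-case entry never matches.
  fqdn = fqdn.downcase
  logger.debug "verifying remote client #{fqdn} (based on #{source}) against trusted_hosts #{trusted_hosts}"

  # Reuse the list that was read and logged above rather than reading the
  # setting a second time.
  return if trusted_hosts.include?(fqdn)

  log_halt 403, "Untrusted client #{fqdn} attempted " \
                "to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
end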