Class: Proxy::Dynflow::Api
- Inherits: Sinatra::Base
  - Object
  - Sinatra::Base
  - Proxy::Dynflow::Api
- Defined in: lib/smart_proxy_dynflow/api.rb
Instance Method Summary
- #do_authorize_with_ssl_client ⇒ Object
- #do_authorize_with_trusted_hosts ⇒ Object
  TODO: move this to foreman-proxy to reduce code duplication.
Instance Method Details
#do_authorize_with_ssl_client ⇒ Object

    # File 'lib/smart_proxy_dynflow/api.rb', line 47

    def do_authorize_with_ssl_client
      # Applies only to HTTPS requests: reject when no client certificate was presented
      if %w[yes on 1].include? request.env['HTTPS'].to_s
        if request.env['SSL_CLIENT_CERT'].to_s.empty?
          log_halt 403, "No client SSL certificate supplied"
        end
      else
        logger.debug('require_ssl_client_verification: skipping, non-HTTPS request')
      end
    end

#do_authorize_with_trusted_hosts ⇒ Object
TODO: move this to foreman-proxy to reduce code duplication.

    # File 'lib/smart_proxy_dynflow/api.rb', line 24

    def do_authorize_with_trusted_hosts
      # When :trusted_hosts is given, we check the client against the list
      # HTTPS: test the certificate CN
      # HTTP: test the reverse DNS entry of the remote IP
      trusted_hosts = Proxy::SETTINGS.trusted_hosts
      if trusted_hosts
        # The env value is compared as a string, so every accepted value is a string
        if %w[yes on 1].include? request.env['HTTPS'].to_s
          fqdn = https_cert_cn
          source = 'SSL_CLIENT_CERT'
        else
          fqdn = remote_fqdn(Proxy::SETTINGS.forward_verify)
          source = 'REMOTE_ADDR'
        end
        fqdn = fqdn.downcase
        logger.debug "verifying remote client #{fqdn} (based on #{source}) against trusted_hosts #{trusted_hosts}"

        unless Proxy::SETTINGS.trusted_hosts.include?(fqdn)
          log_halt 403, "Untrusted client #{fqdn} attempted " \
                        "to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
        end
      end
    end
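
The outcome of the two checks for different kinds of request, as an added stand-alone model (not code from smart_proxy_dynflow). The `cert_cn:` and `reverse_dns:` arguments are hypothetical stand-ins for the `https_cert_cn` and `remote_fqdn` helpers, running the certificate check before the trusted-hosts check is an assumption, and the sample requests are constructed.

```ruby
# Added illustration: a stand-alone model of the two checks, not project code.
HTTPS_ON = %w[yes on 1].freeze

# env is a Rack-style hash. cert_cn and reverse_dns are hypothetical inputs
# standing in for the https_cert_cn and remote_fqdn helpers.
def authorize(env, trusted_hosts, cert_cn: nil, reverse_dns: nil)
  https = HTTPS_ON.include?(env['HTTPS'].to_s)

  # Check 1 (assumed to run first): HTTPS requests must carry a client cert.
  if https && env['SSL_CLIENT_CERT'].to_s.empty?
    return [403, 'No client SSL certificate supplied']
  end

  # Check 2 is skipped entirely when no trusted_hosts list is configured.
  return [200, 'trusted_hosts not set, client name not checked'] unless trusted_hosts

  fqdn, source = https ? [cert_cn, 'SSL_CLIENT_CERT'] : [reverse_dns, 'REMOTE_ADDR']
  fqdn = fqdn.to_s.downcase
  # Only the client name is downcased, so a mixed-case list entry never matches.
  return [200, "#{fqdn} trusted (based on #{source})"] if trusted_hosts.include?(fqdn)

  [403, "Untrusted client #{fqdn} (based on #{source})"]
end

# Constructed sample requests: [env, trusted_hosts, resolved client names].
CERT = { 'HTTPS' => 'on', 'SSL_CLIENT_CERT' => '(constructed PEM placeholder)' }.freeze
CASES = {
  https_cn_listed:    [CERT, ['foreman.example.com'], { cert_cn: 'Foreman.Example.com' }],
  https_no_cert:      [{ 'HTTPS' => 'on' }, ['foreman.example.com'], {}],
  http_rdns_listed:   [{}, ['foreman.example.com'], { reverse_dns: 'foreman.example.com' }],
  http_rdns_unlisted: [{}, ['foreman.example.com'], { reverse_dns: 'other.example.net' }],
  mixed_case_setting: [CERT, ['Foreman.Example.com'], { cert_cn: 'foreman.example.com' }],
  no_trusted_hosts:   [{}, nil, { reverse_dns: 'other.example.net' }]
}.freeze

# Returns { case name => HTTP status } for every constructed request.
def run_cases
  CASES.transform_values { |env, hosts, names| authorize(env, hosts, **names)[0] }
end

run_cases.each { |name, status| puts format('%-20s %d', name, status) }
```

The last two cases are the ones to check in a deployment: an entry in `:trusted_hosts:` that is not lower case rejects its own host, and leaving the setting unset means no client name is checked at all.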