From 96c33da44690adba5c257863ffcf993bcffe7ab5 Mon Sep 17 00:00:00 2001
From: Guillaume Marsay
Date: Mon, 15 Jun 2020 13:27:26 +0200
Subject: [PATCH] Add SHARED_SECRET
---
 lg.cfg | 3 +++
 lg.py | 3 ++-
 lgproxy.cfg | 9 +++++++++
 lgproxy.py | 13 +++++++++----
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/lg.cfg b/lg.cfg
index 2cc3388..5ddfc5d 100644
--- a/lg.cfg
+++ b/lg.cfg
@@ -5,6 +5,9 @@ LOG_LEVEL="WARNING"
 DOMAIN = "tetaneutral.net"
+# Used for restrict access on lgproxy - must be same in lgproxy.cfg
+SHARED_SECRET="ThisTokenIsNotSecret"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
diff --git a/lg.py b/lg.py
index 3be6307..e9ea3e5 100644
--- a/lg.py
+++ b/lg.py
@@ -153,7 +153,8 @@ def bird_proxy(host, proto, service, query):
     if "DOMAIN" in app.config:
         url = "%s.%s" % (url, app.config["DOMAIN"])
     url = "%s:%d/%s?" % (url, port, path)
-
+    if "SHARED_SECRET" in app.config:
+        url = "%ssecret=%s&" % (url, app.config["SHARED_SECRET"])
     url = "%sq=%s" % (url, quote(query))
 
     try:
diff --git a/lgproxy.cfg b/lgproxy.cfg
index e7a6e8a..7019e52 100644
--- a/lgproxy.cfg
+++ b/lgproxy.cfg
@@ -1,12 +1,21 @@
 DEBUG=False
+
 LOG_FILE="/var/log/lg-proxy/lg-proxy.log"
 LOG_LEVEL="WARNING"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
+
+# Used for restrict access on lgproxy - Empty list = all allowed
 ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
+
+# Used for restrict access on lgproxy - Must be same in lg.cfg
+SHARED_SECRET="ThisTokenIsNotSecret"
+
 IPV4_SOURCE=""
 IPV6_SOURCE=""
+
 BIRD_SOCKET="/var/run/bird/bird.ctl"
 BIRD6_SOCKET="/var/run/bird/bird6.ctl"
diff --git a/lgproxy.py b/lgproxy.py
index e1b3cdb..a81abb9 100644
--- a/lgproxy.py
+++ b/lgproxy.py
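Review bot: `SHARED_SECRET="ThisTokenIsNotSecret"` ships a working default in the committed lg.cfg, and the lgproxy.cfg hunk repeats the same value, so a deployment that keeps the sample files unchanged passes the new proxy check with a token anyone reading this repository knows. Because lgproxy.py only enforces the check when the configured value is truthy, an empty default would silently disable it rather than fail, so the safer shape is a comment that spells this out next to a value that cannot work as shipped, e.g. `# Set to a long random string and use the same value in lgproxy.cfg; an empty value disables the check` above `SHARED_SECRET=""`. Whichever default is chosen, the consequence of leaving it untouched should be stated in both files.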
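Review bot: The added line interpolates the secret into the query string raw, while the query itself goes through `quote()` on the next context line, so a secret containing `&`, `#`, `+` or `%` would reach lgproxy mangled and be rejected; the fix is `url = "%ssecret=%s&" % (url, quote(app.config["SHARED_SECRET"]))`. The guard `if "SHARED_SECRET" in app.config` also differs from the proxy side, which tests truthiness, so an empty configured value still sends `secret=&`; harmless, but `if app.config.get("SHARED_SECRET"):` would keep the two ends consistent. Carrying the token in the URL means it is copied into every log that records request URLs, including lgproxy's own access log; a request header would avoid that but needs a matching change in lgproxy.py. bird_proxy starts and ends outside this hunk.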
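Review bot: The new comment above `SHARED_SECRET` mirrors the ACCESS_LIST one but does not say what an empty or missing value means, and in lgproxy.py `app.config.get('SHARED_SECRET')` makes a falsy value skip the secret check entirely, which is the opposite of what an operator might assume. Suggest `# Used for restrict access on lgproxy - Must be same in lg.cfg; empty/absent = secret check disabled` so the two settings are documented the same way. The sample value itself is discussed in the lg.cfg hunk.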
@@ -54,14 +54,19 @@ def access_log_after(response, *args, **kwargs):
     app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code)
     return response
 
-def check_accesslist():
-    if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
+def check_security():
+    if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
+        app.logger.info("Your remote address is not valid")
+        abort(401)
+
+    if app.config.get('SHARED_SECRET') and request.args.get("secret") != app.config["SHARED_SECRET"]:
+        app.logger.info("Your shared secret is not valid")
         abort(401)
 
 @app.route("/traceroute")
 @app.route("/traceroute6")
 def traceroute():
-    check_accesslist()
+    check_security()
 
     if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
         traceroute4 = [ 'traceroute' ]
@@ -100,7 +105,7 @@ def traceroute():
 @app.route("/bird")
 @app.route("/bird6")
 def bird():
-    check_accesslist()
+    check_security()
 
     if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
     elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))
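Review bot: `request.args.get("secret") != app.config["SHARED_SECRET"]` checks a credential with ordinary string equality; the conventional form is a constant-time comparison, e.g. `secret = app.config.get('SHARED_SECRET')` followed by `if secret and not hmac.compare_digest(request.args.get("secret", ""), secret):`, with `import hmac` added at the top of the file. The two new `app.logger.info` lines read like client-facing messages and do not say who was rejected; `app.logger.warning("rejected %s: invalid shared secret", request.remote_addr)` is more useful when reading the log. Note also that the `access_log_after` context line at the top of this hunk logs `request.url`, so once lg.py sends the token as a query parameter every proxied request writes it into the log file; logging `request.path` there instead would keep the secret out of the log. access_log_after begins outside the hunk.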