Add security by token and optional domain

2025-03-25 21:44:27 +01:00 · 2020-04-21 16:58:34 +02:00 · 2020-04-21 16:58:34 +02:00 · bfd09a7955
commit bfd09a7955
parent e5a866b89b
4 changed files with 37 additions and 16 deletions
--- a/lg.cfg
+++ b/lg.cfg
@ -5,6 +5,8 @@ LOG_LEVEL="WARNING"

 DOMAIN = "tetaneutral.net"

+SECURITY_TOKEN = "ThisTokenIsNotSecret"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000

--- a/lg.py
+++ b/lg.py
@ -144,16 +144,24 @@ def bird_proxy(host, proto, service, query):
        return False, 'Host "%s" invalid' % host
    elif not path:
        return False, 'Proto "%s" invalid' % proto
-    else:
-        url = "http://%s.%s:%d/%s?q=%s" % (host, app.config["DOMAIN"], port, path, quote(query))
-        try:
-            f = urlopen(url)
-            resultat = f.read()
-            status = True                # retreive remote status
-        except IOError:
-            resultat = "Failed retreive url: %s" % url
-            status = False
-        return status, resultat
+    
+    url = "http://%s" % (host)
+    if "DOMAIN" in app.config:
+        url = "%s.%s" % (url, app.config["DOMAIN"])
+    url = "%s:%d/%s?" % (url, port, path)
+    if "SECURITY_TOKEN" in app.config:
+        url = "%stoken=%s&" % (url, app.config["SECURITY_TOKEN"])
+    url = "%sq=%s" % (url, quote(query))
+
+    try:
+        f = urlopen(url)
+        resultat = f.read()
+        status = True                # retreive remote status
+    except IOError:
+        resultat = "Failed retreive url: %s" % url
+        status = False
+    
+    return status, resultat


@app.context_processor
@ -455,7 +463,10 @@ def show_bgpmap():
        return edges[edge_tuple]

    for host, asmaps in data.iteritems():
-        add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        if "DOMAIN" in app.config:
+            add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        else:
+            add_node(host, label= "%s" % (host.upper()), shape="box", fillcolor="#F5A9A9")

        as_number = app.config["AS_NUMBER"].get(host, None)
        if as_number:
--- a/lgproxy.cfg
+++ b/lgproxy.cfg
@ -5,6 +5,7 @@ LOG_LEVEL="WARNING"
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
 ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
+SECURITY_TOKEN = "ThisTokenIsNotSecret"
 IPV4_SOURCE=""
 IPV6_SOURCE=""
 BIRD_SOCKET="/var/run/bird/bird.ctl"
--- a/lgproxy.py
+++ b/lgproxy.py
@ -48,14 +48,21 @@ def access_log_after(response, *args, **kwargs):
    app.logger.info("[%s] reponse %s, %s", request.remote_addr,  request.url, response.status_code)
    return response

-def check_accesslist():
-    if  app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
-        abort(401)
+def check_security():
+    if "ACCESS_LIST" in app.config:
+        if request.remote_addr not in app.config["ACCESS_LIST"]:
+            app.logger.warning("Your remote address is not valid")
+            abort(401)
+
+    if "SECURITY_TOKEN" in app.config:
+        if request.args.get("token") != app.config["SECURITY_TOKEN"]:
+            app.logger.warning("Your security token is not valid")
+            abort(401)

@app.route("/traceroute")
@app.route("/traceroute6")
 def traceroute():
-    check_accesslist()
+    check_security()
    
    if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
        traceroute4 = [ 'traceroute' ]
@ -94,7 +101,7 @@ def traceroute():
@app.route("/bird")
@app.route("/bird6")
 def bird():
-    check_accesslist()
+    check_security()

    if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
    elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))