Add security by token and optional domain

This commit is contained in:
Guillaume Marsay 2020-04-21 16:58:34 +02:00
parent e5a866b89b
commit bfd09a7955
4 changed files with 37 additions and 16 deletions

2
lg.cfg

@ -5,6 +5,8 @@ LOG_LEVEL="WARNING"
DOMAIN = "tetaneutral.net" DOMAIN = "tetaneutral.net"
SECURITY_TOKEN = "ThisTokenIsNotSecret"
BIND_IP = "0.0.0.0" BIND_IP = "0.0.0.0"
BIND_PORT = 5000 BIND_PORT = 5000
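Review bot: The new `SECURITY_TOKEN` line commits a shared secret with a fixed default, and the same literal is added to the other .cfg hunk in this commit, so a deployment that keeps both files as shipped is protected only by `ACCESS_LIST` while the token check is satisfied by a value anyone can read from the repository. Nothing in the config says this value must be changed or that it must match on both sides. A comment above the line would make that contract explicit: `# Shared secret presented by lg to lgproxy on every request; set the same value in both configs and change it before deployment`.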

33
lg.py

@ -144,16 +144,24 @@ def bird_proxy(host, proto, service, query):
return False, 'Host "%s" invalid' % host return False, 'Host "%s" invalid' % host
elif not path: elif not path:
return False, 'Proto "%s" invalid' % proto return False, 'Proto "%s" invalid' % proto
else:
url = "http://%s.%s:%d/%s?q=%s" % (host, app.config["DOMAIN"], port, path, quote(query)) url = "http://%s" % (host)
try: if "DOMAIN" in app.config:
f = urlopen(url) url = "%s.%s" % (url, app.config["DOMAIN"])
resultat = f.read() url = "%s:%d/%s?" % (url, port, path)
status = True # retreive remote status if "SECURITY_TOKEN" in app.config:
except IOError: url = "%stoken=%s&" % (url, app.config["SECURITY_TOKEN"])
resultat = "Failed retreive url: %s" % url url = "%sq=%s" % (url, quote(query))
status = False
return status, resultat try:
f = urlopen(url)
resultat = f.read()
status = True # retreive remote status
except IOError:
resultat = "Failed retreive url: %s" % url
status = False
return status, resultat
@app.context_processor @app.context_processor
@ -455,7 +463,10 @@ def show_bgpmap():
return edges[edge_tuple] return edges[edge_tuple]
for host, asmaps in data.iteritems(): for host, asmaps in data.iteritems():
add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9") if "DOMAIN" in app.config:
add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
else:
add_node(host, label= "%s" % (host.upper()), shape="box", fillcolor="#F5A9A9")
as_number = app.config["AS_NUMBER"].get(host, None) as_number = app.config["AS_NUMBER"].get(host, None)
if as_number: if as_number:
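Review bot: In the bird_proxy hunk the failure message `resultat = "Failed retreive url: %s" % url` now embeds the full URL, which contains `token=` after this change, so a proxy outage returns the shared secret to whoever triggered the request; bird_proxy's def line is above the hunk, so I cannot see where the result is rendered, but the value is presumably shown to the user. The token is also interpolated unquoted while `query` goes through `quote()`, so a token containing `&`, `#` or `%` would silently produce a different request than configured. Two changes cover both: `url = "%stoken=%s&" % (url, quote(app.config["SECURITY_TOKEN"]))` and `resultat = "Failed retreive url: %s" % url.split("?", 1)[0]`. Note also that the token travels as a plain-http query parameter, so the proxy side's request log (its `access_log_after` logs `request.url`) will record it; that is raised on the other file's hunk.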


@ -5,6 +5,7 @@ LOG_LEVEL="WARNING"
BIND_IP = "0.0.0.0" BIND_IP = "0.0.0.0"
BIND_PORT = 5000 BIND_PORT = 5000
ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"] ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
SECURITY_TOKEN = "ThisTokenIsNotSecret"
IPV4_SOURCE="" IPV4_SOURCE=""
IPV6_SOURCE="" IPV6_SOURCE=""
BIRD_SOCKET="/var/run/bird/bird.ctl" BIRD_SOCKET="/var/run/bird/bird.ctl"


@ -48,14 +48,21 @@ def access_log_after(response, *args, **kwargs):
app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code) app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code)
return response return response
def check_accesslist(): def check_security():
if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]: if "ACCESS_LIST" in app.config:
abort(401) if request.remote_addr not in app.config["ACCESS_LIST"]:
app.logger.warning("Your remote address is not valid")
abort(401)
if "SECURITY_TOKEN" in app.config:
if request.args.get("token") != app.config["SECURITY_TOKEN"]:
app.logger.warning("Your security token is not valid")
abort(401)
@app.route("/traceroute") @app.route("/traceroute")
@app.route("/traceroute6") @app.route("/traceroute6")
def traceroute(): def traceroute():
check_accesslist() check_security()
if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'): if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
traceroute4 = [ 'traceroute' ] traceroute4 = [ 'traceroute' ]
@ -94,7 +101,7 @@ def traceroute():
@app.route("/bird") @app.route("/bird")
@app.route("/bird6") @app.route("/bird6")
def bird(): def bird():
check_accesslist() check_security()
if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET")) if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET")) elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))
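Review bot: check_security changes the meaning of an empty `ACCESS_LIST`: the old code's `if app.config["ACCESS_LIST"] and ...` treated `[]` as "no restriction", whereas the new `if "ACCESS_LIST" in app.config:` followed by `request.remote_addr not in app.config["ACCESS_LIST"]` rejects every client when the list is present but empty, and the same applies to an empty `SECURITY_TOKEN` string, which can then only be satisfied by an explicit `?token=`. Keeping the truthiness test preserves the previous opt-out behaviour: `if app.config.get("ACCESS_LIST") and request.remote_addr not in app.config["ACCESS_LIST"]:` and `if app.config.get("SECURITY_TOKEN") and request.args.get("token") != app.config["SECURITY_TOKEN"]:`. Separately, the context line in access_log_after logs `request.url`, which after this commit carries the token in its query string on every call, so the secret is written to the access log in clear; logging `request.base_url` (no query string) instead, or `request.path`, keeps the log useful without the token. A constant-time comparison (`hmac.compare_digest`) for the token would be the usual choice; note it requires both operands to be the same type, which with Flask's unicode `request.args` on this Python 2 code base needs an explicit coercion first.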