Add security by token and optional domain

lg.cfg

@@ -5,6 +5,8 @@ LOG_LEVEL="WARNING"
 
 DOMAIN = "tetaneutral.net"
 
+SECURITY_TOKEN = "ThisTokenIsNotSecret"
+
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
 

lg.py

@@ -144,16 +144,24 @@ def bird_proxy(host, proto, service, query):
         return False, 'Host "%s" invalid' % host
     elif not path:
         return False, 'Proto "%s" invalid' % proto
-    else:
+    
-        url = "http://%s.%s:%d/%s?q=%s" % (host, app.config["DOMAIN"], port, path, quote(query))
+    url = "http://%s" % (host)
-        try:
+    if "DOMAIN" in app.config:
-            f = urlopen(url)
+        url = "%s.%s" % (url, app.config["DOMAIN"])
-            resultat = f.read()
+    url = "%s:%d/%s?" % (url, port, path)
-            status = True                # retreive remote status
+    if "SECURITY_TOKEN" in app.config:
-        except IOError:
+        url = "%stoken=%s&" % (url, app.config["SECURITY_TOKEN"])
-            resultat = "Failed retreive url: %s" % url
+    url = "%sq=%s" % (url, quote(query))
-            status = False
+
-        return status, resultat
+    try:
+        f = urlopen(url)
+        resultat = f.read()
+        status = True                # retreive remote status
+    except IOError:
+        resultat = "Failed retreive url: %s" % url
+        status = False
+    
+    return status, resultat
 
 
 @app.context_processor
@@ -455,7 +463,10 @@ def show_bgpmap():
         return edges[edge_tuple]
 
     for host, asmaps in data.iteritems():
-        add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        if "DOMAIN" in app.config:
+            add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9")
+        else:
+            add_node(host, label= "%s" % (host.upper()), shape="box", fillcolor="#F5A9A9")
 
         as_number = app.config["AS_NUMBER"].get(host, None)
         if as_number:

lgproxy.cfg

@@ -5,6 +5,7 @@ LOG_LEVEL="WARNING"
 BIND_IP = "0.0.0.0"
 BIND_PORT = 5000
 ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"]
+SECURITY_TOKEN = "ThisTokenIsNotSecret"
 IPV4_SOURCE=""
 IPV6_SOURCE=""
 BIRD_SOCKET="/var/run/bird/bird.ctl"

lgproxy.py

@@ -48,14 +48,21 @@ def access_log_after(response, *args, **kwargs):
     app.logger.info("[%s] reponse %s, %s", request.remote_addr,  request.url, response.status_code)
     return response
 
-def check_accesslist():
+def check_security():
-    if  app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]:
+    if "ACCESS_LIST" in app.config:
-        abort(401)
+        if request.remote_addr not in app.config["ACCESS_LIST"]:
+            app.logger.warning("Your remote address is not valid")
+            abort(401)
+
+    if "SECURITY_TOKEN" in app.config:
+        if request.args.get("token") != app.config["SECURITY_TOKEN"]:
+            app.logger.warning("Your security token is not valid")
+            abort(401)
 
 @app.route("/traceroute")
 @app.route("/traceroute6")
 def traceroute():
-    check_accesslist()
+    check_security()
     
     if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'):
         traceroute4 = [ 'traceroute' ]
@@ -94,7 +101,7 @@ def traceroute():
 @app.route("/bird")
 @app.route("/bird6")
 def bird():
-    check_accesslist()
+    check_security()
 
     if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET"))
     elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET"))