restrict pillar access to hostsharing servers

Peter Hormanns 2019-06-12 15:52:40 +02:00
parent 1b447b3f85
commit d735e8c616
2 changed files with 27 additions and 1 deletions


@ -16,6 +16,8 @@ public class IPv6Trick {
private static final String IPv4_83_223_94 = "83.223.94"; // e-Shelter Berlin private static final String IPv4_83_223_94 = "83.223.94"; // e-Shelter Berlin
private static final String IPv6_PREFIX_ES = "2a01:37:3000::1"; private static final String IPv6_PREFIX_ES = "2a01:37:3000::1";
private static final String IPv6_PREFIX_HS = "2a01:37:";
private static final String IPv6_PREFIX_HS_ALT = "2a01:0037:";
public static String convertIPv4ToIPv6(final String ipv4address) throws ProcessorException { public static String convertIPv4ToIPv6(final String ipv4address) throws ProcessorException {
if (ipv4address == null || ipv4address.length() == 0) { if (ipv4address == null || ipv4address.length() == 0) {
@ -38,6 +40,22 @@ public class IPv6Trick {
throw new ProcessorException("unknown IPv4 address given"); throw new ProcessorException("unknown IPv4 address given");
} }
public static boolean isKnownRemote(final String remoteAddress) {
boolean isKnown = false;
if (remoteAddress.startsWith(IPv6_PREFIX_HS) || remoteAddress.startsWith(IPv6_PREFIX_HS_ALT)) {
// Hostsharing IPv6
isKnown = true;
}
if (remoteAddress.startsWith(IPv4_83_223_78) || remoteAddress.startsWith(IPv4_83_223_94)) {
// e-Shelter
isKnown = true;
}
if (remoteAddress.startsWith(IPv4_83_223_79) || remoteAddress.startsWith(IPv4_83_223_91) || remoteAddress.startsWith(IPv4_83_223_95)) {
// Speedbone Alboin Kontor
isKnown = true;
}
return isKnown;
}
private static String embedIPv4Address(final InetAddress ipv4address, final InetAddress ipv6Mask) throws UnknownHostException { private static String embedIPv4Address(final InetAddress ipv4address, final InetAddress ipv6Mask) throws UnknownHostException {
final byte[] ipv4Bytes = ipv4address.getAddress(); final byte[] ipv4Bytes = ipv4address.getAddress();
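Review bot: isKnownRemote decides by `startsWith` on the textual address, so the result depends on how the caller's string happens to be formatted, and it dereferences `remoteAddress` without the null check that convertIPv4ToIPv6 performs on its argument. I would add `if (remoteAddress == null) { return false; }` as the first statement so a missing address is a plain denial rather than a NullPointerException. Parsing the literal into an InetAddress and comparing the leading bytes would make the handling of other spellings, such as an IPv4-mapped IPv6 address, a deliberate choice instead of a side effect of string matching. The method also deserves a Javadoc line stating that it is an allow-list by network prefix (Hostsharing IPv6 plus the listed data-centre IPv4 ranges) and does not authenticate the caller. Three of the IPv4 constants it uses are declared outside the hunk, so their exact values could not be checked here.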


@ -12,8 +12,11 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.httpclient.HttpStatus;
import de.hsadmin.core.model.Transaction; import de.hsadmin.core.model.Transaction;
import de.hsadmin.core.qserv.ProcessorException; import de.hsadmin.core.qserv.ProcessorException;
import de.hsadmin.core.util.IPv6Trick;
import de.hsadmin.mods.pac.Hive; import de.hsadmin.mods.pac.Hive;
import de.hsadmin.mods.pac.Pac; import de.hsadmin.mods.pac.Pac;
import de.hsadmin.mods.pac.PacComponent; import de.hsadmin.mods.pac.PacComponent;
@ -24,7 +27,12 @@ public class JsonPillarServlet extends HttpServlet {
@Override @Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
final Transaction transaction = new Transaction("pilalr"); final String remoteAddr = req.getRemoteAddr();
if (!IPv6Trick.isKnownRemote(remoteAddr)) {
resp.sendError(HttpStatus.SC_UNAUTHORIZED);
return;
}
final Transaction transaction = new Transaction("pillar");
final EntityManager em = transaction.getEntityManager(); final EntityManager em = transaction.getEntityManager();
final String hiveFqdn = req.getParameter("hive"); final String hiveFqdn = req.getParameter("hive");
String hiveName = ""; String hiveName = "";
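Review bot: The rejection in doGet answers with `HttpStatus.SC_UNAUTHORIZED` (401), which signals that credentials would help and is normally paired with a WWW-Authenticate header; a refusal based on the source address is a 403. `resp.sendError(HttpServletResponse.SC_FORBIDDEN);` takes the constant from the servlet API that is already imported and makes the new `org.apache.commons.httpclient.HttpStatus` import unnecessary. `req.getRemoteAddr()` returns the address of the immediate peer, so if this servlet is ever reached through a reverse proxy inside the allowed ranges, every request would pass the check; that deployment assumption is worth a comment next to the call. Logging the rejected address before returning would give operations a record of denied attempts. doGet's body continues outside the hunk.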