restrict pillar access to hostsharing servers

2019-06-12 15:52:40 +02:00 · 2019-06-12 15:52:40 +02:00 · d735e8c616
commit d735e8c616
parent 1b447b3f85
2 changed files with 27 additions and 1 deletions
--- a/hsarback/src/de/hsadmin/core/util/IPv6Trick.java
+++ b/hsarback/src/de/hsadmin/core/util/IPv6Trick.java
@ -16,6 +16,8 @@ public class IPv6Trick {
 	private static final String IPv4_83_223_94 = "83.223.94"; 	// e-Shelter Berlin
 	private static final String IPv6_PREFIX_ES = "2a01:37:3000::1";

+	private static final String IPv6_PREFIX_HS = "2a01:37:";
+	private static final String IPv6_PREFIX_HS_ALT = "2a01:0037:";
 	
 	public static String convertIPv4ToIPv6(final String ipv4address) throws ProcessorException {
 		if (ipv4address == null || ipv4address.length() == 0) {
@ -38,6 +40,22 @@ public class IPv6Trick {
 		throw new ProcessorException("unknown IPv4 address given");
 	}

+	public static boolean isKnownRemote(final String remoteAddress) {
+		boolean isKnown = false;
+		if (remoteAddress.startsWith(IPv6_PREFIX_HS) || remoteAddress.startsWith(IPv6_PREFIX_HS_ALT)) {
+			// Hostsharing IPv6
+			isKnown = true;
+		}
+		if (remoteAddress.startsWith(IPv4_83_223_78) || remoteAddress.startsWith(IPv4_83_223_94)) {
+			// e-Shelter
+			isKnown = true;
+		}
+		if (remoteAddress.startsWith(IPv4_83_223_79) || remoteAddress.startsWith(IPv4_83_223_91) || remoteAddress.startsWith(IPv4_83_223_95)) {
+			// Speedbone Alboin Kontor
+			isKnown = true;
+		}
+		return isKnown;
+	}

 	private static String embedIPv4Address(final InetAddress ipv4address, final InetAddress ipv6Mask) throws UnknownHostException {
 		final byte[] ipv4Bytes = ipv4address.getAddress();
--- a/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java
+++ b/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java
@ -12,8 +12,11 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

+import org.apache.commons.httpclient.HttpStatus;
+
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.core.qserv.ProcessorException;
+import de.hsadmin.core.util.IPv6Trick;
 import de.hsadmin.mods.pac.Hive;
 import de.hsadmin.mods.pac.Pac;
 import de.hsadmin.mods.pac.PacComponent;
@ -24,7 +27,12 @@ public class JsonPillarServlet extends HttpServlet {

 	@Override
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-		final Transaction transaction = new Transaction("pilalr");
+		final String remoteAddr = req.getRemoteAddr();
+		if (!IPv6Trick.isKnownRemote(remoteAddr)) {
+			resp.sendError(HttpStatus.SC_UNAUTHORIZED);
+			return;
+		}
+		final Transaction transaction = new Transaction("pillar");
 		final EntityManager em = transaction.getEntityManager();
 		final String hiveFqdn = req.getParameter("hive");
 		String hiveName = "";