From d735e8c6167aec726eee14a1f8fcf259a2fdb1ae Mon Sep 17 00:00:00 2001
From: Peter Hormanns <peter.hormanns@jalin.de>
Date: Wed, 12 Jun 2019 15:52:40 +0200
Subject: [PATCH] restrict pillar access to hostsharing servers

---
 hsarback/src/de/hsadmin/core/util/IPv6Trick.java      |   18 ++++++++++++++++++
 hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java |   10 +++++++++-
 2 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/hsarback/src/de/hsadmin/core/util/IPv6Trick.java b/hsarback/src/de/hsadmin/core/util/IPv6Trick.java
index abecded..835331a 100644
--- a/hsarback/src/de/hsadmin/core/util/IPv6Trick.java
+++ b/hsarback/src/de/hsadmin/core/util/IPv6Trick.java
@@ -16,6 +16,8 @@
 	private static final String IPv4_83_223_94 = "83.223.94"; 	// e-Shelter Berlin
 	private static final String IPv6_PREFIX_ES = "2a01:37:3000::1";
 
+	private static final String IPv6_PREFIX_HS = "2a01:37:";
+	private static final String IPv6_PREFIX_HS_ALT = "2a01:0037:";
 	
 	public static String convertIPv4ToIPv6(final String ipv4address) throws ProcessorException {
 		if (ipv4address == null || ipv4address.length() == 0) {
@@ -38,6 +40,22 @@
 		throw new ProcessorException("unknown IPv4 address given");
 	}
 
+	public static boolean isKnownRemote(final String remoteAddress) {
+		boolean isKnown = false;
+		if (remoteAddress.startsWith(IPv6_PREFIX_HS) || remoteAddress.startsWith(IPv6_PREFIX_HS_ALT)) {
+			// Hostsharing IPv6
+			isKnown = true;
+		}
+		if (remoteAddress.startsWith(IPv4_83_223_78) || remoteAddress.startsWith(IPv4_83_223_94)) {
+			// e-Shelter
+			isKnown = true;
+		}
+		if (remoteAddress.startsWith(IPv4_83_223_79) || remoteAddress.startsWith(IPv4_83_223_91) || remoteAddress.startsWith(IPv4_83_223_95)) {
+			// Speedbone Alboin Kontor
+			isKnown = true;
+		}
+		return isKnown;
+	}
 
 	private static String embedIPv4Address(final InetAddress ipv4address, final InetAddress ipv6Mask) throws UnknownHostException {
 		final byte[] ipv4Bytes = ipv4address.getAddress();
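Review bot: isKnownRemote compares the raw address text with startsWith, so any spelling the container may produce other than the two listed in the constants hunk above (L19–L20) — upper-case hex, a different zero-padding such as `2a01:037:`, or an IPv4-mapped form like `::ffff:83.223.78.x` — falls through to "unknown", and a null remoteAddress throws NullPointerException before the check returns; both fail closed, so legitimate servers would be locked out rather than outsiders admitted, but the allow-list then depends on one container's formatting. The new helper sits next to convertIPv4ToIPv6, which already works on InetAddress, so parsing the peer address once and comparing address bytes removes the textual ambiguity and makes the matched ranges explicit (the two IPv6 prefixes are both spellings of 2a01:37::/32; the IPv4 constants are assumed to hold the `83.223.<x>` prefixes their names suggest — only IPv4_83_223_94 is visible here). The servlet hands over an IP literal, so InetAddress.getByName does not trigger a DNS lookup; a failed parse is treated as unknown, and IPv4-mapped IPv6 input is returned by the JDK as an Inet4Address, so it lands in the IPv4 branch.
```java
	public static boolean isKnownRemote(final String remoteAddress) {
		if (remoteAddress == null || remoteAddress.isEmpty()) {
			return false;
		}
		final byte[] addr;
		try {
			// the container supplies an IP literal, so this parses without a DNS lookup
			addr = InetAddress.getByName(remoteAddress).getAddress();
		} catch (UnknownHostException e) {
			return false; // unparseable peer address: fail closed
		}
		if (addr.length == 16) {
			// Hostsharing IPv6: 2a01:37::/32 (covers both textual prefixes)
			return addr[0] == 0x2a && addr[1] == 0x01 && addr[2] == 0x00 && addr[3] == 0x37;
		}
		// IPv4 /24s: e-Shelter (83.223.78, 83.223.94) and Speedbone Alboin Kontor (83.223.79, 83.223.91, 83.223.95)
		// TODO confirm against the IPv4_83_223_* constants defined above this hunk
		return addr[0] == 83 && addr[1] == (byte) 223
				&& (addr[2] == 78 || addr[2] == 94 || addr[2] == 79 || addr[2] == 91 || addr[2] == 95);
	}
```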
diff --git a/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java b/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java
index a90d863..3b3465f 100644
--- a/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java
+++ b/hsarback/src/de/hsadmin/pillar/JsonPillarServlet.java
@@ -12,8 +12,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.httpclient.HttpStatus;
+
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.core.qserv.ProcessorException;
+import de.hsadmin.core.util.IPv6Trick;
 import de.hsadmin.mods.pac.Hive;
 import de.hsadmin.mods.pac.Pac;
 import de.hsadmin.mods.pac.PacComponent;
@@ -24,7 +27,12 @@
 
 	@Override
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-		final Transaction transaction = new Transaction("pilalr");
+		final String remoteAddr = req.getRemoteAddr();
+		if (!IPv6Trick.isKnownRemote(remoteAddr)) {
+			resp.sendError(HttpStatus.SC_UNAUTHORIZED);
+			return;
+		}
+		final Transaction transaction = new Transaction("pillar");
 		final EntityManager em = transaction.getEntityManager();
 		final String hiveFqdn = req.getParameter("hive");
 		String hiveName = "";
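Review bot: `resp.sendError(HttpStatus.SC_UNAUTHORIZED)` answers an IP allow-list rejection with 401, which by HTTP semantics announces an authentication challenge the servlet never issues; 403 is the status for "known client, not permitted", and it is already in scope as `resp.sendError(HttpServletResponse.SC_FORBIDDEN);`, which also makes the new `org.apache.commons.httpclient.HttpStatus` import in the preceding imports hunk (L55) unnecessary — that is a client library pulled in for one constant. The check relies on req.getRemoteAddr(), i.e. the TCP peer, which is the right choice because it cannot be spoofed by a header; the flip side is that if this servlet is ever fronted by a reverse proxy or load balancer every request carries the proxy's address and the allow-list degrades to all-or-nothing, so a comment such as `// peer address, not a forwarded header: must not be deployed behind a proxy without revisiting this check` would save the next maintainer a surprise. Rejected requests are currently silent; if the class has a logger, recording the rejected remoteAddr at warn level gives operators a signal for probing or misconfiguration. doGet's body continues past the end of the hunk.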

--
Gitblit v1.9.0-SNAPSHOT