Module: Foreman::Controller::SmartProxyAuth
- Extended by:
- ActiveSupport::Concern
- Included in:
- FactValuesController, HostsController, ReportsController
- Defined in:
- lib/foreman/controller/smart_proxy_auth.rb
Defined Under Namespace
Modules: ClassMethods
Instance Method Summary
-
#auth_smart_proxy(proxies = SmartProxy.all, require_cert = true) ⇒ Object
Filter requests to only permit those from hosts with a registered smart proxy. Uses rDNS of the request to match proxy hostnames.
-
#require_puppetmaster_or_login ⇒ Object
Permits registered puppetmasters or a user with permission.
Instance Method Details
#auth_smart_proxy(proxies = SmartProxy.all, require_cert = true) ⇒ Object
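Filter requests to only permit those from hosts with a registered smart proxy. Uses rDNS of the request to match proxy hostnames. As the listing below shows, an SSL request is matched on the CN of its verified client certificate instead; rDNS is the fallback when no certificate is required.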
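# File 'lib/foreman/controller/smart_proxy_auth.rb', line 36

# Decide whether the current request comes from a registered smart proxy or
# from a host listed in Setting[:trusted_puppetmaster_hosts].
#
# The caller's identity is the CN of a client certificate that the front end
# reports as verified. Reverse DNS of request.ip is used only when the request
# is not SSL and SETTINGS[:require_ssl] is off, or when it is SSL without a
# usable CN and +require_cert+ is false.
#
# @param proxies [Enumerable] objects responding to #url; only the host part
#   of each URL is compared. The collection is not modified.
# @param require_cert [Boolean] when true, an SSL request without a CN in its
#   client DN is rejected instead of falling back to reverse DNS.
# @return [Boolean] true when one of the request's host names is an allowed
#   host, false otherwise (every rejection is logged at warn level).
def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
  request_hosts = nil

  if request.ssl?
    # NOTE(review): both env entries are trusted as written by the
    # TLS-terminating front end; confirm it overwrites any client-supplied
    # value of the same name.
    dn = request.env[Setting[:ssl_client_dn_env]]

    # The capture stops at the DN separators '/' and ','. With a plain \S+ a CN
    # followed by another attribute came out as "host/O=..." and a legitimate
    # proxy was rejected.
    # NOTE(review): the first "CN=" anywhere in the string wins, including one
    # embedded in another attribute's value; confirm the issuing CA cannot
    # produce such subjects.
    if dn && dn =~ /CN=([^\s\/,]+)/i
      verify = request.env[Setting[:ssl_client_verify_env]]
      if verify == 'SUCCESS'
        request_hosts = [Regexp.last_match(1)]
      else
        # A DN without a successful verification proves nothing: fail closed.
        logger.warn "SSL cert has not been verified (#{verify}) - request from #{request.ip}, #{dn}"
      end
    elsif require_cert
      logger.warn "No SSL cert with CN supplied - request from #{request.ip}, #{dn}"
    else
      # Reverse DNS is answered by whoever controls the PTR zone of the client
      # address and is not forward-confirmed here, so this path identifies the
      # caller by network position only.
      request_hosts = Resolv.new.getnames(request.ip)
    end
  elsif SETTINGS[:require_ssl]
    logger.warn "SSL is required - request from #{request.ip}"
  else
    # Same reverse-DNS caveat as above; this branch is reached only for plain
    # HTTP with SETTINGS[:require_ssl] disabled.
    # NOTE(review): request.ip may be derived from forwarding headers depending
    # on the proxy configuration - confirm.
    request_hosts = Resolv.new.getnames(request.ip)
  end

  return false unless request_hosts

  # Build a fresh list rather than map!/push on the argument, so the caller's
  # collection is not turned into a list of host names behind its back.
  allowed_hosts = proxies.map { |proxy| URI.parse(proxy.url).host } + Array(Setting[:trusted_puppetmaster_hosts])
  logger.debug("Verifying request from #{request_hosts} against #{allowed_hosts.inspect}")

  unless allowed_hosts.any? { |host| request_hosts.include?(host) }
    logger.warn "No smart proxy server found on #{request_hosts.inspect} and is not in trusted_puppetmaster_hosts"
    return false
  end

  true
end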
#require_puppetmaster_or_login ⇒ Object
Permits registered puppetmasters or a user with permission
# File 'lib/foreman/controller/smart_proxy_auth.rb', line 20

# Access gate that admits a registered puppetmaster or, failing that, a
# logged-in user.
#
# When Setting[:restrict_registered_puppetmasters] is off, every caller reaches
# set_admin_user without any check on who sent the request. When it is on, the
# same happens only after auth_smart_proxy accepts the request against the
# puppet proxies.
# NOTE(review): set_admin_user presumably switches the current user to an
# administrative account - confirm, since that decides how much a disabled
# restriction exposes.
#
# @return [true, false, nil] true when admitted as a puppetmaster, false when
#   no user is logged in after require_login, nil when a user is present.
def require_puppetmaster_or_login
  unrestricted = !Setting[:restrict_registered_puppetmasters]
  if unrestricted || auth_smart_proxy(SmartProxy.puppet_proxies, Setting[:require_ssl_puppetmasters])
    set_admin_user
    return true
  end

  # Not a recognised puppetmaster: fall back to ordinary user authentication.
  require_login
  return if User.current

  # Respond with 403 unless a response was already sent for an API request.
  render_403 unless performed? && api_request?
  false
end