[Groonga-commit] groonga/gcs [master] Block accesses to the configuration API except priviledged IP range


null+****@clear***** null+****@clear*****
2012年 8月 2日 (木) 18:20:51 JST


SHIMODA Hiroshi	2012-08-02 18:20:51 +0900 (Thu, 02 Aug 2012)

  New Revision: 01836bb74bcbf66497e47e7bf4e299ec52106baf
  https://github.com/groonga/gcs/commit/01836bb74bcbf66497e47e7bf4e299ec52106baf

  Log:
    Block accesses to the configuration API except priviledged IP range

  Modified files:
    bin/gcs
    lib/api/2011-02-01/configuration.js
    lib/api/2011-02-01/index.js
    lib/server.js

  Modified: bin/gcs (+6 -1)
===================================================================
--- bin/gcs    2012-08-02 18:07:38 +0900 (1fce77b)
+++ bin/gcs    2012-08-02 18:20:51 +0900 (ac11340)
@@ -17,12 +17,17 @@ program
           'database path [' + defaultDatabasePath + ']',
           String,
           defaultDatabasePath)
+  .option('--privilege',
+          'IP range for privileged clients [' + defaultPrivilegedRange + ']',
+          String,
+          defaultPrivilegedRange)
   .parse(process.argv);
 
 var server;
 
 server = gcsServer.createServer({
-  databasePath: program.databasePath
+  databasePath:    program.databasePath,
+  privilegedRange: program.privilege
 });
 
 server.listen(program.port, function() {
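Review bot: The new `--privilege` option is declared without a value placeholder, and in commander.js a flag spec with no `<arg>`/`[arg]` is parsed as a boolean switch, so `program.privilege` would fall back to `defaultPrivilegedRange` no matter what the operator passes on the command line — the `String` coercion never receives an argument. Declare it as `.option('--privilege <range>', ...)` so the range is actually read; the neighbouring `--database-path` flag line sits outside the hunk, so I cannot confirm whether it follows the same convention. Since the value ends up in `privilegedRange`, naming the flag `--privileged-range <range>` would also make the CLI and config key agree. `defaultPrivilegedRange` is referenced here but defined outside the hunk, and the `program` option chain begins before it.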

  Modified: lib/api/2011-02-01/configuration.js (+25 -1)
===================================================================
--- lib/api/2011-02-01/configuration.js    2012-08-02 18:07:38 +0900 (64b6728)
+++ lib/api/2011-02-01/configuration.js    2012-08-02 18:20:51 +0900 (b43821b)
@@ -4,6 +4,7 @@ var Domain = require('../../database').Domain;
 var Translator = require('../../batch/translator').Translator;
 var dateFormat = require('dateformat');
 var xmlbuilder = require('../../xmlbuilder');
+var ipv4 = require('../../ipv4');
 
 exports.version = path.basename(__dirname);
 
@@ -317,10 +318,33 @@ handlers.UpdateSynonymOptions = function(context, request, response) {
   }
 };
 
-exports.createHandler = function(context) {
+function getClientIp(request) {
+  var forwardedIps = request.header('x-forwarded-for');
+  if (forwardedIps) {
+    var ip = forwardedIps.split(',')[0];
+    if (ip)
+      return ip;
+  }
+  return request.connection.remoteAddress;
+};
+
+
+exports.createHandler = function(context, config) {
+  var privilegedRange = config && config.privilegedRange;
   return function(request, response, next) {
     var message, body;
 
+    // GCS specific behaviour: prevent to access this API from specific IP
+    // range.
+    if (privilegedRange) {
+      if (!ipv4.isInRange(getClientIp(request), privilegedRange)) {
+        message = 'Permission denied.';
+        body = createCommonErrorResponse('InvalidClientIpRange', message);
+        response.contentType('application/xml');
+        return response.send(body, 403);
+      }
+    }
+
     // GCS specific behaviour: fallback to other handlers for the endpoint
     // if no action is given.
     var action = request.query.Action || '';
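Review bot: `getClientIp` trusts `X-Forwarded-For` unconditionally and takes its first entry, so the allow-list added to `createHandler` is bypassable by any remote client that sends `X-Forwarded-For: 127.0.0.1` (or any address inside the privileged range) — the header is client-controlled unless a proxy you operate overwrites it. The check should only consult the header when the direct peer (`request.connection.remoteAddress`) is itself trusted, and even then use the entry appended by that proxy rather than the leftmost one; below I reuse the privileged range as the proxy trust set for simplicity, but a separate trusted-proxy list may be preferable. Also note `ipv4.isInRange` presumably rejects IPv6-form peers such as `::1` or `::ffff:127.0.0.1`, which Node may report for a loopback connection, and the comment `prevent to access this API from specific IP range` says the opposite of what the code does — suggest `// GCS specific behaviour: only clients inside the privileged IP range may use the configuration API.` The stray `;` after the `getClientIp` function declaration can be dropped as well.
```javascript
function getClientIp(request, privilegedRange) {
  var remoteAddress = request.connection.remoteAddress;
  // Only honour X-Forwarded-For when the direct peer is a host we trust;
  // otherwise any client can forge the header and bypass the range check.
  if (!privilegedRange || !ipv4.isInRange(remoteAddress, privilegedRange))
    return remoteAddress;
  var forwardedIps = request.header('x-forwarded-for');
  if (!forwardedIps)
    return remoteAddress;
  // The last entry is the one appended by the nearest proxy; earlier
  // entries are supplied by the client and cannot be trusted.
  var ips = forwardedIps.split(',');
  var ip = ips[ips.length - 1].trim();
  return ip || remoteAddress;
}

// … unchanged: createHandler preamble …
      if (!ipv4.isInRange(getClientIp(request, privilegedRange), privilegedRange)) {
// … unchanged: 403 response …
```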

  Modified: lib/api/2011-02-01/index.js (+2 -2)
===================================================================
--- lib/api/2011-02-01/index.js    2012-08-02 18:07:38 +0900 (645a532)
+++ lib/api/2011-02-01/index.js    2012-08-02 18:20:51 +0900 (37dbe50)
@@ -6,9 +6,9 @@ exports.configuration = require('./configuration');
 exports.batch = require('./batch');
 exports.search = require('./search');
 
-exports.registerHandlers = function(application, database) {
+exports.registerHandlers = function(application, database, config) {
   application.get('/',
-                  exports.configuration.createHandler(database));
+                  exports.configuration.createHandler(database, config));
 
   application.post('/' + exports.version + '/documents/batch',
                    exports.batch.createHandler(database));

  Modified: lib/server.js (+1 -1)
===================================================================
--- lib/server.js    2012-08-02 18:07:38 +0900 (7b4ec1f)
+++ lib/server.js    2012-08-02 18:20:51 +0900 (3afbebf)
@@ -14,7 +14,7 @@ exports.createServer = function (config) {
   });
 
   api.versions.forEach(function(version) {
-    api[version].registerHandlers(application, context);
+    api[version].registerHandlers(application, context, config);
   });
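Review bot: Passing `config` into `registerHandlers` here gates the whole `/` route, not only the configuration API: the range check in `configuration.createHandler` runs before its "no Action given" fallback to `next()`, so once `privilegedRange` is set a browser outside the range requesting `/` for the dashboard registered two lines below (`application.get('/', dashboard.rootHandler)`) receives the XML `InvalidClientIpRange` 403 instead of the page. If restricting the dashboard is not intended, move the range check after the action fallback in `configuration.js`, or only apply it when `request.query.Action` is present. `createServer` starts before this hunk, so I cannot see whether `config` is validated or defaulted before reaching the handlers.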
 
   application.get('/', dashboard.rootHandler);


