diff options
Diffstat (limited to 'func/minion/server.py')
-rwxr-xr-x | func/minion/server.py | 30 |
1 files changed, 4 insertions, 26 deletions
diff --git a/func/minion/server.py b/func/minion/server.py index c511598..c371680 100755 --- a/func/minion/server.py +++ b/func/minion/server.py @@ -36,6 +36,7 @@ import codes import module_loader import func.utils as futils import func.minion.utils as fmutils +import func.minion.acls as acls_mod from certmaster import utils from certmaster import requester @@ -183,6 +184,8 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer, self.ca = "%s/ca.cert" % self.cm_config.cert_dir self._our_ca = certs.retrieve_cert_from_file(self.ca) + + self.acls = acls_mod.Acls(acldir=self.config.acl_dir) AuthedXMLRPCServer.AuthedSSLXMLRPCServer.__init__(self, ("", 51234), self.key, self.cert, @@ -214,7 +217,7 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer, async_dispatch = True method = method.replace("async.","",1) - if not self._check_acl(peer_cert, ip, method, params): + if not self.acls.check(self._our_ca, peer_cert, ip, method, params): raise codes.AccessToMethodDenied # Recognize ipython's tab completion calls @@ -239,31 +242,6 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer, peer_cert = request.get_peer_certificate() return peer_cert.get_subject().CN - def _check_acl(self, cert, ip, method, params): - acls = fmutils.get_acls_from_config(acldir=self.config.acl_dir) - - # certmaster always gets to run things - ca_cn = self._our_ca.get_subject().CN - ca_hash = self._our_ca.subject_name_hash() - ca_key = '%s-%s' % (ca_cn, ca_hash) - acls[ca_key] = ['*'] - - cn = cert.get_subject().CN - sub_hash = cert.subject_name_hash() - if acls: - allow_list = [] - hostkey = '%s-%s' % (cn, sub_hash) - # search all the keys, match to 'cn-subhash' - for hostmatch in acls.keys(): - if fnmatch.fnmatch(hostkey, hostmatch): - allow_list.extend(acls[hostmatch]) - # go through the allow_list and make sure this method is in there - for methodmatch in allow_list: - if fnmatch.fnmatch(method, methodmatch): - return True - - return False - def main(argv): |