From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 12 Nov 2018 14:40:46 +0000 (+0100)
Subject: webserver: Refactor ACL into a class var
X-Git-Tag: auth-4.2.0-alpha1~31^2~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0010aefafa672f7db85a698c13741da9e2209eb5;p=thirdparty%2Fpdns.git

webserver: Refactor ACL into a class var
---

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index d375dd2a28..64b423e1b2 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -33,7 +33,6 @@
 #include "dns.hh"
 #include "base64.hh"
 #include "json.hh"
-#include "arguments.hh"
 #include <yahttp/router.hpp>
 
 json11::Json HttpRequest::json()
@@ -343,22 +342,19 @@ void WebServer::go()
   if(!d_server)
     return;
   try {
-    NetmaskGroup acl;
-    acl.toMasks(::arg()["webserver-allow-from"]);
-
     while(true) {
       try {
         auto client = d_server->accept();
         if (!client) {
           continue;
         }
-        if (client->acl(acl)) {
+        if (client->acl(d_acl)) {
           std::thread webHandler(WebServerConnectionThreadStart, this, client);
           webHandler.detach();
         } else {
           ComboAddress remote;
           if (client->getRemote(remote))
-            g_log<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match 'webserver-allow-from'"<<endl;
+            g_log<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match the set ACL("<<d_acl.toString()<<")"<<endl;
         }
       }
       catch(PDNSException &e) {
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index 196d1bb33e..a147b254c0 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -159,6 +159,10 @@ public:
     d_webserverPassword = password;
   }
 
+  void setACL(const NetmaskGroup &nmg) {
+    d_acl = nmg;
+  }
+
   void bind();
   void go();
 
@@ -186,6 +190,8 @@ protected:
 
   std::string d_webserverPassword;
   bool d_registerWebHandlerCalled{false};
+
+  NetmaskGroup d_acl;
 };
 
 #endif /* WEBSERVER_HH */
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 96f3ac52f1..55ff66ccc3 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -64,6 +64,11 @@ AuthWebServer::AuthWebServer()
     d_ws = new WebServer(arg()["webserver-address"], arg().asNum("webserver-port"));
     d_ws->setApiKey(arg()["api-key"]);
     d_ws->setPassword(arg()["webserver-password"]);
+
+    NetmaskGroup acl;
+    acl.toMasks(::arg()["webserver-allow-from"]);
+    d_ws->setACL(acl);
+
     d_ws->bind();
   }
 }
diff --git a/pdns/ws-recursor.cc b/pdns/ws-recursor.cc
index 012ce3c9b2..6d262656b5 100644
--- a/pdns/ws-recursor.cc
+++ b/pdns/ws-recursor.cc
@@ -452,6 +452,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
   d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
   d_ws->setApiKey(arg()["api-key"]);
   d_ws->setPassword(arg()["webserver-password"]);
+
+  NetmaskGroup acl;
+  acl.toMasks(::arg()["webserver-allow-from"]);
+  d_ws->setACL(acl);
+
   d_ws->bind();
 
   // legacy dispatch