From: Pieter Lexis Date: Mon, 12 Nov 2018 15:01:55 +0000 (+0100) Subject: ixfrdist: implement webserver ACL X-Git-Tag: auth-4.2.0-alpha1~31^2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f517da5762a915fe3023f487c0546a7bb4dd3c2;p=thirdparty%2Fpdns.git ixfrdist: implement webserver ACL --- diff --git a/pdns/ixfrdist-web.cc b/pdns/ixfrdist-web.cc index 3b38c346f0..506d8c4646 100644 --- a/pdns/ixfrdist-web.cc +++ b/pdns/ixfrdist-web.cc @@ -22,13 +22,15 @@ #include "ixfrdist-web.hh" #include #include "threadname.hh" +#include "iputils.hh" #include "ixfrdist-stats.hh" string doGetStats(); -IXFRDistWebServer::IXFRDistWebServer(const ComboAddress &listenAddress) { +IXFRDistWebServer::IXFRDistWebServer(const ComboAddress &listenAddress, const NetmaskGroup &acl) { // TODO wrap in smart pointer d_ws = new WebServer(listenAddress.toString() , listenAddress.getPort()); + d_ws->setACL(acl); d_ws->bind(); } diff --git a/pdns/ixfrdist-web.hh b/pdns/ixfrdist-web.hh index a921e182d1..e6aaae398c 100644 --- a/pdns/ixfrdist-web.hh +++ b/pdns/ixfrdist-web.hh @@ -27,7 +27,7 @@ class IXFRDistWebServer { public: - explicit IXFRDistWebServer(const ComboAddress &listenAddress); + explicit IXFRDistWebServer(const ComboAddress &listenAddress, const NetmaskGroup &acl); void go(); private: diff --git a/pdns/ixfrdist.cc b/pdns/ixfrdist.cc index 8f412a8d67..d82f513843 100644 --- a/pdns/ixfrdist.cc +++ b/pdns/ixfrdist.cc @@ -100,6 +100,26 @@ struct convert { } } }; + +template<> +struct convert { + static Node encode(const Netmask& rhs) { + return Node(rhs.toString()); + } + static bool decode(const Node& node, Netmask& rhs) { + if (!node.IsScalar()) { + return false; + } + try { + rhs = Netmask(node.as()); + return true; + } catch(const runtime_error &e) { + return false; + } catch (const PDNSException &e) { + return false; + } + } +}; } // namespace YAML struct ixfrdiff_t { 
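Review bot: The `#include "iputils.hh"` added in pdns/ixfrdist-web.cc comes after `#include "ixfrdist-web.hh"`, yet it is the constructor declaration in ixfrdist-web.hh (second hunk) that now names `NetmaskGroup`. The header therefore presumably compiles only because some earlier include already provides the type. Adding `#include "iputils.hh"` to ixfrdist-web.hh would make it self-contained. The constructor would also benefit from a short comment on the new parameter, such as `// acl: networks allowed to connect; installed via setACL() before bind()`.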
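Review bot: In the `Netmask` converter added to pdns/ixfrdist.cc, `decode` reduces every parse failure to a bare `return false`, so the message from the `Netmask` constructor is discarded. A malformed ACL entry will then presumably surface only as a generic conversion error that does not name the offending value. Since this converter feeds an access-control setting, a comment stating that contract would help, for example `// Returns false for any unparsable mask; the caller is responsible for reporting which setting failed`. The two handlers are identical and never use `e`, so they could be written as `catch (const runtime_error&)` and `catch (const PDNSException&)`, with consistent spacing after `catch`.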
@@ -1084,6 +1104,16 @@ static bool parseAndCheckConfig(const string& configpath, YAML::Node& config) { } } + if (config["webserver-acl"]) { + try { + config["webserver-acl"].as>(); + } + catch (const runtime_error &e) { + g_log<()); + NetmaskGroup wsACL; + wsACL.addMask("127.0.0.0/8"); + wsACL.addMask("::1/128"); + + if (config["webserver-acl"]) { + wsACL.clear(); + for (const auto &acl : config["webserver-acl"].as>()) { + wsACL.addMask(acl); + } + } + + auto ws = IXFRDistWebServer(config["webserver-address"].as(), wsACL); ws.go(); } diff --git a/pdns/ixfrdist.example.yml b/pdns/ixfrdist.example.yml index 67e1320a9f..e7c8c4e7d7 100644 --- a/pdns/ixfrdist.example.yml +++ b/pdns/ixfrdist.example.yml @@ -75,6 +75,13 @@ tcp-in-threads: 10 # webserver-address: 127.0.0.1:8080 +# The IP address(masks) that allowed to access the webserver. When not set, +# it defaults to 127.0.0.0/8, ::1/128 +# +webserver-acl: + - 127.0.0.0/8 + - ::1/128 + # The domains to redistribute, the 'master' and 'domains' keys are mandatory. # When no port is specified, 53 is used. When specifying ports for IPv6, use the # "bracket" notation:
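Review bot: When `webserver-acl` is present, `wsACL.clear()` drops the loopback defaults before the configured masks are added, so an explicitly empty list leaves `wsACL` with no entries. The check added to parseAndCheckConfig, as far as it is visible here, only verifies that the value converts. Whether an empty group then refuses or admits every client is decided inside `WebServer`, which this diff does not show, and that outcome should not be left implicit for an access-control setting. Validation could reject the case with `if (config["webserver-acl"].size() == 0) { /* log and return false */ }`, or the effective ACL could at least be logged before `ws.go()`. Parts of both ixfrdist.cc hunks are missing from this rendering, so this is based on the lines that survive.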