From 0010aefafa672f7db85a698c13741da9e2209eb5 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 12 Nov 2018 15:40:46 +0100
Subject: [PATCH] webserver: Refactor ACL into a class var

---
 pdns/webserver.cc   | 8 ++------
 pdns/webserver.hh   | 6 ++++++
 pdns/ws-auth.cc     | 5 +++++
 pdns/ws-recursor.cc | 5 +++++
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index d375dd2a28..64b423e1b2 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -33,7 +33,6 @@
 #include "dns.hh"
 #include "base64.hh"
 #include "json.hh"
-#include "arguments.hh"
 #include <yahttp/router.hpp>
 
 json11::Json HttpRequest::json()
@@ -343,22 +342,19 @@ void WebServer::go()
   if(!d_server)
     return;
   try {
-    NetmaskGroup acl;
-    acl.toMasks(::arg()["webserver-allow-from"]);
-
     while(true) {
       try {
         auto client = d_server->accept();
         if (!client) {
           continue;
         }
-        if (client->acl(acl)) {
+        if (client->acl(d_acl)) {
           std::thread webHandler(WebServerConnectionThreadStart, this, client);
           webHandler.detach();
         } else {
           ComboAddress remote;
           if (client->getRemote(remote))
-            g_log<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match 'webserver-allow-from'"<<endl;
+            g_log<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match the set ACL("<<d_acl.toString()<<")"<<endl;
         }
       }
       catch(PDNSException &e) {
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index 196d1bb33e..a147b254c0 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -159,6 +159,10 @@ public:
     d_webserverPassword = password;
   }
 
+  void setACL(const NetmaskGroup &nmg) {
+    d_acl = nmg;
+  }
+
   void bind();
   void go();
 
@@ -186,6 +190,8 @@ protected:
 
   std::string d_webserverPassword;
   bool d_registerWebHandlerCalled{false};
+
+  NetmaskGroup d_acl;
 };
 
 #endif /* WEBSERVER_HH */
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 96f3ac52f1..55ff66ccc3 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -64,6 +64,11 @@ AuthWebServer::AuthWebServer()
     d_ws = new WebServer(arg()["webserver-address"], arg().asNum("webserver-port"));
     d_ws->setApiKey(arg()["api-key"]);
     d_ws->setPassword(arg()["webserver-password"]);
+
+    NetmaskGroup acl;
+    acl.toMasks(::arg()["webserver-allow-from"]);
+    d_ws->setACL(acl);
+
     d_ws->bind();
   }
 }
diff --git a/pdns/ws-recursor.cc b/pdns/ws-recursor.cc
index 012ce3c9b2..6d262656b5 100644
--- a/pdns/ws-recursor.cc
+++ b/pdns/ws-recursor.cc
@@ -452,6 +452,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
   d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
   d_ws->setApiKey(arg()["api-key"]);
   d_ws->setPassword(arg()["webserver-password"]);
+
+  NetmaskGroup acl;
+  acl.toMasks(::arg()["webserver-allow-from"]);
+  d_ws->setACL(acl);
+
   d_ws->bind();
 
   // legacy dispatch
-- 
2.47.2