
Add in the ability to configure IP restrictions for the UAA and Login Server #547

Merged
merged 1 commit into from
Dec 3, 2014
3 changes: 3 additions & 0 deletions jobs/login/spec
Expand Up @@ -198,3 +198,6 @@ properties:
scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
scope.cloud_controller.read: View details of your applications and services
scope.cloud_controller.write: Push applications to your account and create and bind services
login.restricted_ips_regex:
When specifying the property in the manifest you can use the default property to define what the default value should be. This allows us to remove the ternary from the tomcat.server.xml.erb job template. This also consolidates the default values to one location, rather than having to look for their usages.

We initially had this, but decided against it. Even with a default in place, we need the ternary operator in case someone accidentally merges in a null value from a template. So rather than specifying the default in two places, it is just in one place.

description: "A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server."
default: "10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
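Review bot: The `description:` on `login.restricted_ips_regex` overstates what the property does: in tomcat.server.xml.erb the value becomes RemoteIpValve's `internalProxies`, which only decides which peer addresses are trusted to supply `X-Forwarded-For`/`X-Forwarded-Proto`; it does not restrict who can reach the listening port, and an operator reading this spec could reasonably deploy it as an access control. Widening it has the opposite effect of what the name suggests — every address that matches may forge the client IP that ends up in the access log and the scheme Tomcat believes the request used. I would reword it to `description: "A pipe delimited set of regular expressions matching the addresses of proxies whose X-Forwarded-For/X-Forwarded-Proto headers are trusted (Tomcat RemoteIpValve internalProxies). This does not restrict which clients can connect; any matching peer can spoof the client IP and scheme."`. The identical text is used for `uaa.restricted_ips_regex` in jobs/uaa/spec and should change with it.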
3 changes: 1 addition & 2 deletions jobs/login/templates/tomcat.server.xml.erb
Expand Up @@ -15,9 +15,8 @@
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
protocolHeader="x-forwarded-proto"
internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
internalProxies="<%= properties.login.restricted_ips_regex ? properties.login.restricted_ips_regex : "10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}" %>"
/>

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="/var/vcap/sys/log/login"
prefix="localhost_access." suffix=".log" rotatable="true" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>

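Review bot: The fallback regex on the new `internalProxies=` line is now a Ruby double-quoted string literal inside `<%= %>`, and Ruby drops the backslash of an unrecognized escape (`"\."` is `"."`, `"\d"` is `"d"`), so when the property is null — which every fixture manifest in this PR sets — the rendered attribute is `10.d{1,3}.d{1,3}.d{1,3}|192.168.d{1,3}…`, which matches no real address. The failure is silent: RemoteIpValve then trusts no peer, `X-Forwarded-For` and `X-Forwarded-Proto` from the router are ignored, access logs record the router's address instead of the client's, and if the router terminates TLS Tomcat sees every request as plain http. The removed line carried the regex as raw template text, so this is a regression on the null path that the ternary was added to protect. Switching the literal to single quotes keeps the backslashes intact: `internalProxies="<%= properties.login.restricted_ips_regex ? properties.login.restricted_ips_regex : '10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}' %>"`. The `<Valve>` element is fully inside the hunk; the rest of server.xml is not.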
3 changes: 3 additions & 0 deletions jobs/uaa/spec
Expand Up @@ -228,3 +228,6 @@ properties:
description: "See uaa.spring_profiles - login.spring_profiles is used for backwards compatibility to enable ldap from login config"
login.protocol:
description: "The protocol that the Login Server uses. http/https"
uaa.restricted_ips_regex:
description: "A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server."
default: "10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
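Review bot: The `default:` value is a double-quoted YAML scalar, and `\.` and `\d` are not recognized escape sequences in that style; libyaml-based loaders (Ruby's Psych, which the BOSH tooling uses) reject unknown escapes with "found unknown escape character", and a more lenient parser would silently drop the backslashes, leaving `10.d{1,3}.d{1,3}.d{1,3}|…`, in which `.` matches any character and `d` is literal — a regex that matches no real address, so the default would trust no proxy and forwarded headers would be ignored. I cannot load the spec from here, so treat the exact failure mode as unconfirmed, but either outcome is wrong. Use a single-quoted scalar, where backslashes are literal: `default: '10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}'` (or double every backslash if double quotes are kept). The same `default:` in jobs/login/spec needs the same fix.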
3 changes: 1 addition & 2 deletions jobs/uaa/templates/tomcat.server.xml.erb
Expand Up @@ -15,9 +15,8 @@
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
protocolHeader="x-forwarded-proto"
internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
internalProxies="<%= properties.uaa.restricted_ips_regex ? properties.uaa.restricted_ips_regex : "10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}" %>"
/>

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="/var/vcap/sys/log/uaa"
prefix="localhost_access." suffix=".log" rotatable="true" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>

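Review bot: The fallback on the new `internalProxies=` line has the same Ruby-literal problem as the login template: it is a double-quoted Ruby string, so `\.` and `\d` lose their backslashes and the regex Tomcat receives when `uaa.restricted_ips_regex` is null is `10.d{1,3}.d{1,3}.d{1,3}|…`, which matches no peer; a single-quoted literal (`'10\.\d{1,3}\.\d{1,3}\.\d{1,3}|…'`) preserves them. Two smaller points on the same line: the ternary only falls back on nil/false, so an operator who sets the property to an empty string gets `internalProxies=""`, which — as I read RemoteIpValve — disables proxy trust altogether rather than restoring the default, and the value is interpolated into an XML attribute without escaping, so a `"`, `<` or `&` in the regex would leave Tomcat with an unparsable server.xml and a job that does not start. Neither of those is necessarily wrong, but both are surprising enough to deserve a comment on the line, e.g. `<%# internalProxies: peers trusted to set X-Forwarded-*; any match can spoof client IP/scheme; "" trusts none; value is not XML-escaped %>`.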
2 changes: 2 additions & 0 deletions spec/fixtures/aws/cf-manifest.yml
Expand Up @@ -802,6 +802,7 @@ properties:
notifications:
url: null
protocol: https
restricted_ips_regex: null
saml: null
signups_enabled: null
smtp:
Expand Down Expand Up @@ -926,6 +927,7 @@ properties:
ldap: null
login: null
no_ssl: false
restricted_ips_regex: null
scim:
external_groups: null
userids_enabled: false
2 changes: 2 additions & 0 deletions spec/fixtures/openstack/cf-manifest.yml
Expand Up @@ -797,6 +797,7 @@ properties:
notifications:
url: null
protocol: https
restricted_ips_regex: null
saml: null
signups_enabled: null
smtp:
Expand Down Expand Up @@ -920,6 +921,7 @@ properties:
ldap: null
login: null
no_ssl: false
restricted_ips_regex: null
scim:
external_groups: null
userids_enabled: false
2 changes: 2 additions & 0 deletions spec/fixtures/vsphere/cf-manifest.yml
Expand Up @@ -807,6 +807,7 @@ properties:
notifications:
url: null
protocol: http
restricted_ips_regex: null
saml: null
signups_enabled: null
smtp:
Expand Down Expand Up @@ -929,6 +930,7 @@ properties:
ldap: null
login: null
no_ssl: false
restricted_ips_regex: null
scim:
external_groups: null
userids_enabled: false
2 changes: 2 additions & 0 deletions spec/fixtures/warden/cf-manifest.yml
Expand Up @@ -2538,6 +2538,7 @@ properties:
notifications:
url: null
protocol: http
restricted_ips_regex: null
saml: null
signups_enabled: null
smtp:
Expand Down Expand Up @@ -2716,6 +2717,7 @@ properties:
ldap: null
login: null
no_ssl: true
restricted_ips_regex: null
scim:
external_groups: null
userids_enabled: false
4 changes: 4 additions & 0 deletions templates/cf-properties.yml
Expand Up @@ -208,6 +208,8 @@ properties:

saml: ~

restricted_ips_regex: ~

uaa:
catalina_opts: (( merge ))

Expand Down Expand Up @@ -305,3 +307,5 @@ properties:
override: true
authorities: uaa.resource
secret: (( merge ))

restricted_ips_regex: ~