Block accesses to the configuration API except priviledged IP range
piroor committed Aug 2, 2012
1 parent 9459df3 commit 01836bb
Showing 4 changed files with 34 additions and 5 deletions.
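--- a/bin/gcs
+++ b/bin/gcs
@@ -17,12 +17,17 @@ program
 'database path [' + defaultDatabasePath + ']',
 String,
 defaultDatabasePath)
+.option('--privilege',
+'IP range for privileged clients [' + defaultPrivilegedRange + ']',
+String,
+defaultPrivilegedRange)
 .parse(process.argv);
 
 var server;
 
 server = gcsServer.createServer({
-databasePath: program.databasePath
+databasePath: program.databasePath,
+privilegedRange: program.privilege
 });
 
 server.listen(program.port, function() {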
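Review bot: The `--privilege` flag in the added `.option(...)` call has no value placeholder, so if `program` is a commander instance (its setup is above this hunk) the option is parsed as a boolean switch and a range given on the command line would not end up in `program.privilege`. The server would then keep enforcing `defaultPrivilegedRange`, or receive `true`, while the operator believes a custom range is active. Declaring it as `.option('--privilege <range>',` makes the flag consume its argument. Rejecting a malformed range at startup, before `server.listen`, would also surface typos instead of silently changing who is allowed in.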
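--- a/lib/api/2011-02-01/configuration.js
+++ b/lib/api/2011-02-01/configuration.js
@@ -4,6 +4,7 @@ var Domain = require('../../database').Domain;
 var Translator = require('../../batch/translator').Translator;
 var dateFormat = require('dateformat');
 var xmlbuilder = require('../../xmlbuilder');
+var ipv4 = require('../../ipv4');
 
 exports.version = path.basename(__dirname);
 
@@ -317,10 +318,33 @@ handlers.UpdateSynonymOptions = function(context, request, response) {
 }
 };
 
-exports.createHandler = function(context) {
+function getClientIp(request) {
+var forwardedIps = request.header('x-forwarded-for');
+if (forwardedIps) {
+var ip = forwardedIps.split(',')[0];
+if (ip)
+return ip;
+}
+return request.connection.remoteAddress;
+};
+
+
+exports.createHandler = function(context, config) {
+var privilegedRange = config && config.privilegedRange;
 return function(request, response, next) {
 var message, body;
 
+// GCS specific behaviour: prevent to access this API from specific IP
+// range.
+if (privilegedRange) {
+if (!ipv4.isInRange(getClientIp(request), privilegedRange)) {
+message = 'Permission denied.';
+body = createCommonErrorResponse('InvalidClientIpRange', message);
+response.contentType('application/xml');
+return response.send(body, 403);
+}
+}
+
 // GCS specific behaviour: fallback to other handlers for the endpoint
 // if no action is given.
 var action = request.query.Action || '';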
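Review bot: `getClientIp` prefers the first `x-forwarded-for` entry over `request.connection.remoteAddress`, and that header is client-supplied unless a reverse proxy in front of this server overwrites it, so the new 403 check in `createHandler` rests on a value the requester can choose. The safe default is to decide on the socket address alone, `return request.connection.remoteAddress;`, and to consult the header only when that peer is a configured trusted proxy. If the header is kept, the entry should be trimmed before it reaches `ipv4.isInRange`. A falsy `privilegedRange` also skips the check entirely, so callers of `createHandler` that pass no `config` leave the API open. The returned handler continues past the end of this hunk.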
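--- a/lib/api/2011-02-01/index.js
+++ b/lib/api/2011-02-01/index.js
@@ -6,9 +6,9 @@ exports.configuration = require('./configuration');
 exports.batch = require('./batch');
 exports.search = require('./search');
 
-exports.registerHandlers = function(application, database) {
+exports.registerHandlers = function(application, database, config) {
 application.get('/',
-exports.configuration.createHandler(database));
+exports.configuration.createHandler(database, config));
 
 application.post('/' + exports.version + '/documents/batch',
 exports.batch.createHandler(database));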
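Review bot: Only the configuration handler receives `config` in `registerHandlers`; `exports.batch.createHandler(database)` on the `POST .../documents/batch` route is still built without it, so document uploads are accepted from any address while the configuration API is restricted. If that endpoint is meant to be limited to the same range, pass the setting through with `exports.batch.createHandler(database, config));` and apply the check there. If it is intentionally public, a comment on `registerHandlers` would record the decision, e.g. `// Only the configuration API is limited to config.privilegedRange.` The body of `registerHandlers` continues beyond this hunk.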
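--- a/lib/server.js
+++ b/lib/server.js
@@ -14,7 +14,7 @@ exports.createServer = function (config) {
 });
 
 api.versions.forEach(function(version) {
-api[version].registerHandlers(application, context);
+api[version].registerHandlers(application, context, config);
 });
 
 application.get('/', dashboard.rootHandler);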
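Review bot: Passing `config` to `registerHandlers` also affects the `GET /` route registered just below for `dashboard.rootHandler`. The range check in `configuration.js` returns 403 before the handler looks at `Action`, so a client outside `privilegedRange` would presumably never fall through to the dashboard. If the dashboard should stay reachable, the check belongs after the no-`Action` fallback. If hiding it is intended, say so in a comment such as `// dashboard shares GET / and is gated by config.privilegedRange`. `createServer` starts and ends outside this hunk.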
