TT#16922 Check MAC in SSL DN while autoprov

Change-Id: Icdd13afd265e8e04c7314004cd88c5fe034d7982
changes/84/20984/4
Andreas Granig 8 years ago
parent b8809516c6
commit 99c856fd31

@ -1116,16 +1116,12 @@ sub dev_field_config :Chained('/') :PathPart('device/autoprov/config') :Args() {
$c->response->headers->remove_header('X-Catalyst');
$c->response->headers->push_header('Last-Modified' => DateTime::Format::HTTP->format_datetime());
# this is going to be used if we want to do the cert check on the server,
# the format is like this:
# /C=US/ST=708105B37234/L=CBT153908BX/O=Cisco Systems, Inc./OU=cisco.com/CN=SPA-525G2, MAC: 708105B37234, Serial: CBT153908BX/emailAddress=linksys-certadmin@cisco.com
# however, we should do it on nginx, but we need a proper CA cert
# from cisco for checking the client cert?
$c->log->debug("SSL_CLIENT_M_DN: " . ($c->request->env->{SSL_CLIENT_M_DN} // ""));
unless(
($c->user_exists && ($c->user->roles eq "admin" || $c->user->roles eq "reseller")) ||
defined $c->request->env->{SSL_CLIENT_M_DN}
) {
$c->log->notice("unauthenticated config access to id '$id' via ip " . $c->req->address);
$c->response->content_type('text/plain');
if($c->config->{features}->{debug}) {
$c->response->body("403 - unauthenticated config access");
@ -1176,6 +1172,27 @@ sub dev_field_config :Chained('/') :PathPart('device/autoprov/config') :Args() {
$ip = $c->req->address;
}
# example DN format is:
# /C=US/ST=708105B37234/L=CBT153908BX/O=Cisco Systems, Inc./OU=cisco.com/CN=SPA-525G2, MAC: 708105B37234, Serial: CBT153908BX/emailAddress=linksys-certadmin@cisco.com
# if check is enabled, lowercase both DN and given MAC, strip colons and dashes from both, and try to
# find given MAC as substring in DN
if ($c->config->{security}->{autoprov_ssl_mac_check}) {
my $dn = $c->request->env->{SSL_CLIENT_M_DN} // '';
$dn = lc($dn);
$dn =~ s/[:\-]//g;
if (index($dn, $id) == -1) {
$c->log->notice("unauthorized config access to id '$id' from dn '$dn' via ip '$ip'");
$c->response->content_type('text/plain');
if($c->config->{features}->{debug}) {
$c->response->body("403 - unauthorized config access");
} else {
$c->response->body("403 - forbidden");
}
$c->response->status(403);
return;
}
}
my $dev = $c->model('DB')->resultset('autoprov_field_devices')->find({
identifier => $id
});
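Review bot: The substring test at `if (index($dn, $id) == -1)` is looser than the comment above it promises: only `$dn` is lowercased and stripped of colons/dashes, while `$id` is used as-is, so an identifier carrying uppercase hex or separators never matches, and an empty `$id` makes `index` return 0 and pass the check (whether `$id` is validated earlier cannot be seen here, since dev_field_config's body starts outside the hunk). Because `index` matches anywhere in the DN, a short identifier can also match inside the Serial, ST or L fields rather than the MAC field. Normalizing the identifier the same way and anchoring on the MAC field keeps the check strict, e.g. `(my $mac = lc $id) =~ s/[:\-]//g;` followed by `if ($mac eq '' || $dn !~ m{ mac \s* \Q$mac\E (?: , | \z ) }x) {` — note that the stripping also removes the colon after `MAC`, hence `mac \s*`. This assumes the DN layout shown in the comment; if certificates from other vendors are expected, the field label would need to be configurable rather than hard-coded.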
