authorAsbjørn Sloth Tønnesen <asbjorn@asbjorn.biz>2017-11-15 21:39:43 +0000
committerAsbjørn Sloth Tønnesen <asbjorn@asbjorn.biz>2017-11-15 21:39:43 +0000
commit9e42e4de93901583cb7bd516d9d9407834840060 (patch)
tree436f919ed3dc52b15fda7449ac1049750d86e270 /web
parentb366c77b6cae76d22078f8bb63bdac9de68b05d3 (diff)
initial firewalling for https://track.labitat.dk/
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@asbjorn.biz>
Diffstat (limited to 'web')
-rwxr-xr-xweb/labitrackd.lua62
1 files changed, 62 insertions, 0 deletions
diff --git a/web/labitrackd.lua b/web/labitrackd.lua
index 77d15b5..f30dd42 100755
--- a/web/labitrackd.lua
+++ b/web/labitrackd.lua
@@ -30,6 +30,37 @@ end
local pg_connect_str = 'host=localhost user=labitrack dbname=labitrack password=nerfyoawdAj3'
local bind = arg[1] or '*:8080'
local queue_dir = arg[2] or './queue'
+
+local acl_labitat = {
+ create = true,
+ update = true,
+ printing = true,
+}
+
+local acl_everywhere = {
+ create = false,
+ update = false,
+ printing = false,
+}
+
+local labitat_addresses = {
+ '185.38.175.',
+ '2a01:4260:1ab:',
+ '10.42.',
+}
+
+local function getpermisions(ip)
+ if not ip then return acl_everywhere end
+ for i=1,#labitat_addresses do
+ local prefix = labitat_addresses[i]
+ if ip:sub(1,#prefix) == prefix then
+ return acl_labitat
+ end
+ end
+ return acl_everywhere
+end
+
+
--
-- end of settings
--
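Review bot: getpermisions decides access by comparing the raw textual address against string prefixes, which is fragile for the IPv6 entry '2a01:4260:1ab:' — an address rendered with uppercase hex or a leading zero (e.g. '2A01:4260:1AB:…' or '2a01:4260:01ab:…') would not match and would fall through to acl_everywhere. Lower-casing once before the loop, `ip = ip:lower()`, removes the case problem cheaply; leading-zero and `::`-compressed variants would need a parsed comparison rather than a string prefix. The mismatch path fails closed (acl_everywhere has every permission set to false), which is the right default, so the cost of these gaps is a spurious 403 rather than unintended access. The helper's name also carries a typo (`getpermisions`) that the callers in the later hunks repeat; renaming it to `get_permissions` now is cheaper than after it has spread.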
@@ -138,6 +169,25 @@ local function set_json_nocache_headers(res)
res.headers['Cache-Control'] = 'max-age=0, must-revalidate'
end
+local function forbidden(req, res)
+ set_json_nocache_headers(res)
+ res.status = 403
+ res:add('{"count": %d, "objects":', count());
+ add_json(res, assert(db:run('since', (since-1)*10)))
+ res:add('}');
+end
+
+local function allow(perm, req, res)
+ local ip = req.headers['x-real-ip']
+ local p = getpermisions(ip)
+ if p[perm] then
+ return true
+ else
+ forbidden(req, res)
+ return false
+ end
+end
+
local function unescape(s)
s = string.gsub(s, "+", " ")
s = string.gsub(s, "%%(%x%x)", function (h)
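Review bot: forbidden() builds its 403 body from what looks like a list handler's code — it calls count() and uses `since`, which is neither a parameter nor a local here, so unless a global `since` exists elsewhere in the file `(since-1)*10` raises on nil and the client gets an error instead of a clean 403; even when it runs, it would serve rows from db:run('since', …) to a caller that was just denied. Replace the three res:add/add_json lines with a fixed body such as `res:add('{"error": "forbidden"}')`. Separately, allow() takes the client address from the x-real-ip header, which is only meaningful when every request passes through a proxy that overwrites that header; with the default bind of '*:8080' from the earlier hunk the process can be reached directly, so bind to loopback or otherwise ensure the proxy is the only route, and document that assumption next to allow(). The getpermisions helper it calls is defined in the earlier hunk.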
@@ -259,12 +309,20 @@ GETM('^/search.json%??(.*)$', function(req, res, rawqs)
end
end)
+GET('/permissions.json', function(req, res)
+ set_json_nocache_headers(res)
+ local ip = req.headers['x-real-ip']
+ local p = getpermisions(ip)
+ res:add('%s', json.encode(p))
+end)
+
GET('/queue.json', function(req, res)
set_json_nocache_headers(res)
res:add('%s', json.encode(queue:stat()))
end)
GET('/queue.json?empty', function(req, res)
+ if not allow('printing', req, res) then return end
set_json_nocache_headers(res)
res:add('%s', json.encode(queue:empty()))
end)
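Review bot: the new allow('printing', …) check on /queue.json?empty authorises by source address only, and that handler is a GET with a side effect (emptying the queue), so a page loaded by a browser inside the allowed ranges could trigger it cross-site with the address check satisfied. Moving state-changing actions to POST with a CSRF token, or requiring a custom header that simple cross-site requests cannot set, would close that gap; the same consideration applies to the other allow()-gated handlers in this commit. Minor: /permissions.json repeats the `req.headers['x-real-ip']` lookup and getpermisions call that allow() already performs — a small `local function permissions_for(req)` used by both would keep them in step if the header name ever changes.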
@@ -285,8 +343,10 @@ local function save_or_update(req, res)
local id
if label['id'] == nil then
+ if not allow('create', req, res) then return end
id = assert(db:run('insert', label['name'], label['desc'], table.concat(label['tags'], ',')))[1][1]
else
+ if not allow('update', req, res) then return end
assert(db:run('update', label['id'], label['name'], label['desc'], table.concat(label['tags'], ',')))
id = label['id']
end
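Review bot: the two allow() calls inside the if/else of save_or_update run only after the label table has been fully parsed, and the permission is chosen purely by whether the request supplied an id; the enclosing function starts and ends outside this hunk, so check that nothing earlier in it has side effects (queueing, writing under queue_dir) for a request that is then refused. A single check before the branch, `local perm = label['id'] == nil and 'create' or 'update'` followed by `if not allow(perm, req, res) then return end`, would state the rule once. Since 'update' is keyed on a client-supplied id, any address in the permitted ranges can rewrite any existing label — presumably intended for a lab-internal tool, but worth a one-line comment so the scope of the ACL is explicit.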
@@ -310,6 +370,8 @@ end)
POST('/print.json', function(req, res)
+ if not allow('printing', req, res) then return end
+
set_json_nocache_headers(res)
local expected = "application/x-www-form-urlencoded"