From 34fb15980110a540d53e9dc1a7a78511fd100ea6 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Sun, 22 Oct 2017 12:35:12 -0400
Subject: [PATCH] Restrict forward source ip to requestor

This prevents sockets from opening up to the world that could be used to connect to management interfaces directly, apart from the specific requestors.
---
 confluent_server/confluent/forwarder.py | 17 ++++++++++++++---
 confluent_server/confluent/httpapi.py | 2 +-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/confluent_server/confluent/forwarder.py b/confluent_server/confluent/forwarder.py
index cc807f4f..231b3bf0 100644
--- a/confluent_server/confluent/forwarder.py
+++ b/confluent_server/confluent/forwarder.py
@@ -22,6 +22,7 @@ import eventlet.green.select as select
 import eventlet.green.socket as socket
 forwarders = {}
 sockhandler = {}
+allowedclients = set([])
 vidtarget = None
 vidforwarder = None
@@ -40,7 +41,10 @@ def handle_connection(incoming, outgoing):
 def forward_port(sock, target):
     while True:
-        conn, _ = sock.accept()
+        conn, cli = sock.accept()
+        if cli[0] not in allowedclients:
+            conn.close()
+            continue
         try:
             client = socket.create_connection((target, 443))
         except Exception:
@@ -52,7 +56,10 @@ def forward_port(sock, target):
 def forward_video():
     sock = eventlet.listen(('::', 3900, 0, 0), family=socket.AF_INET6)
     while True:
-        conn, _ = sock.accept()
+        conn, cli = sock.accept()
+        if cli[0] not in allowedclients:
+            conn.close()
+            continue
         if vidtarget is None:
             conn.close()
             continue
@@ -63,9 +70,13 @@ def forward_video():
         continue
     eventlet.spawn_n(handle_connection, conn, vidclient)
-def get_port(addr):
+def get_port(addr, clientip):
     global vidtarget
     global vidforwarder
+    if socket.getaddrinfo(clientip, 0)[0][0] == socket.AF_INET:
+        allowedclients.add('::ffff:' + clientip)
+    else:
+        allowedclients.add(clientip)
     if addr not in forwarders:
         newsock = eventlet.listen(('::', 0, 0, 0), family=socket.AF_INET6)
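Review bot: `allowedclients` is a process-wide set that only grows: nothing in this patch ever removes an address, so an IP authorized once by get_port for one node stays authorized for every forwarder port and the video port until the server restarts, which widens the "specific requestors" scope the commit message describes. If that is intended, record it next to the declaration, e.g. `# client IPs granted forwarding by get_port(); entries are never expired or scoped per target`; otherwise consider keying the allow-list by (client, target) or expiring entries. Minor style: `allowedclients = set()` is the idiomatic empty set.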
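Review bot: The accept-and-check lines added to forward_port are duplicated verbatim in forward_video (the following hunk); a small helper such as `def _client_permitted(cli): return cli[0] in allowedclients` used as `if not _client_permitted(cli):` in both loops would keep the policy in one place. A rejected peer is closed silently; emitting a log line with the rejected source address on that path (the project's logging facility is not visible in this hunk) would let operators notice unexpected connection attempts against the forwarder ports. Note also that `cli[0]` for a link-local IPv6 peer may carry a `%scope` suffix that will not equal the string stored by get_port — worth confirming against how this listener is deployed. The body of forward_port continues past the end of the hunk.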
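Review bot: `socket.getaddrinfo(clientip, 0)` performs name resolution for anything that is not an address literal, so a clientip that arrives malformed (the caller in httpapi.py passes the raw X-Forwarded-For header, which can be a comma-separated chain) either triggers a DNS lookup or raises `socket.gaierror`, and nothing in get_port or its caller catches that. A literal-address test with `socket.inet_pton` classifies the value without a resolver and makes the fallback explicit; the rewrite is below. The `'::ffff:'` mapping also presumes the IPv6 listeners are dual-stack so that IPv4 peers show up as mapped addresses on accept — confirm that is how eventlet.listen behaves here. The rest of get_port continues beyond the hunk.

```python
def get_port(addr, clientip):
    # … unchanged: global declarations …
    try:
        socket.inet_pton(socket.AF_INET, clientip)
        allowedclients.add('::ffff:' + clientip)
    except socket.error:
        allowedclients.add(clientip)
    # … unchanged: forwarder creation …
```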
diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index 6ea4682e..1239fbfd 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -464,7 +464,7 @@ def resourcehandler_backend(env, start_response):
             start_response('404 Not Found', headers)
             yield 'No hardwaremanagemnet.manager defined for node'
             return
-        funport = forwarder.get_port(targip)
+        funport = forwarder.get_port(targip, env['HTTP_X_FORWARDED_FOR'])
         host = env['HTTP_X_FORWARDED_HOST']
         url = 'https://{0}:{1}/'.format(host, funport)
         start_response('302', [('Location', url)])
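Review bot: `env['HTTP_X_FORWARDED_FOR']` is handed to get_port unparsed, and that header is only as trustworthy as the proxy in front of this backend that sets or overwrites it; the forwarder allow-list is therefore exactly as strong as the assumption that requests cannot reach this handler without passing that proxy. Reading `HTTP_X_FORWARDED_HOST` the same way two lines below keeps the style consistent, but the trust assumption deserves a comment at the call site, e.g. `# X-Forwarded-For must be set by the trusted front-end proxy; the forwarder allow-list is keyed on it`. Where a proxy chain appends multiple addresses, select the hop you actually trust (`.split(',')` on the value) before passing it on, and where the backend is reachable directly, `env['REMOTE_ADDR']` is the value the requester cannot choose. The enclosing resourcehandler_backend starts and ends outside this hunk.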