mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 18:32:41 +01:00
phorge-phorge/src
epriestley fa7bb8ff7a Add cluster.addresses and require membership before accepting cluster authentication tokens
Summary:
Ref T2783. Ref T6706.

  - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
  - When we receive a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
    - This provides a general layer of security for these mechanisms.
    - In particular, it means they do not work by default on unconfigured hosts.
  - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
    - This provides a general layer of security for getting the Ops side of cluster configuration correct.
    - If cluster nodes have public IPs and are listening on them, we'll reject requests.
    - Basically, this means that any requests which bypass the LB get rejected.

Test Plan:
  - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
  - With addresses configured wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
  - With addresses configured correctly, made valid requests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6706, T2783

Differential Revision: https://secure.phabricator.com/D11159
2015-01-02 15:13:41 -08:00
__tests__ Improve top-level exception handling 2015-01-02 10:49:27 -08:00
aphront Add cluster.addresses and require membership before accepting cluster authentication tokens 2015-01-02 15:13:41 -08:00
applications Add cluster.addresses and require membership before accepting cluster authentication tokens 2015-01-02 15:13:41 -08:00
docs Update doc reference to PhabricatorIRCBot for D4757 2014-12-31 07:47:02 -08:00
extensions Add src/extensions/ to Phabricator 2013-08-14 15:38:06 -07:00
infrastructure Add cluster.addresses and require membership before accepting cluster authentication tokens 2015-01-02 15:13:41 -08:00
view Revert "Remove an empty div" 2015-01-02 09:09:34 -08:00
__phutil_library_init__.php Delete license headers from files 2012-11-05 11:16:51 -08:00
__phutil_library_map__.php Add cluster.addresses and require membership before accepting cluster authentication tokens 2015-01-02 15:13:41 -08:00