From 4c8a650943a0e619526937543a6e4a45e12d0427 Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 26 Dec 2013 13:13:59 +0100
Subject: add support for ip whitelist

---
 python/webiopi/protocols/http.py | 8 +++++++-
 python/webiopi/server/__init__.py | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/python/webiopi/protocols/http.py b/python/webiopi/protocols/http.py
index aea6d82..00d811d 100644
--- a/python/webiopi/protocols/http.py
+++ b/python/webiopi/protocols/http.py
@@ -22,6 +22,7 @@ from webiopi.utils.version import VERSION_STRING, PYTHON_MAJOR
 from webiopi.utils.logger import info, exception
 from webiopi.utils.crypto import encrypt
 from webiopi.utils.types import str2bool
+from netaddr import IPNetwork, IPAddress
 
 if PYTHON_MAJOR >= 3:
     import http.server as BaseHTTPServer
@@ -36,7 +37,7 @@ except:
     WEBIOPI_DOCROOT = "/usr/share/webiopi/htdocs"
 
 class HTTPServer(BaseHTTPServer.HTTPServer, threading.Thread):
-    def __init__(self, host, port, handler, context, docroot, index, auth=None):
+    def __init__(self, host, port, handler, context, docroot, index, auth=None, allowfrom=[]):
         BaseHTTPServer.HTTPServer.__init__(self, ("", port), HTTPHandler)
         threading.Thread.__init__(self, name="HTTPThread")
         self.host = host
@@ -60,6 +61,7 @@ class HTTPServer(BaseHTTPServer.HTTPServer, threading.Thread):
 
         self.handler = handler
         self.auth = auth
+        self.allowfrom = allowfrom
         self.running = True
         self.start()
 
@@ -98,6 +100,10 @@ class HTTPHandler(BaseHTTPServer.BaseHTTPRequestHandler):
         if self.server.auth == None or len(self.server.auth) == 0:
             return True
 
+        for cidr in self.server.allowfrom:
+            if IPAddress(self.client_address[0]) in IPNetwork(cidr):
+                return True
+
         authHeader = self.headers.get('Authorization')
         if authHeader == None:
             return False
diff --git a/python/webiopi/server/__init__.py b/python/webiopi/server/__init__.py
index 68fdbe6..11fe7d7 100644
--- a/python/webiopi/server/__init__.py
+++ b/python/webiopi/server/__init__.py
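Review bot: The added `from netaddr import IPNetwork, IPAddress` is an unguarded import of a third-party package, so the whole HTTP module fails to load when netaddr is not installed, even for deployments that never set `allow-from`. This patch does not show any packaging or README change declaring the new dependency. The standard-library `ipaddress` module is not an option while this file still supports Python 2 (the `PYTHON_MAJOR` check), so either document the requirement alongside the other dependencies or wrap the import and fail with a clear message only when `allow-from` is actually configured, e.g. `try: from netaddr import IPNetwork, IPAddress` / `except ImportError: IPNetwork = IPAddress = None` and check for `None` at configuration time.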
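Review bot: The new parameter uses a mutable default, `allowfrom=[]`, in the `HTTPServer.__init__` signature. The list is only stored (`self.allowfrom = allowfrom` in the following hunk) and iterated in this patch, so it is harmless today, but the shared-default object is a well-known trap once anyone appends to it; prefer `allowfrom=None` in the signature and `self.allowfrom = allowfrom if allowfrom is not None else []` where it is stored. The `__init__` body continues outside both hunks.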
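Review bot: The new loop lets a request skip HTTP authentication based solely on `self.client_address[0]`, which is the TCP peer address, so behind a reverse proxy or NAT every client appears as the proxy and a single `allow-from` entry covering it disables authentication for everyone; a comment on the loop should state this, e.g. `# allow-from trusts the immediate TCP peer address; do not whitelist a proxy or NAT gateway that forwards untrusted clients`. Separately, `IPNetwork(cidr)` parses the configured string on every request, and a malformed entry raises inside the handler instead of being rejected at startup — parse the list once when `HTTPServer` is constructed and iterate the parsed networks here, hoisting the client address as well: `client = IPAddress(self.client_address[0])` / `for network in self.server.allowfrom:` / `if client in network:`. The enclosing handler method starts outside the hunk.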
@@ -80,6 +80,7 @@ class Server():
         http_port = config.getint("HTTP", "port", port)
         http_enabled = config.getboolean("HTTP", "enabled", http_port > 0)
         http_passwdfile = config.get("HTTP", "passwd-file", passwdfile)
+        http_allowfrom = config.get("HTTP", "allow-from", None)
         context = config.get("HTTP", "context", None)
         docroot = config.get("HTTP", "doc-root", None)
         index = config.get("HTTP", "welcome-file", None)
@@ -112,8 +113,10 @@ class Server():
         if auth == None or len(auth) == 0:
             logger.warn("Access unprotected")
 
+        allowfrom = http_allowfrom.split(" ") if http_allowfrom != None else [ ]
+
         if http_enabled:
-            self.http_server = http.HTTPServer(self.host, http_port, self.restHandler, context, docroot, index, auth)
+            self.http_server = http.HTTPServer(self.host, http_port, self.restHandler, context, docroot, index, auth, allowfrom)
         else:
             self.http_server = None
 
-- 
cgit v1.2.3
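Review bot: `http_allowfrom.split(" ")` produces empty strings whenever the config value contains two consecutive spaces or a trailing space, and each empty entry then reaches `IPNetwork("")` in the request handler and raises on every request; splitting on any whitespace avoids that, `allowfrom = http_allowfrom.split() if http_allowfrom is not None else []`. Since a non-empty list widens unauthenticated access, it would also be consistent with the existing `"Access unprotected"` warning to log the configured networks at startup, e.g. `logger.info("HTTP auth bypassed for %s" % allowfrom)` when the list is non-empty, so operators can see the bypass in the log. The surrounding method starts before and continues after this hunk.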