[aur-dev] [PATCH 3/4] git-serve: Implement IP address bans

Lukas Fleischer lfleischer at archlinux.org
Wed Jan 25 18:39:40 UTC 2017


Currently, IP address bans affect the web interface only. Make sure they
are honored in the SSH interface as well.

Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
 aurweb/exceptions.py |  4 ++++
 aurweb/git/serve.py  | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/aurweb/exceptions.py b/aurweb/exceptions.py
index 639f9e0..664db68 100644
--- a/aurweb/exceptions.py
+++ b/aurweb/exceptions.py
@@ -6,6 +6,10 @@ class MaintenanceException(AurwebException):
     pass
 
 
+class BannedException(AurwebException):
+    pass
+
+
 class PermissionDeniedException(AurwebException):
     def __init__(self, user):
         msg = 'permission denied: {:s}'.format(user)
diff --git a/aurweb/git/serve.py b/aurweb/git/serve.py
index cfd4910..44cce75 100755
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@@ -422,6 +422,14 @@ def log_ssh_login(user, remote_addr):
     conn.close()
 
 
+def bans_match(remote_addr):
+    conn = aurweb.db.Connection()
+
+    cur = conn.execute("SELECT COUNT(*) FROM Bans WHERE IPAddress = ?",
+                       [remote_addr])
+    return cur.fetchone()[0] > 0
+
+
 def die(msg):
     sys.stderr.write("{:s}\n".format(msg))
     exit(1)
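Review bot: bans_match() opens an `aurweb.db.Connection()` and returns without closing it, whereas the tail of log_ssh_login() visible just above the new function ends with `conn.close()`. Capture the result before returning and close the connection: `banned = cur.fetchone()[0] > 0`, then `conn.close()`, then `return banned`. The lookup is an exact string comparison on `IPAddress`, so it presumably relies on remote_addr and the stored ban sharing one textual form (different spellings of the same IPv6 address would not match). A one-line docstring such as `"""Return True if remote_addr has an exact-match row in Bans."""` would make that assumption explicit.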
@@ -463,6 +471,8 @@ def serve(action, cmdargv, user, privileged, remote_addr):
     if enable_maintenance:
         if remote_addr not in maintenance_exc:
             raise aurweb.exceptions.MaintenanceException
+    if bans_match(remote_addr):
+        raise aurweb.exceptions.BannedException
     log_ssh_login(user, remote_addr)
 
     if action == 'git' and cmdargv[1] in ('upload-pack', 'receive-pack'):
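Review bot: A banned address raises BannedException before log_ssh_login() is reached, so within the lines shown nothing records that a banned address connected or which authenticated user it presented. If the rejection is not logged elsewhere, record it before the raise so that operators can see repeated attempts from banned addresses. At minimum, document the ordering with a comment above the check, for example `# Checked before log_ssh_login(): banned attempts are rejected without updating the login record.` serve() begins before and continues past this hunk, so existing logging may sit outside the view.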
@@ -586,6 +596,8 @@ def main():
         serve(action, cmdargv, user, privileged, remote_addr)
     except aurweb.exceptions.MaintenanceException:
         die("The AUR is down due to maintenance. We will be back soon.")
+    except aurweb.exceptions.BannedException:
+        die("The SSH interface is disabled for your IP address.")
     except aurweb.exceptions.InvalidArgumentsException as e:
         die_with_help('{:s}: {}'.format(action, e))
     except aurweb.exceptions.AurwebException as e:
-- 
2.11.0

