Rewrite get public IP to force use of IPv4

basefarm · Feb 19, 2019 · 7eee6e0 · 7eee6e0
1 parent 897c91e
commit 7eee6e0
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 13 deletions.
diff --git a/blessclient.cfg.sample b/blessclient.cfg.sample
@@ -51,7 +51,7 @@ mfa_cache_file: token_cache.json
 # ip_urls: comma-separated list of urls that can provide a user's public IP address. This
 # IP will be added as an authorized IP to the user's certificate, preventing a stolen
 # SSH certificate from being used by another IP.
-ip_urls: http://api.ipify.org, http://canihazip.com
+ip_urls: http://api.ipify.org, http://ifconfig.co/ip, http://canihazip.com/s
 
 # update_script: This script will be called after 7 days of use, so you can push updates
 # to your users. Your update script should use some mechanism to verify the integrity of

diff --git a/blessclient/user_ip.py b/blessclient/user_ip.py
@@ -3,7 +3,9 @@
 import logging
 import string
 import time
-from six.moves.urllib_request import urlopen
+import socket
+import requests
+from urllib.parse import urlparse
 
 VALID_IP_CHARACTERS = string.hexdigits + '.:'
 
@@ -51,13 +53,19 @@ def _refreshIP(self):
 
     def _fetchIP(self, url):
         try:
-            with contextlib.closing(urlopen(url, timeout=2)) as f:
-                if f.getcode() == 200:
-                    content = f.read().decode().strip()[:40]
-                    for c in content:
-                        if c not in VALID_IP_CHARACTERS:
-                            raise ValueError("Public IP response included invalid character '{}'.".format(c))
-                    return content
+            # We do this to force IPv4 lookup as bless do not currently support IPv6
+            parsed_uri = urlparse(url)
+            addrs = socket.gethostbyname(parsed_uri.netloc)
+            headers = { 'Host' : parsed_uri.netloc }
+            r = requests.get('{}://{}{}'.format(parsed_uri.scheme, addrs, parsed_uri.path), headers=headers)
+            if r.status_code == 200:
+                content = r.text.strip()
+                for c in content:
+                    if c not in VALID_IP_CHARACTERS:
+                        print(content)
+                        raise ValueError("Public IP response included invalid character '{}'.".format(c))
+                logging.debug('Public IP is {}'.format(content))
+                return content
         except Exception as e:
             logging.debug(e)
             logging.debug('Could not refresh public IP from {}'.format(url), exc_info=True)

diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 
 setup(
     name="blessclient",
-    version="0.4.1",
+    version="0.4.2",
     packages=find_packages(exclude=["test*"]),
     install_requires=[
         'boto3>=1.4.0,<2.0.0',
@@ -11,13 +11,14 @@
         'six',
         'hvac',
         'requests_aws_sign',
-        'pycryptodomex'
+        'pycryptodomex',
+        'requests'
     ],
     author="Chris Steipp",
     author_email="[email protected]",
-    description="Issue temporary certificates for ssh, signed by the Netflix BLESS lambda.",
+    description="Basefarm modified blessclient. Forked from lyft",
     license="apache2",
-    url="https://github.com/lyft/python-blessclient",
+    url="https://github.com/basefarm/python-blessclient",
     entry_points={
         "console_scripts": [
             "blessclient = blessclient.client:main",