username = "overpass"
basedir = data_bag_item("accounts", username)["home"]
+web_passwords = data_bag_item("web", "passwords")
%w[bin site diffs db src].each do |dirname|
directory "#{basedir}/#{dirname}" do
## Setup Apache
+gem_package "rotp"
+
+directory "#{basedir}/apache" do
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+template "#{basedir}/apache/totp-filter" do
+ source "totp-filter.erb"
+ owner "root"
+ group "root"
+ mode "755"
+ variables :totp_key => web_passwords["totp_key"]
+end
+
ssl_certificate node[:fqdn] do
domains [node[:fqdn],
node[:overpass][:fqdn]]
apache_module "cgi"
apache_module "headers"
+apache_module "rewrite"
apache_site "default" do
action :disable
DocumentRoot <%= @directory %>
+ RewriteMap totp prg:/srv/query.openstreetmap.org/apache/totp-filter
+ RewriteCond "${totp:%{HTTP_COOKIE}}" "0"
+ RewriteRule ^.*$ - [F,L]
+
<% if node[:overpass][:restricted_api] -%>
ScriptAlias /query-features <%= @script_directory %>/interpreter
SetEnvIf Origin "http.*(osm.org|openstreetmap.org).*" AccessControlAllowOrigin=$0
--- /dev/null
+#!/usr/bin/ruby
+
+requrie "cgi"
+require "rotp"
+
+totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)
+
+STDIN.each_line do |header|
+ cookies = CGI::Cookie.parse(header)
+
+ if totp.verify(cookies["_osm_totp_token"], :drift_behind => 43200, :drift_ahead => 3600)
+ puts "1"
+ else
+ puts "0"
+ end
+end
+
+exit 0
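Review bot: `requrie "cgi"` on the third line is a typo, so the filter aborts at startup with NameError, and because the consumer's RewriteCond only denies when the map returns exactly "0" (`RewriteCond "${totp:%{HTTP_COOKIE}}" "0"`), a dead or crashed map program appears to fail open — consider `RewriteCond "${totp:%{HTTP_COOKIE}|0}" "!=1"` on the Apache side so the default is deny. Two more things in the loop body look wrong: `header` still carries its trailing newline (so a token in the last cookie never matches), and `CGI::Cookie.parse` yields `CGI::Cookie` values, which are Arrays rather than Strings, so `totp.verify` is handed an Array or nil instead of the code — take the first value and `chomp` the input. Apache's prg: RewriteMap also waits for one reply line per lookup and Ruby block-buffers stdout on a pipe, so without `$stdout.sync = true` the first request may hang. Separately, the TOTP secret is embedded verbatim via `<%= @totp_key %>`, so the rendered file's mode matters; the template resource above writes it 0755, i.e. world-readable on the host, and something like 0750 with the web server's group would be tighter. Catching StandardError per line and answering "0" keeps the program alive on malformed input instead of tripping the fail-open path.
```ruby
#!/usr/bin/ruby

require "cgi"
require "rotp"

# Apache waits for one reply line per lookup; Ruby block-buffers a pipe,
# so flush after every puts or the lookup hangs.
$stdout.sync = true

totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)

STDIN.each_line do |line|
  begin
    # Apache sends "NULL" when the Cookie header is empty; strip the newline
    # so a token in the last cookie is not compared with "\n" attached.
    cookies = CGI::Cookie.parse(line.chomp)
    cookie = cookies["_osm_totp_token"]
    # CGI::Cookie is an Array of values; verify wants a single String.
    token = cookie ? cookie.first.to_s : ""

    if !token.empty? && totp.verify(token, :drift_behind => 43200, :drift_ahead => 3600)
      puts "1"
    else
      puts "0"
    end
  rescue StandardError
    # A crashed map program fails open at the RewriteCond; answer deny instead.
    puts "0"
  end
end
```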