WebDev - Security Zones

I'm on 8.1.41

Is there a way to use Security Zones in the WebDev module?

I want to secure some WebDev scripts to give access to specific IP addresses without authentication required.

I don't want to hardcode allowed IP addresses in my scripts; I want to be able to configure it in the gateway...

Not in a convenient built-in way, but if you have a GatewayContext there's nothing stopping you from grabbing the SecurityZoneManager and doing something with it, like calling getZonesFor() with some IdentityTraits you built using the IP address from the request header.

Something like this?

gateway = request["context"]
listOfZones = gateway.SecurityZoneManager.getZonesFor(request["remoteAddr"])

Almost, but getZonesFor requires you build an IdentityTraits object.

Not familiar with that, do you have some examples for me?

You should be able to figure this out from looking at the Javadoc; it's a necessary skill if you will be using classes from the SDK.

It would look something like this:

from com.inductiveautomation.ignition.gateway.authentication.securityzones import IdentityTraits

id = IdentityTraits.newBuilder.ipAddress(request["remoteAddr"]).build()

Another thing to keep in mind here is that the usefulness/accuracy of the remote address as seen by the WebDev module will depend entirely on your network architecture.

Seems that something is going wrong with the IdentityTraits.

The first part of my code is working well and returns a list of security zones:

gateway = request["context"]
szm = gateway.getSecurityZoneManager()
listOfZones = szm.getZones()
return {'json': {"Zones for {}:".format(request["remoteAddr"]): listOfZones}}

But when I try to build the IdentityTraits I get a server error:
com.inductiveautomation.ignition.common.script.JythonExecException: Traceback (most recent call last): File "", line 8, in doGet AttributeError: 'reflectedfunction' object has no attribute 'ipAddress'

from com.inductiveautomation.ignition.gateway.authentication.securityzones import IdentityTraits 
identity = IdentityTraits.newBuilder.ipAddress(request["remoteAddr"]).build()
return {'html': "Here !!!"}

Was missing () for newBuilder

identity = IdentityTraits.newBuilder().ipAddress(request["remoteAddr"]).build()

szm.getZonesFor(identity) always returns an empty list:

	gateway = request["context"]
	szm = gateway.getSecurityZoneManager() 
	listOfZones = szm.getZones()

	from com.inductiveautomation.ignition.gateway.authentication.securityzones import IdentityTraits 
	identity = IdentityTraits.newBuilder().ipAddress(request["remoteAddr"]).build()
	identityZones = szm.getZonesFor(identity)
	return {'json': 
				{
					"Zones for {}: ".format(identity.getIpAddress()): identityZones,
					"Zones for context: " : listOfZones
				}
			}


In the Gateway, set the logger for "Security.SecurityZones.Zone" to DEBUG level and then send the request again and see what gets logged.

Zone 'WebDev_API' does not match due to incorrect value for qualifier 'direct-connection'. Remote machine sent: '{ip-address=10.7.15.64}'

Ok, I think you need to set some additional attributes on the IdentityTraits you build.

Probably call isDirect(true) and gatewayScope(): IdentityTraits.Builder

Missing isDirect, isSecure and gatewayScope():

identity = IdentityTraits.newBuilder().ipAddress(request["remoteAddr"]).isDirect(True).isSecure(False).gatewayScope().build()
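To make the empty-list result above easier to reason about, here is an added example (not Ignition's code and not from anyone in this thread) that models how a zone's qualifiers are checked against identity traits. The Zone and trait classes are hypothetical, the zone configuration is constructed, and the qualifier names (ip-address, direct-connection, secure) and the 10.7.15.64 address are taken from the debug log posted earlier. It shows that traits built with only ipAddress() cannot satisfy a zone that constrains direct-connection, which is why the zone was skipped, and it wraps the result in the allow/deny decision a WebDev handler would make.

```python
"""
Simplified model of security-zone qualifier matching against identity traits.
Added example only: the classes below are hypothetical and do not reproduce
Ignition's actual implementation; the qualifier names come from the thread's
debug log.
"""
import ipaddress


class Zone:
    def __init__(self, name, ip_networks=(), direct=None, secure=None):
        # Each qualifier is optional. A qualifier that is set must be satisfied
        # by the traits; a qualifier left at None is not checked.
        self.name = name
        self.ip_networks = [ipaddress.ip_network(n) for n in ip_networks]
        self.direct = direct  # None, True or False
        self.secure = secure  # None, True or False

    def check(self, traits):
        """Return (matched, reason). The reason mimics the Gateway log line."""
        if self.ip_networks:
            ip = traits.get("ip-address")
            if ip is None or not any(ipaddress.ip_address(ip) in n for n in self.ip_networks):
                return False, self._mismatch("ip-address", traits)
        for qualifier, required in (("direct-connection", self.direct), ("secure", self.secure)):
            if required is None:
                continue
            # A trait that was never set cannot satisfy the qualifier: fail closed.
            if traits.get(qualifier) != required:
                return False, self._mismatch(qualifier, traits)
        return True, "Zone '%s' matches" % self.name

    def _mismatch(self, qualifier, traits):
        sent = ", ".join("%s=%s" % kv for kv in sorted(traits.items()))
        return ("Zone '%s' does not match due to incorrect value for qualifier '%s'. "
                "Remote machine sent: '{%s}'" % (self.name, qualifier, sent))


def zones_for(zones, traits):
    """Names of every zone whose qualifiers the traits satisfy (the getZonesFor analogue)."""
    return [z.name for z in zones if z.check(traits)[0]]


def authorize(zones, traits, required_zone):
    """Decision a WebDev handler would make: 200 only if the caller is in required_zone."""
    return 200 if required_zone in zones_for(zones, traits) else 403


# Constructed zone configuration (hypothetical): the zone requires a direct
# connection from the 10.7.15.0/24 network and does not care about TLS.
ZONES = [Zone("WebDev_API", ip_networks=["10.7.15.0/24"], direct=True)]

# Traits as built by the first attempt: ipAddress() only.
PARTIAL_TRAITS = {"ip-address": "10.7.15.64"}
# Traits as built by the final answer: ipAddress(), isDirect(True), isSecure(False).
FULL_TRAITS = {"ip-address": "10.7.15.64", "direct-connection": True, "secure": False}


if __name__ == "__main__":
    for traits in (PARTIAL_TRAITS, FULL_TRAITS):
        print(ZONES[0].check(traits)[1])
        print("zones:", zones_for(ZONES, traits),
              "status:", authorize(ZONES, traits, "WebDev_API"))
```

The partial traits reproduce the exact log message from the thread, and the full traits match. Note the fail-closed behaviour in `check()`: an unset trait never satisfies a set qualifier, so every qualifier the zone constrains has to be supplied on the builder, which is the point of the final answer.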