@@ -625,13 +625,19 @@ class Endpoint {
625625 private function check_acl (): void {
626626 # Allow the API call if the ignore_acl flag is set
627627 if ($ this ->ignore_acl ) {
628+ $ this ->log (level: LOG_DEBUG , message: "Ignoring REST API ACL for $ this ->url as ignore_acl is set. " );
628629 return ;
629630 }
630631
631632 # Check if the client is allowed to access this Endpoint according to the REST API Access List
632633 if (
633634 !RESTAPIAccessListEntry::is_allowed_by_acl (ip: $ this ->client ->ip_address , username: $ this ->client ->username )
634635 ) {
636+ $ this ->log (
637+ level: LOG_WARNING ,
638+ message: "Denied {$ this ->client ->username }@ {$ this ->client ->ip_address } access to $ this ->url for REST " .
639+ "API access list violation. "
640+ );
635641 throw new ForbiddenError (
636642 message: 'The requested action is not allowed by admin policy ' ,
637643 response_id: 'ENDPOINT_CLIENT_NOT_ALLOWED_BY_ACL ' ,
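Review bot: The warning at lines 636-640 interpolates `$this->client->username` verbatim, and at the point an ACL denial is logged that username is attacker-supplied input, so unless `log()` strips control characters a client can inject newlines or terminal escapes into the log stream and forge or obscure entries. A call-site defence is to sanitize before interpolating, e.g. `$username = preg_replace('/[^\x20-\x7E]/', '?', (string) $this->client->username);` and use `{$username}` in the message; the same applies to `$this->url` if it reflects the request path rather than a configured endpoint URL. Whether `log()` already does this is not visible in the hunk. The ACL check itself is unchanged and correctly throws after logging.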
@@ -643,7 +649,13 @@ class Endpoint {
643649 * Checks if the API is enabled before allowing the call.
644650 */
645651 private function check_enabled (): void {
652+ $ client_ip = $ _SERVER ['REMOTE_ADDR ' ];
653+
646654 if (!$ this ->restapi_settings ->enabled ->value and !$ this ->ignore_enabled ) {
655+ $ this ->log (
656+ level: LOG_WARNING ,
657+ message: "Denied $ client_ip access to $ this ->url as REST API is disabled. "
658+ );
647659 throw new ServiceUnavailableError (
648660 message: 'The REST API is currently not enabled. ' ,
649661 response_id: 'ENDPOINT_REST_API_IS_NOT_ENABLED ' ,
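Review bot: `$client_ip = $_SERVER['REMOTE_ADDR']` at line 652 is read unconditionally and without a null-coalesce, so any invocation without a socket peer (CLI, test harness, internal call paths) raises an "Undefined array key" warning before the enabled check even runs; `$client_ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';` avoids that. It is also a different identity source than the `$this->client->ip_address` logged by check_acl, so an operator correlating denials sees two notions of "client" — presumably `$this->client` is not populated yet when check_enabled runs, which deserves a comment such as `# $this->client is not available yet; fall back to the raw socket peer`. Note that this WARNING is emitted for every request while the API is disabled and before any authentication, so an unauthenticated peer can fill the log at will; if `log()` has no rate limiting, consider LOG_NOTICE here or suppressing repeats per address.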
@@ -657,6 +669,7 @@ class Endpoint {
657669 private function check_interface_allowed (): void {
658670 # Variables
659671 $ server_ip = $ _SERVER ['SERVER_ADDR ' ];
672+ $ client_ip = $ _SERVER ['REMOTE_ADDR ' ];
660673 $ allowed_interfaces = $ this ->restapi_settings ->allowed_interfaces ->value ;
661674
662675 # Allow any interface if the allowed interfaces is empty or the ignore_interfaces flag is set
@@ -672,23 +685,28 @@ class Endpoint {
672685 # Loop through each allowed interface and check if the server IP is allowed to answer API calls
673686 foreach (
674687 $ this ->restapi_settings ->allowed_interfaces ->get_related_models ()->model_objects
675- as $ allowed_interface
688+ as $ allowed_if
676689 ) {
677690 # Allow the server IP if it matches the current interface's IPv4 or IPv6 address
678- if ($ server_ip === $ allowed_interface ->get_current_ipv4 ()) {
691+ if ($ server_ip === $ allowed_if ->get_current_ipv4 ()) {
679692 return ;
680693 }
681- if ($ server_ip === $ allowed_interface ->get_current_ipv6 ()) {
694+ if ($ server_ip === $ allowed_if ->get_current_ipv6 ()) {
682695 return ;
683696 }
684697
685698 # Check if this interface has a virtual IP that matches the server IP that accepted the API call
686- $ vip_q = VirtualIP::query (interface: $ allowed_interface ->represented_as (), subnet: $ server_ip );
699+ $ vip_q = VirtualIP::query (interface: $ allowed_if ->represented_as (), subnet: $ server_ip );
687700 if ($ vip_q ->exists ()) {
688701 return ;
689702 }
690703 }
704+
691705 # Throw a forbidden error if this API call was made to a non-API enabled interface
706+ $ this ->log (
707+ level: LOG_WARNING ,
708+ message:"Denied $ client_ip access to $ this ->url as interface IP $ server_ip is not allowed to respond. "
709+ );
692710 throw new ForbiddenError (
693711 message: 'The requested action is not allowed by admin policy ' ,
694712 response_id: 'ENDPOINT_INTERFACE_NOT_ALLOWED ' ,
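Review bot: The denial logged at lines 706-709 depends only on the listening address and fires before any authentication, so an unauthenticated client reaching a non-API interface can write an unbounded number of WARNING lines; if `log()` does not rate-limit, consider LOG_NOTICE here or collapsing repeats per `$client_ip`. Pre-existing but in the same hunk: `$server_ip === $allowed_if->get_current_ipv6()` at line 694 compares IPv6 addresses as strings, and `$_SERVER['SERVER_ADDR']` may render the same address in a different textual form (compressed vs. expanded, zone suffix) than the interface model returns, which would wrongly deny a legitimately allowed interface — normalising both sides with `inet_pton()` before comparing is the usual fix. Style: `message:"Denied …"` at line 708 is missing the space after the colon that every other named argument in the hunk uses.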