From 36bfe8e24e79cc5cd0dbbe637659b65f858a7ab7 Mon Sep 17 00:00:00 2001
From: Pierre Hubert
Date: Sat, 16 Oct 2021 21:55:29 +0200
Subject: [PATCH] Accept wider range of IP for proxies and RTC relay

---
 src/controllers/rtc_relay_controller.rs | 3 ++-
 src/data/http_request_handler.rs | 3 ++-
 src/utils/mod.rs | 3 ++-
 src/utils/network_utils.rs | 28 +++++++++++++++++++++++++
 4 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 src/utils/network_utils.rs

diff --git a/src/controllers/rtc_relay_controller.rs b/src/controllers/rtc_relay_controller.rs
index e736aa5..5b8d046 100644
--- a/src/controllers/rtc_relay_controller.rs
+++ b/src/controllers/rtc_relay_controller.rs
@@ -13,6 +13,7 @@ use crate::data::config::conf;
 use crate::data::error::{ExecError, Res};
 use crate::helpers::events_helper;
 use crate::helpers::events_helper::Event;
+use crate::utils::network_utils::match_ip;
 
 struct RtcRelayActor {}
 
@@ -245,7 +246,7 @@ pub async fn open_ws(req: actix_web::HttpRequest,
 let conf = conf().rtc_relay.as_ref().unwrap();
 
 // Check remote IP address
- if !ip.ip().to_string().eq(&conf.ip) {
+ if !match_ip(&conf.ip, ip.ip().to_string().as_str()) {
 eprintln!("A relay from {} tried to connect to the server but the IP address is not authorized!", ip);
 return Ok(actix_web::HttpResponse::Unauthorized().body("Access denied!"));
 }
diff --git a/src/data/http_request_handler.rs b/src/data/http_request_handler.rs
index fbb17e1..c7b14a3 100644
--- a/src/data/http_request_handler.rs
+++ b/src/data/http_request_handler.rs
@@ -15,6 +15,7 @@ use crate::data::error::{Res, ResultBoxError};
 use crate::data::user_token::UserAccessToken;
 use crate::helpers::{account_helper, admin_access_token_helper, api_helper};
 use crate::routes::RequestResult;
+use crate::utils::network_utils::match_ip;
 
 /// Http request handler
 ///
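Review bot: The relay authorization at `if !match_ip(&conf.ip, ip.ip().to_string().as_str())` now accepts a wildcard in `conf.ip`, but nothing at the check or in the commit tells an operator that the trailing `*` is a textual prefix rather than a network mask, so a value such as `10.0.1*` also admits peers in `10.0.100.x`, and `*` alone admits any peer. The same widening applies to the proxy-trust check in the http_request_handler.rs hunk (`if match_ip(proxy, &ip)`), where a match decides whether `X-Forwarded-For` is honored, so the set of hosts able to assert the client address grows with the pattern. A comment at this check would make the contract visible: `// conf.ip may end in '*': textual prefix match (see utils::network_utils::match_ip); keep it octet-aligned, e.g. "a.b.c.*"`. Enforcing that boundary belongs in match_ip itself (the network_utils.rs hunk), not in each caller. open_ws continues outside the hunk.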
@@ -183,7 +184,7 @@ impl BaseRequestHandler for HttpRequestHandler { // We check if the request comes from a trusted reverse proxy if let Some(proxy) = conf().proxy.as_ref() { - if ip.eq(proxy) { + if match_ip(proxy, &ip) { if let Some(header) = self.request.headers().get("X-Forwarded-For") { let header: Vec = header .to_str() diff --git a/src/utils/mod.rs b/src/utils/mod.rs index ca23dd7..4c35fdd 100644 --- a/src/utils/mod.rs +++ b/src/utils/mod.rs @@ -11,4 +11,5 @@ pub mod pdf_utils; pub mod mp3_utils; pub mod mp4_utils; pub mod zip_utils; -pub mod webpage_utils; \ No newline at end of file +pub mod webpage_utils; +pub mod network_utils; \ No newline at end of file diff --git a/src/utils/network_utils.rs b/src/utils/network_utils.rs new file mode 100644 index 0000000..ae9f44f --- /dev/null +++ b/src/utils/network_utils.rs @@ -0,0 +1,28 @@ +//! # Network utilities +//! +//! @author Pierre Hubert + +/// Check whether an IP address matches a given pattern. Pattern can be either: +/// * An IP address +/// * An IP mask ending with a star (*) +/// +/// ``` +/// use comunic_server::utils::network_utils::match_ip; +/// +/// assert!(match_ip("127.0.0.1", "127.0.0.1")); +/// assert!(!match_ip("127.0.0.1", "127.0.0.2")); +/// assert!(match_ip("127.0.0.*", "127.0.0.2")); +/// assert!(!match_ip("127.0.0.*", "187.0.0.2")); +/// ``` +/// +pub fn match_ip(pattern: &str, ip: &str) -> bool { + if pattern.eq(ip) { + return true; + } + + if pattern.ends_with("*") && ip.starts_with(&pattern.replace("*", "")){ + return true; + } + + false +} \ No newline at end of file
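Review bot: `match_ip` treats a trailing `*` as a bare string prefix (`ip.starts_with(&pattern.replace("*", ""))`), so the match does not stop at an address-group boundary: `10.0.1*` accepts `10.0.100.7` as readily as `10.0.1.7`, and the pattern `*` yields an empty prefix that accepts every peer, which matters because both callers in this commit use the result to grant trust. `replace("*", "")` also strips stars anywhere in the pattern, so `10.*.0.*` silently becomes the prefix `10..0.` instead of being rejected. I would keep the exact-match branch and, for the wildcard branch, require the text before the `*` to be non-empty and end in `.` or `:` so a pattern can only widen to whole octets or groups; if a catch-all is genuinely wanted it should be an explicit configuration choice rather than a by-product of an empty prefix, and since IPv6 has several textual spellings the prefix form is only dependable for IPv4 dotted quads (a `std::net::IpAddr` plus prefix-length comparison would be the robust follow-up). The doc comment should state the contract (`/// * An IP prefix ending with a star, e.g. "127.0.0.*" (the prefix must end at an octet boundary)`) and the doc-test can pin it with `assert!(!match_ip("127.0.1*", "127.0.100.1"));` and `assert!(!match_ip("*", "127.0.0.1"));`.
```rust
pub fn match_ip(pattern: &str, ip: &str) -> bool {
    if pattern == ip {
        return true;
    }

    // Wildcard form: only a trailing '*' is accepted, and the prefix must stop
    // at a group boundary so "10.0.1*" cannot also admit 10.0.100.x peers.
    // An empty prefix ("*") is rejected rather than matching everything.
    match pattern.strip_suffix('*') {
        Some(prefix) if !prefix.is_empty() && (prefix.ends_with('.') || prefix.ends_with(':')) => {
            ip.starts_with(prefix)
        }
        _ => false,
    }
}
```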