diff --git a/Cargo.lock b/Cargo.lock index ec046ca..f9ef785 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -108,6 +108,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "actix-remote-ip" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7629b357d4705cf3f1e31f989f48ecd56027112f7d52dcf06dd96ee197065f8e" +dependencies = [ + "actix-web", + "futures-util", + "log", +] + [[package]] name = "actix-router" version = "0.5.1" @@ -547,6 +558,7 @@ version = "0.1.4" dependencies = [ "actix", "actix-identity", + "actix-remote-ip", "actix-session", "actix-web", "aes-gcm", diff --git a/Cargo.toml b/Cargo.toml index 3e423c1..2ab4e55 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,6 +10,7 @@ actix = "0.13.0" actix-identity = "0.5.2" actix-web = "4" actix-session = { version = "0.7.2", features = ["cookie-session"] } +actix-remote-ip = "0.1.0" clap = { version = "4.2.1", features = ["derive", "env"] } include_dir = "0.7.3" log = "0.4.17" diff --git a/src/controllers/login_api.rs b/src/controllers/login_api.rs index 19043a0..532fdc1 100644 --- a/src/controllers/login_api.rs +++ b/src/controllers/login_api.rs @@ -1,9 +1,9 @@ use crate::actors::users_actor; use crate::actors::users_actor::UsersActor; use crate::data::action_logger::{Action, ActionLogger}; -use crate::data::remote_ip::RemoteIP; use actix::Addr; use actix_identity::Identity; +use actix_remote_ip::RemoteIP; use actix_web::{web, HttpRequest, HttpResponse, Responder}; use webauthn_rs::prelude::PublicKeyCredential; diff --git a/src/controllers/login_controller.rs b/src/controllers/login_controller.rs index 5bcf1f3..770beeb 100644 --- a/src/controllers/login_controller.rs +++ b/src/controllers/login_controller.rs @@ -1,5 +1,6 @@ use actix::Addr; use actix_identity::Identity; +use actix_remote_ip::RemoteIP; use actix_web::{web, HttpRequest, HttpResponse, Responder}; use askama::Template; use std::sync::Arc; @@ -14,7 +15,6 @@ use crate::controllers::base_controller::{ use crate::data::action_logger::{Action, ActionLogger}; use crate::data::login_redirect::LoginRedirect; use crate::data::provider::{Provider, ProvidersManager}; -use crate::data::remote_ip::RemoteIP; use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::user::User; use crate::data::webauthn_manager::WebAuthManagerReq; diff --git a/src/controllers/providers_controller.rs b/src/controllers/providers_controller.rs index f067ad7..3b77f95 100644 --- a/src/controllers/providers_controller.rs +++ b/src/controllers/providers_controller.rs @@ -2,6 +2,7 @@ use std::sync::Arc; use actix::Addr; use actix_identity::Identity; +use actix_remote_ip::RemoteIP; use actix_web::{web, HttpRequest, HttpResponse, Responder}; use askama::Template; @@ -16,7 +17,6 @@ use crate::data::action_logger::{Action, ActionLogger}; use crate::data::login_redirect::LoginRedirect; use crate::data::provider::{ProviderID, ProvidersManager}; use crate::data::provider_configuration::ProviderConfigurationHelper; -use crate::data::remote_ip::RemoteIP; use crate::data::session_identity::{SessionIdentity, SessionStatus}; #[derive(askama::Template)] diff --git a/src/controllers/settings_controller.rs b/src/controllers/settings_controller.rs index db713e2..30c69b4 100644 --- a/src/controllers/settings_controller.rs +++ b/src/controllers/settings_controller.rs @@ -1,4 +1,5 @@ use actix::Addr; +use actix_remote_ip::RemoteIP; use actix_web::{web, HttpResponse, Responder}; use askama::Template; @@ -9,7 +10,7 @@ use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN}; use crate::data::action_logger::{Action, ActionLogger}; use crate::data::app_config::AppConfig; use crate::data::current_user::CurrentUser; -use crate::data::remote_ip::RemoteIP; + use crate::data::user::User; pub(crate) struct BaseSettingsPage<'a> { @@ -45,6 +46,7 @@ impl<'a> BaseSettingsPage<'a> { #[template(path = "settings/account_details.html")] struct AccountDetailsPage<'a> { _p: BaseSettingsPage<'a>, + remote_ip: String, } #[derive(Template)] @@ -55,11 +57,12 @@ struct ChangePasswordPage<'a> { } /// Account details page -pub async fn account_settings_details_route(user: CurrentUser) -> impl Responder { +pub async fn account_settings_details_route(user: CurrentUser, ip: RemoteIP) -> impl Responder { let user = user.into(); HttpResponse::Ok().body( AccountDetailsPage { _p: BaseSettingsPage::get("Account details", &user, None, None), + remote_ip: ip.0.to_string(), } .render() .unwrap(), diff --git a/src/data/action_logger.rs b/src/data/action_logger.rs index 694d074..46e9278 100644 --- a/src/data/action_logger.rs +++ b/src/data/action_logger.rs @@ -4,6 +4,7 @@ use std::pin::Pin; use actix::Addr; use actix_identity::Identity; +use actix_remote_ip::RemoteIP; use actix_web::dev::Payload; use actix_web::{web, Error, FromRequest, HttpRequest}; @@ -12,7 +13,7 @@ use crate::actors::users_actor; use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor}; use crate::data::client::Client; use crate::data::provider::{Provider, ProviderID}; -use crate::data::remote_ip::RemoteIP; + use crate::data::session_identity::SessionIdentity; use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID}; diff --git a/src/data/mod.rs b/src/data/mod.rs index 8bcf253..bb1f10a 100644 --- a/src/data/mod.rs +++ b/src/data/mod.rs @@ -12,7 +12,6 @@ pub mod login_redirect; pub mod openid_primitive; pub mod provider; pub mod provider_configuration; -pub mod remote_ip; pub mod session_identity; pub mod totp_key; pub mod user; diff --git a/src/data/remote_ip.rs b/src/data/remote_ip.rs deleted file mode 100644 index 98b7531..0000000 --- a/src/data/remote_ip.rs +++ /dev/null @@ -1,30 +0,0 @@ -use std::net::IpAddr; - -use actix_web::dev::Payload; -use actix_web::{Error, FromRequest, HttpRequest}; -use futures_util::future::{ready, Ready}; - -use crate::data::app_config::AppConfig; -use crate::utils::network_utils::get_remote_ip; - -#[derive(Copy, Clone, Debug, Eq, PartialEq)] -pub struct RemoteIP(pub IpAddr); - -impl From for IpAddr { - fn from(i: RemoteIP) -> Self { - i.0 - } -} - -impl FromRequest for RemoteIP { - type Error = Error; - type Future = Ready>; - - #[inline] - fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future { - ready(Ok(RemoteIP(get_remote_ip( - req, - AppConfig::get().proxy_ip.as_deref(), - )))) - } -} diff --git a/src/main.rs b/src/main.rs index 1093f87..5c34e79 100644 --- a/src/main.rs +++ b/src/main.rs @@ -4,6 +4,7 @@ use std::sync::Arc; use actix::Actor; use actix_identity::config::LogoutBehaviour; use actix_identity::IdentityMiddleware; +use actix_remote_ip::RemoteIPConfig; use actix_session::storage::CookieSessionStore; use actix_session::SessionMiddleware; use actix_web::cookie::{Key, SameSite}; @@ -113,6 +114,9 @@ async fn main() -> std::io::Result<()> { .app_data(web::Data::new(providers.clone())) .app_data(web::Data::new(jwt_signer.clone())) .app_data(web::Data::new(webauthn_manager.clone())) + .app_data(web::Data::new(RemoteIPConfig { + proxy: AppConfig::get().proxy_ip.clone(), + })) .wrap( middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")), ) diff --git a/src/utils/mod.rs b/src/utils/mod.rs index a93d33b..86d67dc 100644 --- a/src/utils/mod.rs +++ b/src/utils/mod.rs @@ -1,5 +1,4 @@ pub mod crypt_utils; pub mod err; -pub mod network_utils; pub mod string_utils; pub mod time; diff --git a/src/utils/network_utils.rs b/src/utils/network_utils.rs deleted file mode 100644 index 874a5e4..0000000 --- a/src/utils/network_utils.rs +++ /dev/null @@ -1,178 +0,0 @@ -use std::net::{IpAddr, Ipv6Addr}; -use std::str::FromStr; - -use actix_web::HttpRequest; - -/// Check if two ips matches -pub fn match_ip(pattern: &str, ip: &str) -> bool { - if pattern.eq(ip) { - return true; - } - - if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) { - return true; - } - - false -} - -/// Get the remote IP address -pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> IpAddr { - let mut ip = req.peer_addr().unwrap().ip(); - - // We check if the request comes from a trusted reverse proxy - if let Some(proxy) = proxy_ip.as_ref() { - if match_ip(proxy, &ip.to_string()) { - if let Some(header) = req.headers().get("X-Forwarded-For") { - let header = header.to_str().unwrap(); - - let remote_ip = if let Some((upstream_ip, _)) = header.split_once(',') { - upstream_ip - } else { - header - }; - - if let Some(upstream_ip) = parse_ip(remote_ip) { - ip = upstream_ip; - } - } - } - } - - ip -} - -/// Parse an IP address -pub fn parse_ip(ip: &str) -> Option { - let mut ip = match IpAddr::from_str(ip) { - Ok(ip) => ip, - Err(e) => { - log::warn!("Failed to parse an IP address: {}", e); - return None; - } - }; - - if let IpAddr::V6(ipv6) = &mut ip { - let mut octets = ipv6.octets(); - for o in octets.iter_mut().skip(8) { - *o = 0; - } - ip = IpAddr::V6(Ipv6Addr::from(octets)); - } - - Some(ip) -} - -#[cfg(test)] -mod test { - use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr}; - use std::str::FromStr; - - use actix_web::test::TestRequest; - - use crate::utils::network_utils::{get_remote_ip, parse_ip}; - - #[test] - fn test_get_remote_ip() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, None), - "192.168.1.1".parse::().unwrap() - ); - } - - #[test] - fn test_get_remote_ip_from_proxy() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .insert_header(("X-Forwarded-For", "1.1.1.1")) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, Some("192.168.1.1")), - "1.1.1.1".parse::().unwrap() - ); - } - - #[test] - fn test_get_remote_ip_from_proxy_2() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2")) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, Some("192.168.1.1")), - "1.1.1.1".parse::().unwrap() - ); - } - - #[test] - fn test_get_remote_ip_from_proxy_ipv6() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .insert_header(("X-Forwarded-For", "10::1, 1.2.2.2")) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, Some("192.168.1.1")), - "10::".parse::().unwrap() - ); - } - - #[test] - fn test_get_remote_ip_from_no_proxy() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2")) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, None), - "192.168.1.1".parse::().unwrap() - ); - } - - #[test] - fn test_get_remote_ip_from_other_proxy() { - let req = TestRequest::default() - .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap()) - .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2")) - .to_http_request(); - assert_eq!( - get_remote_ip(&req, Some("192.168.1.2")), - "192.168.1.1".parse::().unwrap() - ); - } - - #[test] - fn parse_bad_ip() { - let ip = parse_ip("badbad"); - assert_eq!(None, ip); - } - - #[test] - fn parse_ip_v4_address() { - let ip = parse_ip("192.168.1.1").unwrap(); - assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1))); - } - - #[test] - fn parse_ip_v6_address() { - let ip = parse_ip("2a00:1450:4007:813::200e").unwrap(); - assert_eq!( - ip, - IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0)) - ); - } - - #[test] - fn parse_ip_v6_address_2() { - let ip = parse_ip("::1").unwrap(); - assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0))); - } - - #[test] - fn parse_ip_v6_address_3() { - let ip = parse_ip("a::1").unwrap(); - assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0))); - } -} diff --git a/templates/settings/account_details.html b/templates/settings/account_details.html index ace56be..4d918de 100644 --- a/templates/settings/account_details.html +++ b/templates/settings/account_details.html @@ -30,4 +30,6 @@ +

Your IP address: {{ remote_ip }}

+ {% endblock content %}