Can set a list of allowed IP
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
9d738285ab
commit
9365e9afdf
@ -17,6 +17,7 @@ Please refer to this guide: [virtweb_docs/SETUP_PROD.md](virtweb_docs/SETUP_PROD
|
||||
* Start & stop networks
|
||||
* Create, update & delete network filters
|
||||
* Upload ISO for easy VM installation
|
||||
* API tokens for system interconnection
|
||||
|
||||
## Screenshot
|
||||
![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png)
|
||||
![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png)
|
||||
|
@ -103,10 +103,15 @@ pub struct AppConfig {
|
||||
#[arg(short = 'H', long, env)]
|
||||
pub hypervisor_uri: Option<String>,
|
||||
|
||||
/// Trusted network. If set, a client from a different will not be able to perform request other
|
||||
/// than those with GET verb (aside for login)
|
||||
/// Trusted network. If set, a client (user) from a different network will not be able to perform
|
||||
/// request other than those with GET verb (aside for login)
|
||||
#[arg(short = 'T', long, env)]
|
||||
pub trusted_network: Vec<String>,
|
||||
|
||||
/// Comma-separated list of allowed networks. If set, a client (user or API token) from a
|
||||
/// different network will not be able to access VirtWeb
|
||||
#[arg(short = 'A', long, env)]
|
||||
pub allowed_networks: Vec<String>,
|
||||
}
|
||||
|
||||
lazy_static::lazy_static! {
|
||||
@ -190,6 +195,25 @@ impl AppConfig {
|
||||
false
|
||||
}
|
||||
|
||||
/// Check if an IP belongs to an allowed network or not
|
||||
pub fn is_allowed_ip(&self, ip: IpAddr) -> bool {
|
||||
if self.allowed_networks.is_empty() {
|
||||
return true;
|
||||
}
|
||||
|
||||
for i in &self.allowed_networks {
|
||||
for sub_i in i.split(',') {
|
||||
let net =
|
||||
ipnetwork::IpNetwork::from_str(sub_i).expect("Allowed network is invalid!");
|
||||
if net.contains(ip) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
false
|
||||
}
|
||||
|
||||
/// Get OpenID providers configuration
|
||||
pub fn openid_provider(&self) -> Option<OIDCProvider<'_>> {
|
||||
if self.disable_oidc {
|
||||
|
@ -67,6 +67,16 @@ where
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
if !AppConfig::get().is_allowed_ip(remote_ip.0) {
|
||||
log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip);
|
||||
return Ok(req
|
||||
.into_response(
|
||||
HttpResponse::MethodNotAllowed()
|
||||
.json("I am sorry, but your IP is not allowed to access this service!"),
|
||||
)
|
||||
.map_into_right_body());
|
||||
}
|
||||
|
||||
let auth_disabled = AppConfig::get().unsecure_disable_auth;
|
||||
|
||||
// Check API authentication
|
||||
|
Loading…
Reference in New Issue
Block a user