diff --git a/README.md b/README.md index e762be3..b558e9b 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ Please refer to this guide: [virtweb_docs/SETUP_PROD.md](virtweb_docs/SETUP_PROD * Start & stop networks * Create, update & delete network filters * Upload ISO for easy VM installation +* API tokens for system interconnection ## Screenshot -![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png) \ No newline at end of file +![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png) diff --git a/virtweb_backend/src/app_config.rs b/virtweb_backend/src/app_config.rs index 16780b6..7fbd11a 100644 --- a/virtweb_backend/src/app_config.rs +++ b/virtweb_backend/src/app_config.rs @@ -103,10 +103,15 @@ pub struct AppConfig { #[arg(short = 'H', long, env)] pub hypervisor_uri: Option, - /// Trusted network. If set, a client from a different will not be able to perform request other - /// than those with GET verb (aside for login) + /// Trusted network. If set, a client (user) from a different network will not be able to perform + /// request other than those with GET verb (aside for login) #[arg(short = 'T', long, env)] pub trusted_network: Vec, + + /// Comma-separated list of allowed networks. If set, a client (user or API token) from a + /// different network will not be able to access VirtWeb + #[arg(short = 'A', long, env)] + pub allowed_networks: Vec, } lazy_static::lazy_static! { @@ -190,6 +195,25 @@ impl AppConfig { false } + /// Check if an IP belongs to an allowed network or not + pub fn is_allowed_ip(&self, ip: IpAddr) -> bool { + if self.allowed_networks.is_empty() { + return true; + } + + for i in &self.allowed_networks { + for sub_i in i.split(',') { + let net = + ipnetwork::IpNetwork::from_str(sub_i).expect("Allowed network is invalid!"); + if net.contains(ip) { + return true; + } + } + } + + false + } + /// Get OpenID providers configuration pub fn openid_provider(&self) -> Option> { if self.disable_oidc { diff --git a/virtweb_backend/src/middlewares/auth_middleware.rs b/virtweb_backend/src/middlewares/auth_middleware.rs index 7479b4d..f6b47ef 100644 --- a/virtweb_backend/src/middlewares/auth_middleware.rs +++ b/virtweb_backend/src/middlewares/auth_middleware.rs @@ -67,6 +67,16 @@ where .await .unwrap(); + if !AppConfig::get().is_allowed_ip(remote_ip.0) { + log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip); + return Ok(req + .into_response( + HttpResponse::MethodNotAllowed() + .json("I am sorry, but your IP is not allowed to access this service!"), + ) + .map_into_right_body()); + } + let auth_disabled = AppConfig::get().unsecure_disable_auth; // Check API authentication