From 9365e9afdf59b1b6ee4c488e37b5536c0d0876b7 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Tue, 23 Apr 2024 19:29:11 +0200
Subject: [PATCH] Can set a list of allowed IP
---
 README.md | 3 +-
 virtweb_backend/src/app_config.rs | 28 +++++++++++++++++--
 .../src/middlewares/auth_middleware.rs | 10 +++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index e762be3..b558e9b 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ Please refer to this guide: [virtweb_docs/SETUP_PROD.md](virtweb_docs/SETUP_PROD
 * Start & stop networks
 * Create, update & delete network filters
 * Upload ISO for easy VM installation
+* API tokens for system interconnection
 ## Screenshot
-![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png)
\ No newline at end of file
+![](https://0ph.fr/resume_assets/img/screenshots/virtweb.png)
diff --git a/virtweb_backend/src/app_config.rs b/virtweb_backend/src/app_config.rs
index 16780b6..7fbd11a 100644
--- a/virtweb_backend/src/app_config.rs
+++ b/virtweb_backend/src/app_config.rs
@@ -103,10 +103,15 @@ pub struct AppConfig {
 #[arg(short = 'H', long, env)]
 pub hypervisor_uri: Option,
- /// Trusted network. If set, a client from a different will not be able to perform request other
- /// than those with GET verb (aside for login)
+ /// Trusted network. If set, a client (user) from a different network will not be able to perform
+ /// request other than those with GET verb (aside for login)
 #[arg(short = 'T', long, env)]
 pub trusted_network: Vec,
+
+ /// Comma-separated list of allowed networks. If set, a client (user or API token) from a
+ /// different network will not be able to access VirtWeb #[arg(short = 'A', long, env)]
+ pub allowed_networks: Vec,
 }
 lazy_static::lazy_static! {
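Review bot: The doc comment on the new `allowed_networks` field does not say what one entry looks like, although `is_allowed_ip` in the next hunk parses every comma-separated item with `ipnetwork::IpNetwork::from_str` and panics on anything it cannot parse. Since this is a user-facing configuration option, the comment should state the expected notation and the consequence of a bad value, e.g. `/// Comma-separated list of allowed networks, in CIDR notation (e.g. 10.0.0.0/8). If set, a client (user or API token) from a different network will not be able to access VirtWeb. An entry that does not parse makes the check panic.` The `AppConfig` struct starts before this hunk and closes inside it.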
@@ -190,6 +195,25 @@ impl AppConfig {
 false
 }
+ /// Check if an IP belongs to an allowed network or not
+ pub fn is_allowed_ip(&self, ip: IpAddr) -> bool {
+ if self.allowed_networks.is_empty() {
+ return true;
+ }
+
+ for i in &self.allowed_networks {
+ for sub_i in i.split(',') {
+ let net =
+ ipnetwork::IpNetwork::from_str(sub_i).expect("Allowed network is invalid!");
+ if net.contains(ip) {
+ return true;
+ }
+ }
+ }
+
+ false
+ }
+
 /// Get OpenID providers configuration
 pub fn openid_provider(&self) -> Option> {
 if self.disable_oidc {
diff --git a/virtweb_backend/src/middlewares/auth_middleware.rs b/virtweb_backend/src/middlewares/auth_middleware.rs
index 7479b4d..f6b47ef 100644
--- a/virtweb_backend/src/middlewares/auth_middleware.rs
+++ b/virtweb_backend/src/middlewares/auth_middleware.rs
@@ -67,6 +67,16 @@ where
 .await
 .unwrap();
+ if !AppConfig::get().is_allowed_ip(remote_ip.0) {
+ log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip);
+ return Ok(req
+ .into_response(
+ HttpResponse::MethodNotAllowed()
+ .json("I am sorry, but your IP is not allowed to access this service!"),
+ )
+ .map_into_right_body());
+ }
+
 let auth_disabled = AppConfig::get().unsecure_disable_auth;
 // Check API authentication
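Review bot: `is_allowed_ip` panics at request time on any entry it cannot parse: `i.split(',')` hands `IpNetwork::from_str` the raw pieces, so a list written as `10.0.0.0/8, 192.168.0.0/16` (space after the comma) or one with a trailing comma produces a piece that fails to parse, and the `expect` fires inside the middleware on the first request instead of when the configuration is loaded. The pieces should be trimmed and empty ones skipped, and the parse should ideally happen once (a helper called at startup that returns the parsed networks) rather than on every request; the rewrite below keeps the signature and the `expect` so the call site is unchanged, with the side effect that a list containing only blank pieces now denies every client instead of panicking. Whether `FromStr` is already in scope in this file is not visible in the hunk. The enclosing `impl AppConfig` starts and ends outside the hunk.
```rust
    pub fn is_allowed_ip(&self, ip: IpAddr) -> bool {
        if self.allowed_networks.is_empty() {
            return true;
        }

        self.allowed_networks
            .iter()
            .flat_map(|list| list.split(','))
            .map(str::trim)
            .filter(|entry| !entry.is_empty())
            // TODO: parse once at configuration load instead of on every request
            .map(|entry| {
                ipnetwork::IpNetwork::from_str(entry).expect("Allowed network is invalid!")
            })
            .any(|net| net.contains(ip))
    }
```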
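Review bot: The rejection response uses `HttpResponse::MethodNotAllowed()` (405), which tells the client its HTTP verb is wrong, while the check is about the source address; `HttpResponse::Forbidden()` (403) is the status that describes an origin-based denial and keeps any monitoring keyed on status codes meaningful. The `log::error!` on the same branch is emitted once per denied request and is driven entirely by unauthenticated remote clients, so `log::warn!` is the better level, keeping the error channel for faults of the service itself. Whether the allow-list is effective also depends on where `remote_ip` comes from (the socket peer address or a forwarded header), which is resolved above the hunk and not visible here; if it is taken from a proxy header, only the proxy must be able to set that header. The enclosing function starts and ends outside the hunk.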