Can set a list of allowed IP

2024-04-23 19:29:11 +02:00
parent 9d738285ab
commit 9365e9afdf
3 changed files with 38 additions and 3 deletions
--- a/virtweb_backend/src/app_config.rs
+++ b/virtweb_backend/src/app_config.rs
@@ -103,10 +103,15 @@ pub struct AppConfig {
    #[arg(short = 'H', long, env)]
    pub hypervisor_uri: Option<String>,

-    /// Trusted network. If set, a client from a different will not be able to perform request other
-    /// than those with GET verb (aside for login)
+    /// Trusted network. If set, a client (user) from a different network will not be able to perform
+    /// request other than those with GET verb (aside for login)
    #[arg(short = 'T', long, env)]
    pub trusted_network: Vec<String>,
+
+    /// Comma-separated list of allowed networks. If set, a client (user or API token) from a
+    /// different network will not be able to access VirtWeb
+    #[arg(short = 'A', long, env)]
+    pub allowed_networks: Vec<String>,
 }

 lazy_static::lazy_static! {
@@ -190,6 +195,25 @@ impl AppConfig {
        false
    }

+    /// Check if an IP belongs to an allowed network or not
+    pub fn is_allowed_ip(&self, ip: IpAddr) -> bool {
+        if self.allowed_networks.is_empty() {
+            return true;
+        }
+
+        for i in &self.allowed_networks {
+            for sub_i in i.split(',') {
+                let net =
+                    ipnetwork::IpNetwork::from_str(sub_i).expect("Allowed network is invalid!");
+                if net.contains(ip) {
+                    return true;
+                }
+            }
+        }
+
+        false
+    }
+
    /// Get OpenID providers configuration
    pub fn openid_provider(&self) -> Option<OIDCProvider<'_>> {
        if self.disable_oidc {
--- a/virtweb_backend/src/middlewares/auth_middleware.rs
+++ b/virtweb_backend/src/middlewares/auth_middleware.rs
@@ -67,6 +67,16 @@ where
                    .await
                    .unwrap();

+            if !AppConfig::get().is_allowed_ip(remote_ip.0) {
+                log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip);
+                return Ok(req
+                    .into_response(
+                        HttpResponse::MethodNotAllowed()
+                            .json("I am sorry, but your IP is not allowed to access this service!"),
+                    )
+                    .map_into_right_body());
+            }
+
            let auth_disabled = AppConfig::get().unsecure_disable_auth;

            // Check API authentication