Add a system to restrict untrusted IPs

2023-12-12 01:52:46 +01:00
parent 4c839eb2d1
commit c7f7bfe67c
5 changed files with 43 additions and 3 deletions
--- a/virtweb_backend/src/app_config.rs
+++ b/virtweb_backend/src/app_config.rs
@@ -1,6 +1,8 @@
 use crate::libvirt_lib_structures::XMLUuid;
 use clap::Parser;
+use std::net::IpAddr;
 use std::path::{Path, PathBuf};
+use std::str::FromStr;

 /// VirtWeb backend API
 #[derive(Parser, Debug, Clone)]
@@ -85,6 +87,11 @@ pub struct AppConfig {
    /// Hypervisor URI. If not specified, "" will be used instead
    #[arg(long, env)]
    pub hypervisor_uri: Option<String>,
+
+    /// Trusted network. If set, a client from a different will not be able to perform request other
+    /// than those with GET verb (aside for login)
+    #[arg(long, env)]
+    pub trusted_network: Vec<String>,
 }

 lazy_static::lazy_static! {
@@ -131,6 +138,23 @@ impl AppConfig {
        self.auth_username == user && self.auth_password == pass
    }

+    /// Check if an IP belongs to a trusted network or not
+    pub fn is_trusted_ip(&self, ip: IpAddr) -> bool {
+        if self.trusted_network.is_empty() {
+            return true;
+        }
+
+        for i in &self.trusted_network {
+            let net = ipnetwork::IpNetwork::from_str(i).expect("Trusted network is invalid!");
+
+            if net.contains(ip) {
+                return true;
+            }
+        }
+
+        false
+    }
+
    /// Get OpenID providers configuration
    pub fn openid_provider(&self) -> Option<OIDCProvider<'_>> {
        if self.disable_oidc {
--- a/virtweb_backend/src/middlewares/auth_middleware.rs
+++ b/virtweb_backend/src/middlewares/auth_middleware.rs
@@ -61,6 +61,11 @@ where
        let service = Rc::clone(&self.service);

        Box::pin(async move {
+            let remote_ip =
+                actix_remote_ip::RemoteIP::from_request(req.request(), &mut Payload::None)
+                    .await
+                    .unwrap();
+
            let auth_disabled = AppConfig::get().unsecure_disable_auth;

            // Check authentication, if required
@@ -89,6 +94,15 @@ where
                        )
                        .map_into_right_body());
                }
+
+                if !AppConfig::get().is_trusted_ip(remote_ip.0) && !req.method().as_str().eq("GET")
+                {
+                    return Ok(req
+                        .into_response(
+                            HttpResponse::MethodNotAllowed().json("I am sorry, but your IP is not trusted. You cannot perform this action!"),
+                        )
+                        .map_into_right_body());
+                }
            }

            service