auth: cleanup

2023-09-09 19:26:36 +02:00 · 2023-09-09 19:26:36 +02:00 · 38c7245a3f
parent 156df0a8a5
commit 38c7245a3f
4 changed files with 28 additions and 36 deletions
--- a/docker-compose.dev-override.yml
+++ b/docker-compose.dev-override.yml
@ -14,3 +14,4 @@ services:
      # - SPEJSTORE_MEDIA_ROOT=
      # - SPEJSTORE_REQUIRE_AUTH=true
      - SPEJSTORE_OAUTH_REDIRECT_IS_HTTPS=false
+      - SPEJSTORE_PROXY_TRUSTED_IPS=172.21.37.1
--- a/spejstore/settings.py
+++ b/spejstore/settings.py
@ -220,8 +220,5 @@ SOCIAL_AUTH_JSONFIELD_ENABLED = True

 LABEL_API = env("LABEL_API", "http://label.waw.hackerspace.pl:4567")
 LOGIN_URL = "/admin/login/"
-# HSWAW lan
-LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "10.8.0.0/16")
-
-LAN_ALLOWED_HEADER = env("LAN_ALLOWED_HEADER", "X-LAN-ALLOWED")
-PROXY_TRUSTED_IPS = env("PROXY_TRUSTED_IPS", "172.21.37.1").split(",")
+# Local LAN address space
+LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "")
--- a/storage/authentication.py
+++ b/storage/authentication.py
@ -4,9 +4,6 @@ from rest_framework import exceptions
 from rest_framework.authentication import SessionAuthentication
 from spejstore.settings import (
    LAN_ALLOWED_ADDRESS_SPACE,
-    LAN_ALLOWED_HEADER,
-    PROD,
-    PROXY_TRUSTED_IPS,
 )


@ -41,38 +38,32 @@ def get_ip_from_request(request):


 def has_permission(request):
-    if PROD:
-        client_ip = get_ip_from_request(request)
-        if client_ip is None:
-            # This should only happen on localhost env when fiddling with code.
-            # It's technically impossible to get there with proper headers.
-            raise exceptions.AuthenticationFailed("Unauthorized: no ip detected?")
-        # Make sure that we need to check PROXY_TRUSTED_IPS here
-        if len(PROXY_TRUSTED_IPS) > 0:
-            if request.META["REMOTE_ADDR"] not in PROXY_TRUSTED_IPS:
-                raise exceptions.AuthenticationFailed(
-                    "Unauthorized: request is not coming from the PROXY_TRUSTED_IPS machine"
-                )
-        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
-            LAN_ALLOWED_ADDRESS_SPACE
-        )
-    else:
-        return True
-
+    # We don't care if address space is undefined
+    if LAN_ALLOWED_ADDRESS_SPACE == '':
+        return (True, '')
+    client_ip = get_ip_from_request(request)
+    if client_ip is None:
+        # This should only happen on localhost env when fiddling with code.
+        # It's technically impossible to get there with proper headers.
+        return (False, "Unauthorized: no ip detected?")
+    in_local_space = ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
+        LAN_ALLOWED_ADDRESS_SPACE
+    )
+    if not in_local_space:
+        return (False, "Unauthorized: " + client_ip + " not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE)
+    return (True, '')

 class LanAuthentication(SessionAuthentication):
    def authenticate(self, request):
        is_session_authorized = super().authenticate(request)
        if is_session_authorized:
            return is_session_authorized
-        is_authorized = has_permission(request)
+        is_authorized, error_message = has_permission(request)
        if is_authorized:
            user = getattr(request._request, "user", None)
            return (user, "authorized")
        else:
            raise exceptions.AuthenticationFailed(
-                "Unauthorized: not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE
+                error_message
            )

-    def authenticate_header(self, request):
-        return LAN_ALLOWED_HEADER
--- a/storage/middleware.py
+++ b/storage/middleware.py
@ -1,22 +1,25 @@
 from storage.authentication import has_permission
 from django.http import HttpResponseRedirect
-
+from spejstore.settings import STATIC_URL, MEDIA_URL, LOGIN_URL
+from django.core.exceptions import PermissionDenied

 def is_authorized_or_in_lan_middleware(get_response):
    # One-time configuration and initialization.
    login_paths_to_ignore = [
-        "/admin/login",
-        "/static",
+        "/login",
+        LOGIN_URL[:-1],
+        STATIC_URL[:-1],
+        MEDIA_URL[:-1],
        "/admin/static",
        "/complete",
        "/favicon.ico",
-        "/api",
+        "/api/1",
    ]

    def middleware(request):
        if request.user.is_authenticated:
            return get_response(request)
-        is_within_lan = has_permission(request)
+        is_within_lan, error_message = has_permission(request)
        if is_within_lan:
            return get_response(request)
        else:
@ -24,6 +27,6 @@ def is_authorized_or_in_lan_middleware(get_response):
                if request.path.startswith(login_path):
                    return get_response(request)
            else:
-                return HttpResponseRedirect("/admin/login")
+                raise PermissionDenied()

    return middleware