django: force auth for all requests
This commit is contained in:
parent
401fcc088d
commit
15bf813b04
|
@ -63,6 +63,7 @@ MIDDLEWARE = [
|
||||||
"django.middleware.security.SecurityMiddleware",
|
"django.middleware.security.SecurityMiddleware",
|
||||||
"whitenoise.middleware.WhiteNoiseMiddleware",
|
"whitenoise.middleware.WhiteNoiseMiddleware",
|
||||||
"django.middleware.cache.UpdateCacheMiddleware",
|
"django.middleware.cache.UpdateCacheMiddleware",
|
||||||
|
"storage.middleware.is_authorized_or_in_lan_middleware",
|
||||||
"django.middleware.gzip.GZipMiddleware",
|
"django.middleware.gzip.GZipMiddleware",
|
||||||
"django.contrib.sessions.middleware.SessionMiddleware",
|
"django.contrib.sessions.middleware.SessionMiddleware",
|
||||||
"django.middleware.common.CommonMiddleware",
|
"django.middleware.common.CommonMiddleware",
|
||||||
|
|
|
@ -24,7 +24,7 @@ headers_to_check_for_ip = [
|
||||||
|
|
||||||
|
|
||||||
def get_request_meta(request, key):
|
def get_request_meta(request, key):
|
||||||
value = request.META.get(key, request).strip()
|
value = request.META.get(key, "")
|
||||||
if value == "":
|
if value == "":
|
||||||
return None
|
return None
|
||||||
return value
|
return value
|
||||||
|
@ -40,6 +40,26 @@ def get_ip_from_request(request):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def has_permission(request):
|
||||||
|
if PROD:
|
||||||
|
client_ip = get_ip_from_request(request)
|
||||||
|
if client_ip is None:
|
||||||
|
# This should only happen on localhost env when fiddling with code.
|
||||||
|
# It's technically impossible to get there with proper headers.
|
||||||
|
raise exceptions.AuthenticationFailed("Unauthorized: no ip detected?")
|
||||||
|
# Make sure that we need to check PROXY_TRUSTED_IPS here
|
||||||
|
if len(PROXY_TRUSTED_IPS) > 0:
|
||||||
|
if request.META["REMOTE_ADDR"] not in PROXY_TRUSTED_IPS:
|
||||||
|
raise exceptions.AuthenticationFailed(
|
||||||
|
"Unauthorized: request is not coming from the PROXY_TRUSTED_IPS machine"
|
||||||
|
)
|
||||||
|
return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
|
||||||
|
LAN_ALLOWED_ADDRESS_SPACE
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
class LanAuthentication(SessionAuthentication):
|
class LanAuthentication(SessionAuthentication):
|
||||||
def authenticate(self, request):
|
def authenticate(self, request):
|
||||||
is_session_authorized = super().authenticate(request)
|
is_session_authorized = super().authenticate(request)
|
||||||
|
@ -56,20 +76,3 @@ class LanAuthentication(SessionAuthentication):
|
||||||
|
|
||||||
def authenticate_header(self, request):
|
def authenticate_header(self, request):
|
||||||
return LAN_ALLOWED_HEADER
|
return LAN_ALLOWED_HEADER
|
||||||
|
|
||||||
def has_permission(self, request):
|
|
||||||
if PROD:
|
|
||||||
client_ip = get_ip_from_request(request)
|
|
||||||
if client_ip is None:
|
|
||||||
raise exceptions.AuthenticationFailed("Unauthorized: no ip detected?")
|
|
||||||
# Make sure that we need to check PROXY_TRUSTED_IPS here
|
|
||||||
if len(PROXY_TRUSTED_IPS) > 0:
|
|
||||||
if request.META["REMOTE_ADDR"] not in PROXY_TRUSTED_IPS:
|
|
||||||
raise exceptions.AuthenticationFailed(
|
|
||||||
"Unauthorized: request is not coming from the PROXY_TRUSTED_IPS machine"
|
|
||||||
)
|
|
||||||
return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
|
|
||||||
LAN_ALLOWED_ADDRESS_SPACE
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
return True
|
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
from django.core.exceptions import PermissionDenied
|
||||||
|
from storage.authentication import has_permission
|
||||||
|
|
||||||
|
|
||||||
|
def is_authorized_or_in_lan_middleware(get_response):
|
||||||
|
# One-time configuration and initialization.
|
||||||
|
|
||||||
|
def middleware(request):
|
||||||
|
# Code to be executed for each request before
|
||||||
|
# the view (and later middleware) are called.
|
||||||
|
|
||||||
|
response = get_response(request)
|
||||||
|
if request.user.is_authenticated:
|
||||||
|
return response
|
||||||
|
is_within_lan = has_permission(request)
|
||||||
|
if is_within_lan:
|
||||||
|
return response
|
||||||
|
else:
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
|
# Code to be executed for each request/response after
|
||||||
|
# the view is called.
|
||||||
|
|
||||||
|
return middleware
|
Loading…
Reference in New Issue