auth: cleanup

This commit is contained in:
Dariusz Niemczyk 2023-09-09 19:26:36 +02:00
parent 156df0a8a5
commit 38c7245a3f
No known key found for this signature in database
4 changed files with 28 additions and 36 deletions

View File

@ -14,3 +14,4 @@ services:
# - SPEJSTORE_MEDIA_ROOT=
# - SPEJSTORE_REQUIRE_AUTH=true
- SPEJSTORE_OAUTH_REDIRECT_IS_HTTPS=false
- SPEJSTORE_PROXY_TRUSTED_IPS=172.21.37.1

View File

@ -220,8 +220,5 @@ SOCIAL_AUTH_JSONFIELD_ENABLED = True
LABEL_API = env("LABEL_API", "http://label.waw.hackerspace.pl:4567")
LOGIN_URL = "/admin/login/"
# HSWAW lan
LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "10.8.0.0/16")
LAN_ALLOWED_HEADER = env("LAN_ALLOWED_HEADER", "X-LAN-ALLOWED")
PROXY_TRUSTED_IPS = env("PROXY_TRUSTED_IPS", "172.21.37.1").split(",")
# Local LAN address space
LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "")

View File

@ -4,9 +4,6 @@ from rest_framework import exceptions
from rest_framework.authentication import SessionAuthentication
from spejstore.settings import (
LAN_ALLOWED_ADDRESS_SPACE,
LAN_ALLOWED_HEADER,
PROD,
PROXY_TRUSTED_IPS,
)
@ -41,38 +38,32 @@ def get_ip_from_request(request):
def has_permission(request):
if PROD:
# We don't care if address space is undefined
if LAN_ALLOWED_ADDRESS_SPACE == '':
return (True, '')
client_ip = get_ip_from_request(request)
if client_ip is None:
# This should only happen on localhost env when fiddling with code.
# It's technically impossible to get there with proper headers.
raise exceptions.AuthenticationFailed("Unauthorized: no ip detected?")
# Make sure that we need to check PROXY_TRUSTED_IPS here
if len(PROXY_TRUSTED_IPS) > 0:
if request.META["REMOTE_ADDR"] not in PROXY_TRUSTED_IPS:
raise exceptions.AuthenticationFailed(
"Unauthorized: request is not coming from the PROXY_TRUSTED_IPS machine"
)
return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
return (False, "Unauthorized: no ip detected?")
in_local_space = ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
LAN_ALLOWED_ADDRESS_SPACE
)
else:
return True
if not in_local_space:
return (False, "Unauthorized: " + client_ip + " not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE)
return (True, '')
class LanAuthentication(SessionAuthentication):
def authenticate(self, request):
is_session_authorized = super().authenticate(request)
if is_session_authorized:
return is_session_authorized
is_authorized = has_permission(request)
is_authorized, error_message = has_permission(request)
if is_authorized:
user = getattr(request._request, "user", None)
return (user, "authorized")
else:
raise exceptions.AuthenticationFailed(
"Unauthorized: not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE
error_message
)
def authenticate_header(self, request):
return LAN_ALLOWED_HEADER

View File

@ -1,22 +1,25 @@
from storage.authentication import has_permission
from django.http import HttpResponseRedirect
from spejstore.settings import STATIC_URL, MEDIA_URL, LOGIN_URL
from django.core.exceptions import PermissionDenied
def is_authorized_or_in_lan_middleware(get_response):
# One-time configuration and initialization.
login_paths_to_ignore = [
"/admin/login",
"/static",
"/login",
LOGIN_URL[:-1],
STATIC_URL[:-1],
MEDIA_URL[:-1],
"/admin/static",
"/complete",
"/favicon.ico",
"/api",
"/api/1",
]
def middleware(request):
if request.user.is_authenticated:
return get_response(request)
is_within_lan = has_permission(request)
is_within_lan, error_message = has_permission(request)
if is_within_lan:
return get_response(request)
else:
@ -24,6 +27,6 @@ def is_authorized_or_in_lan_middleware(get_response):
if request.path.startswith(login_path):
return get_response(request)
else:
return HttpResponseRedirect("/admin/login")
raise PermissionDenied()
return middleware