hscloud: Add single address authentication
This commit is contained in:
parent
38c7245a3f
commit
f1143dc4f1
|
@ -222,3 +222,4 @@ LABEL_API = env("LABEL_API", "http://label.waw.hackerspace.pl:4567")
|
||||||
LOGIN_URL = "/admin/login/"
|
LOGIN_URL = "/admin/login/"
|
||||||
# Local LAN address space
|
# Local LAN address space
|
||||||
LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "")
|
LAN_ALLOWED_ADDRESS_SPACE = env("LAN_ALLOWED_ADDRESS_SPACE", "")
|
||||||
|
LAN_ALLOWED_SINGLE_ADDRESS = env("LAN_ALLOWED_SINGLE_ADDRESS", "")
|
||||||
|
|
|
@ -4,6 +4,7 @@ from rest_framework import exceptions
|
||||||
from rest_framework.authentication import SessionAuthentication
|
from rest_framework.authentication import SessionAuthentication
|
||||||
from spejstore.settings import (
|
from spejstore.settings import (
|
||||||
LAN_ALLOWED_ADDRESS_SPACE,
|
LAN_ALLOWED_ADDRESS_SPACE,
|
||||||
|
LAN_ALLOWED_SINGLE_ADDRESS,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -37,20 +38,29 @@ def get_ip_from_request(request):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def has_address_space_permission(client_ip):
|
||||||
|
return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
|
||||||
|
LAN_ALLOWED_ADDRESS_SPACE
|
||||||
|
)
|
||||||
|
|
||||||
|
def has_single_address_permission(client_ip):
|
||||||
|
return ipaddress.IPv4Address(client_ip) == LAN_ALLOWED_SINGLE_ADDRESS
|
||||||
|
|
||||||
|
|
||||||
def has_permission(request):
|
def has_permission(request):
|
||||||
# We don't care if address space is undefined
|
# We don't care if address space is undefined
|
||||||
if LAN_ALLOWED_ADDRESS_SPACE == '':
|
if LAN_ALLOWED_ADDRESS_SPACE == '' and LAN_ALLOWED_SINGLE_ADDRESS == '':
|
||||||
return (True, '')
|
return (True, '')
|
||||||
client_ip = get_ip_from_request(request)
|
client_ip = get_ip_from_request(request)
|
||||||
if client_ip is None:
|
if client_ip is None:
|
||||||
# This should only happen on localhost env when fiddling with code.
|
# This should only happen on localhost env when fiddling with code.
|
||||||
# It's technically impossible to get there with proper headers.
|
# It's technically impossible to get there with proper headers.
|
||||||
return (False, "Unauthorized: no ip detected?")
|
return (False, "Unauthorized: no ip detected?")
|
||||||
in_local_space = ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
|
|
||||||
LAN_ALLOWED_ADDRESS_SPACE
|
if LAN_ALLOWED_ADDRESS_SPACE != '' and not has_address_space_permission(client_ip):
|
||||||
)
|
|
||||||
if not in_local_space:
|
|
||||||
return (False, "Unauthorized: " + client_ip + " not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE)
|
return (False, "Unauthorized: " + client_ip + " not in subnet of " + LAN_ALLOWED_ADDRESS_SPACE)
|
||||||
|
if LAN_ALLOWED_SINGLE_ADDRESS != '' and not has_single_address_permission(client_ip):
|
||||||
|
return (False, "Unauthorized: " + client_ip + " is not " + LAN_ALLOWED_SINGLE_ADDRESS)
|
||||||
return (True, '')
|
return (True, '')
|
||||||
|
|
||||||
class LanAuthentication(SessionAuthentication):
|
class LanAuthentication(SessionAuthentication):
|
||||||
|
|
Loading…
Reference in New Issue