Allow ip subnet comparison in ussd ip access check

This commit is contained in:
nolash 2021-04-06 18:24:49 +02:00
parent 7728f38f14
commit e668d0b8b3
Signed by untrusted user who does not match committer: lash
GPG Key ID: 21D2E7BB88C2A746
8 changed files with 19 additions and 11 deletions

View File

@ -1,4 +1,4 @@
FROM python:3.8.6
FROM python:3.8.6-slim-buster
RUN apt-get update && \
apt install -y gcc gnupg libpq-dev wget make g++ gnupg bash procps
@ -6,7 +6,7 @@ RUN apt-get update && \
WORKDIR /usr/src/cic-notify
ARG pip_extra_index_url_flag='--index https://pypi.org/simple --extra-index-url https://pip.grassrootseconomics.net:8433'
RUN pip install $pip_extra_index_url_flag cic-base[full_graph]==0.1.2a44
RUN pip install $pip_extra_index_url_flag cic-base[full_graph]==0.1.2a61
COPY cic-notify/setup.cfg \
cic-notify/setup.py \

View File

@ -1 +1 @@
cic_base[full_graph]~=0.1.2a46
cic_base[full_graph]~=0.1.2a61

View File

@ -1,6 +1,6 @@
[metadata]
name = cic-notify
version= 0.4.0a2
version= 0.4.0a3
description = CIC notifications service
author = Louis Holbrook
author_email = dev@holbrook.no

View File

@ -1,5 +1,5 @@
[app]
ALLOWED_IP=127.0.0.1
ALLOWED_IP=0.0.0.0/0
LOCALE_FALLBACK=en
LOCALE_PATH=var/lib/locale/
MAX_BODY_LENGTH=1024

View File

@ -1,6 +1,7 @@
# standard imports
import logging
import re
import ipaddress
# third-party imports
from confini import Config
@ -20,7 +21,14 @@ def check_ip(config: Config, env: dict):
:return: Request IP validity
:rtype: boolean
"""
return env.get('REMOTE_ADDR') == config.get('APP_ALLOWED_IP')
# TODO: do once at boot time
actual_ip = ipaddress.ip_network(env.get('REMOTE_ADDR') + '/32')
for allowed_net_src in config.get('APP_ALLOWED_IP').split(','):
allowed_net = ipaddress.ip_network(allowed_net_src)
if actual_ip.subnet_of(allowed_net):
return True
return False
def check_request_content_length(config: Config, env: dict):

View File

@ -1,4 +1,4 @@
cic_base[full_graph]~=0.1.2a58
cic-eth~=0.11.0a4
cic_base[full_graph]~=0.1.2a61
cic-eth~=0.11.0b1
cic-notify~=0.4.0a3
cic-types~=0.1.0a10

View File

@ -490,9 +490,9 @@ services:
DATABASE_ENGINE: postgresql
DATABASE_DRIVER: psycopg2
PGP_PASSPHRASE: merman
SERVER_PORT: 8000
SERVER_PORT: 9000
ports:
- ${HTTP_PORT_CIC_USSD:-63315}:8000
- ${HTTP_PORT_CIC_USSD:-63315}:9000
depends_on:
- postgres
- redis