beenull/sftpgo-mirror
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2024-11-22 07:30:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

allow a client if its IP is both allowed and denied

Browse source 
this allows you to define a group deny policy that can be overridden
on a per-user basis.

This is a backward incompatible change

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2022-09-15 19:51:17 +02:00
parent e58709c822
commit e54237ff70
No known key found for this signature in database
GPG key ID: 2F1FB59433D5A8CB
2 changed files with 13 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
internal/dataprovider/user.go
View file

@ -1170,7 +1170,7 @@ func (u *User) GetBandwidthForIP(clientIP, connectionID string) (int64, int64) {
// IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
// If AllowedIP is defined only the specified IP/Mask can login.
// If DeniedIP is defined the specified IP/Mask cannot login.
// If an IP is both allowed and denied then login will be denied
// If an IP is both allowed and denied then login will be allowed
func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {
return true
@ -1181,15 +1181,6 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr)
return true
}
for _, IPMask := range u.Filters.DeniedIP {
_, IPNet, err := net.ParseCIDR(IPMask)
if err != nil {
return false
}
if IPNet.Contains(remoteIP) {
return false
}
}
for _, IPMask := range u.Filters.AllowedIP {
_, IPNet, err := net.ParseCIDR(IPMask)
if err != nil {
@ -1199,6 +1190,15 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
return true
}
}
for _, IPMask := range u.Filters.DeniedIP {
_, IPNet, err := net.ParseCIDR(IPMask)
if err != nil {
return false
}
if IPNet.Contains(remoteIP) {
return false
}
}
return len(u.Filters.AllowedIP) == 0
}

5
internal/sftpd/sftpd_test.go
View file

@ -8370,8 +8370,9 @@ func TestUserFiltersIPMaskConditions(t *testing.T) {
assert.True(t, user.IsLoginFromAddrAllowed("192.168.2.6"))
user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.5/32")
// if the same ip/mask is both denied and allowed then login must be denied
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
// if the same ip/mask is both denied and allowed then login must be allowed
assert.True(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.3"))
assert.False(t, user.IsLoginFromAddrAllowed("192.168.3.6"))
user.Filters.DeniedIP = []string{}