allow a client if its IP is both allowed and denied
this allows you to define a group deny policy that can be overridden on a per-user basis. This is a backward incompatible change Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
parent
e58709c822
commit
e54237ff70
2 changed files with 13 additions and 12 deletions
|
@ -1170,7 +1170,7 @@ func (u *User) GetBandwidthForIP(clientIP, connectionID string) (int64, int64) {
|
|||
// IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
|
||||
// If AllowedIP is defined only the specified IP/Mask can login.
|
||||
// If DeniedIP is defined the specified IP/Mask cannot login.
|
||||
// If an IP is both allowed and denied then login will be denied
|
||||
// If an IP is both allowed and denied then login will be allowed
|
||||
func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
|
||||
if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {
|
||||
return true
|
||||
|
@ -1181,15 +1181,6 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
|
|||
logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr)
|
||||
return true
|
||||
}
|
||||
for _, IPMask := range u.Filters.DeniedIP {
|
||||
_, IPNet, err := net.ParseCIDR(IPMask)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if IPNet.Contains(remoteIP) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
for _, IPMask := range u.Filters.AllowedIP {
|
||||
_, IPNet, err := net.ParseCIDR(IPMask)
|
||||
if err != nil {
|
||||
|
@ -1199,6 +1190,15 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
|
|||
return true
|
||||
}
|
||||
}
|
||||
for _, IPMask := range u.Filters.DeniedIP {
|
||||
_, IPNet, err := net.ParseCIDR(IPMask)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if IPNet.Contains(remoteIP) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return len(u.Filters.AllowedIP) == 0
|
||||
}
|
||||
|
||||
|
|
|
@ -8370,8 +8370,9 @@ func TestUserFiltersIPMaskConditions(t *testing.T) {
|
|||
assert.True(t, user.IsLoginFromAddrAllowed("192.168.2.6"))
|
||||
|
||||
user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.5/32")
|
||||
// if the same ip/mask is both denied and allowed then login must be denied
|
||||
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
|
||||
// if the same ip/mask is both denied and allowed then login must be allowed
|
||||
assert.True(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
|
||||
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.3"))
|
||||
assert.False(t, user.IsLoginFromAddrAllowed("192.168.3.6"))
|
||||
|
||||
user.Filters.DeniedIP = []string{}
|
||||
|
|
Loading…
Reference in a new issue