diff --git a/internal/dataprovider/user.go b/internal/dataprovider/user.go
index eb440a0b..20f5f2ab 100644
--- a/internal/dataprovider/user.go
+++ b/internal/dataprovider/user.go
@@ -1170,7 +1170,7 @@ func (u *User) GetBandwidthForIP(clientIP, connectionID string) (int64, int64) {
 // IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
 // If AllowedIP is defined only the specified IP/Mask can login.
 // If DeniedIP is defined the specified IP/Mask cannot login.
-// If an IP is both allowed and denied then login will be denied
+// If an IP is both allowed and denied then login will be allowed
 func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
 	if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {
 		return true
@@ -1181,15 +1181,6 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
 		logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr)
 		return true
 	}
-	for _, IPMask := range u.Filters.DeniedIP {
-		_, IPNet, err := net.ParseCIDR(IPMask)
-		if err != nil {
-			return false
-		}
-		if IPNet.Contains(remoteIP) {
-			return false
-		}
-	}
 	for _, IPMask := range u.Filters.AllowedIP {
 		_, IPNet, err := net.ParseCIDR(IPMask)
 		if err != nil {
@@ -1199,6 +1190,15 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
 			return true
 		}
 	}
+	for _, IPMask := range u.Filters.DeniedIP {
+		_, IPNet, err := net.ParseCIDR(IPMask)
+		if err != nil {
+			return false
+		}
+		if IPNet.Contains(remoteIP) {
+			return false
+		}
+	}
 	return len(u.Filters.AllowedIP) == 0
 }
diff --git a/internal/sftpd/sftpd_test.go b/internal/sftpd/sftpd_test.go
index 1987967d..a12096b2 100644
--- a/internal/sftpd/sftpd_test.go
+++ b/internal/sftpd/sftpd_test.go
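Review bot: Moving the DeniedIP loop below the AllowedIP loop makes AllowedIP take precedence, so the unchanged doc line `// If DeniedIP is defined the specified IP/Mask cannot login.` in the first hunk is now only true for addresses that do not also match an AllowedIP entry; it should read `// If DeniedIP is defined the specified IP/Mask cannot login, unless it also matches an AllowedIP entry (AllowedIP is checked first).` Note also that when AllowedIP is non-empty and the address did not match it, the final `return len(u.Filters.AllowedIP) == 0` already yields false, so the relocated DeniedIP loop in the third hunk only changes the outcome when AllowedIP is empty — worth stating in the comment so the evaluation order of this access-control decision is explicit. Because this inverts the previous deny-wins rule, existing configurations that pair a broad AllowedIP range with a narrower DeniedIP exception will silently start accepting those addresses, which deserves a release note. The body of IsLoginFromAddrAllowed spans all three hunks, with the remoteAddr parsing between the first and second hunk outside the diff.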
@@ -8370,8 +8370,9 @@ func TestUserFiltersIPMaskConditions(t *testing.T) {
 	assert.True(t, user.IsLoginFromAddrAllowed("192.168.2.6"))
 	user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.5/32")
-	// if the same ip/mask is both denied and allowed then login must be denied
-	assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
+	// if the same ip/mask is both denied and allowed then login must be allowed
+	assert.True(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
+	assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.3"))
 	assert.False(t, user.IsLoginFromAddrAllowed("192.168.3.6"))
 	user.Filters.DeniedIP = []string{}