Commit 0b50582b by Jacob Richard

Adding CIDR capability to auth_proxy whitelist

parent 7653d8a1
...@@ -198,17 +198,31 @@ func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error ...@@ -198,17 +198,31 @@ func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error
} }
proxies := strings.Split(setting.AuthProxyWhitelist, ",") proxies := strings.Split(setting.AuthProxyWhitelist, ",")
sourceIP, _, err := net.SplitHostPort(remoteAddr) var proxyObjs []*net.IPNet
if err != nil { for _, proxy := range proxies {
return err proxyObjs = append(proxyObjs, coerceProxyAddress(proxy))
} }
// Compare allowed IP addresses to actual address sourceIP, _, _ := net.SplitHostPort(remoteAddr)
for _, proxyIP := range proxies { sourceObj := net.ParseIP(sourceIP)
if sourceIP == strings.TrimSpace(proxyIP) {
for _, proxyObj := range proxyObjs {
if proxyObj.Contains(sourceObj) {
return nil return nil
} }
} }
return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP) return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)
} }
func coerceProxyAddress(proxyAddr string) *net.IPNet {
proxyAddr = strings.TrimSpace(proxyAddr)
if !strings.Contains(proxyAddr, "/") {
proxyAddr = strings.Join([]string{proxyAddr, "32"}, "/")
}
_, network, err := net.ParseCIDR(proxyAddr)
if err != nil {
fmt.Println(err)
}
return network
}
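Review bot: A bare IPv6 entry in the whitelist is widened to a /32 network rather than a single host, because `coerceProxyAddress` appends "/32" to any entry without a slash, so `2001:db8::1` becomes `2001:db8::/32` and every address in that range is accepted as the auth proxy; the suffix should be "/128" when the entry contains a colon. A malformed entry is also only printed, and the nil `*net.IPNet` returned is then dereferenced by `proxyObj.Contains` in the loop above, so one bad whitelist entry breaks the check for every request instead of failing closed at config time; have the helper return an error and let `checkAuthenticationProxy` propagate it, which also keeps the `net.SplitHostPort` error the new code now discards with `sourceIP, _, _ :=` (an unparseable `remoteAddr` yields a nil `sourceObj`, which `Contains` rejects, but the diagnostic is lost). The start of `checkAuthenticationProxy` is outside the hunk.
```go
	for _, proxy := range proxies {
		network, err := coerceProxyAddress(proxy)
		if err != nil {
			return err
		}
		proxyObjs = append(proxyObjs, network)
	}
	sourceIP, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return err
	}
	// … unchanged: Contains loop and final error …

// coerceProxyAddress turns a whitelist entry into a network: a bare address
// is treated as a single host (/32 for IPv4, /128 for IPv6); a malformed
// entry is an error so the whitelist fails closed instead of panicking.
func coerceProxyAddress(proxyAddr string) (*net.IPNet, error) {
	proxyAddr = strings.TrimSpace(proxyAddr)
	if !strings.Contains(proxyAddr, "/") {
		bits := "32"
		if strings.Contains(proxyAddr, ":") {
			bits = "128"
		}
		proxyAddr = proxyAddr + "/" + bits
	}
	_, network, err := net.ParseCIDR(proxyAddr)
	if err != nil {
		return nil, fmt.Errorf("auth proxy whitelist entry %q is not a valid IP or CIDR: %v", proxyAddr, err)
	}
	return network, nil
}
```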