Only allow specific IP addresses to connect to the helpdesk app

f1800773 · Georgios Gousios · a1284c32 · f1800773 · f1800773 · f1800773
Commit f1800773 authored Jun 15, 2011 by Georgios Gousios
--- a/helpdesk/middleware.py
+++ b/helpdesk/middleware.py
@@ -27,6 +27,7 @@
 # The views and conclusions contained in the software and documentation are
 # those of the authors and should not be interpreted as representing official
 # policies, either expressed or implied, of GRNET S.A.
+
 from synnefo.db.models import SynnefoUser
 from django.conf import settings
 from django.http import HttpResponse
@@ -37,6 +38,17 @@ class HelpdeskMiddleware(object):
    auth_tmp_token = "X-Auth-Tmp-Token"

    def process_request(self, request):
+
+        # Check the request's IP address
+        allowed = settings.HELPDESK_ALLOWED_IPS
+        if not check_ip(request.META['REMOTE_ADDR'], allowed):
+            try:
+                proxy_ip = request.META['HTTP_X_FORWARDED_FOR']
+            except Exception:
+                return HttpResponse(status=403, content="IP Address not allowed")
+            if not check_ip(proxy_ip, allowed):
+                return HttpResponse(status=403, content="IP Address not allowed")
+
        # Helpdesk application request, find the temp token
        tmp_token = None
        try:
@@ -49,6 +61,21 @@ class HelpdeskMiddleware(object):
        if (time.time() -
            time.mktime(tmp_user.tmp_auth_token_expires.timetuple())) > 0:
            # The impersonated user's token has expired, re-login
-            return HttpResponse("User token expired, request a new token")
+            return HttpResponse(status=403, content="Temporary token expired")

        request.user = tmp_user
+
+def check_ip(ip, allowed):
+    for addr in allowed:
+        # Check exact match
+        if ip == addr:
+            return True;
+        # Check range match
+        if addr.endswith('.0'):
+            iprange = ip[0:ip.rfind(".")]
+            if addr.startswith(iprange):
+                return True
+        else:
+            continue
+
+        return False
--- a/helpdesk/tests.py
+++ b/helpdesk/tests.py
+# vim: set fileencoding=utf-8 :
+# Copyright 2011 GRNET S.A. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+#   1. Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#
+#  2. Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# The views and conclusions contained in the software and documentation are
+# those of the authors and should not be interpreted as representing official
+# policies, either expressed or implied, of GRNET S.A.
+
+from django.test import TestCase
+from django.test.client import Client
+
+from synnefo.helpdesk.middleware import check_ip
+
+class HelpdeskTestCase(TestCase):
+    apibase = '/api/v1.1'
+
+    def setUp(self):
+        self.client = Client()
+
+    def test_check_ip(self):
+        range = ('127.0.0.1', '195.251.249.0')
+
+        ip = '127.0.0.1'
+        self.assertTrue(check_ip(ip, range))
+
+        ip = '195.251.249.212'
+        self.assertTrue(check_ip(ip, range))
+
+        ip = '195.234.249.2'
+        self.assertFalse(check_ip(ip, range))
--- a/settings.py.dist
+++ b/settings.py.dist
@@ -273,12 +273,12 @@ BYPASS_AUTHENTICATION = False
 # Helpdesk application
 #

-# Duration for temporary auth tokens, created for impersonating a register
-# user by help desk staff.
+# Duration for temporary auth tokens, created for impersonating a registered
+# user by helpdesk staff.
 HELPDESK_TOKEN_DURATION_MIN = 30

 # IP addresses of the machines allowed to connect as help desk
-HELPDESK_ALLOWED_IP = ("127.0.0.1")
+HELPDESK_ALLOWED_IPS = ("127.0.0.1",)

 # Helpdesk auth token
 HELPDESK_AUTH_TOKEN = "0xdeadbabe"