add a global whitelist

If defined, only the listed IPs/networks can access the configured
services; all other client connections are dropped before they
even try to authenticate.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2022-03-17 22:10:52 +01:00
parent 03da7f696c
commit d9f30e7ac5
12 changed files with 196 additions and 20 deletions


@@ -8700,7 +8700,7 @@ func TestWebClientMaxConnections(t *testing.T) {
setJWTCookieForReq(req, webToken)
rr = executeRequest(req)
checkResponseCode(t, http.StatusForbidden, rr)
assert.Contains(t, rr.Body.String(), "configured connections limit reached")
assert.Contains(t, rr.Body.String(), "connection not allowed from your ip")
common.Connections.Remove(connection.GetID())
_, err = httpdtest.RemoveUser(user, http.StatusOK)
@@ -12617,6 +12617,60 @@ func TestWebAdminSetupMock(t *testing.T) {
os.Setenv("SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN", "1")
}
func TestWhitelist(t *testing.T) {
configCopy := common.Config
common.Config.MaxTotalConnections = 1
wlFile := filepath.Join(os.TempDir(), "wl.json")
common.Config.WhiteListFile = wlFile
wl := common.HostListFile{
IPAddresses: []string{"172.120.1.1", "172.120.1.2"},
CIDRNetworks: []string{"192.8.7.0/22"},
}
data, err := json.Marshal(wl)
assert.NoError(t, err)
err = os.WriteFile(wlFile, data, 0664)
assert.NoError(t, err)
defer os.Remove(wlFile)
err = common.Initialize(common.Config, 0)
assert.NoError(t, err)
req, _ := http.NewRequest(http.MethodGet, webLoginPath, nil)
rr := executeRequest(req)
checkResponseCode(t, http.StatusForbidden, rr)
assert.Contains(t, rr.Body.String(), "connection not allowed from your ip")
req.RemoteAddr = "172.120.1.1"
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
req.RemoteAddr = "172.120.1.3"
rr = executeRequest(req)
checkResponseCode(t, http.StatusForbidden, rr)
assert.Contains(t, rr.Body.String(), "connection not allowed from your ip")
req.RemoteAddr = "192.8.7.1"
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
wl.IPAddresses = append(wl.IPAddresses, "172.120.1.3")
data, err = json.Marshal(wl)
assert.NoError(t, err)
err = os.WriteFile(wlFile, data, 0664)
assert.NoError(t, err)
err = common.Reload()
assert.NoError(t, err)
req.RemoteAddr = "172.120.1.3"
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
common.Config = configCopy
err = common.Initialize(common.Config, 0)
assert.NoError(t, err)
}
func TestWebAdminLoginMock(t *testing.T) {
webToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)
assert.NoError(t, err)
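Review bot: TestWhitelist only exercises the reload path in the permissive direction: after `common.Reload()` it checks that the newly added "172.120.1.3" is accepted, but never that an address removed from the list is denied again, which is the case that matters for a deny-by-default control. Replacing `wl.IPAddresses = append(wl.IPAddresses, "172.120.1.3")` with `wl.IPAddresses = []string{"172.120.1.2", "172.120.1.3"}` and, after the reload, sending a request with `req.RemoteAddr = "172.120.1.1"` and checking `http.StatusForbidden` would cover it. Two smaller points: the whitelist is written to a fixed name under `os.TempDir()` with mode 0664, where `t.TempDir()` gives an isolated, automatically removed location; and `common.Config = configCopy` plus the final `common.Initialize` are not deferred, so a panic mid-test leaves the whitelist active for the tests that follow. The first hunk suggests the connection-limit and whitelist rejections now share the "connection not allowed from your ip" message; if that is so, the limit case might deserve its own wording so that operators can tell the two conditions apart in logs.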