allow a client if its IP is both allowed and denied

This lets you define a deny policy at group level that a per-user allow list can override.

This is a backward incompatible change

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2022-09-15 19:51:17 +02:00
parent e58709c822
commit e54237ff70
2 changed files with 13 additions and 12 deletions


@@ -1170,7 +1170,7 @@ func (u *User) GetBandwidthForIP(clientIP, connectionID string) (int64, int64) {
// IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr. // IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
// If AllowedIP is defined only the specified IP/Mask can login. // If AllowedIP is defined only the specified IP/Mask can login.
// If DeniedIP is defined the specified IP/Mask cannot login. // If DeniedIP is defined the specified IP/Mask cannot login.
// If an IP is both allowed and denied then login will be denied // If an IP is both allowed and denied then login will be allowed
func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool { func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 { if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {
return true return true
@@ -1181,15 +1181,6 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr) logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr)
return true return true
} }
for _, IPMask := range u.Filters.DeniedIP {
_, IPNet, err := net.ParseCIDR(IPMask)
if err != nil {
return false
}
if IPNet.Contains(remoteIP) {
return false
}
}
for _, IPMask := range u.Filters.AllowedIP { for _, IPMask := range u.Filters.AllowedIP {
_, IPNet, err := net.ParseCIDR(IPMask) _, IPNet, err := net.ParseCIDR(IPMask)
if err != nil { if err != nil {
@@ -1199,6 +1190,15 @@ func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
return true return true
} }
} }
for _, IPMask := range u.Filters.DeniedIP {
_, IPNet, err := net.ParseCIDR(IPMask)
if err != nil {
return false
}
if IPNet.Contains(remoteIP) {
return false
}
}
return len(u.Filters.AllowedIP) == 0 return len(u.Filters.AllowedIP) == 0
} }
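Review bot: Because the AllowedIP loop now returns true before DeniedIP is ever read, DeniedIP has no effect at all once AllowedIP is non-empty (an address matching no allow entry falls through to `return len(u.Filters.AllowedIP) == 0`, which is false anyway), so an existing filter such as allow 10.0.0.0/8 plus deny 10.0.5.0/24 silently flips from blocking 10.0.5.x to admitting it; the rewritten comment `// If an IP is both allowed and denied then login will be allowed` understates this. I would replace it with `// AllowedIP takes precedence: when it is non-empty it alone decides the result and DeniedIP is only consulted for users with no AllowedIP, so a DeniedIP entry cannot carve an exception out of a broader AllowedIP range.` The `login allowed for invalid IP` branch above the loops predates this commit, but it means an unparseable remoteAddr bypasses both lists; if that is intentional for non-IP transports it deserves a comment saying so, otherwise it should fail closed. The error branch of the AllowedIP loop is outside the hunk, so I have not checked how a malformed AllowedIP entry is treated.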


@@ -8370,8 +8370,9 @@ func TestUserFiltersIPMaskConditions(t *testing.T) {
assert.True(t, user.IsLoginFromAddrAllowed("192.168.2.6")) assert.True(t, user.IsLoginFromAddrAllowed("192.168.2.6"))
user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.5/32") user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.5/32")
// if the same ip/mask is both denied and allowed then login must be denied // if the same ip/mask is both denied and allowed then login must be allowed
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.5")) assert.True(t, user.IsLoginFromAddrAllowed("192.168.1.5"))
assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.3"))
assert.False(t, user.IsLoginFromAddrAllowed("192.168.3.6")) assert.False(t, user.IsLoginFromAddrAllowed("192.168.3.6"))
user.Filters.DeniedIP = []string{} user.Filters.DeniedIP = []string{}
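Review bot: The added `assert.False(t, user.IsLoginFromAddrAllowed("192.168.1.3"))` does not exercise DeniedIP at all: AllowedIP is non-empty at that point (`192.168.1.5/32` was just appended), so any address outside the allow list is rejected by the final `return len(u.Filters.AllowedIP) == 0` whether or not a deny entry matches it. The case the reordering actually changes, a deny range nested inside a broader allow range now being admitted, is the one worth pinning; after that line I would add `user.Filters.AllowedIP = append(user.Filters.AllowedIP, "192.168.1.0/24")` and `assert.True(t, user.IsLoginFromAddrAllowed("192.168.1.3"))`, assuming the existing deny entry covers 192.168.1.3 — its setup is above the hunk so I cannot confirm that. TestUserFiltersIPMaskConditions starts before and continues past these lines.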