chore: Add support for trusted IP forwarders in authentication and request middleware

2025-03-20 06:50:23 +03:00 · 2024-08-19 22:56:27 +02:00 · 2024-08-19 22:56:27 +02:00 · 5ba08e2896
commit 5ba08e2896
parent 6f8eb00ad0
3 changed files with 20 additions and 4 deletions
--- a/server/src/uds/core/auths/auth.py
+++ b/server/src/uds/core/auths/auth.py
@ -175,6 +175,10 @@ def is_trusted_source(ip: str) -> bool:
    return net.contains(GlobalConfig.TRUSTED_SOURCES.get(True), ip)


+def is_trusted_ip_forwarder(ip: str) -> bool:
+    return net.contains(GlobalConfig.ALLOWED_IP_FORWARDERS.get(True), ip)
+
+
 # Decorator to protect pages that needs to be accessed from "trusted sites"
 def needs_trusted_source(
    view_func: collections.abc.Callable[..., HttpResponse]
@ -534,6 +538,11 @@ def log_logout(request: 'ExtendedHttpRequest') -> None:
                f'user {request.user.name} has logged out from {request.ip}',
                types.log.LogSource.WEB,
            )
-            log.log(request.user, types.log.LogLevel.INFO, f'has logged out from {request.ip}', types.log.LogSource.WEB)
+            log.log(
+                request.user,
+                types.log.LogLevel.INFO,
+                f'has logged out from {request.ip}',
+                types.log.LogSource.WEB,
+            )
        else:
            logger.info('Root has logged out from %s', request.ip)
--- a/server/src/uds/core/util/config.py
+++ b/server/src/uds/core/util/config.py
@ -616,7 +616,14 @@ class GlobalConfig:
        'Trusted Hosts',
        '*',
        type=Config.FieldType.TEXT,
-        help=_('Networks considered "trusted" for UDS (Tunnels, Load Balancers, etc...)'),
+        help=_('Networks or hosts considered "trusted" for UDS (Tunnels, etc...)'),
+    )
+    
+    ALLOWED_IP_FORWARDERS: Config.Value = Config.section(Config.SectionType.SECURITY).value(
+        'Allowed IP Forwarders',
+        '*',
+        type=Config.FieldType.TEXT,
+        help=_('IPs or networks allowed to forward requests (like proxies)'),
    )

    # Allow clients to notify their own ip (if set), or use always the request extracted IP
--- a/server/src/uds/middleware/request.py
+++ b/server/src/uds/middleware/request.py
@ -39,7 +39,7 @@ from uds.core.util import os_detector as OsDetector
 from uds.core.util.config import GlobalConfig
 from uds.core import consts, types
 from uds.core.auths.auth import (
-    is_trusted_source,
+    is_trusted_ip_forwarder,
    root_user,
    web_logout,
 )
@ -92,7 +92,7 @@ def _fill_ips(request: 'ExtendedHttpRequest') -> None:
    #   request.ip = PROXY3
    #   request.ip_proxy = PROXY2

-    if behind_proxy and is_trusted_source(request.ip):
+    if behind_proxy and is_trusted_ip_forwarder(request.ip):
        request.ip = request.ip_proxy
        request.ip_proxy = proxies[1] if len(proxies) > 1 else request.ip