2019-06-14 16:14:24 +00:00
/ *
*
* ( c ) Copyright Ascensio System Limited 2010 - 2018
*
* This program is freeware . You can redistribute it and / or modify it under the terms of the GNU
* General Public License ( GPL ) version 3 as published by the Free Software Foundation ( https : //www.gnu.org/copyleft/gpl.html).
* In accordance with Section 7 ( a ) of the GNU GPL its Section 15 shall be amended to the effect that
* Ascensio System SIA expressly excludes the warranty of non - infringement of any third - party rights .
*
* THIS PROGRAM IS DISTRIBUTED WITHOUT ANY WARRANTY ; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR
* FITNESS FOR A PARTICULAR PURPOSE . For more details , see GNU GPL at https : //www.gnu.org/copyleft/gpl.html
*
* You can contact Ascensio System SIA by email at sales @onlyoffice . com
*
* The interactive user interfaces in modified source and object code versions of ONLYOFFICE must display
* Appropriate Legal Notices , as required under Section 5 of the GNU GPL version 3.
*
* Pursuant to Section 7 § 3 ( b ) of the GNU GPL you must retain the original ONLYOFFICE logo which contains
* relevant author attributions when distributing the software . If the display of the logo in its graphic
* form is not reasonably feasible for technical reasons , you must include the words "Powered by ONLYOFFICE"
* in every copy of the program you distribute .
* Pursuant to Section 7 § 3 ( e ) we decline to grant you any rights under trademark law for use of our trademarks .
*
* /
namespace ASC.IPSecurity
{
2020-10-19 15:53:15 +00:00
[Scope]
2019-09-20 15:08:45 +00:00
public class IPSecurity
2019-06-14 16:14:24 +00:00
{
2019-09-20 15:08:45 +00:00
public bool IpSecurityEnabled { get ; }
2019-06-14 16:14:24 +00:00
2022-02-11 15:11:00 +00:00
private readonly ILog _logger ;
private readonly IHttpContextAccessor _httpContextAccessor ;
private readonly AuthContext _authContext ;
private readonly TenantManager _tenantManager ;
private readonly IPRestrictionsService _ipRestrictionsService ;
private readonly SettingsManager _settingsManager ;
private readonly string _currentIpForTest ;
2019-09-20 15:08:45 +00:00
2019-10-17 15:55:35 +00:00
public IPSecurity (
IConfiguration configuration ,
IHttpContextAccessor httpContextAccessor ,
AuthContext authContext ,
TenantManager tenantManager ,
IPRestrictionsService iPRestrictionsService ,
2019-11-08 12:21:51 +00:00
SettingsManager settingsManager ,
2019-11-06 15:03:09 +00:00
IOptionsMonitor < ILog > options )
2019-06-14 16:14:24 +00:00
{
2022-02-11 15:11:00 +00:00
_logger = options . Get ( "ASC.IPSecurity" ) ;
_httpContextAccessor = httpContextAccessor ;
_authContext = authContext ;
_tenantManager = tenantManager ;
_ipRestrictionsService = iPRestrictionsService ;
_settingsManager = settingsManager ;
_currentIpForTest = configuration [ "ipsecurity:test" ] ;
2019-09-20 15:08:45 +00:00
var hideSettings = ( configuration [ "web:hide-settings" ] ? ? "" ) . Split ( new [ ] { ',' , ';' , ' ' } ) ;
IpSecurityEnabled = ! hideSettings . Contains ( "IpSecurity" , StringComparer . CurrentCultureIgnoreCase ) ;
2019-06-14 16:14:24 +00:00
}
2019-09-20 15:53:27 +00:00
public bool Verify ( )
2019-06-14 16:14:24 +00:00
{
2022-02-11 15:11:00 +00:00
var tenant = _tenantManager . GetCurrentTenant ( ) ;
2019-09-20 15:53:27 +00:00
2019-06-14 16:14:24 +00:00
if ( ! IpSecurityEnabled ) return true ;
2022-02-11 15:11:00 +00:00
if ( _httpContextAccessor ? . HttpContext = = null ) return true ;
2019-06-14 16:14:24 +00:00
2022-02-11 15:11:00 +00:00
if ( tenant = = null | | _authContext . CurrentAccount . ID = = tenant . OwnerId ) return true ;
2019-06-14 16:14:24 +00:00
string requestIps = null ;
try
{
2022-02-11 15:11:00 +00:00
var restrictions = _ipRestrictionsService . Get ( tenant . TenantId ) . ToList ( ) ;
2019-06-14 16:14:24 +00:00
2022-01-18 13:54:24 +00:00
if ( restrictions . Count = = 0 ) return true ;
2019-06-14 16:14:24 +00:00
2022-02-11 15:11:00 +00:00
requestIps = _currentIpForTest ;
2022-01-21 11:02:17 +00:00
if ( string . IsNullOrWhiteSpace ( requestIps ) )
2019-06-14 16:14:24 +00:00
{
2022-02-11 15:11:00 +00:00
var request = _httpContextAccessor . HttpContext . Request ;
2019-06-14 16:14:24 +00:00
requestIps = request . Headers [ "X-Forwarded-For" ] . FirstOrDefault ( ) ? ? request . GetUserHostAddress ( ) ;
}
var ips = string . IsNullOrWhiteSpace ( requestIps )
2022-01-19 10:24:11 +00:00
? Array . Empty < string > ( )
2019-06-14 16:14:24 +00:00
: requestIps . Split ( new [ ] { "," , " " } , StringSplitOptions . RemoveEmptyEntries ) ;
if ( ips . Any ( requestIp = > restrictions . Any ( restriction = > MatchIPs ( GetIpWithoutPort ( requestIp ) , restriction . Ip ) ) ) )
{
return true ;
}
}
catch ( Exception ex )
{
2022-02-11 15:11:00 +00:00
_logger . ErrorFormat ( "Can't verify request with IP-address: {0}. Tenant: {1}. Error: {2} " , requestIps ? ? "" , tenant , ex ) ;
2019-06-14 16:14:24 +00:00
return false ;
}
2022-02-11 15:11:00 +00:00
_logger . InfoFormat ( "Restricted from IP-address: {0}. Tenant: {1}. Request to: {2}" , requestIps ? ? "" , tenant , _httpContextAccessor . HttpContext . Request . GetDisplayUrl ( ) ) ;
2019-06-14 16:14:24 +00:00
return false ;
}
private static bool MatchIPs ( string requestIp , string restrictionIp )
{
var dividerIdx = restrictionIp . IndexOf ( '-' ) ;
2022-01-19 15:29:04 +00:00
if ( dividerIdx > - 1 )
2019-06-14 16:14:24 +00:00
{
var lower = IPAddress . Parse ( restrictionIp . Substring ( 0 , dividerIdx ) . Trim ( ) ) ;
var upper = IPAddress . Parse ( restrictionIp . Substring ( dividerIdx + 1 ) . Trim ( ) ) ;
var range = new IPAddressRange ( lower , upper ) ;
return range . IsInRange ( IPAddress . Parse ( requestIp ) ) ;
}
return requestIp = = restrictionIp ;
}
private static string GetIpWithoutPort ( string ip )
{
var portIdx = ip . IndexOf ( ':' ) ;
return portIdx > 0 ? ip . Substring ( 0 , portIdx ) : ip ;
}
}
}
