Merge pull request #1495 from ONLYOFFICE/feature/ipsecurity-fixes
Feature/ipsecurity fixes
This commit is contained in:
GitHub
commit
2a80673ba4
@ -73,8 +73,16 @@ internal class IPAddressRange
|
|||||||
{
|
{
|
||||||
var parts = CIDRmask.Split('/');
|
var parts = CIDRmask.Split('/');
|
||||||
|
|
||||||
var IP_addr = BitConverter.ToInt32(IPAddress.Parse(ipAddress).GetAddressBytes(), 0);
|
var requestIP = IPAddress.Parse(ipAddress);
|
||||||
var CIDR_addr = BitConverter.ToInt32(IPAddress.Parse(parts[0]).GetAddressBytes(), 0);
|
var restrictionIP = IPAddress.Parse(parts[0]);
|
||||||
|
|
||||||
|
if (requestIP.AddressFamily != restrictionIP.AddressFamily)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
var IP_addr = BitConverter.ToInt32(requestIP.GetAddressBytes(), 0);
|
||||||
|
var CIDR_addr = BitConverter.ToInt32(restrictionIP.GetAddressBytes(), 0);
|
||||||
var CIDR_mask = IPAddress.HostToNetworkOrder(-1 << (32 - int.Parse(parts[1])));
|
var CIDR_mask = IPAddress.HostToNetworkOrder(-1 << (32 - int.Parse(parts[1])));
|
||||||
|
|
||||||
return (IP_addr & CIDR_mask) == (CIDR_addr & CIDR_mask);
|
return (IP_addr & CIDR_mask) == (CIDR_addr & CIDR_mask);
|
||||||
|
|||||||
@ -38,7 +38,6 @@ public class IPSecurity
|
|||||||
private readonly IPRestrictionsService _ipRestrictionsService;
|
private readonly IPRestrictionsService _ipRestrictionsService;
|
||||||
private readonly string _currentIpForTest;
|
private readonly string _currentIpForTest;
|
||||||
private readonly string _myNetworks;
|
private readonly string _myNetworks;
|
||||||
private readonly SecurityContext _securityContext;
|
|
||||||
private readonly UserManager _userManager;
|
private readonly UserManager _userManager;
|
||||||
|
|
||||||
public IPSecurity(
|
public IPSecurity(
|
||||||
@ -47,7 +46,6 @@ public class IPSecurity
|
|||||||
AuthContext authContext,
|
AuthContext authContext,
|
||||||
TenantManager tenantManager,
|
TenantManager tenantManager,
|
||||||
IPRestrictionsService iPRestrictionsService,
|
IPRestrictionsService iPRestrictionsService,
|
||||||
SecurityContext securityContext,
|
|
||||||
UserManager userManager,
|
UserManager userManager,
|
||||||
ILogger<IPSecurity> logger)
|
ILogger<IPSecurity> logger)
|
||||||
{
|
{
|
||||||
@ -56,7 +54,6 @@ public class IPSecurity
|
|||||||
_authContext = authContext;
|
_authContext = authContext;
|
||||||
_tenantManager = tenantManager;
|
_tenantManager = tenantManager;
|
||||||
_ipRestrictionsService = iPRestrictionsService;
|
_ipRestrictionsService = iPRestrictionsService;
|
||||||
_securityContext = securityContext;
|
|
||||||
_userManager = userManager;
|
_userManager = userManager;
|
||||||
_currentIpForTest = configuration["ipsecurity:test"];
|
_currentIpForTest = configuration["ipsecurity:test"];
|
||||||
_myNetworks = configuration["ipsecurity:mynetworks"];
|
_myNetworks = configuration["ipsecurity:mynetworks"];
|
||||||
@ -97,7 +94,6 @@ public class IPSecurity
|
|||||||
|
|
||||||
if (string.IsNullOrWhiteSpace(requestIps))
|
if (string.IsNullOrWhiteSpace(requestIps))
|
||||||
{
|
{
|
||||||
var request = _httpContextAccessor.HttpContext.Request;
|
|
||||||
requestIps = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
|
requestIps = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress.ToString();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -105,7 +101,7 @@ public class IPSecurity
|
|||||||
? Array.Empty<string>()
|
? Array.Empty<string>()
|
||||||
: requestIps.Split(new[] { ",", " " }, StringSplitOptions.RemoveEmptyEntries);
|
: requestIps.Split(new[] { ",", " " }, StringSplitOptions.RemoveEmptyEntries);
|
||||||
|
|
||||||
var isDocSpaceAdmin = await _userManager.IsUserInGroupAsync(_securityContext.CurrentAccount.ID, Core.Users.Constants.GroupAdmin.ID);
|
var isDocSpaceAdmin = await _userManager.IsUserInGroupAsync(_authContext.CurrentAccount.ID, Core.Users.Constants.GroupAdmin.ID);
|
||||||
|
|
||||||
if (ips.Any(requestIp => restrictions.Any(restriction => (restriction.ForAdmin ? isDocSpaceAdmin : true) && MatchIPs(GetIpWithoutPort(requestIp), restriction.Ip))))
|
if (ips.Any(requestIp => restrictions.Any(restriction => (restriction.ForAdmin ? isDocSpaceAdmin : true) && MatchIPs(GetIpWithoutPort(requestIp), restriction.Ip))))
|
||||||
{
|
{
|
||||||
@ -131,7 +127,7 @@ public class IPSecurity
|
|||||||
public static bool MatchIPs(string requestIp, string restrictionIp)
|
public static bool MatchIPs(string requestIp, string restrictionIp)
|
||||||
{
|
{
|
||||||
var dividerIdx = restrictionIp.IndexOf('-');
|
var dividerIdx = restrictionIp.IndexOf('-');
|
||||||
if (dividerIdx > -1)
|
if (dividerIdx > 0)
|
||||||
{
|
{
|
||||||
var lower = IPAddress.Parse(restrictionIp.Substring(0, dividerIdx).Trim());
|
var lower = IPAddress.Parse(restrictionIp.Substring(0, dividerIdx).Trim());
|
||||||
var upper = IPAddress.Parse(restrictionIp.Substring(dividerIdx + 1).Trim());
|
var upper = IPAddress.Parse(restrictionIp.Substring(dividerIdx + 1).Trim());
|
||||||
@ -141,7 +137,7 @@ public class IPSecurity
|
|||||||
return range.IsInRange(IPAddress.Parse(requestIp));
|
return range.IsInRange(IPAddress.Parse(requestIp));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (restrictionIp.IndexOf('/') > -1)
|
if (restrictionIp.IndexOf('/') > 0)
|
||||||
{
|
{
|
||||||
return IPAddressRange.IsInRange(requestIp, restrictionIp);
|
return IPAddressRange.IsInRange(requestIp, restrictionIp);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -170,13 +170,6 @@ public class MessageSettingsController : BaseSettingsController
|
|||||||
throw new Exception(_customNamingPeople.Substitute<Resource>("ErrorEmailAlreadyExists"));
|
throw new Exception(_customNamingPeople.Substitute<Resource>("ErrorEmailAlreadyExists"));
|
||||||
}
|
}
|
||||||
|
|
||||||
var settings = await _settingsManager.LoadAsync<IPRestrictionsSettings>();
|
|
||||||
|
|
||||||
if (settings.Enable && !await _ipSecurity.VerifyAsync())
|
|
||||||
{
|
|
||||||
throw new Exception(Resource.ErrorAccessRestricted);
|
|
||||||
}
|
|
||||||
|
|
||||||
var trustedDomainSettings = await _settingsManager.LoadAsync<StudioTrustedDomainSettings>();
|
var trustedDomainSettings = await _settingsManager.LoadAsync<StudioTrustedDomainSettings>();
|
||||||
var emplType = trustedDomainSettings.InviteAsUsers ? EmployeeType.User : EmployeeType.RoomAdmin;
|
var emplType = trustedDomainSettings.InviteAsUsers ? EmployeeType.User : EmployeeType.RoomAdmin;
|
||||||
if (!_coreBaseSettings.Personal)
|
if (!_coreBaseSettings.Personal)
|
||||||
|
|||||||
@ -380,13 +380,6 @@ public sealed class UserManagerWrapper
|
|||||||
throw new ArgumentNullException(nameof(email), Resource.ErrorNotCorrectEmail);
|
throw new ArgumentNullException(nameof(email), Resource.ErrorNotCorrectEmail);
|
||||||
}
|
}
|
||||||
|
|
||||||
var settings = await _settingsManager.LoadAsync<IPRestrictionsSettings>();
|
|
||||||
|
|
||||||
if (settings.Enable && !await _iPSecurity.VerifyAsync())
|
|
||||||
{
|
|
||||||
throw new Exception(Resource.ErrorAccessRestricted);
|
|
||||||
}
|
|
||||||
|
|
||||||
var userInfo = await _userManager.GetUserByEmailAsync(email);
|
var userInfo = await _userManager.GetUserByEmailAsync(email);
|
||||||
if (!_userManager.UserExists(userInfo) || string.IsNullOrEmpty(userInfo.Email))
|
if (!_userManager.UserExists(userInfo) || string.IsNullOrEmpty(userInfo.Email))
|
||||||
{
|
{
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user