iprestrictions

fix Verify
add check enable
add api method

common/ASC.Api.Core/Middleware/IpSecurityFilter.cs

@@ -3,6 +3,7 @@
 using ASC.Common;
 using ASC.Common.Logging;
 using ASC.Core;
+using ASC.Core.Common.Settings;
 using ASC.IPSecurity;
 
 using Microsoft.AspNetCore.Mvc;
@@ -19,9 +20,11 @@ namespace ASC.Api.Core.Middleware
         public IpSecurityFilter(
             IOptionsMonitor<ILog> options,
             AuthContext authContext,
-            IPSecurity.IPSecurity IPSecurity)
+            IPSecurity.IPSecurity IPSecurity,
+            SettingsManager settingsManager)
         {
             log = options.CurrentValue;
+            IPRestrictionsSettings = settingsManager.Load<IPRestrictionsSettings>();
             AuthContext = authContext;
             this.IPSecurity = IPSecurity;
         }
@@ -36,7 +39,8 @@ namespace ASC.Api.Core.Middleware
 
         public void OnResourceExecuting(ResourceExecutingContext context)
         {
-            if (AuthContext.IsAuthenticated && !IPSecurity.Verify())
+
+            if (IPRestrictionsSettings.Enable && AuthContext.IsAuthenticated && !IPSecurity.Verify())
             {
                 context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
                 log.WarnFormat("IPSecurity: user {0}", AuthContext.CurrentAccount.ID);

common/ASC.IPSecurity/IPRestrictionsService.cs

@@ -75,7 +75,7 @@ namespace ASC.IPSecurity
         {
             var key = IPRestrictionsServiceCache.GetCacheKey(tenant);
             var restrictions = cache.Get<List<IPRestriction>>(key);
-            if (restrictions == null)
+            if (restrictions == null || restrictions.Count == 0)
             {
                 restrictions = IPRestrictionsRepository.Get(tenant);
                 cache.Insert(key, restrictions, timeout);

common/ASC.IPSecurity/IPSecurity.cs

@@ -25,8 +25,10 @@
 
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Net.Sockets;
 using System.Web;
 
 using ASC.Common;
@@ -55,6 +57,7 @@ namespace ASC.IPSecurity
         private SettingsManager SettingsManager { get; }
 
         private readonly string CurrentIpForTest;
+        private readonly string MyNetworks;
 
         public IPSecurity(
             IConfiguration configuration,
@@ -72,6 +75,7 @@ namespace ASC.IPSecurity
             IPRestrictionsService = iPRestrictionsService;
             SettingsManager = settingsManager;
             CurrentIpForTest = configuration["ipsecurity:test"];
+            MyNetworks = configuration["ipsecurity.mynetworks"];
             var hideSettings = (configuration["web:hide-settings"] ?? "").Split(new[] { ',', ';', ' ' });
             IpSecurityEnabled = !hideSettings.Contains("IpSecurity", StringComparer.CurrentCultureIgnoreCase);
         }
@@ -109,6 +113,10 @@ namespace ASC.IPSecurity
                 {
                     return true;
                 }
+                if (IsMyNetwork(ips))
+                {
+                    return true;
+                }
             }
             catch (Exception ex)
             {
@@ -140,5 +148,42 @@ namespace ASC.IPSecurity
             var portIdx = ip.IndexOf(':');
             return portIdx > 0 ? ip.Substring(0, portIdx) : ip;
         }
+
+        private bool IsMyNetwork(string[] ips)
+        {
+            try
+            {
+                if (!string.IsNullOrEmpty(MyNetworks))
+                {
+                    var myNetworkIps = MyNetworks.Split(new[] { ",", " " }, StringSplitOptions.RemoveEmptyEntries);
+
+                    if (ips.Any(requestIp => myNetworkIps.Any(ipAddress => MatchIPs(GetIpWithoutPort(requestIp), ipAddress))))
+                    {
+                        return true;
+                    }
+                }
+
+                var hostName = Dns.GetHostName();
+                var hostAddresses = Dns.GetHostAddresses(Dns.GetHostName());
+
+                var localIPs = new List<IPAddress> { IPAddress.IPv6Loopback, IPAddress.Loopback };
+
+                localIPs.AddRange(hostAddresses.Where(ip => ip.AddressFamily == AddressFamily.InterNetwork || ip.AddressFamily == AddressFamily.InterNetworkV6));
+
+                foreach (var ipAddress in localIPs)
+                {
+                    if (ips.Contains(ipAddress.ToString()))
+                    {
+                        return true;
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Log.ErrorFormat("Can't verify local network from request with IP-address: {0}", string.Join(",", ips), ex);
+            }
+
+            return false;
+        }
     }
 }

web/ASC.Web.Api/Controllers/SettingsController.cs

@@ -1341,6 +1341,13 @@ namespace ASC.Api.Settings
             return IPRestrictionsService.Save(model.Ips, Tenant.TenantId);
         }
 
+        [Read("iprestrictions/settings")]
+        public IPRestrictionsSettings GetIpRestrictionsSettings()
+        {
+            PermissionContext.DemandPermissions(SecutiryConstants.EditPortalSettings);
+            return SettingsManager.Load<IPRestrictionsSettings>();
+        }
+
         [Update("iprestrictions/settings")]
         public IPRestrictionsSettings UpdateIpRestrictionsSettingsFromBody([FromBody] IpRestrictionsModel model)
         {

web/ASC.Web.Core/Users/UserManagerWrapper.cs

@@ -36,6 +36,7 @@ using ASC.Core;
 using ASC.Core.Common.Settings;
 using ASC.Core.Tenants;
 using ASC.Core.Users;
+using ASC.IPSecurity;
 using ASC.MessagingSystem;
 using ASC.Web.Core.PublicResources;
 using ASC.Web.Core.Utility;
@@ -259,7 +260,9 @@ namespace ASC.Web.Core.Users
             email = (email ?? "").Trim();
             if (!email.TestEmailRegex()) throw new ArgumentNullException(nameof(email), Resource.ErrorNotCorrectEmail);
 
-            if (!IPSecurity.Verify())
+            var settings = SettingsManager.Load<IPRestrictionsSettings>();
+
+            if (settings.Enable && !IPSecurity.Verify())
             {
                 throw new Exception(Resource.ErrorAccessRestricted);
             }