From f9da8e402619fa5e4cab70c4d45a091606dbacab Mon Sep 17 00:00:00 2001
From: SuhorukovAnton
Date: Thu, 7 Apr 2022 13:19:30 +0300
Subject: [PATCH] iprestrictions fix Verify add check enable add api method
---
 .../Middleware/IpSecurityFilter.cs | 8 +++-
 .../ASC.IPSecurity/IPRestrictionsService.cs | 2 +-
 common/ASC.IPSecurity/IPSecurity.cs | 45 +++++++++++++++++++
 .../Controllers/SettingsController.cs | 7 +++
 web/ASC.Web.Core/Users/UserManagerWrapper.cs | 5 ++-
 5 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/common/ASC.Api.Core/Middleware/IpSecurityFilter.cs b/common/ASC.Api.Core/Middleware/IpSecurityFilter.cs
index 0b8741c2e5..dfd0547a58 100644
--- a/common/ASC.Api.Core/Middleware/IpSecurityFilter.cs
+++ b/common/ASC.Api.Core/Middleware/IpSecurityFilter.cs
@@ -3,6 +3,7 @@
 using ASC.Common;
 using ASC.Common.Logging;
 using ASC.Core;
+using ASC.Core.Common.Settings;
 using ASC.IPSecurity;
 
 using Microsoft.AspNetCore.Mvc;
@@ -19,9 +20,11 @@ namespace ASC.Api.Core.Middleware
 public IpSecurityFilter(
 IOptionsMonitor options,
 AuthContext authContext,
- IPSecurity.IPSecurity IPSecurity)
+ IPSecurity.IPSecurity IPSecurity,
+ SettingsManager settingsManager)
 {
 log = options.CurrentValue;
+ IPRestrictionsSettings = settingsManager.Load();
 AuthContext = authContext;
 this.IPSecurity = IPSecurity;
 }
@@ -36,7 +39,8 @@ namespace ASC.Api.Core.Middleware
 
 public void OnResourceExecuting(ResourceExecutingContext context)
 {
- if (AuthContext.IsAuthenticated && !IPSecurity.Verify())
+
+ if (IPRestrictionsSettings.Enable && AuthContext.IsAuthenticated && !IPSecurity.Verify())
 {
 context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
 log.WarnFormat("IPSecurity: user {0}", AuthContext.CurrentAccount.ID);
diff --git a/common/ASC.IPSecurity/IPRestrictionsService.cs b/common/ASC.IPSecurity/IPRestrictionsService.cs
index 3f459bf4df..57bbf57b00 100644
--- a/common/ASC.IPSecurity/IPRestrictionsService.cs
+++ b/common/ASC.IPSecurity/IPRestrictionsService.cs
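Review bot: `IPRestrictionsSettings = settingsManager.Load();` in the constructor takes a snapshot for the lifetime of the filter instance, so the `IPRestrictionsSettings.Enable` gate in OnResourceExecuting will not see an admin toggling the setting and, if the filter instance is shared across requests or tenants, may not even hold the current tenant's value; UserManagerWrapper in this same patch loads the settings per call, and the filter should too — keep `SettingsManager` as a field and write `if (SettingsManager.Load().Enable && AuthContext.IsAuthenticated && !IPSecurity.Verify())` (type argument omitted here because this rendering drops generic arguments everywhere). The `IPRestrictionsSettings` member being assigned is not declared anywhere in this patch, so either it already exists on the class or the change does not compile. The extra blank line added at the top of the method body is noise and should go.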
@@ -75,7 +75,7 @@ namespace ASC.IPSecurity
 {
 var key = IPRestrictionsServiceCache.GetCacheKey(tenant);
 var restrictions = cache.Get>(key);
- if (restrictions == null)
+ if (restrictions == null || restrictions.Count == 0)
 {
 restrictions = IPRestrictionsRepository.Get(tenant);
 cache.Insert(key, restrictions, timeout);
diff --git a/common/ASC.IPSecurity/IPSecurity.cs b/common/ASC.IPSecurity/IPSecurity.cs
index 0153b97949..33faa8e7e9 100644
--- a/common/ASC.IPSecurity/IPSecurity.cs
+++ b/common/ASC.IPSecurity/IPSecurity.cs
@@ -25,8 +25,10 @@
 
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Net.Sockets;
 using System.Web;
 
 using ASC.Common;
@@ -55,6 +57,7 @@ namespace ASC.IPSecurity
 private SettingsManager SettingsManager { get; }
 
 private readonly string CurrentIpForTest;
+ private readonly string MyNetworks;
 
 public IPSecurity(
 IConfiguration configuration,
@@ -72,6 +75,7 @@ namespace ASC.IPSecurity
 IPRestrictionsService = iPRestrictionsService;
 SettingsManager = settingsManager;
 CurrentIpForTest = configuration["ipsecurity:test"];
+ MyNetworks = configuration["ipsecurity.mynetworks"];
 var hideSettings = (configuration["web:hide-settings"] ?? "").Split(new[] { ',', ';', ' ' });
 IpSecurityEnabled = !hideSettings.Contains("IpSecurity", StringComparer.CurrentCultureIgnoreCase);
 }
@@ -109,6 +113,10 @@ namespace ASC.IPSecurity
 {
 return true;
 }
+ if (IsMyNetwork(ips))
+ {
+ return true;
+ }
 }
 catch (Exception ex)
 {
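Review bot: Treating an empty list the same as a cache miss (`restrictions == null || restrictions.Count == 0`) means a tenant with no IP restrictions never benefits from the cache: every lookup for such a tenant goes to IPRestrictionsRepository.Get and re-inserts the empty list. If the intent is to see newly saved restrictions before `timeout` expires, invalidating the key in Save is the cheaper fix; if an empty result is legitimately cacheable, the condition should go back to the null check. Either way a one-line comment stating the reason, e.g. `// an empty list is deliberately not cached so restrictions added after the first lookup take effect immediately`, would keep the next reader from "fixing" it back. The enclosing method starts and ends outside the hunk.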
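Review bot: The new setting is read as `configuration["ipsecurity.mynetworks"]` while the neighbouring key uses the section separator (`configuration["ipsecurity:test"]`); in Microsoft.Extensions.Configuration `:` delimits sections, so a value placed under an `ipsecurity` section (or supplied as the `ipsecurity__mynetworks` environment variable) is not found under the dotted key and the network allow-list silently stays empty. Unless the dotted key is deliberate and documented, use `MyNetworks = configuration["ipsecurity:mynetworks"];`. The `IsMyNetwork(ips)` short-circuit added to Verify (hunk @@ -109) exempts matching addresses from every tenant's restrictions, so that deserves a comment at the call site, e.g. `// requests from the portal's own host or an operator-configured network are never blocked by tenant IP restrictions`; Verify starts and ends outside the hunk.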
@@ -140,5 +148,42 @@ namespace ASC.IPSecurity
 var portIdx = ip.IndexOf(':');
 return portIdx > 0 ? ip.Substring(0, portIdx) : ip;
 }
+
+ private bool IsMyNetwork(string[] ips)
+ {
+ try
+ {
+ if (!string.IsNullOrEmpty(MyNetworks))
+ {
+ var myNetworkIps = MyNetworks.Split(new[] { ",", " " }, StringSplitOptions.RemoveEmptyEntries);
+
+ if (ips.Any(requestIp => myNetworkIps.Any(ipAddress => MatchIPs(GetIpWithoutPort(requestIp), ipAddress))))
+ {
+ return true;
+ }
+ }
+
+ var hostName = Dns.GetHostName();
+ var hostAddresses = Dns.GetHostAddresses(Dns.GetHostName());
+
+ var localIPs = new List { IPAddress.IPv6Loopback, IPAddress.Loopback };
+
+ localIPs.AddRange(hostAddresses.Where(ip => ip.AddressFamily == AddressFamily.InterNetwork || ip.AddressFamily == AddressFamily.InterNetworkV6));
+
+ foreach (var ipAddress in localIPs)
+ {
+ if (ips.Contains(ipAddress.ToString()))
+ {
+ return true;
+ }
+ }
+ }
+ catch (Exception ex)
+ {
+ Log.ErrorFormat("Can't verify local network from request with IP-address: {0}", string.Join(",", ips), ex);
+ }
+
+ return false;
+ }
 }
 }
\ No newline at end of file
diff --git a/web/ASC.Web.Api/Controllers/SettingsController.cs b/web/ASC.Web.Api/Controllers/SettingsController.cs
index 4021d0b1ce..096d8d8e19 100644
--- a/web/ASC.Web.Api/Controllers/SettingsController.cs
+++ b/web/ASC.Web.Api/Controllers/SettingsController.cs
@@ -1341,6 +1341,13 @@ namespace ASC.Api.Settings
 return IPRestrictionsService.Save(model.Ips, Tenant.TenantId);
 }
 
+ [Read("iprestrictions/settings")]
+ public IPRestrictionsSettings GetIpRestrictionsSettings()
+ {
+ PermissionContext.DemandPermissions(SecutiryConstants.EditPortalSettings);
+ return SettingsManager.Load();
+ }
+
 [Update("iprestrictions/settings")]
 public IPRestrictionsSettings UpdateIpRestrictionsSettingsFromBody([FromBody] IpRestrictionsModel model)
 {
diff --git a/web/ASC.Web.Core/Users/UserManagerWrapper.cs b/web/ASC.Web.Core/Users/UserManagerWrapper.cs
index ba9c0fee41..89a21abd36 100644
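Review bot: The two branches of IsMyNetwork normalise the request address differently: the MyNetworks branch strips the port via GetIpWithoutPort, but the loopback/host branch does `ips.Contains(ipAddress.ToString())` on the raw strings, so `127.0.0.1:54321` matches one and not the other — and GetIpWithoutPort itself cuts a bare IPv6 literal at its first colon (`fe80::1` becomes `fe80`), so both paths should go through one IPv6-aware normalisation (e.g. `IPEndPoint.TryParse` on .NET Core 3+) before comparing. Whether this bypass is safe at all depends on where `ips` comes from, which is outside the hunk: if it includes header-supplied addresses such as a forwarded-for chain, a client can present a loopback or host address and clear the restriction, so only the connection's own remote address should be eligible here. `hostName` is assigned and never used while `Dns.GetHostName()` is called twice (`var hostAddresses = Dns.GetHostAddresses(Dns.GetHostName());` can drop the line before it), and that synchronous DNS lookup now runs on every Verify call that reaches this point. In the catch, `ex` is passed as a trailing format argument to `Log.ErrorFormat` whose template has only `{0}`; if that overload is `(string, params object[])` the exception is discarded, so use the overload that takes the exception explicitly.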
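Review bot: The new `GetIpRestrictionsSettings` action has no XML doc comment; add `/// <summary>Returns the portal's IP restrictions settings, including whether enforcement is enabled.</summary>` and a `<returns>` line above the `[Read]` attribute, matching whatever the neighbouring actions carry. Its permission check mirrors the Update action below it, which is the right gate for reading a security setting. `SettingsManager.Load()` appears here without its type argument, as everywhere in this rendering; confirm it is `Load<IPRestrictionsSettings>()` in the real source.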
--- a/web/ASC.Web.Core/Users/UserManagerWrapper.cs
+++ b/web/ASC.Web.Core/Users/UserManagerWrapper.cs
@@ -36,6 +36,7 @@ using ASC.Core;
 using ASC.Core.Common.Settings;
 using ASC.Core.Tenants;
 using ASC.Core.Users;
+using ASC.IPSecurity;
 using ASC.MessagingSystem;
 using ASC.Web.Core.PublicResources;
 using ASC.Web.Core.Utility;
@@ -259,7 +260,9 @@ namespace ASC.Web.Core.Users
 email = (email ?? "").Trim();
 if (!email.TestEmailRegex()) throw new ArgumentNullException(nameof(email), Resource.ErrorNotCorrectEmail);
 
- if (!IPSecurity.Verify())
+ var settings = SettingsManager.Load();
+
+ if (settings.Enable && !IPSecurity.Verify())
 {
 throw new Exception(Resource.ErrorAccessRestricted);
 }
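Review bot: The gate `settings.Enable && !IPSecurity.Verify()` is now spelled out by each caller (IpSecurityFilter.OnResourceExecuting does the same in this patch), so any caller that forgets the Enable check, or a future one that only calls Verify, enforces differently; since IPSecurity already has SettingsManager injected (hunk @@ -72 of IPSecurity.cs), the check belongs inside `IPSecurity.Verify()` and this line can stay `if (!IPSecurity.Verify())`. If the duplication is kept, give the local a name that says what it holds, e.g. `var ipRestrictions = SettingsManager.Load();`, since the surrounding method (which starts and ends outside the hunk) presumably deals with other settings too.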