up
Some checks failed
Build Test Deploy / build-test (push) Has been cancelled
Build Test Deploy / authority-container (push) Has been cancelled
Build Test Deploy / docs (push) Has been cancelled
Build Test Deploy / deploy (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Build Test Deploy / build-test (push) Has been cancelled
Build Test Deploy / authority-container (push) Has been cancelled
Build Test Deploy / docs (push) Has been cancelled
Build Test Deploy / deploy (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
This commit is contained in:
root
@@ -0,0 +1,54 @@
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using NetTools;
|
||||
using System;
|
||||
using System.Linq;
|
||||
using System.Net;
|
||||
using System.Collections.Generic;
|
||||
using Ablera.Serdica.Authentication.Utilities;
|
||||
using Ablera.Serdica.Authentication.Models.Oidc;
|
||||
using Ablera.Serdica.Common.Tools.Utilities;
|
||||
|
||||
namespace Ablera.Serdica.Authority.Extensions;
|
||||
|
||||
public static class AllowedMaskExtensions
|
||||
{
|
||||
// Lazily built the first time AllowedMaskExtensions is referenced.
|
||||
private static readonly IReadOnlyCollection<IPAddressRange> AssociatedNetworks = ListeningNetworksRetriever.Retrieve();
|
||||
|
||||
public static AllowedMask? MergeWith(this AllowedMask? client, AllowedMask? global)
|
||||
=> (client, global) switch
|
||||
{
|
||||
(null, null) => null,
|
||||
(null, _) => global,
|
||||
_ => new()
|
||||
{
|
||||
SameNetworks = client.SameNetworks ?? global?.SameNetworks,
|
||||
Networks = client.Networks ?? global?.Networks,
|
||||
Hosts = client.Hosts ?? global?.Hosts,
|
||||
Ports = client.Ports ?? global?.Ports
|
||||
}
|
||||
};
|
||||
|
||||
public static bool MatchesRemote(this AllowedMask allow, HttpContext http)
|
||||
{
|
||||
var remoteIp = http.Connection.RemoteIpAddress ?? IPAddress.None;
|
||||
var host = http.Request.Host.Host;
|
||||
var port = http.Request.Host.Port ?? 0;
|
||||
|
||||
bool ipOk = allow.Networks == null ||
|
||||
allow.Networks.Any(net => IPAddressRange.Parse(net).Contains(remoteIp));
|
||||
|
||||
bool hostOk = allow.Hosts == null ||
|
||||
allow.Hosts.Any(h => StringComparer.OrdinalIgnoreCase.Equals(h, host));
|
||||
|
||||
bool portOk = allow.Ports == null || allow.Ports.Contains(port);
|
||||
|
||||
// Same-network rule: only enforced when SameNetwork == true
|
||||
bool sameNetworkOk =
|
||||
allow.SameNetworks != true || // Flag not enabled → no restriction
|
||||
AssociatedNetworks == null || // Could not determine our own network
|
||||
AssociatedNetworks.Any(network => network.Contains(remoteIp));
|
||||
|
||||
return ipOk && hostOk && portOk && sameNetworkOk;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user