upstream/kallithea Commit - r3212:6c28533d

IP restrictions now also enabled for IPv6

marcink -

r3212:6c28533d beta

parent child

rhodecode/lib/auth.py

0 +17 -4

             from pylons import config, url, request
             from pylons.controllers.util import abort, redirect
             from pylons.i18n.translation import _
+            from sqlalchemy.orm.exc import ObjectDeletedError
             from rhodecode import __platform__, is_windows, is_unix
             from rhodecode.model.meta import Session
                         user_ips = user_ips.options(FromCache("sql_cache_short",
                                                               "get_user_ips_%s" % user_id))
                     for ip in user_ips:
-                        _set.add(ip.ip_addr)
+                        try:
-                    return _set or set(['0.0.0.0/0'])
+                            _set.add(ip.ip_addr)
+                        except ObjectDeletedError:
+                            # since we use heavy caching sometimes it happens that we get
+                            # deleted objects here, we just skip them
+                            pass
+                    return _set or set(['0.0.0.0/0', '::/0'])
             def set_available_permissions(config):
                 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
                 if isinstance(allowed_ips, (tuple, list, set)):
                     for ip in allowed_ips:
-                        if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
+                        try:
-                            return True
+                            if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
+                                return True
+                            # for any case we cannot determine the IP, don't crash just
+                            # skip it and log as error, we want to say forbidden still when
+                            # sending bad IP
+                        except Exception:
+                            log.error(traceback.format_exc())
+                            continue
                 return False

rhodecode/model/db.py

0 +1 -1

                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     from rhodecode.lib import ipaddr
-                    net = ipaddr.IPv4Network(ip_addr)
+                    net = ipaddr.IPNetwork(address=ip_addr)
                     return [str(net.network), str(net.broadcast)]
                 def __json__(self):

rhodecode/model/validators.py

0 +19 -22

@@ -14,6 +14,7 b' from formencode.validators import ('
14	NotEmpty, IPAddress, CIDR	14	NotEmpty, IPAddress, CIDR
15	)	15	)
16	from rhodecode.lib.compat import OrderedSet	16	from rhodecode.lib.compat import OrderedSet
		17	from rhodecode.lib import ipaddr
17	from rhodecode.lib.utils import repo_name_slug	18	from rhodecode.lib.utils import repo_name_slug
18	from rhodecode.model.db import RepoGroup, Repository, UsersGroup, User,\	19	from rhodecode.model.db import RepoGroup, Repository, UsersGroup, User,\
19	ChangesetStatus	20	ChangesetStatus
@@ -711,35 +712,31 b' def NotReviewedRevisions(repo_id):'
711	def ValidIp():	712	def ValidIp():
712	class _validator(CIDR):	713	class _validator(CIDR):
713	messages = dict(	714	messages = dict(
714	badFormat=_('Please enter a valid IP address ~~(a.b.c.d)~~'),	715	badFormat=_('Please enter a valid IPv4 or IpV6 address'),
715	illegalOctets=_('The octets must be within the range of 0-255'
716	' (not %(octet)r)'),
717	illegalBits=_('The network size (bits) must be within the range'	716	illegalBits=_('The network size (bits) must be within the range'
718	' of 0-32 (not %(bits)r)'))	717	' of 0-32 (not %(bits)r)'))
719		718
		719	def to_python(self, value, state):
		720	v = super(_validator, self).to_python(value, state)
		721	v = v.strip()
		722	net = ipaddr.IPNetwork(address=v)
		723	if isinstance(net, ipaddr.IPv4Network):
		724	#if IPv4 doesn't end with a mask, add /32
		725	if '/' not in value:
		726	v += '/32'
		727	if isinstance(net, ipaddr.IPv6Network):
		728	#if IPv6 doesn't end with a mask, add /128
		729	if '/' not in value:
		730	v += '/128'
		731	return v
		732
720	def validate_python(self, value, state):	733	def validate_python(self, value, state):
721	try:	734	try:
722	# Split into octets and bits	735	addr = value.strip()
723	if '/' in value: # a.b.c.d/e	736	#this raises an ValueError if address is not IpV4 or IpV6
724	addr, bits = value.split('/')	737	ipaddr.IPNetwork(address=addr)
725	else: # a.b.c.d
726	addr, bits = value, 32
727	# Use IPAddress validator to validate the IP part
728	IPAddress.validate_python(self, addr, state)
729	# Bits (netmask) correct?
730	if not 0 <= int(bits) <= 32:
731	raise formencode.Invalid(
732	self.message('illegalBits', state, bits=bits),
733	value, state)
734	# Splitting faild: wrong syntax
735	except ValueError:	738	except ValueError:
736	raise formencode.Invalid(self.message('badFormat', state),	739	raise formencode.Invalid(self.message('badFormat', state),
737	value, state)	740	value, state)
738		741
739	def to_python(self, value, state):
740	v = super(_validator, self).to_python(value, state)
741	#if IP doesn't end with a mask, add /32
742	if '/' not in value:
743	v += '/32'
744	return v
745	return _validator	742	return _validator

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages