Merge branch '245-authentifikation-bei-rwth-intern-uber-ips-erlauben' into 'master'

Resolve "Authentifikation bei RWTH-Intern über IPs erlauben" Closes #245 See merge request !9

Merge branch '245-authentifikation-bei-rwth-intern-uber-ips-erlauben' into 'master'
507588e5 · Julian Rother · afe041c2 · 00bc63c7 · 507588e5 · 507588e5
Commit 507588e5 authored 8 years ago by Julian Rother
--- a/config.py.example
+++ b/config.py.example
@@ -26,3 +26,4 @@ SQLITE_INIT_DATA = True
 #LDAP_HOST = 'ldaps://rumo.fsmpi.rwth-aachen.de'
 #ICAL_URL = 'https://user:password@mail.fsmpi.rwth-aachen.de/SOGo/....ics'
 ERROR_PAGE = 'static/500.html'
+RWTH_IP_RANGES = ['134.130.0.0/16', '137.226.0.0/16', '134.61.0.0/16', '192.35.229.0/24', '2a00:8a60::/32']
--- a/server.py
+++ b/server.py
@@ -11,6 +11,7 @@ import sched
 import traceback
 import string
 from socket import gethostname
+from ipaddress import ip_address, ip_network

 app = Flask(__name__)

@@ -142,6 +143,12 @@ def checkperm(perms, username=None, password=None):
 		elif perm['type'] == 'rwth':
 			if session.get('rwthintern', False):
 				return True
+			if 'X-Real-IP' not in request.headers:
+				continue
+			ip = ip_address(request.headers['X-Real-IP'])
+			for net in config['RWTH_IP_RANGES']:
+				if ip in ip_network(net):
+					return True
 	return False

 @app.template_filter()
@@ -574,7 +581,6 @@ def auth(): # For use with nginx auth_request
 	if 'X-Original-Uri' not in request.headers:
 		return 'Internal Server Error', 500
 	url = request.headers['X-Original-Uri'].lstrip(config['VIDEOPREFIX'])
-	ip = request.headers.get('X-Real-IP', '')
 	if request.cookies.get('tracking', '') and request.cookies['tracking'].isdigit():
 		cookie = int(request.cookies['tracking'])
 	else: