From f49cb3d6f3b6f9e1a315ae848a5191a3e801d7d3 Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Thu, 29 May 2025 15:44:21 +0200
Subject: [PATCH] Fix ip checks
---
 README.md | 1 +
 hmdooris/AppConfig.py | 13 ++++++++++---
 hmdooris/BottleHelpers.py | 2 +-
 hmdooris/__main__.py | 4 ++--
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 5751428..4aa1912 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ All configuration is handled through environment variables.
 | Name | Default | Description |
 |---------------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| `HMDOORIS_ALLOWED_IPS` | - | List of IP addresses in CIDR notation that are allowed to control the locks |
 | `HMDOORIS_URL` | `http://localhost:3000` | URL of the application, used to construct links to itself |
 | `HMDOORIS_DISCOVERY_URL` | `http://localhost:8080/realms/testing/.well-known/openid-configuration` | OIDC configuration discovery URL |
 | `HMDOORIS_CLIENT_ID` | `hmdooris` | OIDC client ID |
diff --git a/hmdooris/AppConfig.py b/hmdooris/AppConfig.py
index d4380d2..8d28c69 100644
--- a/hmdooris/AppConfig.py
+++ b/hmdooris/AppConfig.py
@@ -12,6 +12,8 @@ class AppConfig:
         """
         Gets the config from environment variables
         """
+        self.log = logging.getLogger(__name__)
+
         self.basepath = path.dirname(__file__)
         self.debug = getenv("DEBUG", None)
         self.staticpath = path.join(self.basepath, "static")
@@ -28,13 +30,17 @@ class AppConfig:
         self.ccujack_certificate_path = getenv('HMDOORIS_CCU_CERTIFICATE_PATH', None)
         self.ccujack_username = getenv('HMDOORIS_CCUJACK_USERNAME', None)
         self.ccujack_password = getenv('HMDOORIS_CCUJACK_PASSWORD', None)
-        self.log = logging.getLogger(__name__)
         if self.debug is not None and self.debug.lower not in ('0', 'f', 'false'):
             self.debug = True
         else:
             self.debug = False
+        self.allowed = []
+        for a in getenv('HMDOORIS_ALLOWED_IPS', '').split(' '):
+            if a != '':
+                self.allowed.append(a)
+
         if self.client_secret is None or self.client_secret == '':
             raise ValueError('You need to provide HMDOORIS_CLIENT_SECRET')
         if self.ccujack_url is None or self.ccujack_url == '':
@@ -45,9 +51,10 @@ class AppConfig:
         else:
             p = Path(self.ccujack_certificate_path)
             if not p.is_file():
-                self.log.warning(f'Unable to read certificate file {self.ccujack_certificate_path}, certificate verification might not work')
+                self.log.warning(
+                    f'Unable to read certificate file {self.ccujack_certificate_path}, certificate verification might not work')
         self.oidc = {
             'client_id': self.client_id,
-        }
\ No newline at end of file
+        }
diff --git a/hmdooris/BottleHelpers.py b/hmdooris/BottleHelpers.py
index 92ad45c..45fc206 100644
--- a/hmdooris/BottleHelpers.py
+++ b/hmdooris/BottleHelpers.py
@@ -17,7 +17,7 @@ class BottleHelpers:
     def require_login(self, func: Callable) -> Callable:
         if self.group is not None:
-            return self.auth.require_login(auth.require_attribute('groups', self.group)(func))
+            return self.auth.require_login(self.auth.require_attribute('groups', self.group)(func))
         else:
             return self.auth.require_login(func)
diff --git a/hmdooris/__main__.py b/hmdooris/__main__.py
index c0802d9..7b32be3 100644
--- a/hmdooris/__main__.py
+++ b/hmdooris/__main__.py
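Review bot: The entries read from `HMDOORIS_ALLOWED_IPS` in the new `self.allowed` loop are kept as raw strings and never parsed, so a malformed entry (the README documents CIDR notation) only surfaces when `require_sourceip` evaluates it on the first request, whereas the `client_secret` and `ccujack_url` checks directly below fail at startup. Parsing each entry here, e.g. `self.allowed = [ipaddress.ip_network(a, strict=False) for a in getenv('HMDOORIS_ALLOWED_IPS', '').split()]` (with `import ipaddress` at the top of the file), fails fast with a clear `ValueError`, and `split()` also tolerates tabs and repeated spaces while dropping the empty entries the loop filters by hand; whether the stored values must stay strings or may become network objects depends on what `require_sourceip` compares, which is outside this diff. The README gives no default for the variable, so the code (and README) should state whether an empty list denies every source or disables the check, and if denial is intended a startup `ValueError` on an empty list would match the surrounding checks. Unrelated to the added lines but visible in the context, `self.debug.lower not in ('0', 'f', 'false')` tests a bound method rather than the string, so any non-empty `DEBUG` value, including `0` or `false`, enables debug mode; `self.debug.lower()` is the intended comparison.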
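Review bot: The corrected `self.auth.require_attribute(...)` branch of `require_login` only runs when `self.group` is set, which is why the bare `auth` NameError survived until now; a test that builds `BottleHelpers` with a group and wraps a dummy handler would have caught it and would keep the group-gated path covered. The `else:` after an unconditional `return` can be dropped so the method reads as two guard clauses. The remainder of `BottleHelpers`, including `require_sourceip` and the constructor that now receives `allowed`, lies outside this hunk.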
@@ -40,7 +40,7 @@ auth = BottleOIDC(app, config={
 })
 websocket_clients = WebSocketClients()
-bottle_helpers = BottleHelpers(auth, config.requires_group)
+bottle_helpers = BottleHelpers(auth, group=config.requires_group, allowed=config.allowed)
 update_poller = UpdatePoller(websocket_clients, ccujack, 1 if config.debug else 0.1)
@@ -51,12 +51,12 @@ def server_static(filepath):
 @app.get("/")
 @jinja2_view("home.html.j2")
-@bottle_helpers.require_sourceip
 def root():
     return {}
 @app.get("/operate")
 @bottle_helpers.require_login
+@bottle_helpers.require_sourceip
 @jinja2_view("operate.html.j2")
 def root():
     return {}
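Review bot: Both view functions in the `@@ -51` hunk are named `root`, so the `/operate` handler rebinds the module-level name the `/` handler just defined; Bottle has already registered each callable, so routing still works, but the duplicate reads as a copy-paste slip and hides the first function from anything that looks it up by name, so `def operate():` for the second one would be clearer. With the new decorator order `require_login` is outermost, so a request from a non-allowed address is pushed through the OIDC login flow before `require_sourceip` ever runs; if the source check does not depend on login state, placing `@bottle_helpers.require_sourceip` above `@bottle_helpers.require_login` rejects such requests before any session or redirect work. How much the check is worth also depends on how `require_sourceip` (not in this diff) determines the client address: if the application runs behind a reverse proxy and reads a forwarded header, that header must only be honoured when the request comes from the proxy itself, otherwise the allow list can be sidestepped by whoever controls the header.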