Client Access Lists #360
Docker Image for build 2 is available on DockerHub as
Docker Image for build 3 is available on DockerHub as
@jc21 happy to do it, I would really benefit from the feature. I intentionally marked this PR as WIP because there are a couple of fairly significant items that need to be finished to make this complete. You've hit on one of them. I'm not sure what the best way to handle that one is either. It doesn't look like the JSON API spec supports multiple validation formats? I could do it as one big regex, but that would get really ugly really fast because valid data could be an IPv4 address, IPv6 address or a CIDR notation of either. I didn't see an example in the codebase of doing validation in what I'll call the controller either? I may just have not known where to look. If you can provide an example of doing validation outside of the JSON schema I'll be happy to implement it.
So this line here is where the JSON payload is validated in the API Handler: And this is the json schema validation for that one as you already know: for the "address":

```json
"address": {
  "oneOf": [
    {
      "type": "string",
      "format": "ipv4"
    },
    {
      "type": "string",
      "pattern": "^regexHere$"
    },
    {
      "type": "string",
      "pattern": "^anotherRegexHere$"
    }
  ]
}
```

I wouldn't worry about validating anywhere else, as the incoming data is guaranteed to be valid at this point.
Perfect, the Is there something similar to make sure that either an "item" or "client" is provided? I have them both set as
AJV is the validation library I'm using and it has some great simple documentation for your options: https://github.com/epoberezkin/ajv#validation-keywords Yes you can make sure that either one of them is completed in the json schema, but the only way to do it is really stupid and you have to wrap what you have in a "oneOf" array and duplicate a lot of the json schema as is. So I don't recommend that. Instead I would just have a quick check here: to make sure that the length of the items in the
ie:

```javascript
create: (access, data) => {
    return access.can('access_lists:create', data)
        .then((/*access_data*/) => {
            // Reject a list that carries neither auth users (items) nor client addresses (clients)
            if ((typeof data.items === 'undefined' || !data.items.length) && (typeof data.clients === 'undefined' || !data.clients.length)) {
                throw new error.InternalValidationError('At least one user/pass or address must be defined');
            }
            // ...
        });
}
```
now accepts CIDR notation, IPv6 or the string 'any'
Docker Image for build 4 is available on DockerHub as
this ensures that an access list is 'secure by default' and requires the user to create exceptions or holes in the protection instead of building the wall entirely. This also means that we no longer require the user to input any username/passwords or client addresses and can avoid internal errors which generate unhelpful user errors.
Docker Image for build 5 is available on DockerHub as
This should be fully functional now. It could use a pretty thorough peer review as I'm sure there is some refactoring that could take place. In particular, this expansion feels gross but I don't see a cleaner solution.
Awesome. Just verified it works as expected! I'll be able to fix up any "mess" later. Thanks heaps for the contribution!
@Indemnity83 would it also be possible with this feature to allow the IP's in the list and if the IP is not in the list, provide the HTTP Auth?
That's exactly what the "satisfy any" option does.
Totally missed that, thanks! Great addition to the repo, awesome work man!
This PR adds client (IP address) based access control to the application in a way that aims to cover the 80% case based on #356
There are a few significant outstanding tasks remaining to make this ready for showtime.
Write tests