lib: return default IP if none could be extracted

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/events/models.py

@@ -149,7 +149,7 @@ class Event(ExpiringModel):
                     request.session[SESSION_IMPERSONATE_USER]
                 )
         # User 255.255.255.255 as fallback if IP cannot be determined
-        self.client_ip = get_client_ip(request) or "255.255.255.255"
+        self.client_ip = get_client_ip(request)
         # Apply GeoIP Data, when enabled
         self.with_geoip()
         # If there's no app set, we get it from the requests too

authentik/lib/utils/http.py

@@ -5,9 +5,10 @@ from django.http import HttpRequest
 
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
+DEFAULT_IP = "255.255.255.255"
 
 
-def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
+def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
     """Attempt to get the client's IP by checking common HTTP Headers.
     Returns none if no IP Could be found"""
     headers = (
@@ -19,7 +20,7 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
         if _header in meta:
             ips: list[str] = meta.get(_header).split(",")
             return ips[0].strip()
-    return None
+    return DEFAULT_IP
 
 
 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
@@ -37,7 +38,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
     return request.META[OUTPOST_REMOTE_IP_HEADER]
 
 
-def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> str:
     """Attempt to get the client's IP by checking common HTTP Headers.
     Returns none if no IP Could be found"""
     if request:
@@ -45,4 +46,4 @@ def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
         if override:
             return override
         return _get_client_ip_from_meta(request.META)
-    return None
+    return DEFAULT_IP

authentik/policies/expression/evaluator.py

@@ -50,9 +50,7 @@ class PolicyEvaluator(BaseEvaluator):
         """Update context based on http request"""
         # update website/docs/expressions/_objects.md
         # update website/docs/expressions/_functions.md
-        self._context["ak_client_ip"] = ip_address(
-            get_client_ip(request) or "255.255.255.255"
-        )
+        self._context["ak_client_ip"] = ip_address(get_client_ip(request))
         self._context["http_request"] = request
 
     def handle_error(self, exc: Exception, expression_source: str):

authentik/policies/reputation/models.py

@@ -30,7 +30,7 @@ class ReputationPolicy(Policy):
         return "ak-policy-reputation-form"
 
     def passes(self, request: PolicyRequest) -> PolicyResult:
-        remote_ip = get_client_ip(request.http_request) or "255.255.255.255"
+        remote_ip = get_client_ip(request.http_request)
         passing = True
         if self.check_ip:
             score = cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)

authentik/policies/reputation/signals.py

@@ -17,7 +17,7 @@ LOGGER = get_logger()
 
 def update_score(request: HttpRequest, username: str, amount: int):
     """Update score for IP and User"""
-    remote_ip = get_client_ip(request) or "255.255.255.255"
+    remote_ip = get_client_ip(request)
 
     # We only update the cache here, as its faster than writing to the DB
     cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)