lib: fix outpost fake-ip not working, add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-22 10:10:25 +02:00
parent 7370dd5f3f
commit c05240afbf
2 changed files with 82 additions and 9 deletions
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -40,24 +40,30 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
        or OUTPOST_TOKEN_HEADER not in request.META
    ):
        return None
+    fake_ip = request.META[OUTPOST_REMOTE_IP_HEADER]
    tokens = Token.filter_not_expired(
        key=request.META.get(OUTPOST_TOKEN_HEADER), intent=TokenIntents.INTENT_API
    )
    if not tokens.exists():
-        LOGGER.warning("Attempted remote-ip override without token")
+        LOGGER.warning("Attempted remote-ip override without token", fake_ip=fake_ip)
        return None
    user = tokens.first().user
-    if user.group_attributes().get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
+    if not user.group_attributes().get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
+        LOGGER.warning(
+            "Remote-IP override: user doesn't have permission",
+            user=user,
+            fake_ip=fake_ip,
+        )
        return None
-    return request.META[OUTPOST_REMOTE_IP_HEADER]
+    return fake_ip


 def get_client_ip(request: Optional[HttpRequest]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
-    if request:
-        override = _get_outpost_override_ip(request)
-        if override:
-            return override
-        return _get_client_ip_from_meta(request.META)
-    return DEFAULT_IP
+    if not request:
+        return DEFAULT_IP
+    override = _get_outpost_override_ip(request)
+    if override:
+        return override
+    return _get_client_ip_from_meta(request.META)