feat: add support for global ip filters (#567)

internal/bootstrap/service_bootstrap.go

@@ -67,6 +67,7 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 		LoginTimeout:       app.config.Auth.LoginTimeout,
 		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
 		SessionCookieName:  app.context.sessionCookieName,
+		IP:                 app.config.Auth.IP,
 	}, dockerService, services.ldapService, queries)
 
 	err = authService.Init()

internal/config/config.go

@@ -40,6 +40,7 @@ type ServerConfig struct {
 }
 
 type AuthConfig struct {
+	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
 	Users              string   `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
 	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
 	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
@@ -49,6 +50,11 @@ type AuthConfig struct {
 	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
 }
 
+type IPConfig struct {
+	Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
+	Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
+}
+
 type OAuthConfig struct {
 	Whitelist    string                        `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
 	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`

internal/controller/proxy_controller.go

@@ -179,9 +179,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if userContext.IsLoggedIn {
-		appAllowed := controller.auth.IsResourceAllowed(c, userContext, acls)
+		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
 
-		if !appAllowed {
+		if !userAllowed {
 			log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
 
 			if req.Proxy == "nginx" || !isBrowser {

internal/service/auth_service.go

@@ -35,6 +35,7 @@ type AuthServiceConfig struct {
 	LoginTimeout       int
 	LoginMaxRetries    int
 	SessionCookieName  string
+	IP                 config.IPConfig
 }
 
 type AuthService struct {
@@ -352,7 +353,7 @@ func (auth *AuthService) UserAuthConfigured() bool {
 	return len(auth.config.Users) > 0 || auth.ldap != nil
 }
 
-func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {
+func (auth *AuthService) IsUserAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
 		return utils.CheckFilter(acls.OAuth.Whitelist, context.Email)
@@ -435,7 +436,11 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
 }
 
 func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
-	for _, blocked := range acls.Block {
+	// Merge the global and app IP filter
+	blockedIps := append(auth.config.IP.Block, acls.Block...)
+	allowedIPs := append(auth.config.IP.Allow, acls.Allow...)
+
+	for _, blocked := range blockedIps {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
 			log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
@@ -447,7 +452,7 @@ func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
 		}
 	}
 
-	for _, allowed := range acls.Allow {
+	for _, allowed := range allowedIPs {
 		res, err := utils.FilterIP(allowed, ip)
 		if err != nil {
 			log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
@@ -459,7 +464,7 @@ func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
 		}
 	}
 
-	if len(acls.Allow) > 0 {
+	if len(allowedIPs) > 0 {
 		log.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
 		return false
 	}