Check Iinternal IP and pre shared api key

NebraLtd · Jan 7, 2023 · cc0fb26 · cc0fb26
1 parent 1916b46
commit cc0fb26
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/hw_diag/views/auth.py b/hw_diag/views/auth.py
@@ -1,6 +1,7 @@
 import logging
 import os
 import datetime
+import ipaddress
 
 from flask import Blueprint
 from flask import render_template
@@ -28,6 +29,8 @@
 AUTH = Blueprint('AUTH', __name__)
 LOGIN_FORM_TEMPLATE = 'login_form.html'
 
+DOCKER_SUBNET = '172.17.0.0/16'
+
 
 @AUTH.route('/login', methods=['GET'])
 def get_login_form():
@@ -160,6 +163,10 @@ def display_password_reset_page():
 def handle_reset_password():
     # Check this originates from the docker private subnet, only
     # internal containers should be privileged to reset the password.
+    request_ip = request.remote_addr
+    if ipaddress.ip_address(request_ip) not in ipaddress.ip_network(DOCKER_SUBNET):
+        return 'Unauthorised', 401
+
     password_reset = perform_password_reset()
     return jsonify({'password_updated': password_reset})
 

diff --git a/requirements.txt b/requirements.txt
@@ -16,6 +16,7 @@ dbus-python==1.2.16
 hm-pyhelper==0.13.45
 python-gnupg==0.5.0
 pydantic==1.10.4
+ipaddress==1.0.23
 icmplib==3.0.3
 uptime==3.0.1
 persist-queue==0.8.0