From cc0fb26e91e8fa7f6d083a6d5d2126c00f0d48f3 Mon Sep 17 00:00:00 2001
From: Robert Putt
Date: Sat, 7 Jan 2023 18:26:36 +0000
Subject: [PATCH] Check Iinternal IP and pre shared api key

---
 hw_diag/views/auth.py | 7 +++++++
 requirements.txt | 1 +
 2 files changed, 8 insertions(+)

diff --git a/hw_diag/views/auth.py b/hw_diag/views/auth.py
index 5c62e287..8a234ab9 100644
--- a/hw_diag/views/auth.py
+++ b/hw_diag/views/auth.py
@@ -1,6 +1,7 @@
 import logging
 import os
 import datetime
+import ipaddress
 
 from flask import Blueprint
 from flask import render_template
@@ -28,6 +29,8 @@ AUTH = Blueprint('AUTH', __name__)
 
 LOGIN_FORM_TEMPLATE = 'login_form.html'
 
+DOCKER_SUBNET = '172.17.0.0/16'
+
 
 @AUTH.route('/login', methods=['GET'])
 def get_login_form():
@@ -160,6 +163,10 @@ def display_password_reset_page():
 def handle_reset_password():
     # Check this originates from the docker private subnet, only
     # internal containers should be privileged to reset the password.
+    request_ip = request.remote_addr
+    if ipaddress.ip_address(request_ip) not in ipaddress.ip_network(DOCKER_SUBNET):
+        return 'Unauthorised', 401
+
     password_reset = perform_password_reset()
     return jsonify({'password_updated': password_reset})
 
diff --git a/requirements.txt b/requirements.txt
index 6f8ffe0b..3788ce91 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,6 +16,7 @@ dbus-python==1.2.16
 hm-pyhelper==0.13.45
 python-gnupg==0.5.0
 pydantic==1.10.4
+ipaddress==1.0.23
 icmplib==3.0.3
 uptime==3.0.1
 persist-queue==0.8.0
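Review bot: `DOCKER_SUBNET = '172.17.0.0/16'` hard-codes Docker's default bridge range, but containers on a user-defined or compose-created network are typically assigned a different private range, in which case every legitimate internal caller would be rejected by the check that uses this constant. Since `os` is already imported in this file, reading the value from the environment with the current value as the default keeps the behaviour while letting deployments override it: `DOCKER_SUBNET = os.environ.get('DOCKER_SUBNET', '172.17.0.0/16')`. A comment above the constant naming the assumption (default bridge network, no user-defined network) would help whoever next changes the deployment.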
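Review bot: The guard on `request.remote_addr` is only meaningful when the Flask app terminates the client connection itself; if a reverse proxy sits in front of it (commonly another container on the same bridge network), `remote_addr` is the proxy's address inside `DOCKER_SUBNET` and every forwarded request passes, so the assumption of no proxy should be stated in the comment above the check and verified for the deployment. `ipaddress.ip_address(request_ip)` also raises `ValueError` when `remote_addr` is `None` (for example under Flask's test client), turning an unauthorised call into a 500, and an IPv4-mapped IPv6 peer such as `::ffff:172.17.0.2` parses as IPv6 and so fails the `in` test against the IPv4 network; catching the parse error keeps the fail-closed behaviour explicit. The commit subject also mentions a pre-shared API key, but no such check appears in this hunk, so either the subject or the change is incomplete. The route decorator for `handle_reset_password` lies before the hunk.
```python
    try:
        source = ipaddress.ip_address(request.remote_addr or '')
    except ValueError:
        return 'Unauthorised', 401
    if source not in ipaddress.ip_network(DOCKER_SUBNET):
        return 'Unauthorised', 401

    # … unchanged: perform_password_reset call and jsonify response …
```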
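Review bot: `ipaddress==1.0.23` pins the PyPI backport of the `ipaddress` module that was written for Python 2; on Python 3, which the other pins in this file imply, `ipaddress` is part of the standard library and the stdlib copy is what `import ipaddress` in `hw_diag/views/auth.py` resolves to. The line therefore adds an unmaintained third-party package to the supply chain without changing behaviour, and should be dropped rather than pinned.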