diff --git a/authentik/events/models.py b/authentik/events/models.py
index 55bb64d98..ebcab2cfc 100644
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -149,7 +149,7 @@ class Event(ExpiringModel):
 request.session[SESSION_IMPERSONATE_USER]
 )
 # User 255.255.255.255 as fallback if IP cannot be determined
- self.client_ip = get_client_ip(request) or "255.255.255.255"
+ self.client_ip = get_client_ip(request)
 # Apply GeoIP Data, when enabled
 self.with_geoip()
 # If there's no app set, we get it from the requests too
diff --git a/authentik/lib/utils/http.py b/authentik/lib/utils/http.py
index 6b0a2da78..dc4c003b4 100644
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@@ -5,9 +5,10 @@ from django.http import HttpRequest
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
+DEFAULT_IP = "255.255.255.255"
-def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
+def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
 """Attempt to get the client's IP by checking common HTTP Headers.
 Returns none if no IP Could be found"""
 headers = (
@@ -19,7 +20,7 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
 if _header in meta:
 ips: list[str] = meta.get(_header).split(",")
 return ips[0].strip()
- return None
+ return DEFAULT_IP
 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
@@ -37,7 +38,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
 return request.META[OUTPOST_REMOTE_IP_HEADER]
-def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> str:
 """Attempt to get the client's IP by checking common HTTP Headers.
 Returns none if no IP Could be found"""
 if request:
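Review bot: The docstring of `_get_client_ip_from_meta` in authentik/lib/utils/http.py (`@@ -5,9 +5,10 @@` hunk) still says "Returns none if no IP Could be found", but with the new `-> str` signature the function returns `DEFAULT_IP`; the same stale sentence remains on `get_client_ip` in the `@@ -37,7 +38,7 @@` hunk. I would reword both to `Returns DEFAULT_IP if no IP could be found` and add a comment on the constant, for example `# Sentinel for "client IP unknown"; never a real client address`, so that consumers of events and policy context know to treat it as missing data. The comment "User 255.255.255.255 as fallback" kept in authentik/events/models.py now describes behaviour that lives in `get_client_ip`. Both function bodies extend outside their hunks.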
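Review bot: `return ips[0].strip()` in the `@@ -19,7 +20,7 @@` hunk of authentik/lib/utils/http.py can return an empty string when a listed header is present but blank or begins with a comma, and this commit removes the `or "255.255.255.255"` at every call site that used to absorb that case. After the change the empty value is passed to `ip_address(...)` in evaluator.py, which raises ValueError on it, is assigned to `self.client_ip` in events/models.py, and turns the reputation cache key into the bare `CACHE_KEY_IP_PREFIX` in reputation/models.py and signals.py. Keeping the fallback inside the helper restores the previous behaviour: `return ips[0].strip() or DEFAULT_IP`. The value appears to come straight from request headers, so parsing it with `ip_address` here and falling back on ValueError would be a stricter option; the header tuple and the loop start are outside the hunk, so I cannot confirm which headers are trusted.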
@@ -45,4 +46,4 @@ def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
 if override:
 return override
 return _get_client_ip_from_meta(request.META)
- return None
+ return DEFAULT_IP
diff --git a/authentik/policies/expression/evaluator.py b/authentik/policies/expression/evaluator.py
index 8f28ee9f3..b8302b00a 100644
--- a/authentik/policies/expression/evaluator.py
+++ b/authentik/policies/expression/evaluator.py
@@ -50,9 +50,7 @@ class PolicyEvaluator(BaseEvaluator):
 """Update context based on http request"""
 # update website/docs/expressions/_objects.md
 # update website/docs/expressions/_functions.md
- self._context["ak_client_ip"] = ip_address(
- get_client_ip(request) or "255.255.255.255"
- )
+ self._context["ak_client_ip"] = ip_address(get_client_ip(request))
 self._context["http_request"] = request
 def handle_error(self, exc: Exception, expression_source: str):
diff --git a/authentik/policies/reputation/models.py b/authentik/policies/reputation/models.py
index 5eab67531..bd03c7564 100644
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@@ -30,7 +30,7 @@ class ReputationPolicy(Policy):
 return "ak-policy-reputation-form"
 def passes(self, request: PolicyRequest) -> PolicyResult:
- remote_ip = get_client_ip(request.http_request) or "255.255.255.255"
+ remote_ip = get_client_ip(request.http_request)
 passing = True
 if self.check_ip:
 score = cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)
diff --git a/authentik/policies/reputation/signals.py b/authentik/policies/reputation/signals.py
index 6fe0ddd00..d6eaf9fa0 100644
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
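Review bot: In `ReputationPolicy.passes` (authentik/policies/reputation/models.py) every request whose address cannot be determined is scored against the single key `CACHE_KEY_IP_PREFIX + "255.255.255.255"`, so unrelated clients share one reputation bucket; `update_score` in reputation/signals.py writes to the same key. The removed `or` fallback already had this effect, but with the sentinel now centralised as `DEFAULT_IP` the IP check could recognise it explicitly, e.g. `if self.check_ip and remote_ip != DEFAULT_IP:`, with `DEFAULT_IP` imported from `authentik.lib.utils.http`. Whether unknown-address requests should be exempt from IP scoring or fail closed is a policy decision I cannot infer from this hunk, and the rest of `passes` lies outside it.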
@@ -17,7 +17,7 @@ LOGGER = get_logger()
 def update_score(request: HttpRequest, username: str, amount: int):
 """Update score for IP and User"""
- remote_ip = get_client_ip(request) or "255.255.255.255"
+ remote_ip = get_client_ip(request)
 # We only update the cache here, as its faster than writing to the DB
 cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)