lib: return default IP if none could be extracted

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-30 12:49:44 +02:00 · 2021-05-30 12:49:44 +02:00 · 7e8044619c
parent cf57660772
commit 7e8044619c
5 changed files with 9 additions and 10 deletions
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -149,7 +149,7 @@ class Event(ExpiringModel):
                    request.session[SESSION_IMPERSONATE_USER]
                )
        # User 255.255.255.255 as fallback if IP cannot be determined
-        self.client_ip = get_client_ip(request) or "255.255.255.255"
+        self.client_ip = get_client_ip(request)
        # Apply GeoIP Data, when enabled
        self.with_geoip()
        # If there's no app set, we get it from the requests too
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -5,9 +5,10 @@ from django.http import HttpRequest
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 DEFAULT_IP = "255.255.255.255"
-def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
+def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    headers = (
@ -19,7 +20,7 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
        if _header in meta:
            ips: list[str] = meta.get(_header).split(",")
            return ips[0].strip()
-    return None
+    return DEFAULT_IP
 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
@ -37,7 +38,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    return request.META[OUTPOST_REMOTE_IP_HEADER]
-def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    if request:
@ -45,4 +46,4 @@ def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
        if override:
            return override
        return _get_client_ip_from_meta(request.META)
-    return None
+    return DEFAULT_IP
--- a/authentik/policies/expression/evaluator.py
+++ b/authentik/policies/expression/evaluator.py
@ -50,9 +50,7 @@ class PolicyEvaluator(BaseEvaluator):
        """Update context based on http request"""
        # update website/docs/expressions/_objects.md
        # update website/docs/expressions/_functions.md
-        self._context["ak_client_ip"] = ip_address(
+        self._context["ak_client_ip"] = ip_address(get_client_ip(request))
            get_client_ip(request) or "255.255.255.255"
        )
        self._context["http_request"] = request
    def handle_error(self, exc: Exception, expression_source: str):
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@ -30,7 +30,7 @@ class ReputationPolicy(Policy):
        return "ak-policy-reputation-form"
    def passes(self, request: PolicyRequest) -> PolicyResult:
-        remote_ip = get_client_ip(request.http_request) or "255.255.255.255"
+        remote_ip = get_client_ip(request.http_request)
        passing = True
        if self.check_ip:
            score = cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -17,7 +17,7 @@ LOGGER = get_logger()
 def update_score(request: HttpRequest, username: str, amount: int):
    """Update score for IP and User"""
-    remote_ip = get_client_ip(request) or "255.255.255.255"
+    remote_ip = get_client_ip(request)
    # We only update the cache here, as its faster than writing to the DB
    cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)