mlibrary · botimer · Dec 21, 2023 · Nov 3, 2023 · Dec 19, 2023 · Dec 19, 2023
diff --git a/apache/conf/lauth.conf b/apache/conf/lauth.conf
@@ -4,3 +4,5 @@ SetHandler lauth
 </Location>
 
 RemoteIPHeader X-Client-IP
+RemoteIPInternalProxy 0.0.0.0/1
+RemoteIPInternalProxy 128.0.0.0/1
diff --git a/apache/conf/test-site.conf b/apache/conf/test-site.conf
@@ -19,6 +19,17 @@
       Require lauth
     </RequireAll>
   </Location>
+
+  <Location "/restricted-by-network/">
+    AuthType Basic
+    AuthName "Restricted Resource"
+    AuthUserFile /lauth/test-site/htpasswd
+    AuthzSendForbiddenOnFailure On
+    <RequireAll>
+      Require valid-user
+      Require lauth
+    </RequireAll>
+  </Location>
 </VirtualHost>
 
 # <VirtualHost *:443>

diff --git a/db/network.sql b/db/network.sql
@@ -0,0 +1,131 @@
+-- Create an institution within the larger institution
+INSERT INTO aa_inst VALUES(
+  NULL,
+  'Lauth Law Enclave', NULL,
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+SET @enclave_inst_id = LAST_INSERT_ID();
+
+-- We use the existing inst as the larger university network.
+SET @big_inst_id = (
+  SELECT uniqueIdentifier
+  FROM aa_inst
+  WHERE organizationName = 'University of Lauth, Testing'
+);
+
+-- Collection for most network scenarios
+INSERT INTO aa_coll VALUES(
+  'lauth-by-client-ip', -- uniqueIdentifier
+  'lauth-by-client-ip', -- commonName
+  'auth system testing: network authentication',
+  'lauth-test', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'ip', -- dlpsAuthenMethod
+  'n', -- dlpsAuthzType
+  'f', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+INSERT INTO aa_coll_obj VALUES(
+  'www.lauth.local', -- server hostname, not vhost
+  '/lauth/test-site/web/restricted-by-network%', -- dlpsPath
+  'lauth-by-client-ip', -- coll.uniqueIdentifier
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL, -- uniqueIdentifier
+  NULL, -- userid
+  NULL, -- user_grp
+  @big_inst_id, -- inst
+  'lauth-by-client-ip', -- coll
+  CURRENT_TIMESTAMP,
+  'root',
+  NULL,
+  'f'
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL, -- uniqueIdentifier
+  NULL, -- userid
+  NULL, -- user_grp
+  @enclave_inst_id, -- inst
+  'lauth-by-client-ip', -- coll
+  CURRENT_TIMESTAMP,
+  'root',
+  NULL,
+  'f'
+);
+
+------A full /24 allowed campus network-------
+-- allow campus 10.1.16.0/24 (255 - 0)
+INSERT INTO aa_network --
+VALUES (
+  NULL, NULL,
+  '10.1.16.0/24', 167841792, 167842047,
+  'allow', NULL, @big_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+
+-- keep this range free of rules!
+-- null 10.1.8.0/24 (255)
+
+----Campus net with a single blocked ip and an allowed enclave----
+-- allow campus 10.1.6.0/24 (255)
+-- deny one ip 10.1.6.2/32 (1)
+-- allow enclave 10.1.6.8/29 (8)
+INSERT INTO aa_network -- campus network
+VALUES (
+  NULL, NULL,
+  '10.1.6.0/24', 167839232, 167839487,
+  'allow', NULL, @big_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+INSERT INTO aa_network -- blocked ip
+VALUES (
+  NULL, NULL,
+  '10.1.6.2/32', 167839234, 167839234,
+  'deny', NULL, @big_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+INSERT INTO aa_network -- allowed enclave
+VALUES (
+  NULL, NULL,
+  '10.1.6.8/29', 167839240, 167839247,
+  'allow', NULL, @enclave_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+
+----An allowed enclave within a denied campus-----
+-- deny campus 10.1.7.0/24 (255 - 8)
+-- allow enclave 10.1.7.8/29 (-8)
+INSERT INTO aa_network -- campus network, denied
+VALUES (
+  NULL, NULL,
+  '10.1.7.0/24', 167839488, 167839743,
+  'deny', NULL, @big_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+INSERT INTO aa_network -- allowed enclave
+VALUES (
+  NULL, NULL,
+  '10.1.7.8/29', 167839496, 167839503,
+  'allow', NULL, @enclave_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
+
+
+
+------A full /24 denied campus network-------
+-- deny campus 10.1.17.0/24 (255 - 0)
+INSERT INTO aa_network
+VALUES (
+  NULL, NULL,
+  '10.1.17.0/24', 167842048, 167842303,
+  'deny', NULL, @big_inst_id,
+  CURRENT_TIMESTAMP, 'root', 'f'
+);
diff --git a/db/setup.sh b/db/setup.sh
@@ -42,4 +42,5 @@ if [[ $all == "true" ]]; then
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/root.sql"
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/keys.sql"
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/test-fixture.sql"
+  mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/network.sql"
 fi
diff --git a/db/test-fixture.sql b/db/test-fixture.sql
@@ -47,10 +47,6 @@ INSERT INTO aa_may_access VALUES(
   NULL, NULL, @test_inst_id, 'lauth-by-username', CURRENT_TIMESTAMP, 'root', NULL, 'f'
 );
 
------- TODO: Discuss network ranges
--- INSERT INTO aa_network VALUES(
---   NULL, NULL, '10.1.1.1/24', 167837953, 167838207, 'allow', NULL, @test_inst_id, CURRENT_TIMESTAMP, 'root', 'f'
--- );
 
 INSERT INTO aa_user VALUES(
   'lauth-allowed',NULL,'Lauth',NULL,'Tester-Allowed','lauth-allowed@umich.edu',

diff --git a/lauth/app/actions/authorize.rb b/lauth/app/actions/authorize.rb
@@ -7,7 +7,9 @@ def handle(request, response)
 
         result = Lauth::Ops::Authorize.new(
           request: Lauth::Access::Request.new(
-            user: request.params[:user], uri: request.params[:uri]
+            user: request.params[:user],
+            uri: request.params[:uri],
+            client_ip: request.params[:ip]
           )
         ).call
 

diff --git a/lauth/app/repositories/grant_repo.rb b/lauth/app/repositories/grant_repo.rb
@@ -8,14 +8,23 @@ def find(id)
         grants.where(uniqueIdentifier: id).one
       end
 
-      def for_user_and_uri(username, uri)
+      def for(username:, uri:, client_ip: nil)
+        ip = client_ip ? IPAddr.new(client_ip).to_i : nil
+        smallest_network = networks
+          .dataset
+          .where { dlpsAddressStart <= ip }
+          .where { dlpsAddressEnd >= ip }
+          .select_append(Sequel.as(Sequel.expr { dlpsAddressEnd - dlpsAddressStart }, :block_size))
+          .order(Sequel.asc(:block_size)).limit(1)
+
         ds = grants
           .dataset
           .join(collections.name.dataset, uniqueIdentifier: :coll)
           .join(locations.name.dataset, coll: :uniqueIdentifier)
           .left_join(users.name.dataset, userid: grants[:userid])
           .left_join(institution_memberships.name.dataset, inst: grants[:inst])
           .left_join(group_memberships.name.dataset, user_grp: grants[:user_grp])
+          .left_join(Sequel.as(smallest_network, :smallest), inst: grants[:inst])
           .where(Sequel.ilike(uri, locations[:dlpsPath]))
           .where(
             Sequel.|(
@@ -30,6 +39,10 @@ def for_user_and_uri(username, uri)
               Sequel.&(
                 Sequel.~(group_memberships[:userid] => nil),
                 {group_memberships[:userid] => username}
+              ),
+              Sequel.&(
+                Sequel.~(Sequel[:smallest][:inst] => nil),
+                {Sequel[:smallest][:dlpsAccessSwitch] => "allow"}
               )
             )
           )

diff --git a/lauth/lib/lauth/network.rb b/lauth/lib/lauth/network.rb
@@ -0,0 +1,4 @@
+module Lauth
+  class Network < ROM::Struct
+  end
+end
diff --git a/lauth/lib/lauth/ops/authorize.rb b/lauth/lib/lauth/ops/authorize.rb
@@ -13,7 +13,12 @@ def self.call(request:)
       end
 
       def call
-        determination = if grant_repo.for_user_and_uri(request.user, request.uri).any?
+        relevant_grants = grant_repo.for(
+          username: request.user,
+          uri: request.uri,
+          client_ip: request.client_ip
+        )
+        determination = if relevant_grants.any?
           "allowed"
         else
           "denied"

diff --git a/lauth/lib/lauth/persistence/relations/networks.rb b/lauth/lib/lauth/persistence/relations/networks.rb
@@ -0,0 +1,35 @@
+module Lauth
+  module Persistence
+    module Relations
+      # +------------------+------------------+------+-----+---------+----------------+
+      # | Field            | Type             | Null | Key | Default | Extra          |
+      # +------------------+------------------+------+-----+---------+----------------+
+      # | uniqueIdentifier | int(11)          | NO   | PRI | NULL    | auto_increment |
+      # | dlpsDNSName      | varchar(128)     | YES  |     | NULL    |                |
+      # | dlpsCIDRAddress  | varchar(18)      | YES  |     | NULL    |                |
+      # | dlpsAddressStart | int(10) unsigned | YES  | MUL | NULL    |                |
+      # | dlpsAddressEnd   | int(10) unsigned | YES  | MUL | NULL    |                |
+      # | dlpsAccessSwitch | varchar(5)       | NO   |     | NULL    |                |
+      # | coll             | varchar(32)      | YES  | MUL | NULL    |                |
+      # | inst             | int(11)          | YES  | MUL | NULL    |                |
+      # | lastModifiedTime | timestamp        | NO   |     | NULL    |                |
+      # | lastModifiedBy   | varchar(64)      | NO   | MUL | NULL    |                |
+      # | dlpsDeleted      | char(1)          | NO   |     | NULL    |                |
+      # +------------------+------------------+------+-----+---------+----------------+
+      class Networks < ROM::Relation[:sql]
+        schema(:aa_network, infer: true, as: :networks) do
+          attribute :lastModifiedBy, Types::String.default("root".freeze)
+          attribute :dlpsDeleted, Types::String.default("f".freeze)
+
+          associations do
+            belongs_to :collection, foreign_key: :coll
+            belongs_to :institution, foreign_key: :inst
+          end
+        end
+
+        struct_namespace Lauth
+        auto_struct true
+      end
+    end
+  end
+end