From patchwork Mon Jul 20 14:25:11 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?=
 <fmang@mg0.fr>
X-Patchwork-Id: 1726
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id CD9CB1A0B4658
	for <patchwork@archlinux.org>; Mon, 20 Jul 2020 14:25:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1,
	RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_NONE=0.001,T_DMARC_POLICY_NONE=0.01
	autolearn=ham autolearn_force=no version=3.4.4
X-Spam-BL-Results: 
 <dns:1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.8.0.6.0.6.1.0.8.f.4.0.1.0.a.2.list.dnswl.org>
	[127.0.9.2]
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Mon, 20 Jul 2020 14:25:26 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 6082B1D35F36EE;
	Mon, 20 Jul 2020 14:25:20 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id 408551D35F36EC;
	Mon, 20 Jul 2020 14:25:20 +0000 (UTC)
Authentication-Results: orion.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=jznAevld
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 163C820F45;
	Mon, 20 Jul 2020 14:25:20 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=jznAevld
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 7D04220F45
 for <aur-dev@lists.archlinux.org>; Mon, 20 Jul 2020 14:25:14 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Mon, 20 Jul 2020 14:25:14 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id CCCDE1D35F36E8
 for <aur-dev@archlinux.org>; Mon, 20 Jul 2020 14:25:12 +0000 (UTC)
Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@archlinux.org>; Mon, 20 Jul 2020 14:25:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr;
 s=tsubame; h=Message-ID:Subject:To:From:Date:cc;
 bh=0latJFoi3QMm9UKgsb5Zq/mr5put8SfYWRXwAA9WoSU=; b=jznAevldbBLlyRig0XyzJk5v3O
 W6TSjNELS8MDGRIjbwO7EcAZ48LGyoMqZvXoL9NUew08T65hAkDG3Rys6PEUiYGUiYpPANBwvmRjF
 lTAdxykdwio6NZZv8AYPNDEaYI/caz2dstUwIwRfEZXctACoQ52ejUc0h5NTEiFWF7F8=;
Received: from fmang by tsubame.mg0.fr with local (Exim 4.94)
 (envelope-from <fmang@mg0.fr>) id 1jxWj9-00GtUk-Ov
 for aur-dev@archlinux.org; Mon, 20 Jul 2020 16:25:11 +0200
Date: Mon, 20 Jul 2020 16:25:11 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi <fmang@mg0.fr>
To: aur-dev@archlinux.org
Subject: [PATCH 1/3] SSO: Port IP ban checking
Message-ID: <20200720142511.GA4026568@tsubame.mg0.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

---
 aurweb/routers/sso.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 04ecdca6..efd4462c 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -14,7 +14,7 @@ from starlette.requests import Request
 import aurweb.config
 import aurweb.db
 
-from aurweb.schema import Sessions, Users
+from aurweb.schema import Bans, Sessions, Users
 
 router = fastapi.APIRouter()
 
@@ -57,13 +57,28 @@ def open_session(conn, user_id):
     return sid
 
 
+def is_ip_banned(conn, ip):
+    """
+    Check if an IP is banned. `ip` is a string and may be an IPv4 as well as an
+    IPv6, depending on the server’s configuration.
+    """
+    result = conn.execute(Bans.select().where(Bans.c.IPAddress == ip))
+    return result.fetchone() is not None
+
+
 @router.get("/sso/authenticate")
 async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
     """
     Receive an OpenID Connect ID token, validate it, then process it to create
     an new AUR session.
     """
-    # TODO check for banned IPs
+    # TODO Handle translations
+    if is_ip_banned(conn, request.client.host):
+        raise HTTPException(
+            status_code=403,
+            detail='The login form is currently disabled for your IP address, '
+                   'probably due to sustained spam attacks. Sorry for the '
+                   'inconvenience.')
     token = await oauth.sso.authorize_access_token(request)
     user = await oauth.sso.parse_id_token(request, token)
     sub = user.get("sub")  # this is the SSO account ID in JWT terminology