fix ip restrictions if two subnets are used

1b6ecd90 · Gabriel Zachmann · c82a1dc2 · 1b6ecd90 · 1b6ecd90
Commit 1b6ecd90 authored 3 years ago by Gabriel Zachmann
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,10 @@
 - Removed buttons from webinterface in the tokeninfo tabs. The content now loads directly when switching the tab.
 - Added request ids to response header and logging

+### Bugfixes
+
+- Fixed a bug where restrictions did not behave correctly when multiple subnets were used
+
 ## mytoken 0.3.2

 - Fixed password prompt for migratedb

--- a/shared/utils/utils.go
+++ b/shared/utils/utils.go
 package utils

 import (
+	"bytes"
 	"encoding/base64"
 	"fmt"
 	"math/rand"
@@ -99,22 +100,39 @@ func IPsAreSubSet(ipsA, ipsB []string) bool {
 	return true
 }

+func parseIP(ip string) (net.IP, *net.IPNet) {
+	ipA, ipNet, err := net.ParseCIDR(ip)
+	if err != nil {
+		ipA = net.ParseIP(ip)
+	}
+	if ipNet != nil && !ipA.Equal(ipNet.IP) {
+		ipNet = nil
+	}
+	return ipA, ipNet
+}
+
 // IPIsIn checks if a ip is in a slice of ips, it will also check ip subnets
 func IPIsIn(ip string, ips []string) bool {
 	if len(ips) == 0 {
 		return false
 	}
-	ipA := net.ParseIP(ip)
+	ipA, ipNetA := parseIP(ip)
 	for _, ipp := range ips {
-		if strings.Contains(ipp, "/") {
-			_, ipNetB, _ := net.ParseCIDR(ipp)
-			if ipNetB != nil && ipNetB.Contains(ipA) {
+		ipB, ipNetB := parseIP(ipp)
+		if ipNetA == nil && ipNetB == nil {
+			if ipA.Equal(ipB) {
+				return true
+			}
+		} else if ipNetA == nil && ipNetB != nil {
+			if ipNetB.Contains(ipA) {
+				return true
+			}
+		} else if ipNetA != nil && ipNetB != nil {
+			if ipNetB.Contains(ipA) && bytes.Compare(ipNetA.Mask, ipNetB.Mask) >= 0 {
 				return true
 			}
-		} else if ip == ipp {
-			return true
 		}
-
+		// check for ipNetA != nil && ipNetB == nil not needed -> won't work
 	}
 	return false
 }