Allow strictly binding tokens to source IP address #202
This adds the option, `token_strictly_bind_ip`, to strictly bind the token's approved CIDRs to the source IP address a login request was associated with. This means if the IP address were ever ported to a system with a new IP address, the login workflow would have to be restarted to request a fresh token.

This binding is done in accordance with the `X-Forwarded-For` header, allowing the CIDR value to be populated and validated against the correct end-client's IP address (when sent via trusted `X-Forwarded-For` header).

This also fixes the rejection of invalid `X-Forwarded-For` headers: When `x_forwarded_for_reject_not_authorized=false` is explicitly set in the listener configuration, we need to remove the header before processing the request, otherwise downstream consumers of the request will not know if the header is authorized or not, and presume that, because we passed it along, we trusted it.

This is missing tests; I might try using the container based testing infrastructure to do this; I think I can run OpenBao within the test suite and use a curl container to check if the binding works. Though, I don't think I'll have the capabilities to test `X-Forwarded-For` there. Curious to get your thoughts on this one @thequailman!

Resolves: #32
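The two behaviours the description calls out, taken together as an added illustration that is not OpenBao's code from this PR: the client address a login would be strictly bound to is taken from `X-Forwarded-For` only when the direct peer is a trusted proxy, an untrusted header is rejected or deleted before anything downstream sees it, and the bound value is recorded as a single-host CIDR. The `ListenerConfig` struct, the `ClientIP` and `BindCIDR` functions and the trusted-proxy list are assumptions of this example, not the project's real configuration or API.

```go
package main
import (
	"fmt"
	"net"
	"net/http"
	"strings"
)
// Listener settings named after the options in the PR; the struct is assumed
// for this example and is not OpenBao's own configuration type.
type ListenerConfig struct {
	TrustedProxies      []*net.IPNet // peers allowed to supply X-Forwarded-For
	RejectNotAuthorized bool         // x_forwarded_for_reject_not_authorized
}
// ClientIP resolves the address a login would bind to: a trusted proxy's first
// X-Forwarded-For hop; otherwise the header is rejected or stripped.
func ClientIP(cfg ListenerConfig, r *http.Request) (net.IP, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, err
	}
	peer := net.ParseIP(host)
	xff := r.Header.Get("X-Forwarded-For")
	if peer == nil {
		return nil, fmt.Errorf("unparseable peer %q", host)
	}
	if xff == "" {
		return peer, nil
	}
	for _, proxy := range cfg.TrustedProxies {
		if proxy.Contains(peer) {
			if ip := net.ParseIP(strings.TrimSpace(strings.Split(xff, ",")[0])); ip != nil {
				return ip, nil
			}
			return nil, fmt.Errorf("malformed X-Forwarded-For %q", xff)
		}
	}
	if cfg.RejectNotAuthorized {
		return nil, fmt.Errorf("X-Forwarded-For from untrusted peer %s", peer)
	}
	r.Header.Del("X-Forwarded-For") // passing it downstream would imply trust
	return peer, nil
}
// BindCIDR is the single-host CIDR a strictly bound token records at login.
func BindCIDR(ip net.IP) *net.IPNet {
	if v4 := ip.To4(); v4 != nil {
		return &net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)}
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)}
}
func main() { fmt.Println(BindCIDR(net.ParseIP("203.0.113.7"))) } // 203.0.113.7/32
```

The sample addresses (10.0.0.0/8 as the proxy range, 203.0.113.7 as the end client) are constructed for the example; a later request is checked by calling `Contains` on the bound CIDR with the address `ClientIP` resolves for it.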