Pull request 2166: 5829-trusted-ip

Updates #5829. Squashed commit of the following: commit 8a93b30d5bd1c40c30bd10cd3fc77c3a3a64cb71 Merge: 8e4429c48 54f77c010 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 19:15:07 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit 8e4429c483c0fd6fffdc93fa808adcca6678bc3e Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 18:37:26 2024 +0300 all: upd chlog commit b598a8d1ea239cc574bfdfdd6a2da47792582589 Merge: 1f58bf8fd 054233962 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 18:34:13 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit 1f58bf8fd1bc3b3790475651cb87494885cadf66 Merge: ffb4b9a65 c64a36c94 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Mar 20 17:09:09 2024 +0300 Merge branch 'master' into 5829-trusted-ip commit ffb4b9a65fea5555d0d401194d3fc3820b2e6766 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Mar 14 17:40:07 2024 +0300 home: fix alignment commit 7f11807ff13eff286be1d3bd4b796273454bdbda Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Mar 14 17:35:13 2024 +0300 all: imp code commit 2aee9a66c70af929e28653245eb73c0f29a46e97 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Mon Mar 11 18:17:58 2024 +0300 home: real ip in logs
2025-05-03 22:42:51 +03:00 · 2024-03-20 19:25:59 +03:00 · 2024-03-20 19:25:59 +03:00 · 3b12ff2cc2
commit 3b12ff2cc2
parent 54f77c0101
6 changed files with 72 additions and 50 deletions
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@ -11,6 +11,7 @@ import (

 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
 	"go.etcd.io/bbolt"
 	"golang.org/x/crypto/bcrypt"
 )
@ -51,14 +52,15 @@ func (s *session) deserialize(data []byte) bool {
 	return true
 }

-// Auth - global object
+// Auth is the global authentication object.
 type Auth struct {
-	db          *bbolt.DB
-	rateLimiter *authRateLimiter
-	sessions    map[string]*session
-	users       []webUser
-	lock        sync.Mutex
-	sessionTTL  uint32
+	trustedProxies netutil.SubnetSet
+	db             *bbolt.DB
+	rateLimiter    *authRateLimiter
+	sessions       map[string]*session
+	users          []webUser
+	lock           sync.Mutex
+	sessionTTL     uint32
 }

 // webUser represents a user of the Web UI.
@ -69,15 +71,22 @@ type webUser struct {
 	PasswordHash string `yaml:"password"`
 }

-// InitAuth - create a global object
-func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter *authRateLimiter) *Auth {
+// InitAuth initializes the global authentication object.
+func InitAuth(
+	dbFilename string,
+	users []webUser,
+	sessionTTL uint32,
+	rateLimiter *authRateLimiter,
+	trustedProxies netutil.SubnetSet,
+) (a *Auth) {
 	log.Info("Initializing auth module: %s", dbFilename)

-	a := &Auth{
-		sessionTTL:  sessionTTL,
-		rateLimiter: rateLimiter,
-		sessions:    make(map[string]*session),
-		users:       users,
+	a = &Auth{
+		sessionTTL:     sessionTTL,
+		rateLimiter:    rateLimiter,
+		sessions:       make(map[string]*session),
+		users:          users,
+		trustedProxies: trustedProxies,
 	}
 	var err error
 	a.db, err = bbolt.Open(dbFilename, 0o644, nil)
@ -95,7 +104,7 @@ func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter
 	return a
 }

-// Close - close module
+// Close closes the authentication database.
 func (a *Auth) Close() {
 	_ = a.db.Close()
 }
@ -104,7 +113,8 @@ func bucketName() []byte {
 	return []byte("sessions-2")
 }

-// load sessions from file, remove expired sessions
+// loadSessions loads sessions from the database file and removes expired
+// sessions.
 func (a *Auth) loadSessions() {
 	tx, err := a.db.Begin(true)
 	if err != nil {
@ -156,7 +166,8 @@ func (a *Auth) loadSessions() {
 	log.Debug("auth: loaded %d sessions from DB (removed %d expired)", len(a.sessions), removed)
 }

-// store session data in file
+// addSession adds a new session to the list of sessions and saves it in the
+// database file.
 func (a *Auth) addSession(data []byte, s *session) {
 	name := hex.EncodeToString(data)
 	a.lock.Lock()
@ -167,7 +178,7 @@ func (a *Auth) addSession(data []byte, s *session) {
 	}
 }

-// store session data in file
+// storeSession saves a session in the database file.
 func (a *Auth) storeSession(data []byte, s *session) bool {
 	tx, err := a.db.Begin(true)
 	if err != nil {