Merge pull request #3465 from matrix-org/matthew/as_ip_lock

add ip_range_whitelist parameter to limit where ASes can connect from
author: Matthew Hodgson <matthew@arasphere.net> 2018-06-28 21:15:06 +0100
committer: GitHub <noreply@github.com> 2018-06-28 21:15:06 +0100
commit: fc0e17b3e50d92a600cbb067577f147a966cf3c4 (patch)
tree: 2d6b3baad1aa0ed44132d8f9d9352ce9de070cbf /synapse/api/auth.py
parent: Attempt to be more performant on PyPy (#3462) (diff)
parent: add test (diff)
download: synapse-fc0e17b3e50d92a600cbb067577f147a966cf3c4.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 54186695cd..088b4e8b6d 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -19,6 +19,7 @@ from six import itervalues
 
 import pymacaroons
 from twisted.internet import defer
+from netaddr import IPAddress
 
 import synapse.types
 from synapse import event_auth
@@ -244,6 +245,11 @@ class Auth(object):
         if app_service is None:
             defer.returnValue((None, None))
 
+        if app_service.ip_range_whitelist:
+            ip_address = IPAddress(self.hs.get_ip_from_request(request))
+            if ip_address not in app_service.ip_range_whitelist:
+                defer.returnValue((None, None))
+
         if "user_id" not in request.args:
             defer.returnValue((app_service.sender, app_service))
author	Matthew Hodgson <matthew@arasphere.net>	2018-06-28 21:15:06 +0100
committer	GitHub <noreply@github.com>	2018-06-28 21:15:06 +0100
commit	fc0e17b3e50d92a600cbb067577f147a966cf3c4 (patch)
tree	2d6b3baad1aa0ed44132d8f9d9352ce9de070cbf /synapse/api/auth.py
parent	Attempt to be more performant on PyPy (#3462) (diff)
parent	add test (diff)
download	synapse-fc0e17b3e50d92a600cbb067577f147a966cf3c4.tar.xz