Clean ip extraction

Author: Inbal Tako

VERSION

@@ -1 +1 @@
-0.3.2
+0.3.3

securenative/config/configuration_manager.py

@@ -7,7 +7,7 @@
 
 class ConfigurationManager(object):
     DEFAULT_CONFIG_FILE = "securenative.ini"
-    CUSTOM_CONFIG_FILE_ENV_NAME = "SECURENATIVE_COMFIG_FILE"
+    CUSTOM_CONFIG_FILE_ENV_NAME = "SECURENATIVE_CONFIG_FILE"
     config = ConfigParser()
 
     @classmethod
@@ -35,8 +35,12 @@ def _get_resource_path(cls, env_name):
     @classmethod
     def _get_env_or_default(cls, properties, key, default):
         if os.environ.get(key):
+            if "," in os.environ.get(key):
+                return os.environ.get(key).split(",")
             return os.environ.get(key)
         if properties.get(key):
+            if "," in properties.get(key):
+                return properties.get(key).split(",")
             return properties.get(key)
         return default
 

securenative/utils/ip_utils.py

@@ -17,21 +17,16 @@ def is_ip_address(ip_address):
 
     @staticmethod
     def is_valid_public_ip(ip_address):
-        try:
-            socket.inet_aton(ip_address)
-        except socket.error:
-            return False
+        ip = ipaddress.ip_address(ip_address)
 
-        ip = ipaddress.IPv4Address(ip_address)
-        if ip.is_loopback \
-                or not ip.is_global \
-                or ip.is_private \
-                or ip.is_link_local \
-                or ip.is_multicast \
-                or ip.is_reserved \
-                or ip.is_unspecified:
+        if ip is ipaddress.IPv4Address:
+            if not ip.is_loopback and not ip.is_reserved and not ip.is_unspecified:
+                return True
             return False
-        return True
+
+        if not ip.is_unspecified:
+            return True
+        return False
 
     @staticmethod
     def is_loop_back(ip_address):

securenative/utils/request_utils.py

@@ -1,6 +1,10 @@
+from securenative.utils.ip_utils import IpUtils
+
+
 class RequestUtils(object):
     SECURENATIVE_COOKIE = "_sn"
     SECURENATIVE_HEADER = "x-securenative"
+    IP_HEADERS = ["x-forwarded-for", "x-client-ip", "x-real-ip", "x-forwarded", "x-cluster-client-ip", "forwarded-for", "forwarded", "via"]
 
     @staticmethod
     def get_secure_header_from_request(headers):
@@ -15,25 +19,35 @@ def get_client_ip_from_request(request, options):
             for header in options.proxy_headers:
                 try:
                     if request.environ.get(header) is not None:
-                        return request.environ.get(header)
+                        ips = request.environ.get(header).split(',')
+                        return RequestUtils.get_valid_ip(ips)
                     if request.headers[header] is not None:
-                        return request.headers[header]
+                        ips = request.headers[header].split(',')
+                        return RequestUtils.get_valid_ip(ips)
                 except Exception:
                     try:
                         if request.headers[header] is not None:
-                            return request.headers[header]
+                            ips = request.headers[header].split(',')
+                            return RequestUtils.get_valid_ip(ips)
                     except Exception:
                         continue
 
+        for header in RequestUtils.IP_HEADERS:
+            try:
+                ips = request.headers[header].split(',')
+                return RequestUtils.get_valid_ip(ips)
+            except Exception:
+                continue
+
         try:
             x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
             if x_forwarded_for:
-                ip = x_forwarded_for.split(',')[-1].strip()
+                ip = x_forwarded_for.split(',')[0].strip()
             else:
                 ip = request.META.get('REMOTE_ADDR')
 
             if ip is None or ip == "":
-                ip = request.environ.get('HTTP_X_FORWARDED_FOR', request.environ.get('REMOTE_ADDR', ""))
+                ip = request.environ.get('HTTP_X_FORWARDED_FOR', request.environ.get('REMOTE_ADDR', "")).split(',')[0].strip()
 
             return ip
         except Exception:
@@ -45,3 +59,24 @@ def get_remote_ip_from_request(request):
             return request.raw._original_response.fp.raw._sock.getpeername()[0]
         except Exception:
             return ""
+
+    @staticmethod
+    def get_valid_ip(ips):
+        if isinstance(ips, list):
+            for ip in ips:
+                ip = ip.strip()
+                if IpUtils.is_valid_public_ip(ip):
+                    return ip
+
+            # No public ip found check for no loopback
+            for ip in ips:
+                ip = ip.strip()
+                if not IpUtils.is_loop_back(ip):
+                    return ip
+
+        ip = ips.strip()
+        if IpUtils.is_valid_public_ip(ip):
+            return ip
+
+        if IpUtils.is_loop_back(ip):
+            return ip

securenative/utils/version_utils.py

@@ -2,4 +2,4 @@ class VersionUtils(object):
 
     @staticmethod
     def get_version():
-        return "0.3.2"
+        return "0.3.3"

tests/api_manager_test.py

@@ -50,7 +50,7 @@ def test_track_event(self):
 
     @responses.activate
     def test_should_timeout_on_post(self):
-        options = SecureNativeOptions(api_key="YOUR_API_KEY", auto_send=True, timeout=0,
+        options = SecureNativeOptions(api_key="YOUR_API_KEY", auto_send=True, timeout=0.000001,
                                       api_url="https://api.securenative-stg.com/collector/api/v1")
 
         responses.add(responses.POST, "https://api.securenative-stg.com/collector/api/v1/verify",

tests/configuration_manager_test.py

@@ -12,26 +12,13 @@ class ConfigurationManagerTest(unittest.TestCase):
     def setUp(self):
         self.config_file_path = "/tmp/securenative.ini"
 
-    def create_ini_file(self, conf):
-        os.environ["SECURENATIVE_COMFIG_FILE"] = self.config_file_path
-
+    def clean_settings(self):
         try:
             os.remove(self.config_file_path)
         except FileNotFoundError:
             pass
 
-        config = configparser.ConfigParser()
-
-        for key, value in conf.items():
-            config.set("DEFAULT", key.upper(), value)
-
-        with open(self.config_file_path, "w") as configfile:
-            config.write(configfile)
-
-    @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
-    def test_parse_config_file_correctly(self):
         try:
-            os.remove(self.config_file_path)
             del os.environ["SECURENATIVE_API_KEY"]
             del os.environ["SECURENATIVE_API_URL"]
             del os.environ["SECURENATIVE_INTERVAL"]
@@ -41,11 +28,29 @@ def test_parse_config_file_correctly(self):
             del os.environ["SECURENATIVE_DISABLE"]
             del os.environ["SECURENATIVE_LOG_LEVEL"]
             del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
+            del os.environ["SECURENATIVE_PROXY_HEADERS"]
         except KeyError:
             pass
 
+    def create_ini_file(self, conf):
+        os.environ["SECURENATIVE_CONFIG_FILE"] = self.config_file_path
+
+        try:
+            os.remove(self.config_file_path)
+        except FileNotFoundError:
+            pass
+
+        config = configparser.ConfigParser()
+
+        for key, value in conf.items():
+            config.set("DEFAULT", key.upper(), value)
+
+        with open(self.config_file_path, "w") as configfile:
+            config.write(configfile)
+
+    @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
+    def test_parse_config_file_correctly(self):
+        self.clean_settings()
         config = {
             "SECURENATIVE_API_KEY": "SOME_API_KEY",
             "SECURENATIVE_APP_NAME": "SOME_APP_NAME",
@@ -57,7 +62,8 @@ def test_parse_config_file_correctly(self):
             "SECURENATIVE_AUTO_SEND": "True",
             "SECURENATIVE_DISABLE": "False",
             "SECURENATIVE_LOG_LEVEL": "Critical",
-            "SECURENATIVE_FAILOVER_STRATEGY": "fail-closed"
+            "SECURENATIVE_FAILOVER_STRATEGY": "fail-closed",
+            "SECURENATIVE_PROXY_HEADERS": "CF-Connecting-IP,Some-Random-Ip"
         }
 
         self.create_ini_file(config)
@@ -73,25 +79,11 @@ def test_parse_config_file_correctly(self):
         self.assertEqual(options.log_level, "Critical")
         self.assertEqual(options.max_events, "100")
         self.assertEqual(options.timeout, "1500")
+        self.assertEqual(options.proxy_headers, ["CF-Connecting-IP", "Some-Random-Ip"])
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_ignore_unknown_config_in_properties_file(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
-
+        self.clean_settings()
         config = {
             "SECURENATIVE_TIMEOUT": "1500",
             "SECURENATIVE_UNKNOWN_KEY": "SOME_UNKNOWN_KEY"
@@ -105,22 +97,7 @@ def test_ignore_unknown_config_in_properties_file(self):
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_handle_invalid_config_file(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
-
+        self.clean_settings()
         config = {"bla": "bla"}
 
         self.create_ini_file(config)
@@ -130,27 +107,12 @@ def test_handle_invalid_config_file(self):
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def ignore_invalid_config_file_entries(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
-
+        self.clean_settings()
         config = {
             "SECURENATIVE_API_KEY": 1,
             "SECURENATIVE_API_URL": 3,
             "SECURENATIVE_TIMEOUT": "bad timeout",
-            "SECURENATIVE_FAILOVER_STRATEGY": "fail-what"
+            "SECURENATIVE_FAILOVER_STRATEGY": "fail-what",
         }
 
         self.create_ini_file(config)
@@ -161,22 +123,7 @@ def ignore_invalid_config_file_entries(self):
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_load_default_config(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
-
+        self.clean_settings()
         options = ConfigurationManager.load_config(None)
 
         self.assertIsNotNone(options)
@@ -189,24 +136,11 @@ def test_load_default_config(self):
         self.assertEqual(str(options.disable), "False")
         self.assertEqual(options.log_level, "CRITICAL")
         self.assertEqual(options.fail_over_strategy, FailOverStrategy.FAIL_OPEN.value)
+        self.assertEqual(len(options.proxy_headers), 0)
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_get_config_from_env_variables(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
+        self.clean_settings()
 
         os.environ["SECURENATIVE_API_KEY"] = "SOME_ENV_API_KEY"
         os.environ["SECURENATIVE_API_URL"] = "SOME_API_URL"
@@ -217,6 +151,7 @@ def test_get_config_from_env_variables(self):
         os.environ["SECURENATIVE_DISABLE"] = "True"
         os.environ["SECURENATIVE_LOG_LEVEL"] = "Debug"
         os.environ["SECURENATIVE_FAILOVER_STRATEGY"] = "fail-closed"
+        os.environ["SECURENATIVE_PROXY_HEADERS"] = "CF-Connecting-IP"
 
         options = ConfigurationManager.load_config(None)
 
@@ -229,25 +164,11 @@ def test_get_config_from_env_variables(self):
         self.assertEqual(options.disable, "True")
         self.assertEqual(options.log_level, "Debug")
         self.assertEqual(options.fail_over_strategy, FailOverStrategy.FAIL_CLOSED.value)
+        self.assertEqual(options.proxy_headers, "CF-Connecting-IP")
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_default_values_for_invalid_enum_config_props(self):
-        try:
-            os.remove(self.config_file_path)
-            del os.environ["SECURENATIVE_API_KEY"]
-            del os.environ["SECURENATIVE_API_URL"]
-            del os.environ["SECURENATIVE_INTERVAL"]
-            del os.environ["SECURENATIVE_MAX_EVENTS"]
-            del os.environ["SECURENATIVE_TIMEOUT"]
-            del os.environ["SECURENATIVE_AUTO_SEND"]
-            del os.environ["SECURENATIVE_DISABLE"]
-            del os.environ["SECURENATIVE_LOG_LEVEL"]
-            del os.environ["SECURENATIVE_FAILOVER_STRATEGY"]
-        except FileNotFoundError:
-            pass
-        except KeyError:
-            pass
-
+        self.clean_settings()
         config = {
             "SECURENATIVE_FAILOVER_STRATEGY": "fail-something"
         }