New: Add config file setting for CGNAT authentication bypass

(cherry picked from commit 4c41a4f368046f73f82306bbd73bec992392938b) Closes #3903
1 month ago · 0d121fe9c0
parent 892c34fe35
commit 0d121fe9c0
7 changed files with 43 additions and 4 deletions
--- a/src/NzbDrone.Common.Test/ExtensionTests/IPAddressExtensionsFixture.cs
+++ b/src/NzbDrone.Common.Test/ExtensionTests/IPAddressExtensionsFixture.cs
@ -21,9 +21,28 @@ namespace NzbDrone.Common.Test.ExtensionTests
        [TestCase("1.2.3.4")]
        [TestCase("172.55.0.1")]
        [TestCase("192.55.0.1")]
+        [TestCase("100.64.0.1")]
+        [TestCase("100.127.255.254")]
        public void should_return_false_for_public_ip_address(string ipAddress)
        {
            IPAddress.Parse(ipAddress).IsLocalAddress().Should().BeFalse();
        }
+
+        [TestCase("100.64.0.1")]
+        [TestCase("100.127.255.254")]
+        [TestCase("100.100.100.100")]
+        public void should_return_true_for_cgnat_ip_address(string ipAddress)
+        {
+            IPAddress.Parse(ipAddress).IsCgnatIpAddress().Should().BeTrue();
+        }
+
+        [TestCase("1.2.3.4")]
+        [TestCase("192.168.5.1")]
+        [TestCase("100.63.255.255")]
+        [TestCase("100.128.0.0")]
+        public void should_return_false_for_non_cgnat_ip_address(string ipAddress)
+        {
+            IPAddress.Parse(ipAddress).IsCgnatIpAddress().Should().BeFalse();
+        }
    }
 }
--- a/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs
+++ b/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs
@ -52,5 +52,11 @@ namespace NzbDrone.Common.Extensions

            return isLinkLocal || isClassA || isClassC || isClassB;
        }
+
+        public static bool IsCgnatIpAddress(this IPAddress ipAddress)
+        {
+            var bytes = ipAddress.GetAddressBytes();
+            return bytes.Length == 4 && bytes[0] == 100 && bytes[1] >= 64 && bytes[1] <= 127;
+        }
    }
 }
--- a/src/NzbDrone.Common/Options/AuthOptions.cs
+++ b/src/NzbDrone.Common/Options/AuthOptions.cs
@ -6,4 +6,5 @@ public class AuthOptions
    public bool? Enabled { get; set; }
    public string Method { get; set; }
    public string Required { get; set; }
+    public bool? TrustCgnatIpAddresses { get; set; }
 }
--- a/src/NzbDrone.Core/Configuration/ConfigFileProvider.cs
+++ b/src/NzbDrone.Core/Configuration/ConfigFileProvider.cs
@ -53,6 +53,7 @@ namespace NzbDrone.Core.Configuration
        string SyslogServer { get; }
        int SyslogPort { get; }
        string SyslogLevel { get; }
+        string Theme { get; }
        string PostgresHost { get; }
        int PostgresPort { get; }
        string PostgresUser { get; }
@ -60,7 +61,7 @@ namespace NzbDrone.Core.Configuration
        string PostgresMainDb { get; }
        string PostgresLogDb { get; }
        string PostgresCacheDb { get; }
-        string Theme { get; }
+        bool TrustCgnatIpAddresses { get; }
    }

    public class ConfigFileProvider : IConfigFileProvider
@ -462,5 +463,7 @@ namespace NzbDrone.Core.Configuration
        {
            SetValue("ApiKey", GenerateApiKey());
        }
+
+        public bool TrustCgnatIpAddresses => _authOptions.TrustCgnatIpAddresses ?? GetValueBoolean("TrustCgnatIpAddresses", false, persist: false);
    }
 }
--- a/src/NzbDrone.Core/Configuration/ConfigService.cs
+++ b/src/NzbDrone.Core/Configuration/ConfigService.cs
@ -404,6 +404,12 @@ namespace NzbDrone.Core.Configuration

        public string ApplicationUrl => GetValue("ApplicationUrl", string.Empty);

+        public bool TrustCgnatIpAddresses
+        {
+            get { return GetValueBoolean("TrustCgnatIpAddresses", false); }
+            set { SetValue("TrustCgnatIpAddresses", value); }
+        }
+
        private string GetValue(string key)
        {
            return GetValue(key, string.Empty);
--- a/src/Readarr.Api.V1/Config/HostConfigResource.cs
+++ b/src/Readarr.Api.V1/Config/HostConfigResource.cs
@ -44,6 +44,7 @@ namespace Readarr.Api.V1.Config
        public string BackupFolder { get; set; }
        public int BackupInterval { get; set; }
        public int BackupRetention { get; set; }
+        public bool TrustCgnatIpAddresses { get; set; }
    }

    public static class HostConfigResourceMapper
--- a/src/Readarr.Http/Authentication/UiAuthorizationHandler.cs
+++ b/src/Readarr.Http/Authentication/UiAuthorizationHandler.cs
@ -27,10 +27,13 @@ namespace NzbDrone.Http.Authentication
            if (_authenticationRequired == AuthenticationRequiredType.DisabledForLocalAddresses)
            {
                if (context.Resource is HttpContext httpContext &&
-                    IPAddress.TryParse(httpContext.GetRemoteIP(), out var ipAddress) &&
-                    ipAddress.IsLocalAddress())
+                    IPAddress.TryParse(httpContext.GetRemoteIP(), out var ipAddress))
                {
-                    context.Succeed(requirement);
+                    if (ipAddress.IsLocalAddress() ||
+                        (_configService.TrustCgnatIpAddresses && ipAddress.IsCgnatIpAddress()))
+                    {
+                        context.Succeed(requirement);
+                    }
                }
            }