feat(security): Implemented more security information

2026-05-03 22:46:54 +03:00
parent 88ab6e808b
commit 9d9db5cf0b
20 changed files with 902 additions and 193 deletions
--- a/lib/server/admin.go
+++ b/lib/server/admin.go
@@ -62,7 +62,7 @@ func (app *App) handleAdminLoginPost(ctx *gin.Context) {
 		ctx.Redirect(http.StatusSeeOther, "/")
 		return
 	}
-	ip := clientIP(ctx)
+	ip := app.clientIP(ctx)
 	guard := app.securityGuard
 	if guard == nil {
 		guard = security.NewGuard()
--- a/lib/server/admin_security.go
+++ b/lib/server/admin_security.go
@@ -3,6 +3,7 @@ package server
 import (
 	"net"
 	"net/http"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -20,16 +21,20 @@ type adminAlertsActionRequest struct {
 }

 type adminSecurityActionRequest struct {
-	Action   string `json:"action"`
-	IP       string `json:"ip"`
-	BanUntil string `json:"ban_until"`
+	Action   string   `json:"action"`
+	IP       string   `json:"ip"`
+	IPs      []string `json:"ips"`
+	BanUntil string   `json:"ban_until"`
 }

 func (app *App) reloadSecurityConfig() {
 	if app.securityGuard == nil {
 		app.securityGuard = security.NewGuard()
 	}
-	app.securityGuard.Reload(security.Config{
+	if app.config != nil {
+		_ = app.securityGuard.EnableBanPersistence(filepath.Join(app.config.DBDir, "bans.badger"))
+	}
+	_ = app.securityGuard.Reload(security.Config{
 		IPWhitelist:         app.config.SecurityIPWhitelist,
 		AdminIPWhitelist:    app.config.SecurityAdminIPWhitelist,
 		LoginWindowSeconds:  app.config.SecurityLoginWindowSeconds,
@@ -55,7 +60,7 @@ func (app *App) logActivity(kind string, severity string, message string, ctx *g
 		Meta:      meta,
 	}
 	if ctx != nil {
-		event.IP = clientIP(ctx)
+		event.IP = app.clientIP(ctx)
 		event.Path = ctx.Request.URL.Path
 		event.Method = ctx.Request.Method
 	}
@@ -84,7 +89,7 @@ func (app *App) securityMiddleware() gin.HandlerFunc {
 			ctx.Next()
 			return
 		}
-		ip := clientIP(ctx)
+		ip := app.clientIP(ctx)
 		if app.securityGuard.IsWhitelisted(ip) || app.securityGuard.IsAdminWhitelisted(ip) {
 			ctx.Next()
 			return
@@ -106,7 +111,7 @@ func (app *App) handleNoRoute(ctx *gin.Context) {
 	path := strings.ToLower(ctx.Request.URL.Path)
 	suspicious := strings.Contains(path, "../") || strings.Contains(path, ".php") || strings.Contains(path, "wp-admin") || strings.Contains(path, ".env")
 	if suspicious {
-		ip := clientIP(ctx)
+		ip := app.clientIP(ctx)
 		if !app.securityGuard.IsWhitelisted(ip) {
 			banned, attempts := app.securityGuard.RegisterScanAttempt(ip, app.config.SecurityScanWindowSeconds, app.config.SecurityScanMaxAttempts, app.config.SecurityBanSeconds)
 			app.logActivity("security.scan", "medium", "Suspicious path probe detected", ctx, map[string]string{"attempts": intToString(attempts)})
@@ -146,10 +151,10 @@ func (app *App) handleAdminSecurity(ctx *gin.Context) {
 	events := []activity.Event{}
 	alertsList := []alerts.Alert{}
 	if app.activityStore != nil {
-		events, _ = app.activityStore.List(100, app.config.ActivityRetentionSeconds)
+		events, _ = app.activityStore.List(300, app.config.ActivityRetentionSeconds)
 	}
 	if app.alertStore != nil {
-		alertsList, _ = app.alertStore.List(50)
+		alertsList, _ = app.alertStore.List(120)
 	}
 	bans := []security.BanEntry{}
 	if app.securityGuard != nil {
@@ -200,6 +205,15 @@ func (app *App) handleAdminAlertsAction(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, gin.H{"ok": true, "alerts": alertsList})
 }

+func (app *App) recordManualBanAction(ctx *gin.Context, kind string, message string, severity string, ip string, meta map[string]string, alertTitle string, alertSeverity string, code string, trace string, alertMessage string) {
+	metaCopy := map[string]string{"ip": ip}
+	for k, v := range meta {
+		metaCopy[k] = v
+	}
+	app.logActivity(kind, severity, message, ctx, metaCopy)
+	app.createAlert(alertTitle, alertSeverity, "security", code, trace, alertMessage, metaCopy)
+}
+
 func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
 	if app.securityGuard == nil {
 		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Security guard unavailable"})
@@ -215,6 +229,7 @@ func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid IP"})
 		return
 	}
+
 	switch request.Action {
 	case "ban":
 		if ip == "" {
@@ -222,8 +237,7 @@ func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
 			return
 		}
 		app.securityGuard.Ban(ip, app.config.SecurityBanSeconds)
-		app.logActivity("security.manual_ban", "high", "Admin banned IP", ctx, map[string]string{"ip": ip})
-		app.createAlert("IP manually banned by admin", "medium", "security", "420", "security.manual.ban", "Admin manually applied temporary ban.", map[string]string{"ip": ip})
+		app.recordManualBanAction(ctx, "security.manual_ban", "Admin banned IP", "high", ip, nil, "IP manually banned by admin", "medium", "420", "security.manual.ban", "Admin manually applied temporary ban.")
 		ctx.JSON(http.StatusOK, gin.H{"ok": true, "message": "IP banned", "bans": app.securityGuard.BanList()})
 	case "ban_until":
 		if ip == "" {
@@ -236,8 +250,8 @@ func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
 			return
 		}
 		app.securityGuard.BanUntil(ip, until)
-		app.logActivity("security.manual_ban_until", "high", "Admin set custom ban expiration", ctx, map[string]string{"ip": ip, "until": until.UTC().Format(time.RFC3339)})
-		app.createAlert("Custom IP ban applied by admin", "medium", "security", "421", "security.manual.ban_until", "Admin set explicit ban expiration date.", map[string]string{"ip": ip, "until": until.UTC().Format(time.RFC3339)})
+		meta := map[string]string{"until": until.UTC().Format(time.RFC3339)}
+		app.recordManualBanAction(ctx, "security.manual_ban_until", "Admin set custom ban expiration", "high", ip, meta, "Custom IP ban applied by admin", "medium", "421", "security.manual.ban_until", "Admin set explicit ban expiration date.")
 		ctx.JSON(http.StatusOK, gin.H{"ok": true, "message": "IP ban expiration updated", "bans": app.securityGuard.BanList()})
 	case "unban":
 		if ip == "" {
@@ -245,9 +259,34 @@ func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
 			return
 		}
 		app.securityGuard.Unban(ip)
-		app.logActivity("security.manual_unban", "medium", "Admin unbanned IP", ctx, map[string]string{"ip": ip})
-		app.createAlert("IP unbanned by admin", "low", "security", "422", "security.manual.unban", "Admin manually removed temporary ban.", map[string]string{"ip": ip})
+		app.recordManualBanAction(ctx, "security.manual_unban", "Admin unbanned IP", "medium", ip, nil, "IP unbanned by admin", "low", "422", "security.manual.unban", "Admin manually removed temporary ban.")
 		ctx.JSON(http.StatusOK, gin.H{"ok": true, "message": "IP unbanned", "bans": app.securityGuard.BanList()})
+	case "bulk_unban":
+		if len(request.IPs) == 0 {
+			ctx.JSON(http.StatusBadRequest, gin.H{"error": "Missing IP list"})
+			return
+		}
+		count := 0
+		for _, candidate := range request.IPs {
+			candidate = strings.TrimSpace(candidate)
+			if net.ParseIP(candidate) == nil {
+				continue
+			}
+			app.securityGuard.Unban(candidate)
+			count++
+		}
+		app.logActivity("security.manual_bulk_unban", "high", "Admin unbanned multiple IPs", ctx, map[string]string{"count": intToString(count)})
+		app.createAlert("Bulk IP unban by admin", "medium", "security", "423", "security.manual.bulk_unban", "Admin manually removed multiple temporary bans.", map[string]string{"count": intToString(count)})
+		ctx.JSON(http.StatusOK, gin.H{"ok": true, "message": "Bulk unban complete", "bans": app.securityGuard.BanList()})
+	case "unban_all":
+		current := app.securityGuard.BanList()
+		for _, ban := range current {
+			app.securityGuard.Unban(ban.IP)
+		}
+		count := len(current)
+		app.logActivity("security.manual_unban_all", "high", "Admin cleared all active bans", ctx, map[string]string{"count": intToString(count)})
+		app.createAlert("All active bans cleared by admin", "medium", "security", "424", "security.manual.unban_all", "Admin manually removed all temporary bans.", map[string]string{"count": intToString(count)})
+		ctx.JSON(http.StatusOK, gin.H{"ok": true, "message": "All bans cleared", "bans": app.securityGuard.BanList()})
 	default:
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Unknown action"})
 	}
--- a/lib/server/admin_security_test.go
+++ b/lib/server/admin_security_test.go
@@ -0,0 +1,123 @@
+package server
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+
+	"warpbox/lib/activity"
+	"warpbox/lib/alerts"
+	"warpbox/lib/config"
+	"warpbox/lib/security"
+)
+
+func TestAdminSecurityActionsWriteAuditTrail(t *testing.T) {
+	app, router := setupAdminSecurityTest(t)
+
+	for _, body := range []string{
+		`{"action":"ban","ip":"203.0.113.7"}`,
+		`{"action":"unban","ip":"203.0.113.7"}`,
+	} {
+		request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(body))
+		request.Header.Set("Content-Type", "application/json")
+		request.AddCookie(authCookie(app))
+		response := httptest.NewRecorder()
+		router.ServeHTTP(response, request)
+		if response.Code != http.StatusOK {
+			t.Fatalf("expected 200, got %d body=%s", response.Code, response.Body.String())
+		}
+	}
+
+	events, err := app.activityStore.List(100, app.config.ActivityRetentionSeconds)
+	if err != nil {
+		t.Fatalf("activity list error: %v", err)
+	}
+	if len(events) < 2 {
+		t.Fatalf("expected activity events, got %d", len(events))
+	}
+	alertsList, err := app.alertStore.List(100)
+	if err != nil {
+		t.Fatalf("alerts list error: %v", err)
+	}
+	if len(alertsList) < 2 {
+		t.Fatalf("expected alerts for manual actions, got %d", len(alertsList))
+	}
+}
+
+func TestAdminSecurityBulkUnbanAndUnbanAll(t *testing.T) {
+	app, router := setupAdminSecurityTest(t)
+	app.securityGuard.Ban("203.0.113.8", 300)
+	app.securityGuard.Ban("203.0.113.9", 300)
+
+	request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"bulk_unban","ips":["203.0.113.8"]}`))
+	request.Header.Set("Content-Type", "application/json")
+	request.AddCookie(authCookie(app))
+	response := httptest.NewRecorder()
+	router.ServeHTTP(response, request)
+	if response.Code != http.StatusOK {
+		t.Fatalf("bulk_unban expected 200, got %d", response.Code)
+	}
+	if app.securityGuard.IsBanned("203.0.113.8") {
+		t.Fatal("expected selected IP to be unbanned")
+	}
+	if !app.securityGuard.IsBanned("203.0.113.9") {
+		t.Fatal("expected non-selected IP to remain banned")
+	}
+
+	requestAll := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"unban_all"}`))
+	requestAll.Header.Set("Content-Type", "application/json")
+	requestAll.AddCookie(authCookie(app))
+	responseAll := httptest.NewRecorder()
+	router.ServeHTTP(responseAll, requestAll)
+	if responseAll.Code != http.StatusOK {
+		t.Fatalf("unban_all expected 200, got %d", responseAll.Code)
+	}
+	if len(app.securityGuard.BanList()) != 0 {
+		t.Fatal("expected all bans to be removed")
+	}
+}
+
+func setupAdminSecurityTest(t *testing.T) (*App, *gin.Engine) {
+	t.Helper()
+	gin.SetMode(gin.TestMode)
+	cwd, _ := os.Getwd()
+	root := filepath.Clean(filepath.Join(cwd, "..", ".."))
+	if err := os.Chdir(root); err != nil {
+		t.Fatalf("chdir: %v", err)
+	}
+	t.Cleanup(func() { _ = os.Chdir(cwd) })
+
+	clearAdminSettingsEnv(t)
+	t.Setenv("WARPBOX_DATA_DIR", t.TempDir())
+	t.Setenv("WARPBOX_ADMIN_PASSWORD", "secret")
+	t.Setenv("WARPBOX_ADMIN_ENABLED", "true")
+
+	cfg, err := config.Load()
+	if err != nil {
+		t.Fatalf("config load: %v", err)
+	}
+	if err := cfg.EnsureDirectories(); err != nil {
+		t.Fatalf("ensure dirs: %v", err)
+	}
+
+	app := &App{
+		config:        cfg,
+		activityStore: activity.NewStore(filepath.Join(cfg.DBDir, "activity.json")),
+		alertStore:    alerts.NewStore(filepath.Join(cfg.DBDir, "alerts.json")),
+		securityGuard: security.NewGuard(),
+	}
+	app.reloadSecurityConfig()
+	t.Cleanup(func() { _ = app.securityGuard.Close() })
+
+	router := gin.New()
+	admin := router.Group("/admin")
+	admin.GET("/login", app.handleAdminLogin)
+	protected := router.Group("/admin", app.adminAuthMiddleware)
+	protected.POST("/security/actions", app.handleAdminSecurityAction)
+	return app, router
+}
--- a/lib/server/admin_settings_test.go
+++ b/lib/server/admin_settings_test.go
@@ -265,7 +265,34 @@ func clearAdminSettingsEnv(t *testing.T) {
 		"WARPBOX_BOX_POLL_INTERVAL_MS",
 		"WARPBOX_THUMBNAIL_BATCH_SIZE",
 		"WARPBOX_THUMBNAIL_INTERVAL_SECONDS",
+		"WARPBOX_SECURITY_IP_WHITELIST",
+		"WARPBOX_SECURITY_ADMIN_IP_WHITELIST",
+		"WARPBOX_TRUSTED_PROXY_CIDRS",
+		"WARPBOX_SECURITY_LOGIN_WINDOW_SECONDS",
+		"WARPBOX_SECURITY_LOGIN_MAX_ATTEMPTS",
+		"WARPBOX_SECURITY_BAN_SECONDS",
+		"WARPBOX_SECURITY_SCAN_WINDOW_SECONDS",
+		"WARPBOX_SECURITY_SCAN_MAX_ATTEMPTS",
+		"WARPBOX_SECURITY_UPLOAD_WINDOW_SECONDS",
+		"WARPBOX_SECURITY_UPLOAD_MAX_REQUESTS",
+		"WARPBOX_SECURITY_UPLOAD_MAX_GB",
+		"WARPBOX_SECURITY_UPLOAD_MAX_MB",
+		"WARPBOX_SECURITY_UPLOAD_MAX_BYTES",
 	} {
 		t.Setenv(name, "")
 	}
 }
+
+func TestAdminSettingsSaveRejectsInvalidTrustedProxyCIDR(t *testing.T) {
+	app, router := setupAdminSettingsTest(t)
+
+	request := httptest.NewRequest(http.MethodPost, "/admin/settings/save", strings.NewReader(`{"values":{"trusted_proxy_cidrs":"not-a-cidr"}}`))
+	request.Header.Set("Content-Type", "application/json")
+	request.AddCookie(authCookie(app))
+	response := httptest.NewRecorder()
+	router.ServeHTTP(response, request)
+
+	if response.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d", response.Code)
+	}
+}
--- a/lib/server/ip.go
+++ b/lib/server/ip.go
@@ -6,29 +6,47 @@ import (
 	"strings"

 	"github.com/gin-gonic/gin"
+
+	"warpbox/lib/security"
 )

-func clientIP(ctx *gin.Context) string {
+func (app *App) clientIP(ctx *gin.Context) string {
 	if ctx == nil || ctx.Request == nil {
 		return ""
 	}
 	remoteIP := remoteAddrIP(ctx.Request)
-
-	// Only trust forwarding headers when remote hop looks like local/internal proxy.
-	if isPrivateOrLoopback(remoteIP) {
-		for _, candidate := range headerIPs(ctx.Request.Header) {
-			if isPublicIP(candidate) {
-				return candidate
-			}
-		}
-		candidates := headerIPs(ctx.Request.Header)
-		if len(candidates) > 0 {
-			return candidates[0]
+	trusted, err := security.ParseCIDRList(app.config.TrustedProxyCIDRs)
+	if err != nil {
+		return remoteIP
+	}
+	if !remoteIsTrusted(remoteIP, trusted) {
+		return remoteIP
+	}
+	for _, candidate := range headerIPs(ctx.Request.Header) {
+		if isPublicIP(candidate) {
+			return candidate
 		}
 	}
+	candidates := headerIPs(ctx.Request.Header)
+	if len(candidates) > 0 {
+		return candidates[0]
+	}
 	return remoteIP
 }

+func remoteIsTrusted(remoteIP string, trusted []net.IPNet) bool {
+	ip := net.ParseIP(strings.TrimSpace(remoteIP))
+	if ip == nil {
+		return false
+	}
+	for _, prefix := range trusted {
+		if prefix.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
 func headerIPs(header http.Header) []string {
 	keys := []string{
 		"X-Forwarded-For",
--- a/lib/server/ip_test.go
+++ b/lib/server/ip_test.go
@@ -0,0 +1,44 @@
+package server
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+
+	"warpbox/lib/config"
+)
+
+func TestClientIPDirectClient(t *testing.T) {
+	app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
+	ctx.Request.RemoteAddr = "198.51.100.10:1234"
+	ctx.Request.Header.Set("X-Forwarded-For", "203.0.113.4")
+	if got := app.clientIP(ctx); got != "198.51.100.10" {
+		t.Fatalf("expected direct remote IP, got %q", got)
+	}
+}
+
+func TestClientIPTrustedProxyChain(t *testing.T) {
+	app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
+	ctx.Request.RemoteAddr = "10.1.2.3:8080"
+	ctx.Request.Header.Set("X-Forwarded-For", "203.0.113.44, 10.0.0.5")
+	if got := app.clientIP(ctx); got != "203.0.113.44" {
+		t.Fatalf("expected forwarded public client IP, got %q", got)
+	}
+}
+
+func TestClientIPSpoofedHeaderFromUntrustedRemote(t *testing.T) {
+	app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
+	ctx.Request.RemoteAddr = "203.0.113.200:8080"
+	ctx.Request.Header.Set("X-Forwarded-For", "198.51.100.55")
+	if got := app.clientIP(ctx); got != "203.0.113.200" {
+		t.Fatalf("expected untrusted remote IP, got %q", got)
+	}
+}
--- a/lib/server/validation.go
+++ b/lib/server/validation.go
@@ -156,7 +156,7 @@ func (app *App) maxRequestBodyBytes() int64 {
 }

 func (app *App) enforceUploadRateLimit(ctx *gin.Context, size int64) bool {
-	ip := clientIP(ctx)
+	ip := app.clientIP(ctx)
 	if app.securityGuard.IsWhitelisted(ip) || app.securityGuard.IsAdminWhitelisted(ip) {
 		return true
 	}