File size: 14,129 Bytes
f70869e 50d5925 f70869e 26f5543 f70869e 26f5543 f70869e 26f5543 f70869e 26f5543 f70869e 26f5543 f70869e |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 |
"""
Module: services.ip_whitelist_service
Description: IP whitelist management for production environments
Author: Anderson H. Silva
Date: 2025-01-25
License: Proprietary - All rights reserved
"""
import ipaddress
from typing import List, Optional, Set, Dict, Any
from datetime import datetime, timezone
import json
from src.core import get_logger
from src.services.cache_service import cache_service
from src.core.config import settings
from src.models.base import BaseModel
from sqlalchemy import Column, String, Boolean, DateTime, Integer, JSON
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select, delete
logger = get_logger(__name__)
class IPWhitelist(BaseModel):
"""IP whitelist entry model."""
__tablename__ = "ip_whitelists"
id = Column(String(64), primary_key=True)
ip_address = Column(String(45), nullable=False, unique=True) # IPv4 or IPv6
description = Column(String(255))
environment = Column(String(20), nullable=False, default="production")
active = Column(Boolean, default=True)
created_by = Column(String(255), nullable=False)
created_at = Column(DateTime(timezone=True), nullable=False, default=lambda: datetime.now(timezone.utc))
expires_at = Column(DateTime(timezone=True), nullable=True)
meta_info = Column(JSON, default=dict)
# CIDR support
is_cidr = Column(Boolean, default=False)
cidr_prefix = Column(Integer, nullable=True)
def is_expired(self) -> bool:
"""Check if whitelist entry is expired."""
if not self.expires_at:
return False
return datetime.now(timezone.utc) > self.expires_at
def matches(self, ip: str) -> bool:
"""Check if IP matches this whitelist entry."""
if not self.active or self.is_expired():
return False
try:
if self.is_cidr:
# CIDR range check
network = ipaddress.ip_network(f"{self.ip_address}/{self.cidr_prefix}")
return ipaddress.ip_address(ip) in network
else:
# Exact match
return self.ip_address == ip
except ValueError:
logger.error(f"Invalid IP address format: {ip}")
return False
class IPWhitelistService:
"""Service for managing IP whitelists."""
def __init__(self):
"""Initialize IP whitelist service."""
self._cache_key_prefix = "ip_whitelist"
self._cache_ttl = 300 # 5 minutes
self._whitelist_cache: Optional[Set[str]] = None
self._cidr_cache: Optional[List[tuple]] = None
self._last_cache_update: Optional[datetime] = None
async def add_ip(
self,
session: AsyncSession,
ip_address: str,
created_by: str,
description: Optional[str] = None,
environment: str = "production",
expires_at: Optional[datetime] = None,
is_cidr: bool = False,
meta_info: Optional[Dict[str, Any]] = None
) -> IPWhitelist:
"""Add IP address or CIDR range to whitelist."""
try:
# Parse and validate IP/CIDR
if is_cidr or "/" in ip_address:
network = ipaddress.ip_network(ip_address, strict=False)
ip_str = str(network.network_address)
cidr_prefix = network.prefixlen
is_cidr = True
else:
# Validate single IP
ip_obj = ipaddress.ip_address(ip_address)
ip_str = str(ip_obj)
cidr_prefix = None
is_cidr = False
except ValueError as e:
logger.error(f"Invalid IP address format: {ip_address}")
raise ValueError(f"Invalid IP address format: {ip_address}") from e
# Check if already exists
existing = await session.execute(
select(IPWhitelist).where(
IPWhitelist.ip_address == ip_str,
IPWhitelist.environment == environment
)
)
if existing.scalar_one_or_none():
raise ValueError(f"IP address already whitelisted: {ip_str}")
# Create whitelist entry
entry = IPWhitelist(
id=f"{environment}:{ip_str}",
ip_address=ip_str,
description=description,
environment=environment,
created_by=created_by,
expires_at=expires_at,
is_cidr=is_cidr,
cidr_prefix=cidr_prefix,
meta_info=meta_info or {}
)
session.add(entry)
await session.commit()
# Invalidate cache
await self._invalidate_cache()
logger.info(
"ip_whitelist_added",
ip=ip_str,
environment=environment,
is_cidr=is_cidr,
created_by=created_by
)
return entry
async def remove_ip(
self,
session: AsyncSession,
ip_address: str,
environment: str = "production"
) -> bool:
"""Remove IP from whitelist."""
result = await session.execute(
delete(IPWhitelist).where(
IPWhitelist.ip_address == ip_address,
IPWhitelist.environment == environment
)
)
await session.commit()
if result.rowcount > 0:
await self._invalidate_cache()
logger.info(
"ip_whitelist_removed",
ip=ip_address,
environment=environment
)
return True
return False
async def check_ip(
self,
session: AsyncSession,
ip_address: str,
environment: str = "production"
) -> bool:
"""Check if IP is whitelisted."""
# Check cache first
cache_key = f"{self._cache_key_prefix}:{environment}:check:{ip_address}"
cached = await cache_service.get(cache_key)
if cached is not None:
return cached
# Load whitelist if needed
await self._ensure_cache_loaded(session, environment)
# Check exact matches first
if self._whitelist_cache and ip_address in self._whitelist_cache:
await cache_service.set(cache_key, True, ttl=self._cache_ttl)
return True
# Check CIDR ranges
if self._cidr_cache:
for cidr_ip, prefix, expires_at in self._cidr_cache:
if expires_at and datetime.now(timezone.utc) > expires_at:
continue
try:
network = ipaddress.ip_network(f"{cidr_ip}/{prefix}")
if ipaddress.ip_address(ip_address) in network:
await cache_service.set(cache_key, True, ttl=self._cache_ttl)
return True
except ValueError:
continue
# Not whitelisted
await cache_service.set(cache_key, False, ttl=self._cache_ttl)
return False
async def list_ips(
self,
session: AsyncSession,
environment: str = "production",
include_expired: bool = False
) -> List[IPWhitelist]:
"""List all whitelisted IPs."""
query = select(IPWhitelist).where(
IPWhitelist.environment == environment
)
if not include_expired:
now = datetime.now(timezone.utc)
query = query.where(
(IPWhitelist.expires_at.is_(None)) |
(IPWhitelist.expires_at > now)
)
result = await session.execute(query)
return list(result.scalars().all())
async def update_ip(
self,
session: AsyncSession,
ip_address: str,
environment: str = "production",
active: Optional[bool] = None,
description: Optional[str] = None,
expires_at: Optional[datetime] = None,
meta_info: Optional[Dict[str, Any]] = None
) -> Optional[IPWhitelist]:
"""Update whitelist entry."""
result = await session.execute(
select(IPWhitelist).where(
IPWhitelist.ip_address == ip_address,
IPWhitelist.environment == environment
)
)
entry = result.scalar_one_or_none()
if not entry:
return None
if active is not None:
entry.active = active
if description is not None:
entry.description = description
if expires_at is not None:
entry.expires_at = expires_at
if meta_info is not None:
entry.meta_info = meta_info
await session.commit()
await self._invalidate_cache()
logger.info(
"ip_whitelist_updated",
ip=ip_address,
environment=environment,
active=entry.active
)
return entry
async def cleanup_expired(
self,
session: AsyncSession,
environment: Optional[str] = None
) -> int:
"""Remove expired whitelist entries."""
query = delete(IPWhitelist).where(
IPWhitelist.expires_at < datetime.now(timezone.utc)
)
if environment:
query = query.where(IPWhitelist.environment == environment)
result = await session.execute(query)
await session.commit()
if result.rowcount > 0:
await self._invalidate_cache()
logger.info(
"ip_whitelist_cleanup",
removed=result.rowcount,
environment=environment
)
return result.rowcount
async def _ensure_cache_loaded(
self,
session: AsyncSession,
environment: str
) -> None:
"""Ensure whitelist is loaded in cache."""
# Check if cache is still valid
if (
self._last_cache_update and
(datetime.now(timezone.utc) - self._last_cache_update).total_seconds() < self._cache_ttl
):
return
# Load from database
now = datetime.now(timezone.utc)
result = await session.execute(
select(IPWhitelist).where(
IPWhitelist.environment == environment,
IPWhitelist.active == True,
(IPWhitelist.expires_at.is_(None)) | (IPWhitelist.expires_at > now)
)
)
entries = result.scalars().all()
# Separate exact IPs and CIDR ranges
self._whitelist_cache = set()
self._cidr_cache = []
for entry in entries:
if entry.is_cidr:
self._cidr_cache.append((
entry.ip_address,
entry.cidr_prefix,
entry.expires_at
))
else:
self._whitelist_cache.add(entry.ip_address)
self._last_cache_update = datetime.now(timezone.utc)
logger.debug(
"ip_whitelist_cache_loaded",
environment=environment,
exact_ips=len(self._whitelist_cache),
cidr_ranges=len(self._cidr_cache)
)
async def _invalidate_cache(self) -> None:
"""Invalidate the whitelist cache."""
self._whitelist_cache = None
self._cidr_cache = None
self._last_cache_update = None
# Clear Redis cache patterns
pattern = f"{self._cache_key_prefix}:*"
await cache_service.delete_pattern(pattern)
def get_default_whitelist(self) -> List[str]:
"""Get default whitelist based on environment."""
defaults = []
# Always allow localhost
defaults.extend([
"127.0.0.1",
"::1",
"localhost"
])
# Development environment
if settings.is_development:
defaults.extend([
"10.0.0.0/8", # Private network
"172.16.0.0/12", # Private network
"192.168.0.0/16" # Private network
])
# Production environment - add known services
if settings.is_production:
# Vercel IPs (example - would need real ranges)
defaults.extend([
"76.76.21.0/24", # Vercel edge network (example)
"76.223.0.0/16" # Vercel edge network (example)
])
# HuggingFace Spaces IPs (example - would need real ranges)
defaults.extend([
"34.0.0.0/8", # Google Cloud (where HF runs)
"35.0.0.0/8" # Google Cloud
])
# Monitoring services
defaults.extend([
"52.0.0.0/8" # AWS (for monitoring)
])
return defaults
async def initialize_defaults(
self,
session: AsyncSession,
created_by: str = "system"
) -> int:
"""Initialize default whitelist entries."""
defaults = self.get_default_whitelist()
count = 0
for ip in defaults:
try:
is_cidr = "/" in ip
await self.add_ip(
session=session,
ip_address=ip,
created_by=created_by,
description="Default whitelist entry",
environment=settings.app_env,
is_cidr=is_cidr
)
count += 1
except ValueError:
# Already exists or invalid
continue
logger.info(
"ip_whitelist_defaults_initialized",
count=count,
environment=settings.app_env
)
return count
# Global instance
ip_whitelist_service = IPWhitelistService() |