authentication: fix loopback detection

When an request is coming from a loopback interface, authentication is not required. This commit fixes ipv4 addresses mapped inside ipv6 addresses, by first converting to a canonical address. There addresses were otherwise falsely tested as a non loopback addresses.
turing-machines · Mar 13, 2024 · 8ec72c6 · 8ec72c6
1 parent c516208
commit 8ec72c6
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 11 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -3,8 +3,7 @@ name = "bmcd"
 version = "2.0.5"
 edition = "2021"
 license = "Apache-2.0"
-# MSRV required to build clap dependency
-rust-version = "1.70.0"
+rust-version = "1.75.0"
 
 [dependencies]
 actix = "0.13.3"

diff --git a/src/authentication/authentication_service.rs b/src/authentication/authentication_service.rs
@@ -25,16 +25,9 @@ use actix_web::{
 use futures::future::LocalBoxFuture;
 use futures::StreamExt;
 use serde::Serialize;
-use std::{
-    net::{IpAddr, Ipv4Addr, Ipv6Addr},
-    rc::Rc,
-    sync::Arc,
-};
+use std::{rc::Rc, sync::Arc};
 use tokio::sync::Mutex;
 
-const LOCALHOSTV4: IpAddr = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1));
-const LOCALHOSTV6: IpAddr = IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1));
-
 /// This authentication service is designed to prepare for implementing "Redfish
 /// Session Login Authentication" as good as possible. Redfish is not yet
 /// implemented in this product, until then this session based, token
@@ -82,7 +75,7 @@ where
         if request
             .head()
             .peer_addr
-            .is_some_and(|addr| addr.ip() == LOCALHOSTV6 || addr.ip() == LOCALHOSTV4)
+            .is_some_and(|addr| addr.ip().to_canonical().is_loopback())
         {
             return Box::pin(async move {
                 service