Feature/dev 356 (#62)

Tu-S · web-flow · commit acf38caab34b · 2025-07-30T14:01:06.000+07:00
* DEV-356 cache groups

* DEV-356 ip white list
diff --git a/MultiFactor.Radius.Adapter/Configuration/AuthenticatedClientCacheConfig.cs b/MultiFactor.Radius.Adapter/Configuration/AuthenticatedClientCacheConfig.cs
@@ -1,27 +1,43 @@
 ﻿using System;
+using System.Collections.Generic;
+using System.Linq;
 
 namespace MultiFactor.Radius.Adapter.Configuration
 {
     public class AuthenticatedClientCacheConfig
     {
         public TimeSpan Lifetime { get; }
         public bool Enabled => Lifetime != TimeSpan.Zero;
+        public IReadOnlyCollection<string> AuthenticationCacheGroups { get; }
 
-        public AuthenticatedClientCacheConfig(TimeSpan lifetime)
+        public AuthenticatedClientCacheConfig(TimeSpan lifetime, IReadOnlyCollection<string> authenticationCacheGroups = null)
         {
             Lifetime = lifetime;
+            AuthenticationCacheGroups = authenticationCacheGroups?.Select(x => x.ToLower()).ToArray() ?? Array.Empty<string>();
         }
 
-        public static AuthenticatedClientCacheConfig CreateFromTimeSpan(string value)
+        public static AuthenticatedClientCacheConfig CreateFromTimeSpan(string value, string authenticationCacheGroups = null)
         {
             if (string.IsNullOrWhiteSpace(value)) return new AuthenticatedClientCacheConfig(TimeSpan.Zero);
-            return new AuthenticatedClientCacheConfig(TimeSpan.ParseExact(value, @"hh\:mm\:ss", null, System.Globalization.TimeSpanStyles.None));
+            var cacheGroups = SplitCacheGroup(authenticationCacheGroups);
+            return new AuthenticatedClientCacheConfig(TimeSpan.ParseExact(value, @"hh\:mm\:ss", null, System.Globalization.TimeSpanStyles.None), cacheGroups);
         }
         
-        public static AuthenticatedClientCacheConfig CreateFromMinutes(string value)
+        public static AuthenticatedClientCacheConfig CreateFromMinutes(string value, string authenticationCacheGroups = null)
         {
             if (string.IsNullOrWhiteSpace(value)) return new AuthenticatedClientCacheConfig(TimeSpan.Zero);
-            return new AuthenticatedClientCacheConfig(TimeSpan.FromMinutes(int.Parse(value)));
+            var cacheGroups = SplitCacheGroup(authenticationCacheGroups);
+            return new AuthenticatedClientCacheConfig(TimeSpan.FromMinutes(int.Parse(value)), cacheGroups);
+        }
+
+        private static string[] SplitCacheGroup(string cacheGroup)
+        {
+            return cacheGroup
+                ?.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries)
+                .Select(x => x.ToLower().Trim())
+                .Where(x => !string.IsNullOrWhiteSpace(x))
+                .Distinct()
+                .ToArray() ?? Array.Empty<string>();
         }
     }
 }
diff --git a/MultiFactor.Radius.Adapter/Configuration/ClientConfiguration.cs b/MultiFactor.Radius.Adapter/Configuration/ClientConfiguration.cs
@@ -9,6 +9,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using NetTools;
 
 namespace MultiFactor.Radius.Adapter.Configuration
 {
@@ -17,6 +18,8 @@ namespace MultiFactor.Radius.Adapter.Configuration
     /// </summary>
     public class ClientConfiguration
     {
+        private readonly List<IPAddressRange> _ipAddressRanges = new List<IPAddressRange>();
+        
         public ClientConfiguration()
         {
             BypassSecondFactorWhenApiUnreachable = true; //by default
@@ -205,6 +208,7 @@ public bool ShouldLoadUserGroups()
             return
                 ActiveDirectoryGroup.Any() ||
                 ActiveDirectory2FaGroup.Any() ||
+                AuthenticationCacheLifetime.AuthenticationCacheGroups.Any() ||
                 RadiusReplyAttributes
                     .Values
                     .SelectMany(attr => attr)
@@ -233,5 +237,9 @@ public bool ShouldLoadUserGroups()
         /// Ldap connection timeout
         /// </summary>
         public TimeSpan LdapBindTimeout { get; set; } = new TimeSpan(0, 0, 30);
+        
+        public IReadOnlyCollection<IPAddressRange> IpWhiteAddressRanges => _ipAddressRanges;
+        
+        public void AddWhiteIpRange(IPAddressRange range) => _ipAddressRanges.Add(range);
     }
 }
diff --git a/MultiFactor.Radius.Adapter/Configuration/ServiceConfiguration.cs b/MultiFactor.Radius.Adapter/Configuration/ServiceConfiguration.cs
@@ -505,6 +505,8 @@ public static ClientConfiguration LoadClientSettings(string name,
                     configuration.LdapBindTimeout = ldapBindTimeout;
                 }
             }
+            
+            ReadIpWhiteList(configuration, appSettings.Settings["ip-white-list"]?.Value);
 
             return configuration;
         }
@@ -513,15 +515,16 @@ private static void ReadAuthenticationCacheSetting(AppSettingsSection appSetting
         {
             var setting = appSettings.Settings[Constants.Configuration.AuthenticationCacheLifetime]?.Value;
             var legacySetting = appSettings.Settings[Constants.Configuration.BypassSecondFactorPeriod]?.Value;
+            var groups = appSettings.Settings["authentication-cache-groups"]?.Value;
             try
             {
                 if (setting != null)
                 {
-                    configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromTimeSpan(setting);
+                    configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromTimeSpan(setting, groups);
                 }
                 else
                 {
-                    configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromMinutes(legacySetting);
+                    configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromMinutes(legacySetting, groups);
                 }
 
             }
@@ -811,6 +814,23 @@ private static void ReadSignUpGroupsSettings(ClientConfiguration configuration,
 
             configuration.SignUpGroups = signUpGroupsSettings;
         }
+        
+        private static void ReadIpWhiteList(ClientConfiguration builder, string ipWhiteList)
+        {
+            var splittedRanges = ipWhiteList
+                ?.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries)
+                .Select(x => x.ToLower().Trim())
+                .Where(x => !string.IsNullOrWhiteSpace(x))
+                .Distinct()
+                .ToArray() ?? Array.Empty<string>();
+
+            foreach (var range in splittedRanges)
+            {
+                if (!IPAddressRange.TryParse(range, out var ipAddressRange))
+                    throw new Exception($"Invalid IP address range: '{range}' in '{builder.Name}' config");
+                builder.AddWhiteIpRange(ipAddressRange);
+            }
+        }
 
         #endregion
 
diff --git a/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs b/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs
@@ -12,6 +12,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Linq;
+using System.Net;
 using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
@@ -47,7 +48,21 @@ public async Task HandleRequest(PendingRequest request)
         {
             try
             {
-                if (request.RequestPacket.Header.Code == PacketCode.StatusServer)
+                var rangesStr = string.Join(", ", request.Configuration.IpWhiteAddressRanges);
+                if (!IsAllowedClientIp(request))
+                {
+                    _logger.Debug("Client '{clientIp}' is not in the allowed IP range: ({ranges})", request.RemoteEndpoint.Address, rangesStr);
+
+                    request.AuthenticationState.Reject();
+                    
+                    CreateAndSendRadiusResponse(request);
+                    return;
+                }
+				
+				if (!string.IsNullOrWhiteSpace(rangesStr))
+                	_logger.Debug("Client '{clientIp}' is in the allowed IP range: ({ranges})", request.RemoteEndpoint.Address, rangesStr);
+                
+				if (request.RequestPacket.Header.Code == PacketCode.StatusServer)
                 {
                     //status
                     var uptime = (DateTime.Now - _startedAt);
@@ -433,5 +448,21 @@ private void RemoveStateChallengeRequest(string state)
         {
             _stateChallengePendingRequests.TryRemove(state, out PendingRequest _);
         }
+
+        private bool IsAllowedClientIp(PendingRequest request)
+        {
+            var ipWhiteList = request.Configuration.IpWhiteAddressRanges;
+            if (ipWhiteList.Count == 0)
+                return true;
+            
+            var callingStationId = request.RequestPacket.CallingStationId;
+            
+            var clientIp =  IPAddress.TryParse(callingStationId ?? string.Empty, out var callingStationIp)
+                ? callingStationIp
+                : request.RemoteEndpoint.Address;
+            
+            var isIpInRange = ipWhiteList.Any(x => x.Contains(clientIp));
+            return isIpInRange;
+        }
     }
 }
diff --git a/MultiFactor.Radius.Adapter/Services/AuthenticatedClientCache.cs b/MultiFactor.Radius.Adapter/Services/AuthenticatedClientCache.cs
@@ -2,6 +2,8 @@
 using Serilog;
 using System;
 using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
 
 namespace MultiFactor.Radius.Adapter.Services
 {
@@ -15,9 +17,26 @@ public AuthenticatedClientCache(ILogger logger)
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         }
 
-        public bool TryHitCache(string callingStationId, string userName, ClientConfiguration clientConfiguration)
+        public bool TryHitCache(string callingStationId, string userName, ClientConfiguration clientConfiguration, IReadOnlyCollection<string> userGroups)
         {
+            if (userGroups is null)
+                throw new ArgumentException(nameof(userGroups));
+            
             if (!clientConfiguration.AuthenticationCacheLifetime.Enabled) return false;
+            
+            var cacheGroups = clientConfiguration.AuthenticationCacheLifetime.AuthenticationCacheGroups;
+            var lowercaseUserGroups = userGroups.Select(x => x.ToLower().Trim());
+            var groupsStr = string.Join(", ", cacheGroups);
+            if (cacheGroups.Count > 0 && !cacheGroups.Intersect(lowercaseUserGroups).Any())
+            {
+                _logger.Debug("Skip auth caching. User '{userName}' is not a member of any authentication cache groups: ({groups})", userName, groupsStr);
+                return false;
+            }
+
+            if (!string.IsNullOrEmpty(groupsStr))
+            {
+                _logger.Debug("User '{userName}' is a member of authentication cache groups: ({groups})", userName, groupsStr);
+            }
 
             if (string.IsNullOrEmpty(callingStationId))
             {
diff --git a/MultiFactor.Radius.Adapter/Services/MultiFactorApi/MultifactorApiAdapter.cs b/MultiFactor.Radius.Adapter/Services/MultiFactorApi/MultifactorApiAdapter.cs
@@ -62,7 +62,7 @@ public async Task<SecondFactorResponse> CreateSecondFactorRequestAsync(PendingRe
             }
             
             //try to get authenticated client to bypass second factor if configured
-            if (_authenticatedClientCache.TryHitCache(callingStationId, userName, request.Configuration))
+            if (_authenticatedClientCache.TryHitCache(callingStationId, userName, request.Configuration, request.Profile.MemberOf))
             {
                 _logger.Information("Bypass second factor for user '{name:l}' with identity '{user:l}' from {host:l}:{port}", request.UserName, userName, request.RemoteEndpoint.Address, request.RemoteEndpoint.Port);
                 return new SecondFactorResponse(PacketCode.AccessAccept);

Original file line number	Diff line number	Diff line change
`@@ -1,27 +1,43 @@`
`1`	`1`	`using System;`
	`2`	`+using System.Collections.Generic;`
	`3`	`+using System.Linq;`
`2`	`4`
`3`	`5`	`namespace MultiFactor.Radius.Adapter.Configuration`
`4`	`6`	`{`
`5`	`7`	`public class AuthenticatedClientCacheConfig`
`6`	`8`	`{`
`7`	`9`	`public TimeSpan Lifetime { get; }`
`8`	`10`	`public bool Enabled => Lifetime != TimeSpan.Zero;`
	`11`	`+ public IReadOnlyCollection<string> AuthenticationCacheGroups { get; }`
`9`	`12`
`10`		`- public AuthenticatedClientCacheConfig(TimeSpan lifetime)`
	`13`	`+ public AuthenticatedClientCacheConfig(TimeSpan lifetime, IReadOnlyCollection<string> authenticationCacheGroups = null)`
`11`	`14`	`{`
`12`	`15`	`Lifetime = lifetime;`
	`16`	`+ AuthenticationCacheGroups = authenticationCacheGroups?.Select(x => x.ToLower()).ToArray() ?? Array.Empty<string>();`
`13`	`17`	`}`
`14`	`18`
`15`		`- public static AuthenticatedClientCacheConfig CreateFromTimeSpan(string value)`
	`19`	`+ public static AuthenticatedClientCacheConfig CreateFromTimeSpan(string value, string authenticationCacheGroups = null)`
`16`	`20`	`{`
`17`	`21`	`if (string.IsNullOrWhiteSpace(value)) return new AuthenticatedClientCacheConfig(TimeSpan.Zero);`
`18`		`- return new AuthenticatedClientCacheConfig(TimeSpan.ParseExact(value, @"hh\:mm\:ss", null, System.Globalization.TimeSpanStyles.None));`
	`22`	`+ var cacheGroups = SplitCacheGroup(authenticationCacheGroups);`
	`23`	`+ return new AuthenticatedClientCacheConfig(TimeSpan.ParseExact(value, @"hh\:mm\:ss", null, System.Globalization.TimeSpanStyles.None), cacheGroups);`
`19`	`24`	`}`
`20`	`25`
`21`		`- public static AuthenticatedClientCacheConfig CreateFromMinutes(string value)`
	`26`	`+ public static AuthenticatedClientCacheConfig CreateFromMinutes(string value, string authenticationCacheGroups = null)`
`22`	`27`	`{`
`23`	`28`	`if (string.IsNullOrWhiteSpace(value)) return new AuthenticatedClientCacheConfig(TimeSpan.Zero);`
`24`		`- return new AuthenticatedClientCacheConfig(TimeSpan.FromMinutes(int.Parse(value)));`
	`29`	`+ var cacheGroups = SplitCacheGroup(authenticationCacheGroups);`
	`30`	`+ return new AuthenticatedClientCacheConfig(TimeSpan.FromMinutes(int.Parse(value)), cacheGroups);`
	`31`	`+ }`
	`32`	`+`
	`33`	`+ private static string[] SplitCacheGroup(string cacheGroup)`
	`34`	`+ {`
	`35`	`+ return cacheGroup`
	`36`	`+ ?.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries)`
	`37`	`+ .Select(x => x.ToLower().Trim())`
	`38`	`+ .Where(x => !string.IsNullOrWhiteSpace(x))`
	`39`	`+ .Distinct()`
	`40`	`+ .ToArray() ?? Array.Empty<string>();`
`25`	`41`	`}`
`26`	`42`	`}`
`27`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -505,6 +505,8 @@ public static ClientConfiguration LoadClientSettings(string name,`
`505`	`505`	`configuration.LdapBindTimeout = ldapBindTimeout;`
`506`	`506`	`}`
`507`	`507`	`}`
	`508`	`+`
	`509`	`+ ReadIpWhiteList(configuration, appSettings.Settings["ip-white-list"]?.Value);`
`508`	`510`
`509`	`511`	`return configuration;`
`510`	`512`	`}`
`@@ -513,15 +515,16 @@ private static void ReadAuthenticationCacheSetting(AppSettingsSection appSetting`
`513`	`515`	`{`
`514`	`516`	`var setting = appSettings.Settings[Constants.Configuration.AuthenticationCacheLifetime]?.Value;`
`515`	`517`	`var legacySetting = appSettings.Settings[Constants.Configuration.BypassSecondFactorPeriod]?.Value;`
	`518`	`+ var groups = appSettings.Settings["authentication-cache-groups"]?.Value;`
`516`	`519`	`try`
`517`	`520`	`{`
`518`	`521`	`if (setting != null)`
`519`	`522`	`{`
`520`		`- configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromTimeSpan(setting);`
	`523`	`+ configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromTimeSpan(setting, groups);`
`521`	`524`	`}`
`522`	`525`	`else`
`523`	`526`	`{`
`524`		`- configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromMinutes(legacySetting);`
	`527`	`+ configuration.AuthenticationCacheLifetime = AuthenticatedClientCacheConfig.CreateFromMinutes(legacySetting, groups);`
`525`	`528`	`}`
`526`	`529`
`527`	`530`	`}`
`@@ -811,6 +814,23 @@ private static void ReadSignUpGroupsSettings(ClientConfiguration configuration,`
`811`	`814`
`812`	`815`	`configuration.SignUpGroups = signUpGroupsSettings;`
`813`	`816`	`}`
	`817`	`+`
	`818`	`+ private static void ReadIpWhiteList(ClientConfiguration builder, string ipWhiteList)`
	`819`	`+ {`
	`820`	`+ var splittedRanges = ipWhiteList`
	`821`	`+ ?.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries)`
	`822`	`+ .Select(x => x.ToLower().Trim())`
	`823`	`+ .Where(x => !string.IsNullOrWhiteSpace(x))`
	`824`	`+ .Distinct()`
	`825`	`+ .ToArray() ?? Array.Empty<string>();`
	`826`	`+`
	`827`	`+ foreach (var range in splittedRanges)`
	`828`	`+ {`
	`829`	`+ if (!IPAddressRange.TryParse(range, out var ipAddressRange))`
	`830`	`+ throw new Exception($"Invalid IP address range: '{range}' in '{builder.Name}' config");`
	`831`	`+ builder.AddWhiteIpRange(ipAddressRange);`
	`832`	`+ }`
	`833`	`+ }`
`814`	`834`
`815`	`835`	`#endregion`
`816`	`836`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ public async Task<SecondFactorResponse> CreateSecondFactorRequestAsync(PendingRe`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`//try to get authenticated client to bypass second factor if configured`
`65`		`- if (_authenticatedClientCache.TryHitCache(callingStationId, userName, request.Configuration))`
	`65`	`+ if (_authenticatedClientCache.TryHitCache(callingStationId, userName, request.Configuration, request.Profile.MemberOf))`
`66`	`66`	`{`
`67`	`67`	`_logger.Information("Bypass second factor for user '{name:l}' with identity '{user:l}' from {host:l}:{port}", request.UserName, userName, request.RemoteEndpoint.Address, request.RemoteEndpoint.Port);`
`68`	`68`	`return new SecondFactorResponse(PacketCode.AccessAccept);`