Restrict API key usage by source IP

[PieterL75]

NetBox version

v3.1.4

Feature type

Change to existing functionality

Proposed functionality

Limit the access to the API with a certain API key by source IPs

Use case

We have API keys that belong to 'service accounts'. The source IP of these services consumers are known.
We should be able to limit the usage of these service account API keys to only the known sources.
This cannot be done by firewalls but needs to go to the application layer

If an API key gets compromised, it cannot be used outside of that scope of source IPs

Database changes

API Keys

• add multivalue 'Source IP'

External dependencies

No response

[jeremystretch]

This should be feasible to implement in our custom TokenAuthentication class. We currently override only the authenticate_credentials() method, which has access only to the token itself, but the authenticate() method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials.

We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. 🙂

[hagbarddenstore]

This should be feasible to implement in our custom TokenAuthentication class. We currently override only the authenticate_credentials() method, which has access only to the token itself, but the authenticate() method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials.

We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. 🙂

Be aware that Python might not receive the "true" source IP because of being behind a proxy. It would be helpful if the documentation mentioned that where this feature is documented. Perhaps adding external links on how to configure passing remote IP in nginx, apache, etc.

https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

[PieterL75]

Can we keep this open ? Our compliance team is asking about when this could be implemented

[jeremystretch]

@PieterL75 would you like to volunteer to own it?

[PieterL75]

I lack real coding ethics, but never afraid of a challenge...
I'll give it a try.

Must be in netbox/netbox/api/authentication.py ?

adding a check under TokenPermissions/has_permission() ?

[PieterL75]

Looks like I have a working solution...
@jeremystretch Can you review this branch in my fork : https://github.com/PieterL75/netbox/tree/master
Or should I create a PR here

[jeremystretch]

Given the substantial changes being introduced here (namely adding the allowed_ips field to the Token model), I'd like to tag this for v3.2.

@PieterL75 would you mind rebasing your PR on the feature branch? I don't think you'll run into much trouble but please let me know if I can be of assistance.

[DanSheps]

I am assuming we would want to shoot for v3.3 now?

[PieterL75]

What about 3.2.1 ?
I'm off for a week, going to do the rebase when I'm back

[jeremystretch]

It's an API change, so it'll need to go in the next minor release (v3.3).