Add support for allowed_ip_range for users #1846
Merged
Contributor
Author
|
One thing I've realised is that before we merge this, it should be a set of address ranges, and not a single one. That should be changed before merging so we don't have to break the API |
Contributor
Author
|
I've updated the PR to allow for a list of IP ranges, rather than a single IP range. This allows for accepting a set of IPs that cannot be covered by a single range. |
Member
|
Thanks! |
captain686 pushed a commit to captain686/warpgate that referenced this pull request May 29, 2026
This PR adds a new property to users: allowed_ip_range. If someone tries to log into that user from outside the IP range, the login will be rejected.

There are quite a few use cases for this:

1. Companies who want to harden their security by restricting login from their on-site locations.
2. Only allow SSH/kubectl access from the CI (so if someone manages to extract the warpgate access token from the CI, they still can't use it)
3. A very niche use case that we need it for: Running student exams through warpgate, where students should only be logging in from the exam hall.

The main reason to have this over for example firewall-level tightening is that it can be configured per user. So for us for example we don't want students to log in outside the exam hall, but we still want to be able to get in ourselves outside the exam PCs.

I've paid special attention to making sure this works nicely with SSO too. I also tried to get the SSH session to print out a message explaining why the auth was rejected, but I didn't manage to do that, so it just says "password rejected" when the SSH session is rejected due to the IP restriction.

Closes warp-tech#1545

---------

Co-authored-by: Eugene <inbox@null.page>
This PR adds a new property to users: allowed_ip_range. If someone tries to log into that user from outside the IP range, the login will be rejected. There are quite a few use cases for this:
The main reason to have this over for example firewall-level tightening is that it can be configured per user. So for us for example we don't want students to log in outside the exam hall, but we still want to be able to get in ourselves outside the exam PCs.
I've paid special attention to making sure this works nicely with SSO too. I also tried to get the SSH session to print out a message explaining why the auth was rejected, but I didn't manage to do that, so it just says "password rejected" when the SSH session is rejected due to the IP restriction.
Closes #1545
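
An added example (not Warpgate's own code) of the per-user check the description and the follow-up comment describe: a login is accepted only if the client address falls inside one of a list of CIDR ranges. The names `IpRange` and `login_allowed`, the sample ranges, and the policy that an unset list means "unrestricted" are assumptions made for the illustration.

```rust
use std::net::IpAddr;

/// One CIDR range as a 128-bit network value plus prefix length. IPv4 is kept in
/// IPv4-mapped form (::ffff:a.b.c.d) so a mapped peer address matches an IPv4 range.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct IpRange { net: u128, prefix: u8 }

fn to_bits(ip: IpAddr) -> u128 {
    match ip {
        IpAddr::V4(v4) => u128::from(v4.to_ipv6_mapped()),
        IpAddr::V6(v6) => u128::from(v6),
    }
}
fn mask(prefix: u8) -> u128 {
    if prefix == 0 { 0 } else { u128::MAX << (128 - u32::from(prefix)) }
}

impl IpRange {
    /// Parses "10.0.0.0/8", "2001:db8::/32", or a bare address (a single host).
    pub fn parse(s: &str) -> Result<Self, String> {
        let (addr, len) = match s.trim().split_once('/') {
            Some((a, l)) => (a, Some(l)),
            None => (s.trim(), None),
        };
        let ip: IpAddr = addr.parse().map_err(|_| format!("bad address: {s}"))?;
        let (max, offset) = if ip.is_ipv4() { (32u8, 96u8) } else { (128, 0) };
        let len: u8 = match len {
            Some(l) => l.parse().map_err(|_| format!("bad prefix: {s}"))?,
            None => max,
        };
        if len > max { return Err(format!("prefix too long: {s}")); }
        let prefix = len + offset; // IPv4 prefixes sit behind the 96-bit mapped header
        Ok(IpRange { net: to_bits(ip) & mask(prefix), prefix })
    }

    pub fn contains(&self, ip: IpAddr) -> bool {
        to_bits(ip) & mask(self.prefix) == self.net
    }
}

/// Assumed policy: `None` = unrestricted; `Some(list)` admits only matching addresses.
pub fn login_allowed(ranges: Option<&[IpRange]>, client: IpAddr) -> bool {
    ranges.map_or(true, |rs| rs.iter().any(|r| r.contains(client)))
}

fn main() {
    let allowed = [IpRange::parse("10.20.0.0/16").unwrap()]; // constructed sample range
    println!("{}", login_allowed(Some(&allowed[..]), "10.20.3.4".parse().unwrap()));
}
```

The result is only as trustworthy as the `client` value: behind a reverse proxy the socket peer is the proxy itself, so the address has to come from a forwarding header set by a trusted hop rather than one the client can supply.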