fix: restring acesso ao prometheus metrics para apenas ips locais/invalidos (#3668)

Co-authored-by: joao <joao@mezzoplanejamento.com.br>

sapl/endpoint_restriction_middleware.py

@@ -0,0 +1,38 @@
+from django.http import HttpResponseForbidden
+import logging
+
+# lista de IPs permitidos (localhost, redes locais, etc)
+# https://en.wikipedia.org/wiki/Reserved_IP_addresses
+ALLOWED_IPS = [
+    '127.0.0.1',
+    '::1',
+    '10.0.0.0/8',
+    '172.16.0.0/12',
+    '192.168.0.0/16',
+    'fc00::/7',
+    '::1',
+    'fe80::/10',
+    '192.0.2.0/24',
+    '2001:db8::/32',
+    '224.0.0.0/4',
+    'ff00::/8'
+]
+
+RESTRICTED_ENDPOINTS = ['/metrics']
+
+
+class EndpointRestrictionMiddleware:
+    logging.getLogger(__name__)
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # IP do cliente
+        client_ip = request.META.get('REMOTE_ADDR')
+
+        # bloqueia acesso a endpoints restritos para IPs nao permitidos
+        if request.path in RESTRICTED_ENDPOINTS and client_ip not in ALLOWED_IPS:
+            return HttpResponseForbidden('Acesso proibido')
+
+        return self.get_response(request)

sapl/settings.py

@@ -129,6 +129,7 @@ MIDDLEWARE = [
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',
+    'sapl.endpoint_restriction_middleware.EndpointRestrictionMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',