IPRangePredicate
The org.opensaml.profile.logic.IPRangePredicate class in OpenSAML provides a simple condition you can create and use to check a client's IP address against one or more CIDR network ranges supplied to test against.
Example
Given a script of some kind (an MFA rule in the example), you can inject the predicate to perform a test as part of some kind of business logic. The example demonstrates the common technique of using a map bean to allow both the condition and the actual servlet request to be accessed so that the client’s address can also be logged.
<util:map id="my.CustomObjects">
    <entry key="condition">
        <bean class="org.opensaml.profile.logic.IPRangePredicate"
            p:httpServletRequestSupplier-ref="shibboleth.HttpServletRequestSupplier"
            p:ranges="#{ {'10.0.0.0/8', '192.168.3.0/24', '192.168.18.0/24'} }" />
    </entry>
    <entry key="request" value-ref="shibboleth.HttpServletRequestSupplier" />
</util:map>

<!-- Example script to decide whether a second factor is required. Returns the SecondFactor flow id, or null to skip MFA. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="my.CustomObjects">
    <constructor-arg>
        <value>
            <![CDATA[
            // set logging
            logger = Java.type("org.slf4j.LoggerFactory").getLogger("org.example.mfa.script");
            // default to second factor
            var nextFlow = "authn/SecondFactor";
            // check if client is internal; "input" is the ProfileRequestContext passed to the script
            if (custom["condition"].test(input)) {
                logger.info("request excluded from MFA, address {} in internal IP range", custom["request"].get().getRemoteAddr());
                nextFlow = null;
            }
            nextFlow; // pass control to second factor or end with the first
            ]]>
        </value>
    </constructor-arg>
</bean>
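To make the behaviour of the condition concrete outside the IdP, the following is an added example (not OpenSAML or Shibboleth code) that reimplements the same check in Python with the standard ipaddress module: the range list is parsed once at configuration time, the client address is tested against every range, and the script's "second factor or null" decision is mirrored by a small function. The function names, the handling of IPv4-mapped IPv6 addresses and the fail-closed treatment of unparseable input are choices made for this example; the page does not describe how the real predicate handles those cases.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

# Constructed range list, mirroring the p:ranges list in the bean definition above.
INTERNAL_RANGES = ["10.0.0.0/8", "192.168.3.0/24", "192.168.18.0/24"]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse the CIDR strings once, as the bean does when it is constructed.

    A malformed entry (for example a stray quote, or host bits set in the
    prefix) raises ValueError, so a typo in the configuration fails the whole
    condition instead of silently shrinking the list of internal ranges.
    (This fail-closed behaviour is a choice of this example.)
    """
    nets: List[Network] = []
    for cidr in cidrs:
        nets.append(ipaddress.ip_network(cidr.strip(), strict=True))
    return nets


def in_ranges(client_addr: str, nets: List[Network]) -> bool:
    """Equivalent of IPRangePredicate.test(): True if the address lies in any range."""
    try:
        addr = ipaddress.ip_address(client_addr)
    except ValueError:
        return False  # unparseable address: not internal (fail closed)
    # A dual-stack container may present an IPv4 client as ::ffff:a.b.c.d;
    # normalising it lets the IPv4 ranges above still match (example's choice).
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in nets)


def next_flow(client_addr: str, nets: List[Network]) -> Optional[str]:
    """Mirrors the script: None means MFA is skipped, else the second-factor flow id."""
    if in_ranges(client_addr, nets):
        return None
    return "authn/SecondFactor"


if __name__ == "__main__":
    nets = parse_ranges(INTERNAL_RANGES)
    for sample in ["10.20.30.40", "192.168.4.1", "::ffff:192.168.18.9", "8.8.8.8"]:
        print(sample, "->", next_flow(sample, nets))
```

One caveat worth keeping in mind when relying on this condition: getRemoteAddr() reports the TCP peer of the servlet container, so behind a reverse proxy or load balancer it is the proxy's address unless the container has been configured to trust a forwarded-client header from that proxy (for example Tomcat's RemoteIpValve or Jetty's ForwardedRequestCustomizer). Without that, every client looks like the proxy, and the range check either always or never excludes MFA.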