Auth policy: support for NotIpAddress condition operator (#9702)

Author: nopcoder

docs/src/security/rbac.md

@@ -77,9 +77,9 @@ Conditions are added to policy statements using the optional `condition` field:
 
 ### Supported Condition Operators
 
-#### IpAddress
+#### IpAddress / NotIpAddress
 
-The `IpAddress` condition operator matches the client's source IP address against one or more IP addresses or CIDR blocks.
+The `IpAddress` condition operator matches the client's source IP address against one or more IP addresses or CIDR blocks. The `NotIpAddress` condition operator matches when the client's source IP address does NOT match any of the specified IP addresses or CIDR blocks (negation of `IpAddress`).
 
 **Supported Fields:**
 - `SourceIp` - The IP address of the client making the request
@@ -127,6 +127,25 @@ The `IpAddress` condition operator matches the client's source IP address agains
 }
 ```
 
+**Example - Deny access from IPs NOT in allowed ranges:**
+
+```json
+{
+  "statement": [
+    {
+      "action": ["fs:*"],
+      "effect": "deny",
+      "resource": "*",
+      "condition": {
+        "NotIpAddress": {
+          "SourceIp": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+        }
+      }
+    }
+  ]
+}
+```
+
 **IP Address Extraction:**
 
 lakeFS extracts the client IP address from the request using the following priority:

pkg/auth/condition.go

@@ -8,7 +8,8 @@ import (
 )
 
 const (
-	OperatorNameIpAddress = "IpAddress"
+	OperatorNameIpAddress    = "IpAddress"
+	OperatorNameNotIpAddress = "NotIpAddress"
 )
 
 var (
@@ -36,7 +37,10 @@ type ConditionOperator interface {
 
 // IpAddressOperator handles IP address matching with CIDR notation support
 // Dynamically checks all field names that contain IP addresses in the condition
-type IpAddressOperator struct{}
+type IpAddressOperator struct {
+	// negate determines whether to negate the matching result
+	negate bool
+}
 
 // Validate implements ConditionOperator.
 func (op *IpAddressOperator) Validate(fields map[string][]string) error {
@@ -114,21 +118,24 @@ func (op *IpAddressOperator) Evaluate(fields map[string][]string, conditionCtx *
 			return false, fmt.Errorf("%w in field %s: %s", ErrInvalidIPCIDRFormat, fieldName, value)
 		}
 
-		// If this field didn't match any values, entire condition fails (AND logic between fields)
-		if !fieldMatched {
+		// For IpAddress: fail if field didn't match
+		// For NotIpAddress: fail if field matched
+		if fieldMatched == op.negate {
 			return false, nil
 		}
 	}
 
-	// All fields matched
+	// All fields processed successfully - condition passes
 	return true, nil
 }
 
 // OperatorFactory returns the appropriate operator for a given operator name
 func OperatorFactory(operatorName string) (ConditionOperator, error) {
 	switch operatorName {
 	case OperatorNameIpAddress:
-		return &IpAddressOperator{}, nil
+		return &IpAddressOperator{negate: false}, nil
+	case OperatorNameNotIpAddress:
+		return &IpAddressOperator{negate: true}, nil
 	default:
 		return nil, fmt.Errorf("%w: %s", ErrUnsupportedConditionOperator, operatorName)
 	}