Refactor IP registrar restriction

#600

app/api/repp/api.rb

@@ -15,7 +15,7 @@ module Repp
     before do
       webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
       unless webclient_request
-        error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
+        error! I18n.t('api.authorization.ip_not_allowed', ip: request.ip), 401 unless @current_user.registrar.api_ip_white?(request.ip)
       end
 
       if @current_user.cannot?(:view, :repp)

app/controllers/registrar/base_controller.rb

@@ -1,40 +1,37 @@
 class Registrar
   class BaseController < ApplicationController
-    before_action :authenticate_user!, :check_ip
-
     include Registrar::ApplicationHelper
 
+    before_action :authenticate_user!
+    before_action :check_ip_restriction
     helper_method :depp_controller?
-
-    def depp_controller?
-      false
-    end
-
-    def check_ip
-      return unless current_user
-      unless current_user.is_a? ApiUser
-        sign_out(current_user)
-        return
-      end
-
-      registrar_ip_whitelisted = current_user.registrar.registrar_ip_white?(request.ip)
-
-      return if registrar_ip_whitelisted
-      flash[:alert] = t('ip_is_not_whitelisted')
-      sign_out(current_user)
-      redirect_to registrar_login_path and return
-    end
-
     helper_method :head_title_sufix
 
-    def head_title_sufix
-      t(:registrar_head_title_sufix)
-    end
-
     protected
 
     def current_ability
       @current_ability ||= Ability.new(current_user, request.remote_ip)
     end
+
+    private
+
+    def check_ip_restriction
+      ip_restriction = Authorization::RestrictedIP.new(request.ip)
+      allowed = ip_restriction.can_access_registrar_area?(current_user.registrar)
+
+      unless allowed
+        flash[:alert] = t('registrar.authorization.ip_not_allowed', ip: request.ip)
+        sign_out current_user
+        redirect_to registrar_login_url
+      end
+    end
+
+    def depp_controller?
+      false
+    end
+
+    def head_title_sufix
+      t(:registrar_head_title_sufix)
+    end
   end
 end

app/controllers/registrar/sessions_controller.rb

@@ -1,13 +1,8 @@
 class Registrar
   class SessionsController < Devise::SessionsController
+    before_action :check_ip_restriction
     helper_method :depp_controller?
 
-    def depp_controller?
-      false
-    end
-
-    before_action :check_ip
-
     def login
       @depp_user = Depp::User.new
     end
@@ -157,16 +152,24 @@ class Registrar
     # rubocop: enable Metrics/CyclomaticComplexity
     # rubocop: enable Metrics/MethodLength
 
+    private
+
+    def depp_controller?
+      false
+    end
+
     def find_user_by_idc(idc)
       return User.new unless idc
       ApiUser.find_by(identity_code: idc) || User.new
     end
 
-    private
+    def check_ip_restriction
+      ip_restriction = Authorization::RestrictedIP.new(request.ip)
+      allowed = ip_restriction.can_access_registrar_area_sign_in_page?
 
-    def check_ip
-      return if WhiteIp.registrar_ip_white?(request.ip)
-      render :denied, :layout => false, status: :forbidden, :locals => { :ip => request.ip } and return
+      unless allowed
+        render text: t('registrar.authorization.ip_not_allowed', ip: request.ip), status: :forbidden
+      end
     end
   end
 end

app/models/authorization/restricted_ip.rb

@@ -0,0 +1,25 @@
+module Authorization
+  class RestrictedIP
+    def initialize(ip)
+      @ip = ip
+    end
+
+    def self.enabled?
+      Setting.registrar_ip_whitelist_enabled
+    end
+
+    def can_access_registrar_area?(registrar)
+      return true unless self.class.enabled?
+      registrar.white_ips.registrar_area.include_ip?(ip)
+    end
+
+    def can_access_registrar_area_sign_in_page?
+      return true unless self.class.enabled?
+      WhiteIp.registrar_area.include_ip?(ip)
+    end
+
+    private
+
+    attr_reader :ip
+  end
+end

app/models/registrar.rb

@@ -162,9 +162,4 @@ class Registrar < ActiveRecord::Base
     return true unless Setting.api_ip_whitelist_enabled
     white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip)
   end
-
-  def registrar_ip_white?(ip)
-    return true unless Setting.registrar_ip_whitelist_enabled
-    white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip)
-  end
 end

app/models/white_ip.rb

@@ -18,16 +18,15 @@ class WhiteIp < ActiveRecord::Base
   INTERFACES = [API, REGISTRAR]
 
   scope :api, -> { where("interfaces @> ?::varchar[]", "{#{API}}") }
-  scope :registrar, -> { where("interfaces @> ?::varchar[]", "{#{REGISTRAR}}") }
+  scope :registrar_area, -> { where("interfaces @> ?::varchar[]", "{#{REGISTRAR}}") }
 
   def interfaces=(interfaces)
     super(interfaces.reject(&:blank?))
   end
 
   class << self
-    def registrar_ip_white?(ip)
-      return true unless Setting.registrar_ip_whitelist_enabled
-      WhiteIp.where(ipv4: ip).registrar.any?
+    def include_ip?(ip)
+      where("#{table_name}.ipv4 = '#{ip}' OR #{table_name}.ipv6 = '#{ip}'").any?
     end
   end
 end

app/views/registrar/sessions/denied.haml

@@ -1 +0,0 @@
-#{t('access_denied')} from #{ip}