From 42004f933f9bda6f5bfe119a3f6ae50b76ab9ba2 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Tue, 24 Jul 2018 11:33:51 +0300
Subject: [PATCH] Add IP block on authentication via EID

Also, correct mistakenly used 403 error code. Update aplication-example.yml to include new functionality.
---
 .../api/v1/registrant/auth_controller.rb          | 10 ++++++++++
 .../api/v1/registrant/base_controller.rb          |  9 ++++++++-
 .../api/v1/registrant/domains_controller.rb       |  6 +++---
 config/application-example.yml                    |  2 ++
 .../registrant_api_authentication_test.rb         | 14 ++++++++++++++
 .../api/registrant/registrant_api_domains_test.rb |  7 +++++--
 6 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/app/controllers/api/v1/registrant/auth_controller.rb b/app/controllers/api/v1/registrant/auth_controller.rb
index e1bd37b1e..2bbaad973 100644
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@@ -5,6 +5,8 @@ module Api
   module V1
     module Registrant
       class AuthController < ActionController::API
+        before_action :check_ip_whitelist
+
         rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
           error = {}
           error[parameter_missing_exception.param] = ['parameter is required']
@@ -39,6 +41,14 @@ module Api
           hash = token_creator.token_in_hash
           hash
         end
+
+        def check_ip_whitelist
+          allowed_ips = ENV['registrant_api_auth_allowed_ips'].to_s.split(',').map(&:strip)
+
+          unless allowed_ips.include?(request.ip) || Rails.env.development?
+            render json: { error: 'Not authorized' }, status: 401
+          end
+        end
       end
     end
   end
diff --git a/app/controllers/api/v1/registrant/base_controller.rb b/app/controllers/api/v1/registrant/base_controller.rb
index 5b01f94b5..f18fd1eb2 100644
--- a/app/controllers/api/v1/registrant/base_controller.rb
+++ b/app/controllers/api/v1/registrant/base_controller.rb
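Review bot: `check_ip_whitelist` trusts `request.ip`, which Rails derives from `X-Forwarded-For`/`REMOTE_ADDR` according to `config.action_dispatch.trusted_proxies`, so the allowlist is only as reliable as that proxy configuration; a comment on the method should say so, e.g. `# request.ip honours X-Forwarded-For from trusted proxies only; keep action_dispatch.trusted_proxies aligned with the deployment`. The same method hard-codes `status: 401` while the other render in this file uses a symbolic status (`:unprocessable_entity`); `status: :unauthorized` would be consistent. An unset `registrant_api_auth_allowed_ips` yields an empty list and rejects every request outside development, which is fail-closed but deserves a line in that comment or in the example config. A 401 signals missing or invalid credentials, whereas an address-based denial is closer to a 403, so the decision to unify on 401 here and in base_controller.rb is worth a sentence in the commit message.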
@@ -7,6 +7,13 @@ module Api
       class BaseController < ActionController::API
         before_action :authenticate
 
+        rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+          error = {}
+          error[parameter_missing_exception.param] = ['parameter is required']
+          response = { errors: [error] }
+          render json: response, status: :unprocessable_entity
+        end
+
         private
 
         def bearer_token
@@ -22,7 +29,7 @@ module Api
           if decryptor.valid?
             sign_in decryptor.user
           else
-            render json: { error: 'Not authorized' }, status: 403
+            render json: { error: 'Not authorized' }, status: 401
           end
         end
       end
diff --git a/app/controllers/api/v1/registrant/domains_controller.rb b/app/controllers/api/v1/registrant/domains_controller.rb
index cc53e6772..fdfc6872c 100644
--- a/app/controllers/api/v1/registrant/domains_controller.rb
+++ b/app/controllers/api/v1/registrant/domains_controller.rb
@@ -7,11 +7,11 @@ module Api
       class DomainsController < BaseController
         def index
           registrant = ::Registrant.find_by(ident: current_user.registrant_ident)
-          unless registrant
-            render json: Domain.all
-          else
+          if registrant
             domains = Domain.where(registrant_id: registrant.id)
             render json: domains
+          else
+            render json: []
           end
         end
       end
diff --git a/config/application-example.yml b/config/application-example.yml
index 7785aafb5..7a69aa9e2 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -96,6 +96,8 @@ arireg_host: 'http://demo-ariregxml.rik.ee:81/'
 sk_digi_doc_service_endpoint: 'https://tsp.demo.sk.ee'
 sk_digi_doc_service_name: 'Testimine'
 
+# Registrant API
+registrant_api_auth_allowed_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas
 
 #
 # MISC
diff --git a/test/system/api/registrant/registrant_api_authentication_test.rb b/test/system/api/registrant/registrant_api_authentication_test.rb
index 72da06fff..94693ddd5 100644
--- a/test/system/api/registrant/registrant_api_authentication_test.rb
+++ b/test/system/api/registrant/registrant_api_authentication_test.rb
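Review bot: The `rescue_from(ActionController::ParameterMissing)` block added to `BaseController` is a verbatim copy of the one already in `AuthController`; since `AuthController` inherits from `ActionController::API` rather than `BaseController`, inheritance cannot share it, so both copies should move into one small concern that each controller includes, keeping the `{ errors: [error] }` shape in a single place. `BaseController`'s class body continues past this hunk, and the method holding the 403→401 change in the second hunk starts outside it.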
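Review bot: The example value `'127.0.0.1,0.0.0.0'` is misleading, because `AuthController#check_ip_whitelist` compares `request.ip` by exact string equality, so `0.0.0.0` is not a wildcard and only matches a client whose reported address is literally `0.0.0.0`. Drop it from the example and reword the trailing comment to `# client IPs allowed to call /api/v1/registrant/auth; exact match, comma-separated, no CIDR ranges`. It is also worth stating in that comment that an empty or missing value rejects every request outside the development environment.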
@@ -33,6 +33,20 @@ class RegistrantApiAuthenticationTest < ApplicationSystemTestCase
     end
   end
 
+  def test_request_returns_401_from_a_not_whitelisted_ip
+    params = { foo: :bar, test: :test }
+    @original_whitelist_ip = ENV['registrant_api_auth_allowed_ips']
+    ENV['registrant_api_auth_allowed_ips'] = '1.2.3.4'
+
+    post '/api/v1/registrant/auth/eid', params
+    assert_equal(401, response.status)
+    json_body = JSON.parse(response.body, symbolize_names: true)
+
+    assert_equal({error: 'Not authorized'}, json_body)
+
+    ENV['registrant_api_auth_allowed_ips'] = @original_whitelist_ip
+  end
+
   def test_request_documented_parameters_are_required
     params = { foo: :bar, test: :test }
 
diff --git a/test/system/api/registrant/registrant_api_domains_test.rb b/test/system/api/registrant/registrant_api_domains_test.rb
index e7abe2cae..da5813518 100644
--- a/test/system/api/registrant/registrant_api_domains_test.rb
+++ b/test/system/api/registrant/registrant_api_domains_test.rb
@@ -14,9 +14,12 @@ class RegistrantApiDomainsTest < ApplicationSystemTestCase
     assert_equal(200, response.status)
   end
 
-  def test_root_returns_403_without_authorization
+  def test_root_returns_401_without_authorization
     get '/api/v1/registrant/domains', {}, {}
-    assert_equal(403, response.status)
+    assert_equal(401, response.status)
+    json_body = JSON.parse(response.body, symbolize_names: true)
+
+    assert_equal({error: 'Not authorized'}, json_body)
   end
 
   private
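Review bot: The ENV restore at the end of `test_request_returns_401_from_a_not_whitelisted_ip` is not guarded by `ensure`, so a failing assertion before it leaves `registrant_api_auth_allowed_ips` set to `'1.2.3.4'` for the rest of the test run and can fail unrelated tests. Make the restore unconditional by changing the first assignment to a local, `original_whitelist_ip = ENV['registrant_api_auth_allowed_ips']`, and replacing the final statement with `ensure` / `ENV['registrant_api_auth_allowed_ips'] = original_whitelist_ip` (a `def … ensure … end` needs no `begin`). The instance variable `@original_whitelist_ip` otherwise persists on the test object for no reason.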