REPP: check webclient IPs to bypass registrar IP whitelist

2025-06-05 20:27:30 +02:00 · 2020-12-22 20:15:01 +02:00 · 2020-12-22 20:15:01 +02:00 · 490467b5d9
commit 490467b5d9
parent 1d3c70ae34
1 changed files with 21 additions and 3 deletions
--- a/app/controllers/repp/v1/base_controller.rb
+++ b/app/controllers/repp/v1/base_controller.rb
@ -3,6 +3,7 @@ module Repp
    class BaseController < ActionController::API
      rescue_from ActiveRecord::RecordNotFound, with: :not_found_error
      before_action :authenticate_user
+      before_action :validate_webclient_ca
      before_action :check_ip_restriction
      attr_reader :current_user

@ -93,15 +94,32 @@ module Repp
      end

      def check_ip_restriction
-        allowed = @current_user.registrar.api_ip_white?(request.ip)
-
-        return if allowed
+        return if webclient_request?
+        return if @current_user.registrar.api_ip_white?(request.ip)

        @response = { code: 2202,
                      message: I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip) }
        render(json: @response, status: :unauthorized)
      end

+      def webclient_request?
+        return if Rails.env.test?
+        ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+      end
+
+      def validate_webclient_ca
+        return unless webclient_request?
+
+        request_name = request.env['HTTP_SSL_CLIENT_S_DN_CN']
+        webclient_cn = ENV['webclient_cert_common_name'] || 'webclient'
+        return if request_name == webclient_cn
+
+        @response = { code: 2202,
+                      message: I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip) }
+
+        render(json: @response, status: :unauthorized)
+      end
+
      def not_found_error
        @response = { code: 2303, message: 'Object does not exist' }
        render(json: @response, status: :not_found)