zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-06-05 20:27:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

REPP: check webclient IPs to bypass registrar IP whitelist

Browse source
This commit is contained in:
Karl Erik Õunapuu 2020-12-22 20:15:01 +02:00
parent 1d3c70ae34
commit 490467b5d9
No known key found for this signature in database
GPG key ID: C9DD647298A34764
1 changed files with 21 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

24
app/controllers/repp/v1/base_controller.rb
View file

@ -3,6 +3,7 @@ module Repp
class BaseController < ActionController::API
rescue_from ActiveRecord::RecordNotFound, with: :not_found_error
before_action :authenticate_user
before_action :validate_webclient_ca
before_action :check_ip_restriction
attr_reader :current_user
@ -93,15 +94,32 @@ module Repp
end
def check_ip_restriction
allowed = @current_user.registrar.api_ip_white?(request.ip)
return if allowed
return if webclient_request?
return if @current_user.registrar.api_ip_white?(request.ip)
@response = { code: 2202,
message: I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip) }
render(json: @response, status: :unauthorized)
end
def webclient_request?
return if Rails.env.test?
ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
end
def validate_webclient_ca
return unless webclient_request?
request_name = request.env['HTTP_SSL_CLIENT_S_DN_CN']
webclient_cn = ENV['webclient_cert_common_name'] || 'webclient'
return if request_name == webclient_cn
@response = { code: 2202,
message: I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip) }
render(json: @response, status: :unauthorized)
end
def not_found_error
@response = { code: 2303, message: 'Object does not exist' }
render(json: @response, status: :not_found)