Improve ip whitelist #2713

app/controllers/registrar/sessions_controller.rb

@@ -47,16 +47,6 @@ class Registrar::SessionsController < Devise::SessionsController
       end
     end
 
-    unless @api_user.registrar.registrar_ip_white?(request.ip)
-      @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
-    end
-
-    if @api_user.can_make_api_calls?
-      unless @api_user.registrar.api_ip_white?(request.ip)
-        @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
-      end
-    end
-
     if @depp_user.errors.none? && @depp_user.valid?
       if @api_user.active?
         sign_in @api_user

app/controllers/registrar_controller.rb

@@ -9,6 +9,8 @@ class RegistrarController < ApplicationController
     false
   end
 
+  # rubocop:disable Metrics/PerceivedComplexity
+  # rubocop:disable Metrics/CyclomaticComplexity
   def check_ip
     return unless current_user
     unless current_user.is_a? ApiUser
@@ -16,11 +18,20 @@ class RegistrarController < ApplicationController
       return
     end
     return if Rails.env.development?
-    return if current_user.registrar.registrar_ip_white?(request.ip)
+    riw = current_user.registrar.registrar_ip_white?(request.ip)
+
+    aiw = true
+    if current_user.can_make_api_calls?
+      aiw = current_user.registrar.api_ip_white?(request.ip)
+    end
+
+    return if riw && aiw
     flash[:alert] = t('access_denied')
     sign_out(current_user)
     redirect_to registrar_login_path and return
   end
+  # rubocop:enable Metrics/PerceivedComplexity
+  # rubocop:enable Metrics/CyclomaticComplexity
 
   helper_method :head_title_sufix
   def head_title_sufix

config/locales/en.yml

@@ -911,3 +911,5 @@ en:
   pending_epp: Pending epp
   id: ID
   hidden: '[hidden]'
+  registrar_ip_is_not_whitelisted: 'Registrar IP is not whitelisted'
+  api_ip_is_not_whitelisted: 'API IP is not whitelisted'

spec/fabricators/registrar_fabricator.rb

@@ -9,7 +9,7 @@ Fabricator(:registrar) do
   country_code 'EE'
   code { sequence(:code) { |i| "REGISTRAR#{i}" } }
   reference_no { sequence(:reference_no) { |i| "RF#{i}" } }
-  white_ips { [Fabricate(:white_ip)] }
+  white_ips { [Fabricate(:white_ip), Fabricate(:white_ip, interface: WhiteIp::REGISTRAR)] }
 end
 
 Fabricator(:registrar_with_no_account_activities, from: :registrar) do

spec/fabricators/white_ip_fabricator.rb

@@ -1,6 +1,6 @@
 Fabricator(:white_ip) do
   ipv4 '127.0.0.1'
-  interface WhiteIp::GLOBAL
+  interface WhiteIp::API
 end
 
 Fabricator(:white_ip_registrar, from: :white_ip) do

spec/features/registrar/sessions_spec.rb

@@ -3,6 +3,7 @@ require 'rails_helper'
 feature 'Sessions', type: :feature do
   context 'with invalid ip' do
     it 'should not see login page' do
+      Setting.registrar_ip_whitelist_enabled = true
       WhiteIp.destroy_all
       visit registrar_login_path
       page.should have_text('Access denied')
@@ -36,6 +37,7 @@ feature 'Sessions', type: :feature do
 
     it 'should get in with invalid when whitelist disabled' do
       Setting.registrar_ip_whitelist_enabled = false
+      Setting.api_ip_whitelist_enabled = false
       Fabricate(:registrar, white_ips: [Fabricate(:white_ip), Fabricate(:white_ip_registrar)])
       @api_user_invalid_ip = Fabricate(
         :api_user, identity_code: '37810013294', registrar: Fabricate(:registrar, white_ips: [])
@@ -46,6 +48,7 @@ feature 'Sessions', type: :feature do
       click_button 'Log in'
       page.should have_text('Log out')
       Setting.registrar_ip_whitelist_enabled = true
+      Setting.api_ip_whitelist_enabled = true
     end
 
     it 'should not get in with invalid user' do