From 06049cd22fb7d1c240c731af7fbc649a11746eff Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Mon, 13 Nov 2017 17:14:26 +0200
Subject: [PATCH 1/6] while logging in with id/mid pick only users who have whitelisted ip
---
.../registrar/sessions_controller.rb | 18 +++++++++++++++---
app/models/api_user.rb | 15 +++++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 4ba6501f1..80eefddb7 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -53,7 +53,7 @@ class Registrar
end
def id
- @user = ApiUser.find_by_idc_data(request.env['SSL_CLIENT_S_DN'])
+ @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'],request.ip)
if @user
sign_in(@user, event: :authentication)
@@ -87,7 +87,7 @@ class Registrar
return
end
- @user = find_user_by_idc(response.user_id_code)
+ @user = find_user_by_idc_and_allowed(response.user_id_code)
if @user.persisted?
session[:user_id_code] = response.user_id_code
@@ -112,7 +112,7 @@ class Registrar
when 'OUTSTANDING_TRANSACTION'
render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
when 'USER_AUTHENTICATED'
- @user = find_user_by_idc(session[:user_id_code])
+ @user = find_user_by_idc_and_allowed(session[:user_id_code])
sign_in @user
flash[:notice] = t(:welcome)
flash.keep(:notice)
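Review bot: The `id` action hunk gates on `if @user` while the mobile-id hunk at line 87 gates on `@user.persisted?`, and the two helpers they now call take the client IP differently (`ApiUser.find_by_idc_data_and_allowed(dn, request.ip)` versus a controller method that reads `request.ip` itself), so the deny path has to be reasoned about separately for each entry point; the line-112 hunk is a third call site that reaches `sign_in @user` with no check at all. A single controller-side helper that takes an identity code plus `request.ip` and always returns either a persisted ApiUser or `User.new` would let all three hunks share the same `persisted?` check. Each action's body continues outside its hunk.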
@@ -149,6 +149,18 @@ class Registrar
ApiUser.find_by(identity_code: idc) || User.new
end
+ def find_user_by_idc_and_allowed(idc)
+ return User.new unless idc
+ possible_users = ApiUser.where(identity_code: idc) || User.new
+ for i in 0..possible_users.count
+ if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+ break
+ end
+ end
+ possible_users[i]
+ end
+
+
def check_ip_restriction
ip_restriction = Authorization::RestrictedIP.new(request.ip)
allowed = ip_restriction.can_access_registrar_area_sign_in_page?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 5e20db24a..a6ec82b06 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -51,6 +51,21 @@ class ApiUser < User
find_by(identity_code: identity_code)
end
+
+ def find_by_idc_data_and_allowed(idc_data,ip)
+ return false if idc_data.blank?
+ identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
+
+ return false if ip.blank?
+ possible_users = where(identity_code: identity_code)
+ for i in 0..possible_users.count
+ if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
+ break
+ end
+ end
+ possible_users[i]
+ end
+
end
def registrar_typeahead
From af3123028554f0dbc3f4426c72ad4c0a52acee0e Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Mon, 13 Nov 2017 17:46:31 +0200
Subject: [PATCH 2/6] fix rspec for mid without ip whitelist
---
app/controllers/registrar/sessions_controller.rb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 80eefddb7..fa8ab4a88 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
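Review bot: `for i in 0..possible_users.count` in find_user_by_idc_and_allowed iterates one index past the last record, so when no user's registrar whitelists `request.ip` the loop reaches `possible_users[count]`, which is nil, and `nil.registrar` raises instead of the method returning a non-persisted user; the `|| User.new` on the `where` line never fires because `where` returns a relation, not nil. The same loop appears in the ApiUser hunk below. A first-match lookup with an explicit fallback keeps the caller's `@user.persisted?` contract: `ApiUser.where(identity_code: idc).find { |u| u.registrar.white_ips.registrar_area.include_ip?(request.ip) } || User.new`.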
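Review bot: find_by_idc_data_and_allowed guards `idc_data` and `ip` for blankness but not the extracted `identity_code`; a DN without a `serialNumber=` attribute yields nil from the scan, and `where(identity_code: nil)` then selects every ApiUser whose identity_code is NULL (if such rows can exist, which I cannot tell from here), so add `return false if identity_code.blank?` right after the scan. The method also returns `false` where the sibling `find_by_idc_data` directly above returns nil from `find_by`; returning nil keeps the two lookups interchangeable at the `if @user` call site. The DN parsing is duplicated from that sibling; a small private `identity_code_from_dn(idc_data)` helper would keep the regex in one place.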
@@ -87,7 +87,11 @@ class Registrar
return
end
- @user = find_user_by_idc_and_allowed(response.user_id_code)
+ if Setting.registrar_ip_whitelist_enabled
+ @user = find_user_by_idc_and_allowed(response.user_id_code)
+ else
+ @user = find_user_by_idc(response.user_id_code)
+ end
if @user.persisted?
session[:user_id_code] = response.user_id_code
From 3f1c36bd9a7416b77d3b04a9547929a1e608d23a Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Mon, 13 Nov 2017 18:43:37 +0200
Subject: [PATCH 3/6] fix some of the style bugs
---
app/controllers/registrar/sessions_controller.rb | 12 ++++++------
app/models/api_user.rb | 8 ++++----
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index fa8ab4a88..c39fa93d0 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -53,7 +53,7 @@ class Registrar
end
def id
- @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'],request.ip)
+ @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
if @user
sign_in(@user, event: :authentication)
@@ -156,11 +156,11 @@ class Registrar
def find_user_by_idc_and_allowed(idc)
return User.new unless idc
possible_users = ApiUser.where(identity_code: idc) || User.new
- for i in 0..possible_users.count
- if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
- break
- end
- end
+ for i in 0..possible_users.count
+ if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+ break
+ end
+ end
possible_users[i]
end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index a6ec82b06..4f230d3b4 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
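Review bot: `Setting.registrar_ip_whitelist_enabled` now gates the whitelist only for the first mobile-id step; the certificate `id` action (patch 1, line 53) and the `USER_AUTHENTICATED` branch (patch 1, line 115) still call the `_and_allowed` helpers unconditionally, so with the setting off a mobile-id login passes step one and is then filtered at confirmation, and certificate login is filtered regardless. Moving the check into the helper itself, `return find_user_by_idc(idc) unless Setting.registrar_ip_whitelist_enabled` as its first line, would make all three entry points agree and let this hunk collapse back to the single assignment. The action body continues outside the hunk.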
@@ -52,16 +52,16 @@ class ApiUser < User
find_by(identity_code: identity_code)
end
- def find_by_idc_data_and_allowed(idc_data,ip)
+ def find_by_idc_data_and_allowed(idc_data, ip)
return false if idc_data.blank?
identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
return false if ip.blank?
possible_users = where(identity_code: identity_code)
for i in 0..possible_users.count
- if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
- break
- end
+ if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
+ break
+ end
end
possible_users[i]
end
From e62bb19a7edc91d38bfa1268942548aeb2c1ddbd Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Tue, 14 Nov 2017 12:32:33 +0200
Subject: [PATCH 4/6] fix indention
---
app/controllers/registrar/sessions_controller.rb | 8 ++++----
app/models/api_user.rb | 12 ++++++------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index c39fa93d0..d56dc24de 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,12 +156,12 @@ class Registrar
def find_user_by_idc_and_allowed(idc)
return User.new unless idc
possible_users = ApiUser.where(identity_code: idc) || User.new
- for i in 0..possible_users.count
- if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+ for selected_user in 0..possible_users.count
+ if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(request.ip)
break
- end
+ end
end
- possible_users[i]
+ possible_users[selected_user]
end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 4f230d3b4..b70aeeb11 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -51,19 +51,19 @@ class ApiUser < User
find_by(identity_code: identity_code)
end
-
+
def find_by_idc_data_and_allowed(idc_data, ip)
return false if idc_data.blank?
identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
return false if ip.blank?
possible_users = where(identity_code: identity_code)
- for i in 0..possible_users.count
- if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
- break
- end
+ for selected_user in 0..possible_users.count
+ if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(ip)
+ break
end
- possible_users[i]
+ end
+ possible_users[selected_user]
end
end
From abeeec3baf95ed5de690971372fb0475556b9c50 Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Tue, 14 Nov 2017 12:51:44 +0200
Subject: [PATCH 5/6] prefer each over for
---
app/controllers/registrar/sessions_controller.rb | 8 ++++----
app/models/api_user.rb | 7 +++----
2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index d56dc24de..811769400 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,15 +156,15 @@ class Registrar
def find_user_by_idc_and_allowed(idc)
return User.new unless idc
possible_users = ApiUser.where(identity_code: idc) || User.new
- for selected_user in 0..possible_users.count
- if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(request.ip)
- break
+ possible_users eacho do |selected_user|
+ if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
+ return selected_user
end
end
- possible_users[selected_user]
end
+
def check_ip_restriction
ip_restriction = Authorization::RestrictedIP.new(request.ip)
allowed = ip_restriction.can_access_registrar_area_sign_in_page?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index b70aeeb11..d05f8eb46 100644
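Review bot: With the `for` loop replaced by `each` and the trailing `possible_users[selected_user]` removed, find_user_by_idc_and_allowed's value on the no-match path is whatever `each` returns, i.e. the relation itself, which is truthy and, as far as I can tell, does not respond to `persisted?`, so the `@user.persisted?` and `sign_in @user` call sites no longer receive a `User.new` when the IP is not whitelisted; the `|| User.new` on the `where` line still cannot supply it because `where` never returns nil. The `ApiUser.find_by_idc_data_and_allowed` hunk in the next file has the same shape and hands the relation to the `id` action's `if @user`. Replace the block with a first-match lookup and an explicit fallback: `possible_users.find { |u| u.registrar.white_ips.registrar_area.include_ip?(request.ip) } || User.new`.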
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -58,12 +58,11 @@ class ApiUser < User
return false if ip.blank?
possible_users = where(identity_code: identity_code)
- for selected_user in 0..possible_users.count
- if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(ip)
- break
+ possible_users eacho do |selected_user|
+ if selected_user.registrar.white_ips.registrar_area.include_ip?(ip)
+ return selected_user
end
end
- possible_users[selected_user]
end
end
From f1739f2202d58655c683116fbc6a1780917aff11 Mon Sep 17 00:00:00 2001
From: Georg Kahest
Date: Tue, 14 Nov 2017 12:58:22 +0200
Subject: [PATCH 6/6] fix typo
---
app/controllers/registrar/sessions_controller.rb | 2 +-
app/models/api_user.rb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 811769400..1a8b195ee 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,7 +156,7 @@ class Registrar
def find_user_by_idc_and_allowed(idc)
return User.new unless idc
possible_users = ApiUser.where(identity_code: idc) || User.new
- possible_users eacho do |selected_user|
+ possible_users.each do |selected_user|
if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
return selected_user
end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index d05f8eb46..ce32c4045 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -58,7 +58,7 @@ class ApiUser < User
return false if ip.blank?
possible_users = where(identity_code: identity_code)
- possible_users eacho do |selected_user|
+ possible_users.each do |selected_user|
if selected_user.registrar.white_ips.registrar_area.include_ip?(ip)
return selected_user
end
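Review bot: `where(identity_code: identity_code)` carries no ordering, so when one identity code belongs to several ApiUsers and more than one registrar whitelists `ip`, the account picked by `return selected_user` in this hunk is whichever row the database happens to yield first, which makes the login outcome differ between deployments; `.order(:id)` on the `where` line, or a comment stating that the first whitelisted match wins, would pin it. A one-line YARD comment above the method such as `# @return [ApiUser, false] first user with this identity code whose registrar whitelists ip; false on blank input` would also record the intended contract the `id` action's `if @user` relies on. The method's closing `end` is inside the hunk but the class continues outside it.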