From 06049cd22fb7d1c240c731af7fbc649a11746eff Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Mon, 13 Nov 2017 17:14:26 +0200
Subject: [PATCH 1/6] while logging in with id/mid pick only users who have
 whitelisted ip

---
 .../registrar/sessions_controller.rb           | 18 +++++++++++++++---
 app/models/api_user.rb                         | 15 +++++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 4ba6501f1..80eefddb7 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -53,7 +53,7 @@ class Registrar
     end
 
     def id
-      @user = ApiUser.find_by_idc_data(request.env['SSL_CLIENT_S_DN'])
+      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'],request.ip)
 
       if @user
         sign_in(@user, event: :authentication)
@@ -87,7 +87,7 @@ class Registrar
         return
       end
 
-      @user = find_user_by_idc(response.user_id_code)
+      @user = find_user_by_idc_and_allowed(response.user_id_code)
 
       if @user.persisted?
         session[:user_id_code] = response.user_id_code
@@ -112,7 +112,7 @@ class Registrar
         when 'OUTSTANDING_TRANSACTION'
           render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
         when 'USER_AUTHENTICATED'
-          @user = find_user_by_idc(session[:user_id_code])
+          @user = find_user_by_idc_and_allowed(session[:user_id_code])
           sign_in @user
           flash[:notice] = t(:welcome)
           flash.keep(:notice)
@@ -149,6 +149,18 @@ class Registrar
       ApiUser.find_by(identity_code: idc) || User.new
     end
 
+    def find_user_by_idc_and_allowed(idc)
+      return User.new unless idc
+      possible_users = ApiUser.where(identity_code: idc) || User.new
+	for i in 0..possible_users.count
+		if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+		    break
+		end
+	end
+      possible_users[i]
+    end
+
+
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
       allowed = ip_restriction.can_access_registrar_area_sign_in_page?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 5e20db24a..a6ec82b06 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -51,6 +51,21 @@ class ApiUser < User
 
       find_by(identity_code: identity_code)
     end
+    
+    def find_by_idc_data_and_allowed(idc_data,ip)
+      return false if idc_data.blank?
+      identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
+
+      return false if ip.blank?
+      possible_users = where(identity_code: identity_code)
+        for i in 0..possible_users.count
+                if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
+                break
+                end
+        end
+      possible_users[i]
+    end
+
   end
 
   def registrar_typeahead

From af3123028554f0dbc3f4426c72ad4c0a52acee0e Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Mon, 13 Nov 2017 17:46:31 +0200
Subject: [PATCH 2/6] fix rspec for mid without ip whitelist

---
 app/controllers/registrar/sessions_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 80eefddb7..fa8ab4a88 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -87,7 +87,11 @@ class Registrar
         return
       end
 
-      @user = find_user_by_idc_and_allowed(response.user_id_code)
+      if Setting.registrar_ip_whitelist_enabled
+        @user = find_user_by_idc_and_allowed(response.user_id_code)
+      else
+        @user = find_user_by_idc(response.user_id_code)
+      end  
 
       if @user.persisted?
         session[:user_id_code] = response.user_id_code

From 3f1c36bd9a7416b77d3b04a9547929a1e608d23a Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Mon, 13 Nov 2017 18:43:37 +0200
Subject: [PATCH 3/6] fix some of the style bugs

---
 app/controllers/registrar/sessions_controller.rb | 12 ++++++------
 app/models/api_user.rb                           |  8 ++++----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index fa8ab4a88..c39fa93d0 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -53,7 +53,7 @@ class Registrar
     end
 
     def id
-      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'],request.ip)
+      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
 
       if @user
         sign_in(@user, event: :authentication)
@@ -156,11 +156,11 @@ class Registrar
     def find_user_by_idc_and_allowed(idc)
       return User.new unless idc
       possible_users = ApiUser.where(identity_code: idc) || User.new
-	for i in 0..possible_users.count
-		if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
-		    break
-		end
-	end
+	  for i in 0..possible_users.count
+	    if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+          break
+	    end
+      end
       possible_users[i]
     end
 
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index a6ec82b06..4f230d3b4 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -52,16 +52,16 @@ class ApiUser < User
       find_by(identity_code: identity_code)
     end
     
-    def find_by_idc_data_and_allowed(idc_data,ip)
+    def find_by_idc_data_and_allowed(idc_data, ip)
       return false if idc_data.blank?
       identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
 
       return false if ip.blank?
       possible_users = where(identity_code: identity_code)
         for i in 0..possible_users.count
-                if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
-                break
-                end
+          if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
+             break
+          end
         end
       possible_users[i]
     end

From e62bb19a7edc91d38bfa1268942548aeb2c1ddbd Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Tue, 14 Nov 2017 12:32:33 +0200
Subject: [PATCH 4/6] fix indention

---
 app/controllers/registrar/sessions_controller.rb |  8 ++++----
 app/models/api_user.rb                           | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index c39fa93d0..d56dc24de 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,12 +156,12 @@ class Registrar
     def find_user_by_idc_and_allowed(idc)
       return User.new unless idc
       possible_users = ApiUser.where(identity_code: idc) || User.new
-	  for i in 0..possible_users.count
-	    if possible_users[i].registrar.white_ips.registrar_area.include_ip?(request.ip)
+      for selected_user in 0..possible_users.count
+        if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(request.ip)
           break
-	    end
+        end
       end
-      possible_users[i]
+      possible_users[selected_user]
     end
 
 
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 4f230d3b4..b70aeeb11 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -51,19 +51,19 @@ class ApiUser < User
 
       find_by(identity_code: identity_code)
     end
-    
+
     def find_by_idc_data_and_allowed(idc_data, ip)
       return false if idc_data.blank?
       identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first
 
       return false if ip.blank?
       possible_users = where(identity_code: identity_code)
-        for i in 0..possible_users.count
-          if possible_users[i].registrar.white_ips.registrar_area.include_ip?(ip)
-             break
-          end
+      for selected_user in 0..possible_users.count
+        if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(ip)
+          break
         end
-      possible_users[i]
+      end
+      possible_users[selected_user]
     end
 
   end

From abeeec3baf95ed5de690971372fb0475556b9c50 Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Tue, 14 Nov 2017 12:51:44 +0200
Subject: [PATCH 5/6] prefer each over for

---
 app/controllers/registrar/sessions_controller.rb | 8 ++++----
 app/models/api_user.rb                           | 7 +++----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index d56dc24de..811769400 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,15 +156,15 @@ class Registrar
     def find_user_by_idc_and_allowed(idc)
       return User.new unless idc
       possible_users = ApiUser.where(identity_code: idc) || User.new
-      for selected_user in 0..possible_users.count
-        if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(request.ip)
-          break
+      possible_users eacho do |selected_user|
+        if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
+          return selected_user
         end
       end
-      possible_users[selected_user]
     end
 
 
+
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
       allowed = ip_restriction.can_access_registrar_area_sign_in_page?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index b70aeeb11..d05f8eb46 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -58,12 +58,11 @@ class ApiUser < User
 
       return false if ip.blank?
       possible_users = where(identity_code: identity_code)
-      for selected_user in 0..possible_users.count
-        if possible_users[selected_user].registrar.white_ips.registrar_area.include_ip?(ip)
-          break
+      possible_users eacho do |selected_user|
+        if selected_user.registrar.white_ips.registrar_area.include_ip?(ip)
+          return selected_user
         end
       end
-      possible_users[selected_user]
     end
 
   end

From f1739f2202d58655c683116fbc6a1780917aff11 Mon Sep 17 00:00:00 2001
From: Georg Kahest <georg@tld.ee>
Date: Tue, 14 Nov 2017 12:58:22 +0200
Subject: [PATCH 6/6] fix typo

---
 app/controllers/registrar/sessions_controller.rb | 2 +-
 app/models/api_user.rb                           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 811769400..1a8b195ee 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -156,7 +156,7 @@ class Registrar
     def find_user_by_idc_and_allowed(idc)
       return User.new unless idc
       possible_users = ApiUser.where(identity_code: idc) || User.new
-      possible_users eacho do |selected_user|
+      possible_users.each do |selected_user|
         if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
           return selected_user
         end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index d05f8eb46..ce32c4045 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -58,7 +58,7 @@ class ApiUser < User
 
       return false if ip.blank?
       possible_users = where(identity_code: identity_code)
-      possible_users eacho do |selected_user|
+      possible_users.each do |selected_user|
         if selected_user.registrar.white_ips.registrar_area.include_ip?(ip)
           return selected_user
         end