From 3d33ddd6380fd092a04e6c2d0f26128dd5df4367 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Tue, 30 Jun 2015 12:16:11 +0300 Subject: [PATCH 01/20] Update poll translation #2453 --- config/locales/en.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/locales/en.yml b/config/locales/en.yml index 2275b13b1..2336303e6 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -615,9 +615,9 @@ en: you_have_no_new_messages: 'You have no new messages' message_id: 'Message ID' trStatus: 'Status' - reID: 'Transfer from' + reID: 'Transfer to' reDate: 'Transfer requested at' - acID: 'Transfer to' + acID: 'Transfer from' acDate: 'Accept date' exDate: 'Valid to' dequeue: 'Dequeue' From 027d800b355c9b1351ea8718e08b457d01e7cfc8 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Mon, 13 Jul 2015 18:06:59 +0300 Subject: [PATCH 02/20] Add pw filtered #2757 --- app/controllers/epp_controller.rb | 2 +- config/initializers/filter_parameter_logging.rb | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/epp_controller.rb b/app/controllers/epp_controller.rb index 8817e150e..4b1af94ce 100644 --- a/app/controllers/epp_controller.rb +++ b/app/controllers/epp_controller.rb @@ -281,7 +281,7 @@ class EppController < ApplicationController # filter pw if request_command == 'login' && frame.present? - frame.gsub!(/.+<\/pw>/, '[FILTERED]') + frame.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Mon, 13 Jul 2015 18:17:44 +0300 Subject: [PATCH 03/20] Typo fix #2757 --- config/initializers/filter_parameter_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index 21e09cd43..bdc362174 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb 
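Review bot: The pattern `/pw>.+<\//` in the epp_controller.rb login filter is case-sensitive and greedy, so an EPP `<newPW>` element on a line of its own is not redacted, while on a single-line frame `.+` runs to the last `</` and blanks everything after the password. Anchoring on the opening tag and stopping at the first closing tag keeps the redaction to the element bodies, e.g. `frame.gsub!(/(<(?:[\w-]+:)?(?:pw|newPW)>).*?(?=<\/)/m, '\1[FILTERED]')`. The replacement string is cut off in this rendering, so adjust the suggestion to what the commit actually writes. The same pattern is used by the lambda in config/initializers/filter_parameter_logging.rb (patches 02 to 05), and the method containing this line starts outside the hunk.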
@@ -4,5 +4,5 @@ Rails.application.config.filter_parameters += [:password] Rails.application.config.filter_parameters << lambda do |key, value| - frame.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Tue, 14 Jul 2015 10:54:11 +0300 Subject: [PATCH 04/20] Convert all frames to string #2757 --- config/initializers/filter_parameter_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index bdc362174..41a0eef24 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb @@ -4,5 +4,5 @@ Rails.application.config.filter_parameters += [:password] Rails.application.config.filter_parameters << lambda do |key, value| - value.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Tue, 14 Jul 2015 11:04:23 +0300 Subject: [PATCH 05/20] Filter only frame and raw_frame and not parsed_frame #2757 --- config/initializers/filter_parameter_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index 41a0eef24..30327efd5 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb @@ -4,5 +4,5 @@ Rails.application.config.filter_parameters += [:password] Rails.application.config.filter_parameters << lambda do |key, value| - value.to_s.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Wed, 15 Jul 2015 12:52:04 +0300 Subject: [PATCH 06/20] Updated email whitelist, added Timo second email #2771 --- config/initializers/settings.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/config/initializers/settings.rb b/config/initializers/settings.rb index 8a222b617..f121e3816 100644 --- a/config/initializers/settings.rb +++ b/config/initializers/settings.rb 
@@ -1,5 +1,6 @@ TEST_EMAILS = %w( timo.vohmar@internet.ee + timo.vohmar@eestiinternet.ee rene.vahtel@internet.ee martin.mettig@internet.ee hannes.klausen@internet.ee From fccb76068852f0e8166b65a743050e8877bef064 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Wed, 15 Jul 2015 13:52:19 +0300 Subject: [PATCH 07/20] Fix cron job method #2784 --- app/models/domain.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index e6bf2ea41..9f78327b2 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -199,7 +199,6 @@ class Domain < ActiveRecord::Base count += 1 domain.clean_pendings! end - STDOUT << "#{Time.zone.now.utc} - Successfully cancelled #{count} domain pendings\n" unless Rails.env.test? count end @@ -213,7 +212,7 @@ class Domain < ActiveRecord::Base domain.set_expired! end - STDOUT << "#{Time.zone.now.utc} - Successfully expired #{d.count} domains\n" unless Rails.env.test? + STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domain.count} domains\n" unless Rails.env.test? end def start_redemption_grace_period From 8e1c9be56b22abd9aaf6cdaa3d573ba1d821e046 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Wed, 15 Jul 2015 14:00:46 +0300 Subject: [PATCH 08/20] Typo fix #2784 --- app/models/domain.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index 9f78327b2..9a475f7f9 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -212,7 +212,7 @@ class Domain < ActiveRecord::Base domain.set_expired! end - STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domain.count} domains\n" unless Rails.env.test? + STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domains.count} domains\n" unless Rails.env.test? end def start_redemption_grace_period From a9e8bb65fb73322d985d4e8976d841bbc5b9de1b Mon Sep 17 00:00:00 2001 
From: Priit Tark Date: Thu, 16 Jul 2015 15:53:58 +0300 Subject: [PATCH 09/20] Fix que doc #2724 --- doc/que/que-init-example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/que/que-init-example b/doc/que/que-init-example index d36fbf101..9e561d3a8 100644 --- a/doc/que/que-init-example +++ b/doc/que/que-init-example @@ -38,7 +38,7 @@ start) ;; stop) echo "$1 que monitor and server" - cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH lib/daemons/que_ctl stop + cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH exec lib/daemons/que_ctl stop ;; restart) echo "$1 que monitor and server" From 486996fd53c6b467d2981dd9c4e72c783c987774 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 16 Jul 2015 18:42:49 +0300 Subject: [PATCH 10/20] Que inits script sudo friendly, pid files moved to tmp/pids #2724 --- config/daemons.yml | 4 +++- config/deploy.rb | 11 ++++++++++- doc/que/README.md | 10 ++++++++-- doc/que/que-init-example | 23 ++++++++++------------- 4 files changed, 31 insertions(+), 17 deletions(-) diff --git a/config/daemons.yml b/config/daemons.yml index 29ce969f4..55e5cdb25 100644 --- a/config/daemons.yml +++ b/config/daemons.yml @@ -1,7 +1,9 @@ dir_mode: script -dir: ../../log +dir: ../../tmp/pids multiple: true backtrace: true monitor: true ontop: false app_name: 'que' +user: <%= ENV['QUE_USER'] || 'registry' %> +group: <%= ENV['QUE_GROUP'] || ENV['QUE_USER'] || 'registry' %> diff --git a/config/deploy.rb b/config/deploy.rb index 05eb64ab4..40a8a5ace 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -138,7 +138,8 @@ set :shared_paths, [ 'public/system', 'export/zonefiles', 'import/bank_statements', - 'import/legal_documents' + 'import/legal_documents', + 'tmp/pids' ] # Optional settings: 
@@ -180,6 +181,9 @@ task setup: :environment do queue! %(mkdir -p "#{deploy_to}/shared/import/legal_documents") queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/import/legal_documents") + queue! %(mkdir -p "#{deploy_to}/shared/tmp/pids") + queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/tmp/pids") + queue! %(touch "#{deploy_to}/shared/config/database.yml") deploy do invoke :'git:clone' @@ -199,6 +203,11 @@ task deploy: :environment do # instance of your project. invoke :'git:clone' invoke :load_commit_hash + + # TEMP until all servers are updated + queue! %(mkdir -p "#{deploy_to}/shared/tmp/pids") + queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/tmp/pids") + invoke :'deploy:link_shared_paths' invoke :'bundle:install' invoke :'rails:db_migrate' diff --git a/doc/que/README.md b/doc/que/README.md index 3c34a10ac..1dddd8fc3 100644 --- a/doc/que/README.md +++ b/doc/que/README.md @@ -22,9 +22,15 @@ Installation at deployed server: sudo /etc/init.d/que start # for manual start sudo update-rc.d que defaults # for start in server boot -# Debugging +PID files +--------- -You can run que manually as well: +All pid files are at tmp/pids directory. + +Debugging +--------- + +You can run que manually as well for debugging: cd /home/registry/registry/current diff --git a/doc/que/que-init-example b/doc/que/que-init-example index 9e561d3a8..28e27e957 100644 --- a/doc/que/que-init-example +++ b/doc/que/que-init-example 
@@ -11,38 +11,35 @@ set -u set -e -# -# Change these to match your server: -# -# Make sure that all paths are correct. -# +### CHANGES APP_HOME="/home/registry/registry" APP_ROOT="$APP_HOME/current" -QUE_USER=registry # or use some other unprivileged system user +QUE_USER=registry # or use some other unprivileged OS user what your registry servers uses RAILS_ENV=production -RUBY_BUNDLE_PATH=/home/$QUE_USER/.rbenv/shims/bundle -QUE_INSTANCES=1 # or as many really needed based real load +RUBY_BUNDLE=/home/$QUE_USER/.rbenv/shims/bundle +QUE_INSTANCES=1 # or as many really needed based on real load info +### END OF CHANGES cd $APP_ROOT || exit 1 case ${1-help} in status) - cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH exec lib/daemons/que_ctl status + cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE exec lib/daemons/que_ctl status ;; start) echo "$1 que monitor and server" for i in `seq 1 $QUE_INSTANCES`; do - cd $APP_ROOT && QUE_WORKER_COUNT=1 RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH exec rake daemon:que:start - echo '.' + cd $APP_ROOT && QUE_WORKER_COUNT=1 RAILS_ENV=$RAILS_ENV QUE_USER=$QUE_USER $RUBY_BUNDLE exec rake daemon:que:start + echo 'que instance started' done ;; stop) echo "$1 que monitor and server" - cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH exec lib/daemons/que_ctl stop + cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE exec lib/daemons/que_ctl stop ;; restart) echo "$1 que monitor and server" - cd $APP_ROOT && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE_PATH exec rake daemon:que:restart + cd $APP_ROOT && RAILS_ENV=$RAILS_ENV QUE_USER=$QUE_USER $RUBY_BUNDLE exec rake daemon:que:restart ;; *) echo >&2 "Usage: $0 " From 3a4744f32c2b40ec69737c36e3e486ed3da6d906 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 16 Jul 2015 19:00:11 +0300 Subject: [PATCH 11/20] Separate Que log and pid dir #2724 --- config/daemons.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/daemons.yml b/config/daemons.yml index 55e5cdb25..2ea44d51a 100644 
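Review bot: The start and restart branches run `$RUBY_BUNDLE exec rake daemon:que:start` as whichever account invokes the script, and doc/que/README.md tells operators to use `sudo /etc/init.d/que start`. Bundler, rake and the application boot code under /home/$QUE_USER therefore presumably run as root before the `user:`/`group:` settings in config/daemons.yml can drop privileges. Those files are writable by the unprivileged account, so that account can influence what root executes. Running the whole command as the service user avoids this, e.g. `su -s /bin/sh "$QUE_USER" -c "cd '$APP_ROOT' && RAILS_ENV=$RAILS_ENV $RUBY_BUNDLE exec rake daemon:que:start"`, and `$APP_ROOT` should be quoted in the `cd` calls.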
--- a/config/daemons.yml +++ b/config/daemons.yml @@ -1,5 +1,6 @@ dir_mode: script dir: ../../tmp/pids +log_dir: ../../log multiple: true backtrace: true monitor: true From 918e85dc64ffd69fadffa6837ec7e3058972458b Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 16 Jul 2015 19:11:55 +0300 Subject: [PATCH 12/20] Que log separate path fix #2724 --- config/daemons.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/daemons.yml b/config/daemons.yml index 2ea44d51a..856ff19ab 100644 --- a/config/daemons.yml +++ b/config/daemons.yml @@ -1,6 +1,6 @@ dir_mode: script dir: ../../tmp/pids -log_dir: ../../log +log_dir: <%= File.expand_path("../../log", __FILE__) %> multiple: true backtrace: true monitor: true From c484fbd99dcc412f910fa05140ead0b9f4d926a3 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 16 Jul 2015 19:23:49 +0300 Subject: [PATCH 13/20] Que log/pid moved to log/que #2724 --- config/daemons.yml | 3 +-- config/deploy.rb | 8 ++++---- doc/que/README.md | 2 +- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/config/daemons.yml b/config/daemons.yml index 856ff19ab..e5c5f1b0d 100644 --- a/config/daemons.yml +++ b/config/daemons.yml @@ -1,6 +1,5 @@ dir_mode: script -dir: ../../tmp/pids -log_dir: <%= File.expand_path("../../log", __FILE__) %> +dir: ../../log/que multiple: true backtrace: true monitor: true diff --git a/config/deploy.rb b/config/deploy.rb index 40a8a5ace..b24060f6b 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -181,8 +181,8 @@ task setup: :environment do queue! %(mkdir -p "#{deploy_to}/shared/import/legal_documents") queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/import/legal_documents") - queue! %(mkdir -p "#{deploy_to}/shared/tmp/pids") - queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/tmp/pids") + queue! %(mkdir -p "#{deploy_to}/shared/log/que") + queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/log/que") queue! %(touch "#{deploy_to}/shared/config/database.yml") deploy do 
@@ -205,8 +205,8 @@ task deploy: :environment do invoke :load_commit_hash # TEMP until all servers are updated - queue! %(mkdir -p "#{deploy_to}/shared/tmp/pids") - queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/tmp/pids") + queue! %(mkdir -p "#{deploy_to}/shared/log/que") + queue! %(chmod g+rx,u+rwx "#{deploy_to}/shared/log/que") invoke :'deploy:link_shared_paths' invoke :'bundle:install' diff --git a/doc/que/README.md b/doc/que/README.md index 1dddd8fc3..e7d3032d0 100644 --- a/doc/que/README.md +++ b/doc/que/README.md @@ -25,7 +25,7 @@ Installation at deployed server: PID files --------- -All pid files are at tmp/pids directory. +All pid files are at log/que directory. Debugging --------- From 48c22bb53852763fee0d83fffed375ebf90ce525 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Fri, 17 Jul 2015 18:43:37 +0300 Subject: [PATCH 14/20] Stop/restar que without trace output #2724 --- config/deploy.rb | 7 ++++++- lib/daemons/que.rb | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/config/deploy.rb b/config/deploy.rb index b24060f6b..5571ecaa9 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -214,7 +214,7 @@ task deploy: :environment do to :launch do invoke :restart invoke :'deploy:cleanup' - queue! "QUE_WORKER_COUNT=1 #{rake} daemon:que:restart" if que_restart + invoke :que_restart if que_restart end end end @@ -245,6 +245,11 @@ task restart: :environment do queue "mkdir -p #{deploy_to}/current/tmp; touch #{deploy_to}/current/tmp/restart.txt" end +desc 'Restart que server' +task que_restart: :environment do + queue "/etc/init.d/que restart" +end + namespace :cron do desc 'Setup cron tasks.' task setup: :environment do diff --git a/lib/daemons/que.rb b/lib/daemons/que.rb index 683024ddd..df16014f7 100755 --- a/lib/daemons/que.rb +++ b/lib/daemons/que.rb @@ -26,7 +26,7 @@ Que.mode = :async # the rake task in tasks/safe_shutdown.rb. stop = false -%w( INT TERM ).each do |signal| +%w( INT ).each do |signal| trap(signal) { stop = true } end 
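Review bot: With TERM dropped from the trapped list in lib/daemons/que.rb, a plain `kill` or an init-system stop no longer sets `stop` and instead goes through Ruby's default TERM handling. The comment just above asks for signal changes to be tested against tasks/safe_shutdown.rb, and the commit gives no reason for the change. Add a why-comment such as `# TERM is left to the default handler because <reason>; INT requests a graceful stop`, and since only one signal remains the loop can become `trap('INT') { stop = true }`. The at_exit block that follows is outside the hunk, so whether running jobs still finish cleanly on TERM cannot be confirmed from here.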
From c3479137320e53030a9e70cbc50b7be2cec25e08 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Mon, 20 Jul 2015 12:28:04 +0300 Subject: [PATCH 15/20] Wake que less often, now every 1 second instead of 0.01 second #2724 --- lib/daemons/que.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/daemons/que.rb b/lib/daemons/que.rb index df16014f7..e246212ba 100755 --- a/lib/daemons/que.rb +++ b/lib/daemons/que.rb @@ -19,7 +19,7 @@ end Que.logger.level = Logger.const_get((ENV['QUE_LOG_LEVEL'] || 'INFO').upcase) Que.worker_count = 1 -Que.wake_interval = (ENV['QUE_WAKE_INTERVAL'] || 0.1).to_f +Que.wake_interval = (ENV['QUE_WAKE_INTERVAL'] || 1).to_f Que.mode = :async # When changing how signals are caught, be sure to test the behavior with @@ -38,6 +38,6 @@ at_exit do end loop do - sleep 0.01 + sleep 1 break if stop end From a7807eb2884b70deefda3cc848758f590c757a00 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Tue, 21 Jul 2015 13:11:19 +0300 Subject: [PATCH 16/20] Replaced remote ip to ip for counter #2348 --- app/controllers/epp_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/epp_controller.rb b/app/controllers/epp_controller.rb index 2cd1c8bc7..5425c8b57 100644 --- a/app/controllers/epp_controller.rb +++ b/app/controllers/epp_controller.rb @@ -328,6 +328,6 @@ class EppController < ApplicationController def iptables_counter_update return if ENV['iptables_counter_enabled'].blank? && ENV['iptables_counter_enabled'] != 'true' return if current_user.blank? - counter_update(current_user.registrar_code, request.remote_ip) + counter_update(current_user.registrar_code, request.ip) end end From 1dd751bab26c1983f9a82d55fabccf03deadcc15 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Tue, 21 Jul 2015 19:25:59 +0300 Subject: [PATCH 17/20] Update translation #2720 --- config/locales/en.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
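Review bot: `request.ip` in iptables_counter_update is Rack's address resolution, which does not apply the spoofing check or the `config.action_dispatch.trusted_proxies` setting that `request.remote_ip` uses, and which takes the client address from X-Forwarded-For whenever REMOTE_ADDR is a trusted proxy. The value goes to `counter_update` together with the registrar code, so a forwarded header that the front end does not overwrite would let a client choose which address is counted. Document next to the call which proxy sets the header, e.g. `# request.ip relies on X-Forwarded-For being overwritten by <front-end proxy>`. Separately, the guard in the context line above uses `&&`, so a value such as 'false' does not return early; `return unless ENV['iptables_counter_enabled'] == 'true'` matches the commented example in config/application-example.yml.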
diff --git a/config/locales/en.yml b/config/locales/en.yml index 0b71bf267..2b2c28632 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -832,7 +832,7 @@ en: unset_force_delete: 'Unset force delete' domain_expiring: 'Domain expiring' domain_validation_rules: 'Domain validation rules' - bank_statement_desc: 'Import file row will match only when matching following attributes:
ref number
payment amount
invoice number (the very first number in comment field)
.' + bank_statement_desc: 'Import file row will match only when matching following attributes:
ref number
payment amount
invoice number (the first numerical value in comment field)
.' create_bank_statement: 'Create bank statement' create_bank_transaction: 'Create bank transaction' create_new_invoice: 'Create new invoice' From dff7e3047d5d01ea693b964b4f0bfed6ac3bf5df Mon Sep 17 00:00:00 2001 From: Martin Lensment Date: Mon, 20 Jul 2015 16:57:12 +0300 Subject: [PATCH 18/20] Allow specifying multiple ips for webclients #2744 --- app/api/repp/api.rb | 5 +++-- app/controllers/epp/sessions_controller.rb | 8 +++++--- config/application-example.yml | 6 +++--- config/initializers/env_required.rb | 2 +- doc/certificates.md | 2 +- spec/requests/v1/account_spec.rb | 4 ++-- 6 files changed, 15 insertions(+), 12 deletions(-) diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb index af83d235d..976376f76 100644 --- a/app/api/repp/api.rb +++ b/app/api/repp/api.rb @@ -8,7 +8,8 @@ module Repp end before do - if request.ip != ENV['webclient_ip'] + webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip) + unless webclient_request error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip) end @@ -20,7 +21,7 @@ module Repp message = 'Certificate mismatch! Cert common name should be:' request_name = env['HTTP_SSL_CLIENT_S_DN_CN'] - if request.ip == ENV['webclient_ip'] + if webclient_request webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient' error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name else diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb index 99a148c9c..49464901a 100644 --- a/app/controllers/epp/sessions_controller.rb +++ b/app/controllers/epp/sessions_controller.rb 
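Review bot: The expression `ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)` is introduced here and repeated twice in app/controllers/epp/sessions_controller.rb (in the login action and in `ip_white?`), and a match switches the request to the webclient certificate check and skips the registrar IP whitelist. Keeping that decision in one documented helper stops the three copies from drifting apart. The helper is also the place to tolerate an unset variable (`ENV['webclient_ips'].to_s`) and to compare parsed addresses rather than strings, since an entry written in a different textual form never equals `request.ip`. The second hunk reads `webclient_request` in code whose enclosing block is not visible, so confirm it is still inside the `before do` block where the local is assigned.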
@@ -13,7 +13,8 @@ class Epp::SessionsController < EppController success = true @api_user = ApiUser.find_by(login_params) - if request.ip == ENV['webclient_ip'] && !Rails.env.test? && !Rails.env.development? + webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip) + if webclient_request && !Rails.env.test? && !Rails.env.development? client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT']) server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path'])) if client_md5 != server_md5 @@ -22,7 +23,7 @@ class Epp::SessionsController < EppController end end - if request.ip != ENV['webclient_ip'] && @api_user + if !webclient_request && @api_user unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN']) @msg = 'Authentication error; server closing connection (certificate is not valid)' success = false @@ -71,7 +72,8 @@ class Epp::SessionsController < EppController # rubocop: enable Metrics/CyclomaticComplexity def ip_white? - return true if request.ip == ENV['webclient_ip'] + webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip) + return true if webclient_request if @api_user return false unless @api_user.registrar.api_ip_white?(request.ip) end diff --git a/config/application-example.yml b/config/application-example.yml index c01412138..7f6bc4250 100644 --- a/config/application-example.yml +++ b/config/application-example.yml @@ -4,7 +4,7 @@ app_name: '.EE Registry' zonefile_export_dir: 'export/zonefiles' bank_statement_import_dir: 'import/bank_statements' legal_documents_dir: 'import/legal_documents' -time_zone: 'Tallinn' # more zones by rake time:zones:all +time_zone: 'Tallinn' # more zones by rake time:zones:all # New Relic app name, keep only current mode, remove other names. # Example: 'Admin, EPP, REPP' will have name 'Admin, EPP, REPP - production' at New Relic. 
@@ -25,7 +25,7 @@ ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' ca_key_password: 'your-root-key-password' # EPP server configuration -webclient_ip: '127.0.0.1' +webclient_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas webclient_cert_common_name: 'webclient' # Contact epp will not accept org value by default # and returns 2306 "Parameter value policy error" @@ -72,7 +72,7 @@ sk_digi_doc_service_name: 'EIS test' # Autotest config overwrites test: - webclient_ip: '127.0.0.1' # it should match to localhost ip address + webclient_ips: '127.0.0.1' # it should match to localhost ip address crl_dir: '/var/lib/jenkins/workspace/registry/ca/crl' crl_path: '/var/lib/jenkins/workspace/registry/ca/crl/crl.pem' ca_cert_path: '/var/lib/jenkins/workspace/registry/ca/certs/ca.crt.pem' diff --git a/config/initializers/env_required.rb b/config/initializers/env_required.rb index d5921a161..585fd9031 100644 --- a/config/initializers/env_required.rb +++ b/config/initializers/env_required.rb @@ -7,7 +7,7 @@ required = %w( ca_cert_path ca_key_path ca_key_password - webclient_ip + webclient_ips legal_documents_dir bank_statement_import_dir time_zone diff --git a/doc/certificates.md b/doc/certificates.md index 2e400ac66..9d9a4ca7c 100644 --- a/doc/certificates.md +++ b/doc/certificates.md @@ -100,7 +100,7 @@ Configure registry registry/shared/config/application.yml to match the CA settin Configure registry epp registry-epp/shared/config/application.yml: - webclient_ip: '54.154.91.240' + webclient_ips: '54.154.91.240' Configure EPP port 700 virtual host: diff --git a/spec/requests/v1/account_spec.rb b/spec/requests/v1/account_spec.rb index 5a8fd6b0d..712502bf2 100644 --- a/spec/requests/v1/account_spec.rb +++ b/spec/requests/v1/account_spec.rb 
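Review bot: The example value `'127.0.0.1,0.0.0.0'` suggests that 0.0.0.0 acts as a wildcard, but the code added in this commit matches entries by exact string equality with `request.ip`, and any address that matches bypasses the registrar IP whitelist in `ip_white?`. Ship the example with real webclient addresses only and state the matching rule in the comment: `webclient_ips: '127.0.0.1' # exact IPs of webclient hosts, comma separated; no ranges or wildcards`.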
@@ -2,7 +2,7 @@ require 'rails_helper' describe Repp::AccountV1 do it 'should fail without whitelisted IP' do - ENV['webclient_ip'] = '192.188.1.1' + ENV['webclient_ips'] = '192.188.1.1' @registrar1 = Fabricate(:registrar, white_ips: [Fabricate(:white_ip_registrar)]) @api_user = Fabricate(:api_user, registrar: @registrar1) @@ -11,7 +11,7 @@ describe Repp::AccountV1 do body = JSON.parse(response.body) body['error'].should == 'IP is not whitelisted' - ENV['webclient_ip'] = '127.0.0.1' + ENV['webclient_ips'] = '127.0.0.1' end context 'with valid registrar' do From ff5ee99e40ac5902cc723064c9ada8c959dc9ea7 Mon Sep 17 00:00:00 2001 From: Martin Lensment Date: Mon, 20 Jul 2015 17:02:28 +0300 Subject: [PATCH 19/20] Update changelog #2744 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e59ffa327..60551518f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +20.07.2015 +* New syntax for setting webclient IP-s (see config/application-example.yml) + 14.07.2015 * Updated que init script doc example, now status and stop works faster From f0b015bddf48c802434072da4a93ce2a314cfc1b Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Tue, 21 Jul 2015 17:29:16 +0300 Subject: [PATCH 20/20] Possible to overwrite trusted proxies list #2769 --- CHANGELOG.md | 5 +++++ config/application-example.yml | 4 ++++ config/initializers/eis_custom_rack.rb | 14 ++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 config/initializers/eis_custom_rack.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index 60551518f..a97d6d7b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,9 @@ +21.07.2015 + +* Possible to define custom trusted proxies at application.yml + 20.07.2015 + * New syntax for setting webclient IP-s (see config/application-example.yml) 14.07.2015 diff --git a/config/application-example.yml b/config/application-example.yml index 7f6bc4250..5cba1c9b2 100644 --- a/config/application-example.yml 
+++ b/config/application-example.yml @@ -31,6 +31,10 @@ webclient_cert_common_name: 'webclient' # and returns 2306 "Parameter value policy error" contact_org_enabled: 'false' +# Overwrite rack default trusted proxies list in order to +# enable test external interfaces EPP/REPP from webserver network +# eis_trusted_proxies: '1.1.1.1,2.2.2.2' #ips, separated with commas + # Enable iptables counter updater # iptables_counter_enabled: 'true' diff --git a/config/initializers/eis_custom_rack.rb b/config/initializers/eis_custom_rack.rb new file mode 100644 index 000000000..52dbd8244 --- /dev/null +++ b/config/initializers/eis_custom_rack.rb @@ -0,0 +1,14 @@ +# EIS custom rack hack in order to enable test external interfaces EPP/REPP inside webserver network +# rubocop:disable Metrics/LineLength +module Rack + class Request + def trusted_proxy?(ip) + if ENV['eis_trusted_proxies'] + ENV['eis_trusted_proxies'].split(',').map(&:strip).include?(ip) + else + ip =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i + end + end + end +end +# rubocop:enable Metrics/LineLength
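Review bot: When `eis_trusted_proxies` is set, this override replaces Rack's whole default list rather than extending it, and every address listed becomes able to supply the X-Forwarded-For value that `request.ip` returns, which is the value the webclient and registrar whitelist checks in this series compare against. The header comment calls this a test aid, so the initializer should state that the variable must stay unset in production or list only the real front-end proxies. An empty string currently yields an empty list that trusts nothing, including loopback. Copying Rack's regex also means the default branch will not follow later Rack updates; prepending a module and calling `super` keeps the stock behaviour, as in the excerpt below.

```ruby
# Only the real front-end proxies belong in eis_trusted_proxies: each entry
# may set X-Forwarded-For, which decides request.ip for the IP whitelists.
module EisTrustedProxies
  def trusted_proxy?(ip)
    configured = ENV['eis_trusted_proxies'].to_s.split(',').map(&:strip).reject(&:empty?)
    return super if configured.empty? # fall back to Rack's own default list
    configured.include?(ip)
  end
end
Rack::Request.send(:prepend, EisTrustedProxies)
```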