Check API whitelist IP-s when loggin into registrar with pw #2713

app/controllers/registrar/sessions_controller.rb

@@ -47,6 +47,16 @@ class Registrar::SessionsController < Devise::SessionsController
       end
     end
 
+    unless @api_user.registrar.registrar_ip_white?(request.ip)
+      @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
+    end
+
+    if @api_user.can_make_api_calls?
+      unless @api_user.registrar.api_ip_white?(request.ip)
+        @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
+      end
+    end
+
     if @depp_user.errors.none? && @depp_user.valid?
       if @api_user.active?
         sign_in @api_user
@@ -64,9 +74,23 @@ class Registrar::SessionsController < Devise::SessionsController
   # rubocop:enable Metrics/MethodLength
   # rubocop:enable Metrics/AbcSize
 
-  def switch_user
+  def switch_user # rubocop:disable Metrics/CyclomaticComplexity
     @api_user = ApiUser.find(params[:id])
+
+    unless @api_user.registrar.registrar_ip_white?(request.ip)
+      flash[:alert] = I18n.t(:ip_is_not_whitelisted)
+      redirect_to :back and return
+    end
+
+    if @api_user.can_make_api_calls?
+      unless @api_user.registrar.api_ip_white?(request.ip)
+        flash[:alert] = I18n.t(:ip_is_not_whitelisted)
+        redirect_to :back and return
+      end
+    end
+
     sign_in @api_user if @api_user.identity_code == current_user.identity_code
+
     redirect_to :back
   end
 

app/models/api_user.rb

@@ -24,6 +24,9 @@ class ApiUser < User
 
   attr_accessor :registrar_typeahead
 
+  SUPER = 'super'
+  EPP = 'epp'
+
   ROLES = %w(super epp billing) # should not match to admin roles
 
   def ability
@@ -41,6 +44,10 @@ class ApiUser < User
     @registrar_typeahead || registrar || nil
   end
 
+  def can_make_api_calls?
+    ([SUPER, EPP] & roles).any?
+  end
+
   def to_s
     username
   end

app/models/registrar.rb

@@ -45,8 +45,8 @@ class Registrar < ActiveRecord::Base
     end
   end
 
-  validates :email, :billing_email, 
-    email_format: { message: :invalid }, 
+  validates :email, :billing_email,
+    email_format: { message: :invalid },
     allow_blank: true, if: proc { |c| c.email_changed? }
 
   WHOIS_TRIGGERS = %w(name email phone street city state zip)
@@ -165,15 +165,11 @@ class Registrar < ActiveRecord::Base
 
   def api_ip_white?(ip)
     return true unless Setting.api_ip_whitelist_enabled
-    white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
+    white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip)
   end
 
   def registrar_ip_white?(ip)
     return true unless Setting.registrar_ip_whitelist_enabled
-    white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
-  end
-
-  def global_ip_white?(ip)
-    white_ips.global.pluck(:ipv4, :ipv6).flatten.include?(ip)
+    white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip)
   end
 end

app/models/white_ip.rb

@@ -15,12 +15,10 @@ class WhiteIp < ActiveRecord::Base
 
   API = 'api'
   REGISTRAR = 'registrar'
-  GLOBAL = 'global'
-  INTERFACES = [GLOBAL, API, REGISTRAR]
+  INTERFACES = [API, REGISTRAR]
 
   scope :api, -> { where(interface: API) }
   scope :registrar, -> { where(interface: REGISTRAR) }
-  scope :global, -> { where(interface: GLOBAL) }
 
   class << self
     def registrar_ip_white?(ip)
@@ -28,9 +26,7 @@ class WhiteIp < ActiveRecord::Base
 
       at = WhiteIp.arel_table
       WhiteIp.where(
-        at[:interface].eq(REGISTRAR).or(
-          at[:interface].eq(GLOBAL)
-        ).and(
+        at[:interface].eq(REGISTRAR).and(
           at[:ipv4].eq(ip)
         )
       ).any?

app/views/registrar/contacts/form_partials/_general.haml

@@ -64,5 +64,3 @@
       .col-md-7
         = f.text_field :phone, class: 'form-control',
           placeholder: '+372.12323344', required: true
-
-