From d26dd3da98e7d91702ecc968addb0d66d4a8cb74 Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Fri, 14 Aug 2015 17:34:05 +0300
Subject: [PATCH] Check API whitelist IP-s when loggin into registrar with pw #2713
---
 .../registrar/sessions_controller.rb | 26 ++++++++++++++++++-
 app/models/api_user.rb | 7 +++++
 app/models/registrar.rb | 12 +++------
 app/models/white_ip.rb | 8 ++----
 .../contacts/form_partials/_general.haml | 2 --
 5 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 6875d9291..53e858564 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -47,6 +47,16 @@ class Registrar::SessionsController < Devise::SessionsController
 end
 end
 
+ unless @api_user.registrar.registrar_ip_white?(request.ip)
+ @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
+ end
+
+ if @api_user.can_make_api_calls?
+ unless @api_user.registrar.api_ip_white?(request.ip)
+ @depp_user.errors.add(:base, I18n.t(:ip_is_not_whitelisted))
+ end
+ end
+
 if @depp_user.errors.none? && @depp_user.valid?
 if @api_user.active?
 sign_in @api_user
@@ -64,9 +74,23 @@ class Registrar::SessionsController < Devise::SessionsController
 # rubocop:enable Metrics/MethodLength
 # rubocop:enable Metrics/AbcSize
 
- def switch_user
+ def switch_user # rubocop:disable Metrics/CyclomaticComplexity
 @api_user = ApiUser.find(params[:id])
+
+ unless @api_user.registrar.registrar_ip_white?(request.ip)
+ flash[:alert] = I18n.t(:ip_is_not_whitelisted)
+ redirect_to :back and return
+ end
+
+ if @api_user.can_make_api_calls?
+ unless @api_user.registrar.api_ip_white?(request.ip)
+ flash[:alert] = I18n.t(:ip_is_not_whitelisted)
+ redirect_to :back and return
+ end
+ end
+
 sign_in @api_user if @api_user.identity_code == current_user.identity_code
+
 redirect_to :back
 end
 
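Review bot: The same two-step whitelist decision is spelled out here and again in `switch_user` in the next hunk, and when both lists reject the address this version adds `:ip_is_not_whitelisted` to `@depp_user.errors` twice; a private predicate such as `def ip_whitelisted?(user, ip); user.registrar.registrar_ip_white?(ip) && (!user.can_make_api_calls? || user.registrar.api_ip_white?(ip)); end` keeps both call sites in step and yields a single error. Both checks rest on `request.ip`, which Rails derives from the forwarding headers according to `config.action_dispatch.trusted_proxies`; whether that is the real client address depends on the deployment, so the assumption deserves a comment beside the check, e.g. `# request.ip is only the client address if every proxy in front of the app is listed in trusted_proxies`. The enclosing method starts before this hunk.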
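Review bot: In `switch_user` the two whitelist lookups run before the `identity_code` comparison, so a signed-in user can submit any `params[:id]` and learn from the flash whether that account's registrar accepts the caller's address, whereas a mismatching id otherwise redirects silently. Putting the ownership test first, `return redirect_to :back unless @api_user.identity_code == current_user.identity_code`, preserves the existing behaviour for foreign ids and evaluates the whitelist only for accounts the user is actually allowed to switch to. The two added `redirect_to :back and return` exits also share the pre-existing caveat that `redirect_to :back` raises `ActionController::RedirectBackError` when the request carries no Referer header.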
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 51f4d54b9..a8e0174bd 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -24,6 +24,9 @@ class ApiUser < User
 
 attr_accessor :registrar_typeahead
 
+ SUPER = 'super'
+ EPP = 'epp'
+
 ROLES = %w(super epp billing) # should not match to admin roles
 
 def ability
@@ -41,6 +44,10 @@ class ApiUser < User
 @registrar_typeahead || registrar || nil
 end
 
+ def can_make_api_calls?
+ ([SUPER, EPP] & roles).any?
+ end
+
 def to_s
 username
 end
diff --git a/app/models/registrar.rb b/app/models/registrar.rb
index 0110e5a16..5afaad52e 100644
--- a/app/models/registrar.rb
+++ b/app/models/registrar.rb
@@ -45,8 +45,8 @@ class Registrar < ActiveRecord::Base
 end
 end
 
- validates :email, :billing_email,
- email_format: { message: :invalid },
+ validates :email, :billing_email,
+ email_format: { message: :invalid },
 allow_blank: true, if: proc { |c| c.email_changed? }
 
 WHOIS_TRIGGERS = %w(name email phone street city state zip)
@@ -165,15 +165,11 @@ class Registrar < ActiveRecord::Base
 
 def api_ip_white?(ip)
 return true unless Setting.api_ip_whitelist_enabled
- white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
+ white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip)
 end
 
 def registrar_ip_white?(ip)
 return true unless Setting.registrar_ip_whitelist_enabled
- white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
- end
-
- def global_ip_white?(ip)
- white_ips.global.pluck(:ipv4, :ipv6).flatten.include?(ip)
+ white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip)
 end
 end
diff --git a/app/models/white_ip.rb b/app/models/white_ip.rb
index d8f9dd7fa..7a35a33f6 100644
--- a/app/models/white_ip.rb
+++ b/app/models/white_ip.rb
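Review bot: `can_make_api_calls?` evaluates `[SUPER, EPP] & roles`, which raises a TypeError if `roles` is ever nil rather than an array; unless the column is guaranteed non-null, `([SUPER, EPP] & Array(roles)).any?` is the safer form. The method also deserves a one-line comment saying that it gates the API-interface IP check performed at login, since the name alone does not explain why only these two roles count. The new `SUPER`/`EPP` constants leave `ROLES = %w(super epp billing)` in the previous hunk spelling the same values a second time; `ROLES = [SUPER, EPP, 'billing']` (or a matching `BILLING` constant) keeps the two from drifting apart.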
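Review bot: `api_ip_white?` and `registrar_ip_white?` test membership over `pluck(:ipv4, :ipv6).flatten`, and a row that fills only one of the two columns contributes a nil to that array, so `include?(nil)` is true whenever `ip` arrives as nil; `request.ip` should not be nil in normal operation, but a `return false if ip.blank?` guard (or `.flatten.compact`) makes the whitelist fail closed rather than open. The comparison is also a plain string match, so the stored text form must equal exactly what `request.ip` produces, and IPv6 addresses have several equivalent spellings; if addresses are not normalised on write, normalising both sides through `IPAddr` before comparing is worth considering.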
@@ -15,12 +15,10 @@ class WhiteIp < ActiveRecord::Base
 
 API = 'api'
 REGISTRAR = 'registrar'
- GLOBAL = 'global'
- INTERFACES = [GLOBAL, API, REGISTRAR]
+ INTERFACES = [API, REGISTRAR]
 
 scope :api, -> { where(interface: API) }
 scope :registrar, -> { where(interface: REGISTRAR) }
- scope :global, -> { where(interface: GLOBAL) }
 
 class << self
 def registrar_ip_white?(ip)
@@ -28,9 +26,7 @@ class WhiteIp < ActiveRecord::Base
 
 at = WhiteIp.arel_table
 WhiteIp.where(
- at[:interface].eq(REGISTRAR).or(
- at[:interface].eq(GLOBAL)
- ).and(
+ at[:interface].eq(REGISTRAR).and(
 at[:ipv4].eq(ip)
 )
 ).any?
diff --git a/app/views/registrar/contacts/form_partials/_general.haml b/app/views/registrar/contacts/form_partials/_general.haml
index c695d6ada..b5f9eb0f9 100644
--- a/app/views/registrar/contacts/form_partials/_general.haml
+++ b/app/views/registrar/contacts/form_partials/_general.haml
@@ -64,5 +64,3 @@
 .col-md-7
 = f.text_field :phone, class: 'form-control', placeholder: '+372.12323344', required: true
 
-
-
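Review bot: Dropping `GLOBAL` from `INTERFACES` and removing the `global` scope leaves any existing `white_ips` rows with `interface = 'global'` matched by neither remaining scope, so those entries silently stop whitelisting anything after deploy; the patch contains no data migration that re-tags or deletes them, so one should accompany this change or be confirmed to exist elsewhere. A short comment on `INTERFACES`, e.g. `# 'global' was dropped in #2713; rows still carrying that value are no longer consulted`, would also help whoever meets such a row later.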
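Review bot: The rewritten class-level `registrar_ip_white?` still compares only `at[:ipv4]`, while `Registrar#registrar_ip_white?` in this same patch consults both the `ipv4` and `ipv6` columns, so an IPv6 client can pass one check and fail the other depending on which is called; if both are meant to express the same rule the `ipv6` column should be included here as well. With the `or` branch gone the Arel builder no longer buys anything, and `WhiteIp.where(interface: REGISTRAR, ipv4: ip).exists?` states the same predicate more directly. The enclosing method begins in the previous hunk.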