Allow specifying multiple ips for webclients #2744

2025-05-17 17:59:47 +02:00 · 2015-07-20 16:57:12 +03:00 · 2015-07-20 16:57:12 +03:00 · dff7e3047d
commit dff7e3047d
parent 7743f7caac
6 changed files with 15 additions and 12 deletions
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -8,7 +8,8 @@ module Repp
    end

    before do
-      if request.ip != ENV['webclient_ip']
+      webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+      unless webclient_request
        error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
      end

@ -20,7 +21,7 @@ module Repp
      message = 'Certificate mismatch! Cert common name should be:'
      request_name = env['HTTP_SSL_CLIENT_S_DN_CN']

-      if request.ip == ENV['webclient_ip']
+      if webclient_request
        webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
        error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
      else
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -13,7 +13,8 @@ class Epp::SessionsController < EppController
    success = true
    @api_user = ApiUser.find_by(login_params)

-    if request.ip == ENV['webclient_ip'] && !Rails.env.test? && !Rails.env.development?
+    webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+    if webclient_request && !Rails.env.test? && !Rails.env.development?
      client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
      server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
      if client_md5 != server_md5
@ -22,7 +23,7 @@ class Epp::SessionsController < EppController
      end
    end

-    if request.ip != ENV['webclient_ip'] && @api_user
+    if !webclient_request && @api_user
      unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
        @msg = 'Authentication error; server closing connection (certificate is not valid)'
        success = false
@ -71,7 +72,8 @@ class Epp::SessionsController < EppController
  # rubocop: enable Metrics/CyclomaticComplexity

  def ip_white?
-    return true if request.ip == ENV['webclient_ip']
+    webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+    return true if webclient_request
    if @api_user
      return false unless @api_user.registrar.api_ip_white?(request.ip)
    end
--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -4,7 +4,7 @@ app_name: '.EE Registry'
 zonefile_export_dir: 'export/zonefiles'
 bank_statement_import_dir: 'import/bank_statements'
 legal_documents_dir: 'import/legal_documents'
-time_zone: 'Tallinn' # more zones by rake time:zones:all  
+time_zone: 'Tallinn' # more zones by rake time:zones:all

 # New Relic app name, keep only current mode, remove other names.
 # Example: 'Admin, EPP, REPP' will have name 'Admin, EPP, REPP - production' at New Relic.
@ -25,7 +25,7 @@ ca_key_path:  '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'your-root-key-password'

 # EPP server configuration
-webclient_ip: '127.0.0.1'
+webclient_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas
 webclient_cert_common_name: 'webclient'
 # Contact epp will not accept org value by default
 # and returns 2306 "Parameter value policy error"
@ -72,7 +72,7 @@ sk_digi_doc_service_name: 'EIS test'

 # Autotest config overwrites
 test:
-  webclient_ip: '127.0.0.1' # it should match to localhost ip address
+  webclient_ips: '127.0.0.1' # it should match to localhost ip address
  crl_dir:      '/var/lib/jenkins/workspace/registry/ca/crl'
  crl_path:     '/var/lib/jenkins/workspace/registry/ca/crl/crl.pem'
  ca_cert_path: '/var/lib/jenkins/workspace/registry/ca/certs/ca.crt.pem'
--- a/config/initializers/env_required.rb
+++ b/config/initializers/env_required.rb
@ -7,7 +7,7 @@ required = %w(
  ca_cert_path
  ca_key_path
  ca_key_password
-  webclient_ip
+  webclient_ips
  legal_documents_dir
  bank_statement_import_dir
  time_zone
--- a/doc/certificates.md
+++ b/doc/certificates.md
@ -100,7 +100,7 @@ Configure registry registry/shared/config/application.yml to match the CA settin

 Configure registry epp registry-epp/shared/config/application.yml:

-    webclient_ip: '54.154.91.240'
+    webclient_ips: '54.154.91.240'

 Configure EPP port 700 virtual host:

--- a/spec/requests/v1/account_spec.rb
+++ b/spec/requests/v1/account_spec.rb
@ -2,7 +2,7 @@ require 'rails_helper'

 describe Repp::AccountV1 do
  it 'should fail without whitelisted IP' do
-    ENV['webclient_ip'] = '192.188.1.1'
+    ENV['webclient_ips'] = '192.188.1.1'
    @registrar1 = Fabricate(:registrar, white_ips: [Fabricate(:white_ip_registrar)])
    @api_user = Fabricate(:api_user, registrar: @registrar1)

@ -11,7 +11,7 @@ describe Repp::AccountV1 do
    body = JSON.parse(response.body)

    body['error'].should == 'IP is not whitelisted'
-    ENV['webclient_ip'] = '127.0.0.1'
+    ENV['webclient_ips'] = '127.0.0.1'
  end

  context 'with valid registrar' do