From ffebff72dd54805238df2a7e6fdc50aab848e166 Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Mon, 29 Jun 2015 12:31:47 +0300
Subject: [PATCH] Add feature to disable IP whitelist #2707
---
 app/controllers/registrar_controller.rb | 1 -
 app/models/registrar.rb | 4 +++-
 app/models/white_ip.rb | 2 ++
 app/views/admin/settings/index.haml | 2 ++
 config/initializers/initial_settings.rb | 3 +++
 spec/features/registrar/sessions_spec.rb | 22 ++++++++++++++++++++++
 6 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/app/controllers/registrar_controller.rb b/app/controllers/registrar_controller.rb
index e1b6b5a3c..37ec99bfd 100644
--- a/app/controllers/registrar_controller.rb
+++ b/app/controllers/registrar_controller.rb
@@ -1,6 +1,5 @@
 class RegistrarController < ApplicationController
 before_action :authenticate_user!, :check_ip
- # before_action :check_ip
 layout 'registrar/application'
 include Registrar::ApplicationHelper
diff --git a/app/models/registrar.rb b/app/models/registrar.rb
index bc4eb3297..2cb375ea6 100644
--- a/app/models/registrar.rb
+++ b/app/models/registrar.rb
@@ -75,7 +75,7 @@ class Registrar < ActiveRecord::Base
 # rubocop:disable Metrics/AbcSize
 # rubocop:disable Metrics/MethodLength
- def issue_prepayment_invoice(amount, description = nil)
+ def issue_prepayment_invoice(amount, description = nil)
 # Currently only EIS can issue invoices
 eis = self.class.eis
@@ -157,10 +157,12 @@ class Registrar < ActiveRecord::Base
 end
 def api_ip_white?(ip)
+ return true unless Setting.api_ip_whitelist_enabled
 white_ips.api.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
 end
 def registrar_ip_white?(ip)
+ return true unless Setting.registrar_ip_whitelist_enabled
 white_ips.registrar.pluck(:ipv4, :ipv6).flatten.include?(ip) || global_ip_white?(ip)
 end
diff --git a/app/models/white_ip.rb b/app/models/white_ip.rb
index f62cb2f9f..d8f9dd7fa 100644
--- a/app/models/white_ip.rb
+++ b/app/models/white_ip.rb
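Review bot: Both guards added in `api_ip_white?` and `registrar_ip_white?` (registrar.rb, hunk at line 157) fail open, because `return true unless Setting.api_ip_whitelist_enabled` also returns true when the setting reads as nil, not only when an admin has set it to false. The defaults are written by the initializer only when the settings table exists (the `con.table_exists?('settings')` guard in the initial_settings.rb hunk), so a missing or deleted row would presumably switch the IP check off without anyone having disabled it. Comparing against false explicitly keeps the check enforced in that case, e.g. `return true if Setting.api_ip_whitelist_enabled == false`. The same applies to the guard added to `WhiteIp.registrar_ip_white?` in white_ip.rb.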
@@ -24,6 +24,8 @@ class WhiteIp < ActiveRecord::Base
 class << self
 def registrar_ip_white?(ip)
+ return true unless Setting.registrar_ip_whitelist_enabled
+
 at = WhiteIp.arel_table
 WhiteIp.where(
 at[:interface].eq(REGISTRAR).or(
diff --git a/app/views/admin/settings/index.haml b/app/views/admin/settings/index.haml
index cd0e1d9a4..3838e7e5b 100644
--- a/app/views/admin/settings/index.haml
+++ b/app/views/admin/settings/index.haml
@@ -67,6 +67,8 @@
 = render 'setting_row', var: :transfer_wait_time
 = render 'setting_row', var: :ds_algorithm
 = render 'setting_row', var: :client_side_status_editing_enabled
+ = render 'setting_row', var: :api_ip_whitelist_enabled
+ = render 'setting_row', var: :registrar_ip_whitelist_enabled
 .row
 .col-md-12.text-right
 %button.btn.btn-primary=t(:save)
diff --git a/config/initializers/initial_settings.rb b/config/initializers/initial_settings.rb
index 3f63f3ecd..b34cb2510 100644
--- a/config/initializers/initial_settings.rb
+++ b/config/initializers/initial_settings.rb
@@ -34,6 +34,9 @@ if con.present? && con.table_exists?('settings')
 Setting.save_default(:days_to_renew_domain_before_expire, 90)
 Setting.save_default(:expire_warning_period, 15)
 Setting.save_default(:redemption_grace_period, 30)
+
+ Setting.save_default(:registrar_ip_whitelist_enabled, true)
+ Setting.save_default(:api_ip_whitelist_enabled, true)
 end
 # dev only setting
diff --git a/spec/features/registrar/sessions_spec.rb b/spec/features/registrar/sessions_spec.rb
index af68065df..07db0774a 100644
--- a/spec/features/registrar/sessions_spec.rb
+++ b/spec/features/registrar/sessions_spec.rb
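Review bot: The two defaults added to initial_settings.rb sit among routine registry timings with nothing marking them as access-control switches. A short comment above them would tell the next maintainer that `true` is the enforcing value, for example `# IP whitelists are enforced by default; false makes the *_ip_white? checks accept every address`. The enclosing `if con.present? && con.table_exists?('settings')` block starts outside the hunk.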
@@ -8,6 +8,14 @@ feature 'Sessions', type: :feature do
 page.should have_text('Access denied')
 end
+ it 'should see login page when whitelist disabled' do
+ Setting.registrar_ip_whitelist_enabled = false
+ WhiteIp.destroy_all
+ visit registrar_login_path
+ page.should_not have_text('Access denied')
+ Setting.registrar_ip_whitelist_enabled = true
+ end
+
 it 'should see log in' do
 @fixed_registrar.white_ips = [Fabricate(:white_ip_registrar)]
 visit registrar_login_path
@@ -26,6 +34,20 @@ feature 'Sessions', type: :feature do
 page.should have_text('Access denied')
 end
+ it 'should get in with invalid when whitelist disabled' do
+ Setting.registrar_ip_whitelist_enabled = false
+ Fabricate(:registrar, white_ips: [Fabricate(:white_ip), Fabricate(:white_ip_registrar)])
+ @api_user_invalid_ip = Fabricate(
+ :api_user, identity_code: '37810013294', registrar: Fabricate(:registrar, white_ips: [])
+ )
+ visit registrar_login_path
+ fill_in 'depp_user_tag', with: @api_user_invalid_ip.username
+ fill_in 'depp_user_password', with: @api_user_invalid_ip.password
+ click_button 'Log in'
+ page.should have_text('Log out')
+ Setting.registrar_ip_whitelist_enabled = true
+ end
+
 it 'should not get in with invalid user' do
 visit registrar_login_path
 fill_in 'depp_user_tag', with: 'bla'
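Review bot: Both new examples restore `Setting.registrar_ip_whitelist_enabled = true` as their last statement, so a failing expectation earlier in the example skips the reset and could leave the whitelist disabled for the examples that run afterwards, including the existing 'Access denied' checks. Moving the reset into a hook, `after { Setting.registrar_ip_whitelist_enabled = true }`, makes it run whatever the outcome. This applies to `should see login page when whitelist disabled` in the first hunk and to `should get in with invalid when whitelist disabled` in the second. Nothing in these hunks exercises `api_ip_whitelist_enabled`, so the API-side guard appears to be untested by this patch.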