#3733 whitelist de réseaux pour éviter les connexions sécurisées

Ip whitelist for secured connection
2019-04-03 15:29:27 +02:00 · 2019-04-03 15:29:27 +02:00 · 4e6f20f660
commit 4e6f20f660
parent 28c4dc8f60 6d42c8f08a
5 changed files with 119 additions and 10 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -175,6 +175,7 @@ class ApplicationController < ActionController::Base
    if gestionnaire_signed_in? &&
        sensitive_path &&
        Flipflop.enable_email_login_token? &&
+        !IPService.ip_trusted?(request.headers['X-Forwarded-For']) &&
        !trusted_device?

      # return at this location
--- a/app/services/ip_service.rb
+++ b/app/services/ip_service.rb
@ -0,0 +1,36 @@
+class IPService
+  class << self
+    def ip_trusted?(ip)
+      ip_address = parse_address(ip)
+
+      if ip_address.nil?
+        false
+      elsif trusted_networks.present?
+        trusted_networks.any? { |network| network.include?(ip_address) }
+      else
+        false
+      end
+    end
+
+    private
+
+    def trusted_networks
+      if ENV['TRUSTED_NETWORKS'].present?
+        ENV['TRUSTED_NETWORKS']
+          .split
+          .map { |string| parse_address(string) }
+          .compact
+      else
+        []
+      end
+    end
+
+    def parse_address(address)
+      begin
+        IPAddr.new(address)
+      rescue
+        nil
+      end
+    end
+  end
+end
--- a/config/env.example
+++ b/config/env.example
@ -57,6 +57,8 @@ API_ENTREPRISE_KEY=""

 PIPEDRIVE_KEY=""

+TRUSTED_NETWORKS=""
+
 SKYLIGHT_AUTHENTICATION_KEY=""

 LOGRAGE_ENABLED="disabled"
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@ -158,6 +158,7 @@ describe ApplicationController, type: :controller do
      allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
      allow(@controller).to receive(:send_login_token_or_bufferize)
      allow(@controller).to receive(:store_location_for)
+      allow(IPService).to receive(:ip_trusted?).and_return(ip_trusted)
    end

    subject { @controller.send(:redirect_if_untrusted) }
@ -173,12 +174,16 @@ describe ApplicationController, type: :controller do
            Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
          end

-          context 'when the device is trusted' do
-            let(:trusted_device) { true }
+          context 'when the ip is  not trusted' do
+            let(:ip_trusted) { false }

-            before { subject }
+            context 'when the device is trusted' do
+              let(:trusted_device) { true }

-            it { expect(@controller).not_to have_received(:redirect_to) }
+              before { subject }
+
+              it { expect(@controller).not_to have_received(:redirect_to) }
+            end
          end
        end

@ -187,14 +192,30 @@ describe ApplicationController, type: :controller do
            Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
          end

-          context 'when the device is not trusted' do
-            let(:trusted_device) { false }
+          context 'when the ip is untrusted' do
+            let(:ip_trusted) { false }

-            before { subject }
+            context 'when the device is not trusted' do
+              let(:trusted_device) { false }

-            it { expect(@controller).to have_received(:redirect_to) }
-            it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
-            it { expect(@controller).to have_received(:store_location_for) }
+              before { subject }
+
+              it { expect(@controller).to have_received(:redirect_to) }
+              it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
+              it { expect(@controller).to have_received(:store_location_for) }
+            end
+          end
+
+          context 'when the ip is trusted' do
+            let(:ip_trusted) { true }
+
+            context 'when the device is not trusted' do
+              let(:trusted_device) { false }
+
+              before { subject }
+
+              it { expect(@controller).not_to have_received(:redirect_to) }
+            end
          end
        end
      end
--- a/spec/services/ip_service_spec.rb
+++ b/spec/services/ip_service_spec.rb
@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe IPService do
+  describe '.ip_trusted?' do
+    subject { IPService.ip_trusted?(ip) }
+
+    context 'when the ip is nil' do
+      let(:ip) { nil }
+
+      it { is_expected.to be(false) }
+    end
+
+    context 'when the ip is defined' do
+      let(:ip) { '192.168.1.10' }
+
+      context 'when it belongs to a trusted network' do
+        before do
+          ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8 192.168.0.0/16 bad_network'
+        end
+
+        it { is_expected.to be(true) }
+      end
+
+      context 'when it does not belong to a trusted network' do
+        before do
+          ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8'
+        end
+
+        it { is_expected.to be(false) }
+      end
+    end
+
+    context 'when a trusted network is defined' do
+      before { ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8' }
+
+      context 'when the ip is nil' do
+        let(:ip) { nil }
+
+        it { is_expected.to be(false) }
+      end
+
+      context 'when the ip is badly formatted' do
+        let(:ip) { 'yop' }
+
+        it { is_expected.to be(false) }
+      end
+    end
+  end
+end