#3733 whitelist de réseaux pour éviter les connexions sécurisées

Ip whitelist for secured connection

app/controllers/application_controller.rb

@@ -175,6 +175,7 @@ class ApplicationController < ActionController::Base
     if gestionnaire_signed_in? &&
         sensitive_path &&
         Flipflop.enable_email_login_token? &&
+        !IPService.ip_trusted?(request.headers['X-Forwarded-For']) &&
         !trusted_device?
 
       # return at this location

app/services/ip_service.rb

@@ -0,0 +1,36 @@
+class IPService
+  class << self
+    def ip_trusted?(ip)
+      ip_address = parse_address(ip)
+
+      if ip_address.nil?
+        false
+      elsif trusted_networks.present?
+        trusted_networks.any? { |network| network.include?(ip_address) }
+      else
+        false
+      end
+    end
+
+    private
+
+    def trusted_networks
+      if ENV['TRUSTED_NETWORKS'].present?
+        ENV['TRUSTED_NETWORKS']
+          .split
+          .map { |string| parse_address(string) }
+          .compact
+      else
+        []
+      end
+    end
+
+    def parse_address(address)
+      begin
+        IPAddr.new(address)
+      rescue
+        nil
+      end
+    end
+  end
+end

config/env.example

@@ -57,6 +57,8 @@ API_ENTREPRISE_KEY=""
 
 PIPEDRIVE_KEY=""
 
+TRUSTED_NETWORKS=""
+
 SKYLIGHT_AUTHENTICATION_KEY=""
 
 LOGRAGE_ENABLED="disabled"

spec/controllers/application_controller_spec.rb

@@ -158,6 +158,7 @@ describe ApplicationController, type: :controller do
       allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
       allow(@controller).to receive(:send_login_token_or_bufferize)
       allow(@controller).to receive(:store_location_for)
+      allow(IPService).to receive(:ip_trusted?).and_return(ip_trusted)
     end
 
     subject { @controller.send(:redirect_if_untrusted) }
@@ -173,12 +174,16 @@ describe ApplicationController, type: :controller do
             Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
           end
 
-          context 'when the device is trusted' do
+          context 'when the ip is  not trusted' do
-            let(:trusted_device) { true }
+            let(:ip_trusted) { false }
 
-            before { subject }
+            context 'when the device is trusted' do
+              let(:trusted_device) { true }
 
-            it { expect(@controller).not_to have_received(:redirect_to) }
+              before { subject }
+
+              it { expect(@controller).not_to have_received(:redirect_to) }
+            end
           end
         end
 
@@ -187,14 +192,30 @@ describe ApplicationController, type: :controller do
             Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
           end
 
-          context 'when the device is not trusted' do
+          context 'when the ip is untrusted' do
-            let(:trusted_device) { false }
+            let(:ip_trusted) { false }
 
-            before { subject }
+            context 'when the device is not trusted' do
+              let(:trusted_device) { false }
 
-            it { expect(@controller).to have_received(:redirect_to) }
+              before { subject }
-            it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
+
-            it { expect(@controller).to have_received(:store_location_for) }
+              it { expect(@controller).to have_received(:redirect_to) }
+              it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
+              it { expect(@controller).to have_received(:store_location_for) }
+            end
+          end
+
+          context 'when the ip is trusted' do
+            let(:ip_trusted) { true }
+
+            context 'when the device is not trusted' do
+              let(:trusted_device) { false }
+
+              before { subject }
+
+              it { expect(@controller).not_to have_received(:redirect_to) }
+            end
           end
         end
       end

spec/services/ip_service_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe IPService do
+  describe '.ip_trusted?' do
+    subject { IPService.ip_trusted?(ip) }
+
+    context 'when the ip is nil' do
+      let(:ip) { nil }
+
+      it { is_expected.to be(false) }
+    end
+
+    context 'when the ip is defined' do
+      let(:ip) { '192.168.1.10' }
+
+      context 'when it belongs to a trusted network' do
+        before do
+          ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8 192.168.0.0/16 bad_network'
+        end
+
+        it { is_expected.to be(true) }
+      end
+
+      context 'when it does not belong to a trusted network' do
+        before do
+          ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8'
+        end
+
+        it { is_expected.to be(false) }
+      end
+    end
+
+    context 'when a trusted network is defined' do
+      before { ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8' }
+
+      context 'when the ip is nil' do
+        let(:ip) { nil }
+
+        it { is_expected.to be(false) }
+      end
+
+      context 'when the ip is badly formatted' do
+        let(:ip) { 'yop' }
+
+        it { is_expected.to be(false) }
+      end
+    end
+  end
+end