#3733 whitelist de réseaux pour éviter les connexions sécurisées

Ip whitelist for secured connection
This commit is contained in:
LeSim 2019-04-03 15:29:27 +02:00 committed by GitHub
commit 4e6f20f660
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 119 additions and 10 deletions

View file

@ -175,6 +175,7 @@ class ApplicationController < ActionController::Base
if gestionnaire_signed_in? &&
sensitive_path &&
Flipflop.enable_email_login_token? &&
!IPService.ip_trusted?(request.headers['X-Forwarded-For']) &&
!trusted_device?
# return at this location

View file

@ -0,0 +1,36 @@
class IPService
class << self
def ip_trusted?(ip)
ip_address = parse_address(ip)
if ip_address.nil?
false
elsif trusted_networks.present?
trusted_networks.any? { |network| network.include?(ip_address) }
else
false
end
end
private
def trusted_networks
if ENV['TRUSTED_NETWORKS'].present?
ENV['TRUSTED_NETWORKS']
.split
.map { |string| parse_address(string) }
.compact
else
[]
end
end
def parse_address(address)
begin
IPAddr.new(address)
rescue
nil
end
end
end
end

View file

@ -57,6 +57,8 @@ API_ENTREPRISE_KEY=""
PIPEDRIVE_KEY=""
TRUSTED_NETWORKS=""
SKYLIGHT_AUTHENTICATION_KEY=""
LOGRAGE_ENABLED="disabled"

View file

@ -158,6 +158,7 @@ describe ApplicationController, type: :controller do
allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
allow(@controller).to receive(:send_login_token_or_bufferize)
allow(@controller).to receive(:store_location_for)
allow(IPService).to receive(:ip_trusted?).and_return(ip_trusted)
end
subject { @controller.send(:redirect_if_untrusted) }
@ -173,12 +174,16 @@ describe ApplicationController, type: :controller do
Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
end
context 'when the device is trusted' do
let(:trusted_device) { true }
context 'when the ip is not trusted' do
let(:ip_trusted) { false }
before { subject }
context 'when the device is trusted' do
let(:trusted_device) { true }
it { expect(@controller).not_to have_received(:redirect_to) }
before { subject }
it { expect(@controller).not_to have_received(:redirect_to) }
end
end
end
@ -187,14 +192,30 @@ describe ApplicationController, type: :controller do
Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
end
context 'when the device is not trusted' do
let(:trusted_device) { false }
context 'when the ip is untrusted' do
let(:ip_trusted) { false }
before { subject }
context 'when the device is not trusted' do
let(:trusted_device) { false }
it { expect(@controller).to have_received(:redirect_to) }
it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
it { expect(@controller).to have_received(:store_location_for) }
before { subject }
it { expect(@controller).to have_received(:redirect_to) }
it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
it { expect(@controller).to have_received(:store_location_for) }
end
end
context 'when the ip is trusted' do
let(:ip_trusted) { true }
context 'when the device is not trusted' do
let(:trusted_device) { false }
before { subject }
it { expect(@controller).not_to have_received(:redirect_to) }
end
end
end
end

View file

@ -0,0 +1,49 @@
require 'spec_helper'
describe IPService do
describe '.ip_trusted?' do
subject { IPService.ip_trusted?(ip) }
context 'when the ip is nil' do
let(:ip) { nil }
it { is_expected.to be(false) }
end
context 'when the ip is defined' do
let(:ip) { '192.168.1.10' }
context 'when it belongs to a trusted network' do
before do
ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8 192.168.0.0/16 bad_network'
end
it { is_expected.to be(true) }
end
context 'when it does not belong to a trusted network' do
before do
ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8'
end
it { is_expected.to be(false) }
end
end
context 'when a trusted network is defined' do
before { ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8' }
context 'when the ip is nil' do
let(:ip) { nil }
it { is_expected.to be(false) }
end
context 'when the ip is badly formatted' do
let(:ip) { 'yop' }
it { is_expected.to be(false) }
end
end
end
end