#3733 whitelist de réseaux pour éviter les connexions sécurisées
Ip whitelist for secured connection
This commit is contained in:
commit
4e6f20f660
5 changed files with 119 additions and 10 deletions
|
@ -175,6 +175,7 @@ class ApplicationController < ActionController::Base
|
|||
if gestionnaire_signed_in? &&
|
||||
sensitive_path &&
|
||||
Flipflop.enable_email_login_token? &&
|
||||
!IPService.ip_trusted?(request.headers['X-Forwarded-For']) &&
|
||||
!trusted_device?
|
||||
|
||||
# return at this location
|
||||
|
|
36
app/services/ip_service.rb
Normal file
36
app/services/ip_service.rb
Normal file
|
@ -0,0 +1,36 @@
|
|||
class IPService
|
||||
class << self
|
||||
def ip_trusted?(ip)
|
||||
ip_address = parse_address(ip)
|
||||
|
||||
if ip_address.nil?
|
||||
false
|
||||
elsif trusted_networks.present?
|
||||
trusted_networks.any? { |network| network.include?(ip_address) }
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def trusted_networks
|
||||
if ENV['TRUSTED_NETWORKS'].present?
|
||||
ENV['TRUSTED_NETWORKS']
|
||||
.split
|
||||
.map { |string| parse_address(string) }
|
||||
.compact
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
|
||||
def parse_address(address)
|
||||
begin
|
||||
IPAddr.new(address)
|
||||
rescue
|
||||
nil
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -57,6 +57,8 @@ API_ENTREPRISE_KEY=""
|
|||
|
||||
PIPEDRIVE_KEY=""
|
||||
|
||||
TRUSTED_NETWORKS=""
|
||||
|
||||
SKYLIGHT_AUTHENTICATION_KEY=""
|
||||
|
||||
LOGRAGE_ENABLED="disabled"
|
||||
|
|
|
@ -158,6 +158,7 @@ describe ApplicationController, type: :controller do
|
|||
allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
|
||||
allow(@controller).to receive(:send_login_token_or_bufferize)
|
||||
allow(@controller).to receive(:store_location_for)
|
||||
allow(IPService).to receive(:ip_trusted?).and_return(ip_trusted)
|
||||
end
|
||||
|
||||
subject { @controller.send(:redirect_if_untrusted) }
|
||||
|
@ -173,12 +174,16 @@ describe ApplicationController, type: :controller do
|
|||
Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
|
||||
end
|
||||
|
||||
context 'when the device is trusted' do
|
||||
let(:trusted_device) { true }
|
||||
context 'when the ip is not trusted' do
|
||||
let(:ip_trusted) { false }
|
||||
|
||||
before { subject }
|
||||
context 'when the device is trusted' do
|
||||
let(:trusted_device) { true }
|
||||
|
||||
it { expect(@controller).not_to have_received(:redirect_to) }
|
||||
before { subject }
|
||||
|
||||
it { expect(@controller).not_to have_received(:redirect_to) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -187,14 +192,30 @@ describe ApplicationController, type: :controller do
|
|||
Flipflop::FeatureSet.current.test!.switch!(:enable_email_login_token, true)
|
||||
end
|
||||
|
||||
context 'when the device is not trusted' do
|
||||
let(:trusted_device) { false }
|
||||
context 'when the ip is untrusted' do
|
||||
let(:ip_trusted) { false }
|
||||
|
||||
before { subject }
|
||||
context 'when the device is not trusted' do
|
||||
let(:trusted_device) { false }
|
||||
|
||||
it { expect(@controller).to have_received(:redirect_to) }
|
||||
it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
|
||||
it { expect(@controller).to have_received(:store_location_for) }
|
||||
before { subject }
|
||||
|
||||
it { expect(@controller).to have_received(:redirect_to) }
|
||||
it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
|
||||
it { expect(@controller).to have_received(:store_location_for) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the ip is trusted' do
|
||||
let(:ip_trusted) { true }
|
||||
|
||||
context 'when the device is not trusted' do
|
||||
let(:trusted_device) { false }
|
||||
|
||||
before { subject }
|
||||
|
||||
it { expect(@controller).not_to have_received(:redirect_to) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
49
spec/services/ip_service_spec.rb
Normal file
49
spec/services/ip_service_spec.rb
Normal file
|
@ -0,0 +1,49 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe IPService do
|
||||
describe '.ip_trusted?' do
|
||||
subject { IPService.ip_trusted?(ip) }
|
||||
|
||||
context 'when the ip is nil' do
|
||||
let(:ip) { nil }
|
||||
|
||||
it { is_expected.to be(false) }
|
||||
end
|
||||
|
||||
context 'when the ip is defined' do
|
||||
let(:ip) { '192.168.1.10' }
|
||||
|
||||
context 'when it belongs to a trusted network' do
|
||||
before do
|
||||
ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8 192.168.0.0/16 bad_network'
|
||||
end
|
||||
|
||||
it { is_expected.to be(true) }
|
||||
end
|
||||
|
||||
context 'when it does not belong to a trusted network' do
|
||||
before do
|
||||
ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8'
|
||||
end
|
||||
|
||||
it { is_expected.to be(false) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when a trusted network is defined' do
|
||||
before { ENV['TRUSTED_NETWORKS'] = '10.0.0.0/8' }
|
||||
|
||||
context 'when the ip is nil' do
|
||||
let(:ip) { nil }
|
||||
|
||||
it { is_expected.to be(false) }
|
||||
end
|
||||
|
||||
context 'when the ip is badly formatted' do
|
||||
let(:ip) { 'yop' }
|
||||
|
||||
it { is_expected.to be(false) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue