consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Restrict access to admin functions by IP

Browse Source 
There are many possible ways to implement this feature:

* Adding a custom middleware
* Using rack-attack with a blocklist
* Using routes constraints

We're choosing to use a controller concern with a redirect because it's
what we do to handle unauthorized cancancan exceptions.
This commit is contained in:
CoslaJohn
2024-07-22 17:15:39 +01:00
committed by Javi Martín
parent 07202fea10
commit 424cedc0c8
8 changed files with 175 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/admin/base_controller.rb
View File

@@ -1,4 +1,5 @@
class Admin::BaseController < ApplicationController class Admin::BaseController < ApplicationController
include IpDeniedHandler
layout "admin" layout "admin"
before_action :authenticate_user! before_action :authenticate_user!

17
app/controllers/concerns/ip_denied_handler.rb Normal file
View File

@@ -0,0 +1,17 @@
module IpDeniedHandler
extend ActiveSupport::Concern
included do
before_action :restrict_ip, unless: :allowed_ip?
end
private
def restrict_ip
redirect_to root_path, alert: t("ip_denied_handler.unauthorized")
end
def allowed_ip?
RestrictAdminIps.new(request.remote_ip).allowed?
end
end

37
app/lib/restrict_admin_ips.rb Normal file
View File

@@ -0,0 +1,37 @@
class RestrictAdminIps
attr_reader :ip
def initialize(ip)
@ip = ip
end
def allowed?
unrestricted_access? || allowed_ip?
end
private
def unrestricted_access?
allowed_ips.blank?
end
def allowed_ips
Array(Tenant.current_secrets.dig(:security, :allowed_admin_ips))
end
def allowed_ip?
normalized_allowed_ips.any? { |allowed_ip| allowed_ip.include?(ip) }
rescue IPAddr::Error
false
end
def normalized_allowed_ips
allowed_ips.map do |allowed_ip|
IPAddr.new(allowed_ip)
rescue IPAddr::Error
Rails.logger.warn "Your allowed_admin_ips configuration includes the " \
"address \"#{allowed_ip}\", which is not valid"
nil
end.compact
end
end

2
config/locales/en/general.yml
View File

@@ -759,6 +759,8 @@ en:
youtube: "%{org} YouTube" youtube: "%{org} YouTube"
telegram: "%{org} Telegram" telegram: "%{org} Telegram"
instagram: "%{org} Instagram" instagram: "%{org} Instagram"
ip_denied_handler:
unauthorized: "Access denied. Your IP address is not allowed."
unauthorized: unauthorized:
default: You do not have permission to access this page. default: You do not have permission to access this page.
manage: manage:

2
config/locales/es/general.yml
View File

@@ -759,6 +759,8 @@ es:
youtube: "YouTube de %{org}" youtube: "YouTube de %{org}"
telegram: "Telegram de %{org}" telegram: "Telegram de %{org}"
instagram: "Instagram de %{org}" instagram: "Instagram de %{org}"
ip_denied_handler:
unauthorized: "Acceso denegado. Tu IP no tiene permiso para ver este contenido."
unauthorized: unauthorized:
default: No tienes permiso para acceder a esta página. default: No tienes permiso para acceder a esta página.
manage: manage:

4
config/secrets.yml.example
View File

@@ -23,6 +23,7 @@ development:
devise_lockable: false devise_lockable: false
multitenancy: false multitenancy: false
security: security:
# allowed_admin_ips: ["123.45.67.89", "192.168.1.0/24"]
last_sign_in: false last_sign_in: false
password_complexity: false password_complexity: false
# lockable: # lockable:
@@ -64,6 +65,7 @@ staging:
managers_application_key: "" managers_application_key: ""
multitenancy: false multitenancy: false
security: security:
# allowed_admin_ips: ["123.45.67.89", "192.168.1.0/24"]
last_sign_in: false last_sign_in: false
password_complexity: false password_complexity: false
# lockable: # lockable:
@@ -118,6 +120,7 @@ preproduction:
managers_application_key: "" managers_application_key: ""
multitenancy: false multitenancy: false
security: security:
# allowed_admin_ips: ["123.45.67.89", "192.168.1.0/24"]
last_sign_in: false last_sign_in: false
password_complexity: false password_complexity: false
# lockable: # lockable:
@@ -171,6 +174,7 @@ production:
managers_application_key: "" managers_application_key: ""
multitenancy: false multitenancy: false
security: security:
# allowed_admin_ips: ["123.45.67.89", "192.168.1.0/24"]
last_sign_in: false last_sign_in: false
password_complexity: false password_complexity: false
# lockable: # lockable:

31
spec/controllers/admin/base_controller_spec.rb Normal file
View File

@@ -0,0 +1,31 @@
require "rails_helper"
describe Admin::BaseController, :admin do
controller do
def index
render plain: "Index"
end
end
describe "#restrict_ip" do
before do
stub_secrets(security: { allowed_admin_ips: ["1.2.3.4", "5.6.7.8"] })
end
it "renders the content when the IP is allowed" do
request.env["REMOTE_ADDR"] = "1.2.3.4"
get :index
expect(response).to be_successful
expect(response.body).to eq "Index"
end
it "redirects to the root path when the IP isn't allowed" do
request.env["REMOTE_ADDR"] = "9.10.11.12"
get :index
expect(response).to redirect_to root_path
expect(flash[:alert]).to eq "Access denied. Your IP address is not allowed."
end
end
end

81
spec/lib/restrict_admin_ips_spec.rb Normal file
View File

@@ -0,0 +1,81 @@
require "rails_helper"
describe RestrictAdminIps do
it "allows any IP when allowed_admin_ips isn't configured" do
stub_secrets(security: {})
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("whatever")).to be_allowed
end
it "allows any IP when allowed_admin_ips is empty" do
stub_secrets(security: { allowed_admin_ips: [] })
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("whatever")).to be_allowed
end
it "only allows IPs present in allowed_admin_ips" do
stub_secrets(security: { allowed_admin_ips: ["1.2.3.4", "5.6.7.8"] })
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("5.6.7.8")).to be_allowed
expect(RestrictAdminIps.new("9.9.9.9")).not_to be_allowed
expect(RestrictAdminIps.new("whatever")).not_to be_allowed
end
it "restricts every IP when there are only malformed IPs on the list" do
stub_secrets(security: { allowed_admin_ips: ["not_an_ip"] })
expect(RestrictAdminIps.new("1.2.3.4")).not_to be_allowed
expect(RestrictAdminIps.new("not_an_ip")).not_to be_allowed
end
it "ignores malformed IPs in the allowed_admin_ips list" do
stub_secrets(security: { allowed_admin_ips: ["1.2.3.4", "not_an_ip"] })
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("not_an_ip")).not_to be_allowed
end
it "supports ranges of IPs" do
stub_secrets(security: { allowed_admin_ips: ["1.2.3.0/16"] })
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("1.2.3.5")).to be_allowed
expect(RestrictAdminIps.new("5.6.7.8")).not_to be_allowed
end
context "tenant overwriting secrets" do
before do
stub_secrets({
security: {
allowed_admin_ips: ["1.2.3.4", "5.6.7.8"]
},
tenants: {
private: {
security: {
allowed_admin_ips: ["127.0.0.1", "192.168.1.1"]
}
}
}
})
end
it "uses the general secrets for the main tenant" do
expect(RestrictAdminIps.new("1.2.3.4")).to be_allowed
expect(RestrictAdminIps.new("5.6.7.8")).to be_allowed
expect(RestrictAdminIps.new("127.0.0.1")).not_to be_allowed
expect(RestrictAdminIps.new("192.168.1.1")).not_to be_allowed
end
it "uses the tenant secrets for a tenant" do
allow(Tenant).to receive(:current_schema).and_return("private")
expect(RestrictAdminIps.new("127.0.0.1")).to be_allowed
expect(RestrictAdminIps.new("192.168.1.1")).to be_allowed
expect(RestrictAdminIps.new("1.2.3.4")).not_to be_allowed
expect(RestrictAdminIps.new("5.6.7.8")).not_to be_allowed
end
end
end