From 65ae5adbb8259b7932e0d56721a62316ebf8be9d Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Thu, 13 Jul 2023 11:19:11 +0300 Subject: [PATCH 1/8] Validation of user certificates --- app/controllers/repp/v1/base_controller.rb | 99 +++++++++++++++---- .../repp/v1/registrar/auth_controller.rb | 8 +- 2 files changed, 84 insertions(+), 23 deletions(-) diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index d2057599ea..3da75c6725 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -7,46 +7,78 @@ class BaseController < ActionController::API # rubocop:disable Metrics/ClassLeng before_action :authenticate_user before_action :set_locale before_action :validate_webclient_ca - before_action :validate_client_certs + before_action :validate_api_user_cert before_action :check_ip_restriction before_action :set_paper_trail_whodunnit private + # rubocop:disable Metrics/MethodLength def log_request yield rescue ActiveRecord::RecordNotFound + handle_record_not_found + rescue ActionController::ParameterMissing, Apipie::ParamMissing => e + handle_parameter_missing(e) + rescue Apipie::ParamInvalid => e + handle_param_invalid(e) + rescue CanCan::AccessDenied => e + handle_access_denied(e) + rescue Shunter::ThrottleError => e + handle_throttle_error(e) + ensure + create_repp_log + end + # rubocop:enable Metrics/MethodLength + + def handle_record_not_found @response = { code: 2303, message: 'Object does not exist' } render(json: @response, status: :not_found) - rescue ActionController::ParameterMissing, Apipie::ParamMissing => e + end + + def handle_parameter_missing(e) @response = { code: 2003, message: e.message.gsub(/\n/, '. ') } render(json: @response, status: :bad_request) - rescue Apipie::ParamInvalid => e + end + + def handle_param_invalid(e) @response = { code: 2005, message: e.message.gsub(/\n/, '. ') } render(json: @response, status: :bad_request) - rescue CanCan::AccessDenied => e + end + + def handle_access_denied(e) @response = { code: 2201, message: 'Authorization error' } logger.error e.to_s render(json: @response, status: :unauthorized) - rescue Shunter::ThrottleError => e + end + + def handle_throttle_error(e) @response = { code: 2502, message: Shunter.default_error_message } logger.error e.to_s unless Rails.env.test? render(json: @response, status: :bad_request) - ensure - create_repp_log end - # rubocop:disable Metrics/AbcSize def create_repp_log - ApiLog::ReppLog.create( - request_path: request.path, request_method: request.request_method, - request_params: request.params.except('route_info').to_json, uuid: request.try(:uuid), - response: @response.to_json, response_code: response.status, ip: request.ip, + log_attributes = build_log_attributes + ApiLog::ReppLog.create(log_attributes) + end + + def build_log_attributes + { + request_path: request.path, ip: request.ip, + request_method: request.request_method, + request_params: build_request_params_json, + uuid: request.try(:uuid), + response: @response.to_json, + response_code: response.status, api_user_name: current_user.try(:username), api_user_registrar: current_user.try(:registrar).try(:to_s) - ) + } + end + + def build_request_params_json + request.params.except('route_info').to_json end - # rubocop:enable Metrics/AbcSize def set_domain registrar = current_user.registrar @@ -122,11 +154,11 @@ def authenticate_user end def check_ip_restriction - ip = webclient_request? ? request.headers['X-Client-IP'] : request.ip + ip = webclient_request? ? request.headers['Request-IP'] : request.ip return if registrar_ip_white?(ip) && webclient_request? return if api_ip_white?(ip) && !webclient_request? - render_unauthorized_response(ip) + render_unauthorized_ip_response(ip) end def registrar_ip_white?(ip) @@ -139,7 +171,7 @@ def api_ip_white?(ip) @current_user.registrar.api_ip_white?(ip) end - def render_unauthorized_response(ip) + def render_unauthorized_ip_response(ip) @response = { code: 2202, message: I18n.t('registrar.authorization.ip_not_allowed', ip: ip) } render json: @response, status: :unauthorized end @@ -167,16 +199,41 @@ def validate_webclient_ca render(json: @response, status: :unauthorized) end - def validate_client_certs + def validate_api_user_cert return if Rails.env.development? || Rails.env.test? return if webclient_request? - return if @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], - request.env['HTTP_SSL_CLIENT_S_DN_CN']) - @response = { code: 2202, message: 'Invalid certificate' } + crt = request.env['HTTP_SSL_CLIENT_CERT'] + com = request.env['HTTP_SSL_CLIENT_S_DN_CN'] + + return if @current_user.pki_ok?(crt, com) + + render_invalid_cert_response + end + + def validate_webclient_user_cert + return if skip_webclient_user_cert_validation? + + crt = request.headers['User-Certificate'] + com = request.headers['User-Certificate-CN'] + + return if @current_user.pki_ok?(crt, com, api: false) + + render_invalid_cert_response + end + + def render_invalid_cert_response + @response = { code: 2202, message: 'Invalid user certificate' } render(json: @response, status: :unauthorized) end + def skip_webclient_user_cert_validation? + Rails.env.development? || + Rails.env.test? || + !webclient_request? || + request.headers['Requester'] == 'tara' + end + def logger Rails.logger end diff --git a/app/controllers/repp/v1/registrar/auth_controller.rb b/app/controllers/repp/v1/registrar/auth_controller.rb index 5da1b3a383..0c7361f334 100644 --- a/app/controllers/repp/v1/registrar/auth_controller.rb +++ b/app/controllers/repp/v1/registrar/auth_controller.rb @@ -2,9 +2,10 @@ module Repp module V1 module Registrar class AuthController < BaseController + before_action :validate_webclient_user_cert, only: :index skip_before_action :authenticate_user, only: :tara_callback skip_before_action :check_ip_restriction, only: :tara_callback - skip_before_action :validate_client_certs, only: :tara_callback + skip_before_action :validate_api_user_cert, only: :tara_callback THROTTLED_ACTIONS = %i[index tara_callback].freeze include Shunter::Integration::Throttle @@ -21,7 +22,10 @@ def index def tara_callback user = ApiUser.from_omniauth(auth_params) response = { code: 401, message: I18n.t(:no_such_user), data: {} } - render(json: response, status: :unauthorized) and return unless user && user&.active + unless user&.active && webclient_request? + render(json: response, status: :unauthorized) + return + end token = Base64.urlsafe_encode64("#{user.username}:#{user.plain_text_password}") render_success(data: { token: token, username: user.username }) From cbe78e505b4b9ac2542e8752e45d025b27d92289 Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Thu, 13 Jul 2023 12:32:33 +0300 Subject: [PATCH 2/8] Fixed codeclimate issues --- app/controllers/concerns/epp_requestable.rb | 4 +- .../concerns/error_and_log_handler.rb | 80 +++++++++++++++++++ app/controllers/repp/v1/base_controller.rb | 74 +---------------- 3 files changed, 84 insertions(+), 74 deletions(-) create mode 100644 app/controllers/concerns/error_and_log_handler.rb diff --git a/app/controllers/concerns/epp_requestable.rb b/app/controllers/concerns/epp_requestable.rb index 59d0646449..05f39d93f2 100644 --- a/app/controllers/concerns/epp_requestable.rb +++ b/app/controllers/concerns/epp_requestable.rb @@ -9,8 +9,8 @@ def create authorize! :create, Epp::Server result = server.request(request_params[:payload]) render_success(data: { xml: result.force_encoding('UTF-8') }) - rescue StandardError - handle_non_epp_errors(nil, I18n.t('errors.messages.epp_conn_error')) + rescue StandardError => e + handle_non_epp_errors(nil, e.message.presence || I18n.t('errors.messages.epp_conn_error')) end private diff --git a/app/controllers/concerns/error_and_log_handler.rb b/app/controllers/concerns/error_and_log_handler.rb new file mode 100644 index 0000000000..57f8c6b089 --- /dev/null +++ b/app/controllers/concerns/error_and_log_handler.rb @@ -0,0 +1,80 @@ +module ErrorAndLogHandler + extend ActiveSupport::Concern + + included do + around_action :log_request + end + + private + + # rubocop:disable Metrics/MethodLength + def log_request + yield + rescue ActiveRecord::RecordNotFound + handle_record_not_found + rescue ActionController::ParameterMissing, Apipie::ParamMissing => e + handle_parameter_missing(e) + rescue Apipie::ParamInvalid => e + handle_param_invalid(e) + rescue CanCan::AccessDenied => e + handle_access_denied(e) + rescue Shunter::ThrottleError => e + handle_throttle_error(e) + ensure + create_repp_log + end + # rubocop:enable Metrics/MethodLength + + def handle_record_not_found + @response = { code: 2303, message: 'Object does not exist' } + render(json: @response, status: :not_found) + end + + def handle_parameter_missing(error) + @response = { code: 2003, message: error.message.gsub(/\n/, '. ') } + render(json: @response, status: :bad_request) + end + + def handle_param_invalid(error) + @response = { code: 2005, message: error.message.gsub(/\n/, '. ') } + render(json: @response, status: :bad_request) + end + + def handle_access_denied(error) + @response = { code: 2201, message: 'Authorization error' } + logger.error error.to_s + render(json: @response, status: :unauthorized) + end + + def handle_throttle_error(error) + @response = { code: 2502, message: Shunter.default_error_message } + logger.error error.to_s unless Rails.env.test? + render(json: @response, status: :bad_request) + end + + def create_repp_log + log_attributes = build_log_attributes + ApiLog::ReppLog.create(log_attributes) + end + + def build_log_attributes + { + request_path: request.path, ip: request.ip, + request_method: request.request_method, + request_params: build_request_params_json, + uuid: request.try(:uuid), + response: @response.to_json, + response_code: response.status, + api_user_name: current_user.try(:username), + api_user_registrar: current_user.try(:registrar).try(:to_s) + } + end + + def build_request_params_json + request.params.except('route_info').to_json + end + + def logger + Rails.logger + end +end diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index 3da75c6725..fd360d4d3d 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -3,7 +3,8 @@ module V1 class BaseController < ActionController::API # rubocop:disable Metrics/ClassLength attr_reader :current_user - around_action :log_request + include ErrorAndLogHandler + before_action :authenticate_user before_action :set_locale before_action :validate_webclient_ca @@ -13,73 +14,6 @@ class BaseController < ActionController::API # rubocop:disable Metrics/ClassLeng private - # rubocop:disable Metrics/MethodLength - def log_request - yield - rescue ActiveRecord::RecordNotFound - handle_record_not_found - rescue ActionController::ParameterMissing, Apipie::ParamMissing => e - handle_parameter_missing(e) - rescue Apipie::ParamInvalid => e - handle_param_invalid(e) - rescue CanCan::AccessDenied => e - handle_access_denied(e) - rescue Shunter::ThrottleError => e - handle_throttle_error(e) - ensure - create_repp_log - end - # rubocop:enable Metrics/MethodLength - - def handle_record_not_found - @response = { code: 2303, message: 'Object does not exist' } - render(json: @response, status: :not_found) - end - - def handle_parameter_missing(e) - @response = { code: 2003, message: e.message.gsub(/\n/, '. ') } - render(json: @response, status: :bad_request) - end - - def handle_param_invalid(e) - @response = { code: 2005, message: e.message.gsub(/\n/, '. ') } - render(json: @response, status: :bad_request) - end - - def handle_access_denied(e) - @response = { code: 2201, message: 'Authorization error' } - logger.error e.to_s - render(json: @response, status: :unauthorized) - end - - def handle_throttle_error(e) - @response = { code: 2502, message: Shunter.default_error_message } - logger.error e.to_s unless Rails.env.test? - render(json: @response, status: :bad_request) - end - - def create_repp_log - log_attributes = build_log_attributes - ApiLog::ReppLog.create(log_attributes) - end - - def build_log_attributes - { - request_path: request.path, ip: request.ip, - request_method: request.request_method, - request_params: build_request_params_json, - uuid: request.try(:uuid), - response: @response.to_json, - response_code: response.status, - api_user_name: current_user.try(:username), - api_user_registrar: current_user.try(:registrar).try(:to_s) - } - end - - def build_request_params_json - request.params.except('route_info').to_json - end - def set_domain registrar = current_user.registrar @domain = Epp::Domain.find_by(registrar: registrar, name: params[:domain_id]) @@ -234,10 +168,6 @@ def skip_webclient_user_cert_validation? request.headers['Requester'] == 'tara' end - def logger - Rails.logger - end - def auth_values_to_data(registrar:) data = current_user.as_json(only: %i[id username roles]) data[:registrar_name] = registrar.name From 684f80891a262b519b8d59aa53579b92e6a1875a Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Thu, 13 Jul 2023 12:41:38 +0300 Subject: [PATCH 3/8] Corrected integration test --- test/integration/repp/v1/base_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb index ed69eba13d..ee89efd69a 100644 --- a/test/integration/repp/v1/base_test.rb +++ b/test/integration/repp/v1/base_test.rb @@ -67,7 +67,7 @@ def test_takes_ip_whitelist_into_account_if_webclient_request Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do - get repp_v1_contacts_path, headers: @auth_headers.merge!({ 'X-Client-IP' => whiteip.ipv4 }) + get repp_v1_contacts_path, headers: @auth_headers.merge!({ 'Request-IP' => whiteip.ipv4 }) end end From 52b3b3a6cf8034dfd2b44d33d2ab879a9837a0a4 Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Thu, 13 Jul 2023 13:03:10 +0300 Subject: [PATCH 4/8] Added integration tests for user certificate validation --- app/controllers/repp/v1/base_controller.rb | 5 +-- test/integration/repp/v1/base_test.rb | 45 ++++++++++++++++++++++ 2 files changed, 46 insertions(+), 4 deletions(-) diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index fd360d4d3d..393c7264bf 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -162,10 +162,7 @@ def render_invalid_cert_response end def skip_webclient_user_cert_validation? - Rails.env.development? || - Rails.env.test? || - !webclient_request? || - request.headers['Requester'] == 'tara' + !webclient_request? || request.headers['Requester'] == 'tara' end def auth_values_to_data(registrar:) diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb index ee89efd69a..1d51c9a1e2 100644 --- a/test/integration/repp/v1/base_test.rb +++ b/test/integration/repp/v1/base_test.rb @@ -77,6 +77,43 @@ def test_takes_ip_whitelist_into_account_if_webclient_request Setting.registrar_ip_whitelist_enabled = false end + def test_validates_webclient_user_certificate_ok + cert = certificates(:registrar) + @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name }) + + Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do + Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do + get repp_v1_registrar_auth_index_path, headers: @auth_headers + end + end + + assert_response :ok + end + + def test_validates_webclient_user_certificate_if_missing + Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do + Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do + get repp_v1_registrar_auth_index_path, headers: @auth_headers + end + end + + assert_unauthorized_user_cert + end + + def test_validates_webclient_user_certificate_if_revoked + cert = certificates(:registrar) + cert.update(revoked: true) + @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name }) + + Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do + Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do + get repp_v1_registrar_auth_index_path, headers: @auth_headers + end + end + + assert_unauthorized_user_cert + end + private def assert_unauthorized_ip @@ -86,4 +123,12 @@ def assert_unauthorized_ip assert_equal 2202, response_json[:code] assert response_json[:message].include? 'Access denied from IP' end + + def assert_unauthorized_user_cert + response_json = JSON.parse(response.body, symbolize_names: true) + + assert_response :unauthorized + assert_equal 2202, response_json[:code] + assert response_json[:message].include? 'Invalid user certificate' + end end From 597766dba0ca10796dd81b55378fafb3c26d0f4e Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Thu, 13 Jul 2023 13:12:46 +0300 Subject: [PATCH 5/8] Corrected integration test --- .../v1/registrar/auth/tara_callback_test.rb | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/test/integration/repp/v1/registrar/auth/tara_callback_test.rb b/test/integration/repp/v1/registrar/auth/tara_callback_test.rb index 918fce9ccf..0493f47f4a 100644 --- a/test/integration/repp/v1/registrar/auth/tara_callback_test.rb +++ b/test/integration/repp/v1/registrar/auth/tara_callback_test.rb @@ -18,7 +18,12 @@ def test_validates_user_from_omniauth_params }, } - post '/repp/v1/registrar/auth/tara_callback', headers: @auth_headers, params: request_body + Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do + Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do + post '/repp/v1/registrar/auth/tara_callback', headers: @auth_headers, params: request_body + end + end + json = JSON.parse(response.body, symbolize_names: true) assert_response :ok @@ -43,4 +48,21 @@ def test_invalidates_user_with_wrong_omniauth_params assert_response :unauthorized assert_equal 'No such user', json[:message] end + + def test_invalidates_user_if_not_webclient_request + request_body = { + auth: { + uid: 'EE1234', + }, + } + + Repp::V1::BaseController.stub_any_instance(:webclient_request?, false) do + post '/repp/v1/registrar/auth/tara_callback', headers: @auth_headers, params: request_body + end + + json = JSON.parse(response.body, symbolize_names: true) + + assert_response :unauthorized + assert_equal 'No such user', json[:message] + end end From d150c1bc3dde19ecbedd5507b2697d72757a3dad Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Fri, 4 Aug 2023 11:59:40 +0300 Subject: [PATCH 6/8] Modified registrar ip restriction --- app/controllers/repp/v1/base_controller.rb | 25 +++++++++---------- .../repp/v1/registrar/auth_controller.rb | 3 ++- config/application.yml.sample | 7 ++++++ 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index 393c7264bf..2cb6d1414e 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -9,7 +9,7 @@ class BaseController < ActionController::API # rubocop:disable Metrics/ClassLeng before_action :set_locale before_action :validate_webclient_ca before_action :validate_api_user_cert - before_action :check_ip_restriction + before_action :check_api_ip_restriction before_action :set_paper_trail_whodunnit private @@ -87,22 +87,20 @@ def authenticate_user render(json: @response, status: :unauthorized) end - def check_ip_restriction - ip = webclient_request? ? request.headers['Request-IP'] : request.ip - return if registrar_ip_white?(ip) && webclient_request? - return if api_ip_white?(ip) && !webclient_request? + def check_api_ip_restriction + return if webclient_request? + return if @current_user.registrar.api_ip_white?(request.ip) - render_unauthorized_ip_response(ip) + render_unauthorized_ip_response(request.ip) end - def registrar_ip_white?(ip) - return true unless ip + def check_registrar_ip_restriction + return unless webclient_request? - @current_user.registrar.registrar_ip_white?(ip) - end + ip = request.headers['Request-IP'] + return if @current_user.registrar.registrar_ip_white?(ip) - def api_ip_white?(ip) - @current_user.registrar.api_ip_white?(ip) + render_unauthorized_ip_response(ip) end def render_unauthorized_ip_response(ip) @@ -162,7 +160,8 @@ def render_invalid_cert_response end def skip_webclient_user_cert_validation? - !webclient_request? || request.headers['Requester'] == 'tara' + !webclient_request? || request.headers['Requester'] == 'tara' || + Rails.env.development? || Rails.env.test? end def auth_values_to_data(registrar:) diff --git a/app/controllers/repp/v1/registrar/auth_controller.rb b/app/controllers/repp/v1/registrar/auth_controller.rb index 0c7361f334..3c831f4a90 100644 --- a/app/controllers/repp/v1/registrar/auth_controller.rb +++ b/app/controllers/repp/v1/registrar/auth_controller.rb @@ -2,9 +2,10 @@ module Repp module V1 module Registrar class AuthController < BaseController + before_action :check_registrar_ip_restriction, only: :index before_action :validate_webclient_user_cert, only: :index skip_before_action :authenticate_user, only: :tara_callback - skip_before_action :check_ip_restriction, only: :tara_callback + skip_before_action :check_api_ip_restriction, only: :tara_callback skip_before_action :validate_api_user_cert, only: :tara_callback THROTTLED_ACTIONS = %i[index tara_callback].freeze diff --git a/config/application.yml.sample b/config/application.yml.sample index 2de9c29cbf..0d2fd399cd 100644 --- a/config/application.yml.sample +++ b/config/application.yml.sample @@ -187,6 +187,13 @@ default_response_timeout: '1' epp_sessions_per_registrar: '4' +shunter_default_adapter: "Shunter::Adapters::Redis" +shunter_enabled: "false" +shunter_redis_host: "redis" +shunter_redis_port: "6379" +shunter_default_timespan: '60' +shunter_default_threshold: '100' + # Since the keys for staging are absent from the repo, we need to supply them separate for testing. test: payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem' From b86fac03b50884de3e9c702385dad6629a744b7f Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Fri, 4 Aug 2023 12:46:56 +0300 Subject: [PATCH 7/8] Corrected integration tests --- app/controllers/repp/v1/base_controller.rb | 2 +- test/application_system_test_case.rb | 1 + test/integration/repp/v1/base_test.rb | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index 2cb6d1414e..f6b3b4f7dd 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -161,7 +161,7 @@ def render_invalid_cert_response def skip_webclient_user_cert_validation? !webclient_request? || request.headers['Requester'] == 'tara' || - Rails.env.development? || Rails.env.test? + Rails.env.development? end def auth_values_to_data(registrar:) diff --git a/test/application_system_test_case.rb b/test/application_system_test_case.rb index 7267673905..63c91fcde4 100644 --- a/test/application_system_test_case.rb +++ b/test/application_system_test_case.rb @@ -19,6 +19,7 @@ class ApplicationSystemTestCase < ActionDispatch::IntegrationTest class JavaScriptApplicationSystemTestCase < ApplicationSystemTestCase self.use_transactional_tests = false DatabaseCleaner.strategy = :truncation + Webdrivers::Chromedriver.required_version = '114.0.5735.90' Capybara.register_driver(:chrome) do |app| options = ::Selenium::WebDriver::Chrome::Options.new diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb index 1d51c9a1e2..9d976d30c8 100644 --- a/test/integration/repp/v1/base_test.rb +++ b/test/integration/repp/v1/base_test.rb @@ -43,7 +43,7 @@ def test_processes_invalid_base64_token_format_properly assert_equal 'Invalid authorization information', response_json[:message] end - def test_takes_ip_whitelist_into_account + def test_takes_ip_whitelist_into_account_if_api_request Setting.api_ip_whitelist_enabled = true Setting.registrar_ip_whitelist_enabled = true @@ -67,7 +67,7 @@ def test_takes_ip_whitelist_into_account_if_webclient_request Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do - get repp_v1_contacts_path, headers: @auth_headers.merge!({ 'Request-IP' => whiteip.ipv4 }) + get repp_v1_registrar_auth_index_path, headers: @auth_headers.merge!({ 'Request-IP' => whiteip.ipv4 }) end end From 7863322c9d4012f0a0c29303851d586db36d4c0b Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Fri, 4 Aug 2023 13:43:02 +0300 Subject: [PATCH 8/8] Registrar ip restriction on every request --- app/controllers/repp/v1/base_controller.rb | 1 + app/controllers/repp/v1/registrar/auth_controller.rb | 2 +- test/integration/repp/v1/accounts/switch_user_test.rb | 8 ++++---- test/integration/repp/v1/base_test.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb index f6b3b4f7dd..1faca4e68d 100644 --- a/app/controllers/repp/v1/base_controller.rb +++ b/app/controllers/repp/v1/base_controller.rb @@ -9,6 +9,7 @@ class BaseController < ActionController::API # rubocop:disable Metrics/ClassLeng before_action :set_locale before_action :validate_webclient_ca before_action :validate_api_user_cert + before_action :check_registrar_ip_restriction before_action :check_api_ip_restriction before_action :set_paper_trail_whodunnit diff --git a/app/controllers/repp/v1/registrar/auth_controller.rb b/app/controllers/repp/v1/registrar/auth_controller.rb index 3c831f4a90..676ea670ef 100644 --- a/app/controllers/repp/v1/registrar/auth_controller.rb +++ b/app/controllers/repp/v1/registrar/auth_controller.rb @@ -2,9 +2,9 @@ module Repp module V1 module Registrar class AuthController < BaseController - before_action :check_registrar_ip_restriction, only: :index before_action :validate_webclient_user_cert, only: :index skip_before_action :authenticate_user, only: :tara_callback + skip_before_action :check_registrar_ip_restriction, only: :tara_callback skip_before_action :check_api_ip_restriction, only: :tara_callback skip_before_action :validate_api_user_cert, only: :tara_callback diff --git a/test/integration/repp/v1/accounts/switch_user_test.rb b/test/integration/repp/v1/accounts/switch_user_test.rb index 2299f2bf5c..fa26b442d4 100644 --- a/test/integration/repp/v1/accounts/switch_user_test.rb +++ b/test/integration/repp/v1/accounts/switch_user_test.rb @@ -53,8 +53,8 @@ def test_switches_to_unlinked_api_user end def test_returns_error_response_if_throttled - ENV["shunter_default_threshold"] = '1' - ENV["shunter_enabled"] = 'true' + ENV['shunter_default_threshold'] = '1' + ENV['shunter_enabled'] = 'true' new_user = users(:api_goodnames) new_user.update(identity_code: '1234') @@ -71,7 +71,7 @@ def test_returns_error_response_if_throttled assert_response :bad_request assert_equal json[:code], 2502 assert response.body.include?(Shunter.default_error_message) - ENV["shunter_default_threshold"] = '10000' - ENV["shunter_enabled"] = 'false' + ENV['shunter_default_threshold'] = '10000' + ENV['shunter_enabled'] = 'false' end end diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb index 9d976d30c8..3fdc84c30e 100644 --- a/test/integration/repp/v1/base_test.rb +++ b/test/integration/repp/v1/base_test.rb @@ -67,7 +67,7 @@ def test_takes_ip_whitelist_into_account_if_webclient_request Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do - get repp_v1_registrar_auth_index_path, headers: @auth_headers.merge!({ 'Request-IP' => whiteip.ipv4 }) + get repp_v1_contacts_path, headers: @auth_headers.merge!({ 'Request-IP' => whiteip.ipv4 }) end end