Description:
add ip whitelisting

r755:17c54fa350f2 - - 2 files changed: 49 inserted, 7 deleted

@@ -1,3 +1,5
1 + require 'ipaddr'
2 +
1 class ApplicationController < ActionController::Base
3 class ApplicationController < ActionController::Base
2 protect_from_forgery
4 protect_from_forgery
3
5
@@ -5,6 +7,8
5
7
6 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
8 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
7 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
9 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
10 + ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only'
11 + WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
8
12
9 #report and redirect for unauthorized activities
13 #report and redirect for unauthorized activities
10 def unauthorized_redirect
14 def unauthorized_redirect
@@ -46,8 +50,11
46 unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
50 unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
47 end
51 end
48
52
53 +
49 protected
54 protected
50
55
56 + #redirect to root (and also force logout)
57 + #if the user is not logged_in or the system is in "ADMIN ONLY" mode
51 def authenticate
58 def authenticate
52 unless session[:user_id]
59 unless session[:user_id]
53 flash[:notice] = 'You need to login'
60 flash[:notice] = 'You need to login'
@@ -58,24 +65,30
58 return false
65 return false
59 end
66 end
60
67
61 -
62 # check if run in single user mode
68 # check if run in single user mode
63 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
69 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
64 - if @current_user==nil or (not @current_user.admin?)
70 + if @current_user==nil || (not @current_user.admin?)
65 flash[:notice] = 'You cannot log in at this time'
71 flash[:notice] = 'You cannot log in at this time'
66 redirect_to :controller => 'main', :action => 'login'
72 redirect_to :controller => 'main', :action => 'login'
67 return false
73 return false
68 end
74 end
69 - return true
70 end
75 end
71
76
72 # check if the user is enabled
77 # check if the user is enabled
73 - unless @current_user.enabled? or @current_user.admin?
78 + unless @current_user.enabled? || @current_user.admin?
74 flash[:notice] = 'Your account is disabled'
79 flash[:notice] = 'Your account is disabled'
75 redirect_to :controller => 'main', :action => 'login'
80 redirect_to :controller => 'main', :action => 'login'
76 return false
81 return false
77 end
82 end
78
83
84 + # check if user ip is allowed
85 + unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
86 + unless is_request_ip_allowed?
87 + flash[:notice] = 'Your IP is not allowed'
88 + redirect_to root_path
89 + end
90 + end
91 +
79 if GraderConfiguration.multicontests?
92 if GraderConfiguration.multicontests?
80 return true if @current_user.admin?
93 return true if @current_user.admin?
81 begin
94 begin
@@ -89,11 +102,14
89 return true
102 return true
90 end
103 end
91
104
105 + #redirect to root (and also force logout)
106 + #if the user use different ip from the previous connection
107 + # only applicable when MULTIPLE_IP_LOGIN options is false only
92 def authenticate_by_ip_address
108 def authenticate_by_ip_address
93 #this assume that we have already authenticate normally
109 #this assume that we have already authenticate normally
94 unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
110 unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
95 user = User.find(session[:user_id])
111 user = User.find(session[:user_id])
96 - if (not user.admin? and user.last_ip and user.last_ip != request.remote_ip)
112 + if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip)
97 flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
113 flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
98 redirect_to :controller => 'main', :action => 'login'
114 redirect_to :controller => 'main', :action => 'login'
99 puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
115 puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
@@ -113,7 +129,7
113 unless user.roles.detect { |role|
129 unless user.roles.detect { |role|
114 role.rights.detect{ |right|
130 role.rights.detect{ |right|
115 right.controller == self.class.controller_name and
131 right.controller == self.class.controller_name and
116 - (right.action == 'all' or right.action == action_name)
132 + (right.action == 'all' || right.action == action_name)
117 }
133 }
118 }
134 }
119 flash[:notice] = 'You are not authorized to view the page you requested'
135 flash[:notice] = 'You are not authorized to view the page you requested'
@@ -126,7 +142,7
126 def verify_time_limit
142 def verify_time_limit
127 return true if session[:user_id]==nil
143 return true if session[:user_id]==nil
128 user = User.find(session[:user_id], :include => :site)
144 user = User.find(session[:user_id], :include => :site)
129 - return true if user==nil or user.site == nil
145 + return true if user==nil || user.site == nil
130 if user.contest_finished?
146 if user.contest_finished?
131 flash[:notice] = 'Error: the contest you are participating is over.'
147 flash[:notice] = 'Error: the contest you are participating is over.'
132 redirect_to :back
148 redirect_to :back
@@ -135,4 +151,17
135 return true
151 return true
136 end
152 end
137
153
154 + def is_request_ip_allowed?
155 + if GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
156 + user_ip = IPAddr.new(request.remote_ip)
157 + GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY].delete(' ').split(',').each do |ips|
158 + allow_ips = IPAddr.new(ips)
159 + unless allow_ips.includes(user_ip)
160 + return false
138 end
161 end
162 + end
163 + end
164 + return true
165 + end
166 +
167 + end
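Review bot: `is_request_ip_allowed?` (new lines 154-165) cannot execute as written: it reads `GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY]`, but the constant declared at new line 11 is `WHITELIST_IP_CONF_KEY`, and `IPAddr#includes` does not exist (`IPAddr#include?` does), so enabling the option would raise instead of filtering. Its loop also returns false as soon as one CIDR does not contain the address, so with the multi-entry example from the seed file ('161.200.92.0/23, 161.200.80.1/32') every non-admin is rejected; the intent is presumably "allowed if any entry matches", and an unparsable entry should narrow access, not produce a 500. The value of `ALLOW_WHITELIST_IP_ONLY_CONF_KEY` at new line 10 (`'right.allow_whitelist_ip_only'`) does not match the key seeded in the second file (`'right.whitelist_ip_only'`), so the check never turns on at all. Separately, new line 112 is a behavioural regression: `not @current_user.admin? && user.last_ip && ...` parses as `not (admin? && last_ip && ...)` because `not` binds looser than `&&`, inverting the original `(not user.admin?) and ...`; write `if !user.admin? && user.last_ip && user.last_ip != request.remote_ip`. The rejection branch at new lines 85-90 also redirects without `return false`, unlike the neighbouring checks in `authenticate`, and its comment promises a forced logout that the code does not perform.
```ruby
  def is_request_ip_allowed?
    return true unless GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
    user_ip = IPAddr.new(request.remote_ip)
    # allowed when the address lies inside ANY whitelisted CIDR; an entry that
    # fails to parse is skipped, which can only narrow access, never widen it
    GraderConfiguration[WHITELIST_IP_CONF_KEY].to_s.delete(' ').split(',').any? do |cidr|
      begin
        IPAddr.new(cidr).include?(user_ip)
      rescue ArgumentError
        false
      end
    end
  end
```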
@@ -173,6 +173,19
173 },
173 },
174
174
175
175
176 + {
177 + :key => 'right.whitelist_ip_only',
178 + :value_type => 'boolean',
179 + :default_value => 'false',
180 + :description => "If true, non-admin user will be able to use the system only when their ip is in the 'whitelist_ip'."
181 + },
182 +
183 + {
184 + :key => 'right.whitelist_ip',
185 + :value_type => 'string',
186 + :default_value => '0.0.0.0/0',
187 + :description => "list of whitelist ip, given in comma separated CIDR notation. For example '161.200.92.0/23, 161.200.80.1/32'"
188 + },
176
189
177 ]
190 ]
178
191
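Review bot: The description of `right.whitelist_ip` (new line 187) should state how the value is interpreted, since the default decides who is locked out once `right.whitelist_ip_only` is switched on: each comma-separated entry is parsed as an `IPAddr` CIDR, and `IPAddr#include?` does not match across address families, so the default `'0.0.0.0/0'` admits every IPv4 client but, if the application is reachable over IPv6, rejects every IPv6 client (including `::1` in local testing). Either document that IPv6 ranges must be listed separately or ship an inclusive default, e.g. `:default_value => '0.0.0.0/0, ::/0'`. A sentence noting that admin accounts are exempt from the check would also help whoever toggles this from the configuration screen.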