cafe-grader-web

Commit r755:17c54fa350f2 public

parent | child
Description:
add ip whitelisting
Commit status:
[Not Reviewed]
References:
algo
Diff options:
Raw Diff | Patch Diff | Download Diff | Ignore whitespace | Increase context
Comments:
0 Commit comments 0 Inline Comments
Unresolved TODOs:
There are no unresolved TODOs
Side by Side Unified
Expand All Files Collapse All Files Wide Mode Diff
Add another comment
Browse Files

r755:17c54fa350f2 - - 2 files changed: 55 inserted, 13 deleted

Show file before | Show file after | Raw diff | Download diff | Ignore whitespace Increase context Show commentsHide comments
@@ -1,13 +1,17
1 + require 'ipaddr'
2 +
1 3 class ApplicationController < ActionController::Base
2 4 protect_from_forgery
3 5
4 6 before_action :current_user
5 7
6 8 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
7 9 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
10 + ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only'
11 + WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
8 12
9 13 #report and redirect for unauthorized activities
10 14 def unauthorized_redirect
11 15 flash[:notice] = 'You are not authorized to view the page you requested'
12 16 redirect_to :controller => 'main', :action => 'login'
13 17 end
@@ -43,42 +47,51
43 47 return true
44 48 end
45 49
46 50 unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
47 51 end
48 52
53 +
49 54 protected
50 55
56 + #redirect to root (and also force logout)
57 + #if the user is not logged_in or the system is in "ADMIN ONLY" mode
51 58 def authenticate
52 59 unless session[:user_id]
53 60 flash[:notice] = 'You need to login'
54 61 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
55 62 flash[:notice] = 'You need to login but you cannot log in at this time'
56 63 end
57 64 redirect_to :controller => 'main', :action => 'login'
58 65 return false
59 66 end
60 67
61 -
62 68 # check if run in single user mode
63 69 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
64 - if @current_user==nil or (not @current_user.admin?)
70 + if @current_user==nil || (not @current_user.admin?)
65 71 flash[:notice] = 'You cannot log in at this time'
66 72 redirect_to :controller => 'main', :action => 'login'
67 73 return false
68 74 end
69 - return true
70 75 end
71 76
72 77 # check if the user is enabled
73 - unless @current_user.enabled? or @current_user.admin?
78 + unless @current_user.enabled? || @current_user.admin?
74 79 flash[:notice] = 'Your account is disabled'
75 80 redirect_to :controller => 'main', :action => 'login'
76 81 return false
77 82 end
78 83
84 + # check if user ip is allowed
85 + unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
86 + unless is_request_ip_allowed?
87 + flash[:notice] = 'Your IP is not allowed'
88 + redirect_to root_path
89 + end
90 + end
91 +
79 92 if GraderConfiguration.multicontests?
80 93 return true if @current_user.admin?
81 94 begin
82 95 if @current_user.contest_stat(true).forced_logout
83 96 flash[:notice] = 'You have been automatically logged out.'
84 97 redirect_to :controller => 'main', :action => 'index'
@@ -86,17 +99,20
86 99 rescue
87 100 end
88 101 end
89 102 return true
90 103 end
91 104
105 + #redirect to root (and also force logout)
106 + #if the user use different ip from the previous connection
107 + # only applicable when MULTIPLE_IP_LOGIN options is false only
92 108 def authenticate_by_ip_address
93 109 #this assume that we have already authenticate normally
94 110 unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
95 111 user = User.find(session[:user_id])
96 - if (not user.admin? and user.last_ip and user.last_ip != request.remote_ip)
112 + if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip)
97 113 flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
98 114 redirect_to :controller => 'main', :action => 'login'
99 115 puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
100 116 return false
101 117 end
102 118 unless user.last_ip
@@ -110,29 +126,42
110 126 def authorization
111 127 return false unless authenticate
112 128 user = User.find(session[:user_id])
113 129 unless user.roles.detect { |role|
114 130 role.rights.detect{ |right|
115 131 right.controller == self.class.controller_name and
116 - (right.action == 'all' or right.action == action_name)
132 + (right.action == 'all' || right.action == action_name)
117 133 }
118 134 }
119 135 flash[:notice] = 'You are not authorized to view the page you requested'
120 136 #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
121 137 redirect_to :controller => 'main', :action => 'login'
122 138 return false
123 139 end
124 140 end
125 141
126 142 def verify_time_limit
127 143 return true if session[:user_id]==nil
128 144 user = User.find(session[:user_id], :include => :site)
129 - return true if user==nil or user.site == nil
145 + return true if user==nil || user.site == nil
130 146 if user.contest_finished?
131 147 flash[:notice] = 'Error: the contest you are participating is over.'
132 148 redirect_to :back
133 149 return false
134 150 end
135 151 return true
136 152 end
137 153
154 + def is_request_ip_allowed?
155 + if GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
156 + user_ip = IPAddr.new(request.remote_ip)
157 + GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY].delete(' ').split(',').each do |ips|
158 + allow_ips = IPAddr.new(ips)
159 + unless allow_ips.includes(user_ip)
160 + return false
161 + end
162 + end
163 + end
164 + return true
165 + end
166 +
138 167 end
Show file before | Show file after | Raw diff | Download diff | Ignore whitespace Increase context Show commentsHide comments
@@ -170,21 +170,34
170 170 :value_type => 'boolean',
171 171 :default_value => 'false',
172 172 :description => "If true, available problem to the user will be only ones associated with the group of the user."
173 173 },
174 174
175 175
176 + {
177 + :key => 'right.whitelist_ip_only',
178 + :value_type => 'boolean',
179 + :default_value => 'false',
180 + :description => "If true, non-admin user will be able to use the system only when their ip is in the 'whitelist_ip'."
181 + },
182 +
183 + {
184 + :key => 'right.whitelist_ip',
185 + :value_type => 'string',
186 + :default_value => '0.0.0.0/0',
187 + :description => "list of whitelist ip, given in comma separated CIDR notation. For example '161.200.92.0/23, 161.200.80.1/32'"
188 + },
176 189
177 190 ]
178 191
179 192
180 - def create_configuration_key(key,
181 - value_type,
182 - default_value,
193 + def create_configuration_key(key,
194 + value_type,
195 + default_value,
183 196 description='')
184 - conf = (GraderConfiguration.find_by_key(key) ||
197 + conf = (GraderConfiguration.find_by_key(key) ||
185 198 GraderConfiguration.new(:key => key,
186 199 :value_type => value_type,
187 200 :value => default_value))
188 201 conf.description = description
189 202 conf.save
190 203 end
@@ -193,13 +206,13
193 206 CONFIGURATIONS.each do |conf|
194 207 if conf.has_key? :description
195 208 desc = conf[:description]
196 209 else
197 210 desc = ''
198 211 end
199 - create_configuration_key(conf[:key],
212 + create_configuration_key(conf[:key],
200 213 conf[:value_type],
201 214 conf[:default_value],
202 215 desc)
203 216 end
204 217 end
205 218
@@ -214,13 +227,13
214 227 :controller => 'problems',
215 228 :action => 'all')
216 229
217 230 graders_right = Right.create(:name => 'graders_admin',
218 231 :controller => 'graders',
219 232 :action => 'all')
220 -
233 +
221 234 role.rights << user_admin_right;
222 235 role.rights << problem_admin_right;
223 236 role.rights << graders_right;
224 237 role.save
225 238 end
226 239
You need to be logged in to leave comments. Login now