Description:
add ip whitelisting
Commit status:
[Not Reviewed]
References:
Diff options:
Comments:
0 Commit comments
0 Inline Comments
Unresolved TODOs:
There are no unresolved TODOs
Author
-
r755:17c54fa350f2 - - 2 files changed: 55 inserted, 13 deleted
| @@ -1,3 +1,5 | |||||
|
|
|
1 | + require 'ipaddr' | ||
|
|
|
2 | + | ||
|
|
1 | class ApplicationController < ActionController::Base |
|
3 | class ApplicationController < ActionController::Base |
|
|
2 | protect_from_forgery |
|
4 | protect_from_forgery |
|
|
3 |
|
5 | ||
| @@ -5,6 +7,8 | |||||
|
|
5 |
|
7 | ||
|
|
6 | SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode' |
|
8 | SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode' |
|
|
7 | MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login' |
|
9 | MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login' |
|
|
|
10 | + ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only' | ||
|
|
|
11 | + WHITELIST_IP_CONF_KEY = 'right.whitelist_ip' | ||
|
|
8 |
|
12 | ||
|
|
9 | #report and redirect for unauthorized activities |
|
13 | #report and redirect for unauthorized activities |
|
|
10 | def unauthorized_redirect |
|
14 | def unauthorized_redirect |
| @@ -46,8 +50,11 | |||||
|
|
46 | unauthorized_redirect unless GraderConfiguration["right.view_testcase"] |
|
50 | unauthorized_redirect unless GraderConfiguration["right.view_testcase"] |
|
|
47 | end |
|
51 | end |
|
|
48 |
|
52 | ||
|
|
|
53 | + | ||
|
|
49 | protected |
|
54 | protected |
|
|
50 |
|
55 | ||
|
|
|
56 | + #redirect to root (and also force logout) | ||
|
|
|
57 | + #if the user is not logged_in or the system is in "ADMIN ONLY" mode | ||
|
|
51 | def authenticate |
|
58 | def authenticate |
|
|
52 | unless session[:user_id] |
|
59 | unless session[:user_id] |
|
|
53 | flash[:notice] = 'You need to login' |
|
60 | flash[:notice] = 'You need to login' |
| @@ -58,24 +65,30 | |||||
|
|
58 | return false |
|
65 | return false |
|
|
59 | end |
|
66 | end |
|
|
60 |
|
67 | ||
|
|
61 | - |
|
||
|
|
62 | # check if run in single user mode |
|
68 | # check if run in single user mode |
|
|
63 | if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY] |
|
69 | if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY] |
|
|
64 |
- if @current_user==nil |
|
70 | + if @current_user==nil || (not @current_user.admin?) |
|
|
65 | flash[:notice] = 'You cannot log in at this time' |
|
71 | flash[:notice] = 'You cannot log in at this time' |
|
|
66 | redirect_to :controller => 'main', :action => 'login' |
|
72 | redirect_to :controller => 'main', :action => 'login' |
|
|
67 | return false |
|
73 | return false |
|
|
68 | end |
|
74 | end |
|
|
69 | - return true |
|
||
|
|
70 | end |
|
75 | end |
|
|
71 |
|
76 | ||
|
|
72 | # check if the user is enabled |
|
77 | # check if the user is enabled |
|
|
73 |
- unless @current_user.enabled? |
|
78 | + unless @current_user.enabled? || @current_user.admin? |
|
|
74 | flash[:notice] = 'Your account is disabled' |
|
79 | flash[:notice] = 'Your account is disabled' |
|
|
75 | redirect_to :controller => 'main', :action => 'login' |
|
80 | redirect_to :controller => 'main', :action => 'login' |
|
|
76 | return false |
|
81 | return false |
|
|
77 | end |
|
82 | end |
|
|
78 |
|
83 | ||
|
|
|
84 | + # check if user ip is allowed | ||
|
|
|
85 | + unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY] | ||
|
|
|
86 | + unless is_request_ip_allowed? | ||
|
|
|
87 | + flash[:notice] = 'Your IP is not allowed' | ||
|
|
|
88 | + redirect_to root_path | ||
|
|
|
89 | + end | ||
|
|
|
90 | + end | ||
|
|
|
91 | + | ||
|
|
79 | if GraderConfiguration.multicontests? |
|
92 | if GraderConfiguration.multicontests? |
|
|
80 | return true if @current_user.admin? |
|
93 | return true if @current_user.admin? |
|
|
81 | begin |
|
94 | begin |
| @@ -89,11 +102,14 | |||||
|
|
89 | return true |
|
102 | return true |
|
|
90 | end |
|
103 | end |
|
|
91 |
|
104 | ||
|
|
|
105 | + #redirect to root (and also force logout) | ||
|
|
|
106 | + #if the user use different ip from the previous connection | ||
|
|
|
107 | + # only applicable when MULTIPLE_IP_LOGIN options is false only | ||
|
|
92 | def authenticate_by_ip_address |
|
108 | def authenticate_by_ip_address |
|
|
93 | #this assume that we have already authenticate normally |
|
109 | #this assume that we have already authenticate normally |
|
|
94 | unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY] |
|
110 | unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY] |
|
|
95 | user = User.find(session[:user_id]) |
|
111 | user = User.find(session[:user_id]) |
|
|
96 |
- if (not user.admin? |
|
112 | + if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip) |
|
|
97 | flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}" |
|
113 | flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}" |
|
|
98 | redirect_to :controller => 'main', :action => 'login' |
|
114 | redirect_to :controller => 'main', :action => 'login' |
|
|
99 | puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}" |
|
115 | puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}" |
| @@ -113,7 +129,7 | |||||
|
|
113 | unless user.roles.detect { |role| |
|
129 | unless user.roles.detect { |role| |
|
|
114 | role.rights.detect{ |right| |
|
130 | role.rights.detect{ |right| |
|
|
115 | right.controller == self.class.controller_name and |
|
131 | right.controller == self.class.controller_name and |
|
|
116 |
- (right.action == 'all' |
|
132 | + (right.action == 'all' || right.action == action_name) |
|
|
117 | } |
|
133 | } |
|
|
118 | } |
|
134 | } |
|
|
119 | flash[:notice] = 'You are not authorized to view the page you requested' |
|
135 | flash[:notice] = 'You are not authorized to view the page you requested' |
| @@ -126,7 +142,7 | |||||
|
|
126 | def verify_time_limit |
|
142 | def verify_time_limit |
|
|
127 | return true if session[:user_id]==nil |
|
143 | return true if session[:user_id]==nil |
|
|
128 | user = User.find(session[:user_id], :include => :site) |
|
144 | user = User.find(session[:user_id], :include => :site) |
|
|
129 |
- return true if user==nil |
|
145 | + return true if user==nil || user.site == nil |
|
|
130 | if user.contest_finished? |
|
146 | if user.contest_finished? |
|
|
131 | flash[:notice] = 'Error: the contest you are participating is over.' |
|
147 | flash[:notice] = 'Error: the contest you are participating is over.' |
|
|
132 | redirect_to :back |
|
148 | redirect_to :back |
| @@ -135,4 +151,17 | |||||
|
|
135 | return true |
|
151 | return true |
|
|
136 | end |
|
152 | end |
|
|
137 |
|
153 | ||
|
|
|
154 | + def is_request_ip_allowed? | ||
|
|
|
155 | + if GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY] | ||
|
|
|
156 | + user_ip = IPAddr.new(request.remote_ip) | ||
|
|
|
157 | + GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY].delete(' ').split(',').each do |ips| | ||
|
|
|
158 | + allow_ips = IPAddr.new(ips) | ||
|
|
|
159 | + unless allow_ips.includes(user_ip) | ||
|
|
|
160 | + return false | ||
|
|
|
161 | + end | ||
|
|
|
162 | + end | ||
|
|
|
163 | + end | ||
|
|
|
164 | + return true | ||
|
|
|
165 | + end | ||
|
|
|
166 | + | ||
|
|
138 | end |
|
167 | end |
| @@ -173,15 +173,28 | |||||
|
|
173 | }, |
|
173 | }, |
|
|
174 |
|
174 | ||
|
|
175 |
|
175 | ||
|
|
|
176 | + { | ||
|
|
|
177 | + :key => 'right.whitelist_ip_only', | ||
|
|
|
178 | + :value_type => 'boolean', | ||
|
|
|
179 | + :default_value => 'false', | ||
|
|
|
180 | + :description => "If true, non-admin user will be able to use the system only when their ip is in the 'whitelist_ip'." | ||
|
|
|
181 | + }, | ||
|
|
|
182 | + | ||
|
|
|
183 | + { | ||
|
|
|
184 | + :key => 'right.whitelist_ip', | ||
|
|
|
185 | + :value_type => 'string', | ||
|
|
|
186 | + :default_value => '0.0.0.0/0', | ||
|
|
|
187 | + :description => "list of whitelist ip, given in comma separated CIDR notation. For example '161.200.92.0/23, 161.200.80.1/32'" | ||
|
|
|
188 | + }, | ||
|
|
176 |
|
189 | ||
|
|
177 | ] |
|
190 | ] |
|
|
178 |
|
191 | ||
|
|
179 |
|
192 | ||
|
|
180 |
- def create_configuration_key(key, |
|
193 | + def create_configuration_key(key, |
|
|
181 |
- value_type, |
|
194 | + value_type, |
|
|
182 |
- default_value, |
|
195 | + default_value, |
|
|
183 | description='') |
|
196 | description='') |
|
|
184 |
- conf = (GraderConfiguration.find_by_key(key) || |
|
197 | + conf = (GraderConfiguration.find_by_key(key) || |
|
|
185 | GraderConfiguration.new(:key => key, |
|
198 | GraderConfiguration.new(:key => key, |
|
|
186 | :value_type => value_type, |
|
199 | :value_type => value_type, |
|
|
187 | :value => default_value)) |
|
200 | :value => default_value)) |
| @@ -196,7 +209,7 | |||||
|
|
196 | else |
|
209 | else |
|
|
197 | desc = '' |
|
210 | desc = '' |
|
|
198 | end |
|
211 | end |
|
|
199 |
- create_configuration_key(conf[:key], |
|
212 | + create_configuration_key(conf[:key], |
|
|
200 | conf[:value_type], |
|
213 | conf[:value_type], |
|
|
201 | conf[:default_value], |
|
214 | conf[:default_value], |
|
|
202 | desc) |
|
215 | desc) |
| @@ -217,7 +230,7 | |||||
|
|
217 | graders_right = Right.create(:name => 'graders_admin', |
|
230 | graders_right = Right.create(:name => 'graders_admin', |
|
|
218 | :controller => 'graders', |
|
231 | :controller => 'graders', |
|
|
219 | :action => 'all') |
|
232 | :action => 'all') |
|
|
220 | - |
|
233 | + |
|
|
221 | role.rights << user_admin_right; |
|
234 | role.rights << user_admin_right; |
|
|
222 | role.rights << problem_admin_right; |
|
235 | role.rights << problem_admin_right; |
|
|
223 | role.rights << graders_right; |
|
236 | role.rights << graders_right; |
You need to be logged in to leave comments.
Login now