Description:
add ip whitelisting
Commit status:
[Not Reviewed]
References:
Diff options:
Comments:
0 Commit comments
0 Inline Comments
Unresolved TODOs:
There are no unresolved TODOs
Author
-
r755:17c54fa350f2 - - 2 files changed: 55 inserted, 13 deleted
| @@ -1,3 +1,5 | |||
|
|
1 | + require 'ipaddr' | |
|
|
2 | + | |
|
|
1 | 3 | class ApplicationController < ActionController::Base |
|
|
2 | 4 | protect_from_forgery |
|
|
3 | 5 | |
| @@ -5,6 +7,8 | |||
|
|
5 | 7 | |
|
|
6 | 8 | SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode' |
|
|
7 | 9 | MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login' |
|
|
10 | + ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only' | |
|
|
11 | + WHITELIST_IP_CONF_KEY = 'right.whitelist_ip' | |
|
|
8 | 12 | |
|
|
9 | 13 | #report and redirect for unauthorized activities |
|
|
10 | 14 | def unauthorized_redirect |
| @@ -46,8 +50,11 | |||
|
|
46 | 50 | unauthorized_redirect unless GraderConfiguration["right.view_testcase"] |
|
|
47 | 51 | end |
|
|
48 | 52 | |
|
|
53 | + | |
|
|
49 | 54 | protected |
|
|
50 | 55 | |
|
|
56 | + #redirect to root (and also force logout) | |
|
|
57 | + #if the user is not logged_in or the system is in "ADMIN ONLY" mode | |
|
|
51 | 58 | def authenticate |
|
|
52 | 59 | unless session[:user_id] |
|
|
53 | 60 | flash[:notice] = 'You need to login' |
| @@ -58,24 +65,30 | |||
|
|
58 | 65 | return false |
|
|
59 | 66 | end |
|
|
60 | 67 | |
|
|
61 | - | |
|
|
62 | 68 | # check if run in single user mode |
|
|
63 | 69 | if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY] |
|
|
64 |
- if @current_user==nil |
|
|
|
70 | + if @current_user==nil || (not @current_user.admin?) | |
|
|
65 | 71 | flash[:notice] = 'You cannot log in at this time' |
|
|
66 | 72 | redirect_to :controller => 'main', :action => 'login' |
|
|
67 | 73 | return false |
|
|
68 | 74 | end |
|
|
69 | - return true | |
|
|
70 | 75 | end |
|
|
71 | 76 | |
|
|
72 | 77 | # check if the user is enabled |
|
|
73 |
- unless @current_user.enabled? |
|
|
|
78 | + unless @current_user.enabled? || @current_user.admin? | |
|
|
74 | 79 | flash[:notice] = 'Your account is disabled' |
|
|
75 | 80 | redirect_to :controller => 'main', :action => 'login' |
|
|
76 | 81 | return false |
|
|
77 | 82 | end |
|
|
78 | 83 | |
|
|
84 | + # check if user ip is allowed | |
|
|
85 | + unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY] | |
|
|
86 | + unless is_request_ip_allowed? | |
|
|
87 | + flash[:notice] = 'Your IP is not allowed' | |
|
|
88 | + redirect_to root_path | |
|
|
89 | + end | |
|
|
90 | + end | |
|
|
91 | + | |
|
|
79 | 92 | if GraderConfiguration.multicontests? |
|
|
80 | 93 | return true if @current_user.admin? |
|
|
81 | 94 | begin |
| @@ -89,11 +102,14 | |||
|
|
89 | 102 | return true |
|
|
90 | 103 | end |
|
|
91 | 104 | |
|
|
105 | + #redirect to root (and also force logout) | |
|
|
106 | + #if the user use different ip from the previous connection | |
|
|
107 | + # only applicable when MULTIPLE_IP_LOGIN options is false only | |
|
|
92 | 108 | def authenticate_by_ip_address |
|
|
93 | 109 | #this assume that we have already authenticate normally |
|
|
94 | 110 | unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY] |
|
|
95 | 111 | user = User.find(session[:user_id]) |
|
|
96 |
- if (not user.admin? |
|
|
|
112 | + if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip) | |
|
|
97 | 113 | flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}" |
|
|
98 | 114 | redirect_to :controller => 'main', :action => 'login' |
|
|
99 | 115 | puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}" |
| @@ -113,7 +129,7 | |||
|
|
113 | 129 | unless user.roles.detect { |role| |
|
|
114 | 130 | role.rights.detect{ |right| |
|
|
115 | 131 | right.controller == self.class.controller_name and |
|
|
116 |
- (right.action == 'all' |
|
|
|
132 | + (right.action == 'all' || right.action == action_name) | |
|
|
117 | 133 | } |
|
|
118 | 134 | } |
|
|
119 | 135 | flash[:notice] = 'You are not authorized to view the page you requested' |
| @@ -126,7 +142,7 | |||
|
|
126 | 142 | def verify_time_limit |
|
|
127 | 143 | return true if session[:user_id]==nil |
|
|
128 | 144 | user = User.find(session[:user_id], :include => :site) |
|
|
129 |
- return true if user==nil |
|
|
|
145 | + return true if user==nil || user.site == nil | |
|
|
130 | 146 | if user.contest_finished? |
|
|
131 | 147 | flash[:notice] = 'Error: the contest you are participating is over.' |
|
|
132 | 148 | redirect_to :back |
| @@ -135,4 +151,17 | |||
|
|
135 | 151 | return true |
|
|
136 | 152 | end |
|
|
137 | 153 | |
|
|
154 | + def is_request_ip_allowed? | |
|
|
155 | + if GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY] | |
|
|
156 | + user_ip = IPAddr.new(request.remote_ip) | |
|
|
157 | + GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY].delete(' ').split(',').each do |ips| | |
|
|
158 | + allow_ips = IPAddr.new(ips) | |
|
|
159 | + unless allow_ips.includes(user_ip) | |
|
|
160 | + return false | |
|
|
161 | + end | |
|
|
162 | + end | |
|
|
163 | + end | |
|
|
164 | + return true | |
|
|
165 | + end | |
|
|
166 | + | |
|
|
138 | 167 | end |
| @@ -173,15 +173,28 | |||
|
|
173 | 173 | }, |
|
|
174 | 174 | |
|
|
175 | 175 | |
|
|
176 | + { | |
|
|
177 | + :key => 'right.whitelist_ip_only', | |
|
|
178 | + :value_type => 'boolean', | |
|
|
179 | + :default_value => 'false', | |
|
|
180 | + :description => "If true, non-admin user will be able to use the system only when their ip is in the 'whitelist_ip'." | |
|
|
181 | + }, | |
|
|
182 | + | |
|
|
183 | + { | |
|
|
184 | + :key => 'right.whitelist_ip', | |
|
|
185 | + :value_type => 'string', | |
|
|
186 | + :default_value => '0.0.0.0/0', | |
|
|
187 | + :description => "list of whitelist ip, given in comma separated CIDR notation. For example '161.200.92.0/23, 161.200.80.1/32'" | |
|
|
188 | + }, | |
|
|
176 | 189 | |
|
|
177 | 190 | ] |
|
|
178 | 191 | |
|
|
179 | 192 | |
|
|
180 |
- def create_configuration_key(key, |
|
|
|
181 |
- value_type, |
|
|
|
182 |
- default_value, |
|
|
|
193 | + def create_configuration_key(key, | |
|
|
194 | + value_type, | |
|
|
195 | + default_value, | |
|
|
183 | 196 | description='') |
|
|
184 |
- conf = (GraderConfiguration.find_by_key(key) || |
|
|
|
197 | + conf = (GraderConfiguration.find_by_key(key) || | |
|
|
185 | 198 | GraderConfiguration.new(:key => key, |
|
|
186 | 199 | :value_type => value_type, |
|
|
187 | 200 | :value => default_value)) |
| @@ -196,7 +209,7 | |||
|
|
196 | 209 | else |
|
|
197 | 210 | desc = '' |
|
|
198 | 211 | end |
|
|
199 |
- create_configuration_key(conf[:key], |
|
|
|
212 | + create_configuration_key(conf[:key], | |
|
|
200 | 213 | conf[:value_type], |
|
|
201 | 214 | conf[:default_value], |
|
|
202 | 215 | desc) |
| @@ -217,7 +230,7 | |||
|
|
217 | 230 | graders_right = Right.create(:name => 'graders_admin', |
|
|
218 | 231 | :controller => 'graders', |
|
|
219 | 232 | :action => 'all') |
|
|
220 | - | |
|
|
233 | + | |
|
|
221 | 234 | role.rights << user_admin_right; |
|
|
222 | 235 | role.rights << problem_admin_right; |
|
|
223 | 236 | role.rights << graders_right; |
You need to be logged in to leave comments.
Login now