forest_liana 2.12.0 → 2.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: df754c6c7de93be5e155ea18ca2a236e737ff9ed
-  data.tar.gz: fb4fb5714e04982a5db0e474491c153cbbf28b47
+  metadata.gz: 90cfcbc6a189d0f813ab9be3b691b651147080b1
+  data.tar.gz: 20a7fb7fe5095658f63cd4e83f926959f90d45c3
 SHA512:
-  metadata.gz: 9b9dd0d21d2a2001d980b6aee0d8f519731a331d559d58e394e5d8723033a5e17c1327da5ba8e1db83352189d3b4917c8d85abbe46b2ae5f54e8d23a140f34eb
-  data.tar.gz: 9f10c5cca47362935d125593bb107eeea8d0119bf46ac275d3d096a134f8410ca7fca16e08ea01962ab7b9f9b6059f9f0c465e19e2f7c5e91e23ca1da72f48c9
+  metadata.gz: 33199e1098b84e64b5a90fc289b4f4aa67e40d77296a55887d77f8cd15332eac37eac91ec27df47679d97978366047b6ae3a05ad394d74dce26251c00e53071e
+  data.tar.gz: 59668615c97545bd736bff03f24273fd08e37ee89c51d0b3af2ea331776579c5f2deda5686158f58de8652f7f0e320f284dc43eedc6828d9889b6b205f6eba39

data/app/controllers/forest_liana/base_controller.rb

@@ -2,5 +2,35 @@ module ForestLiana
   class BaseController < ::ActionController::Base
     skip_before_action :verify_authenticity_token, raise: false
     wrap_parameters false
+    before_action :reject_unauthorized_ip
+
+    private
+
+    def reject_unauthorized_ip
+      begin
+        ip = request.remote_ip
+
+        if !IpWhitelist.is_ip_whitelist_retrieved || !IpWhitelist.is_ip_valid(ip)
+          unless IpWhitelist.retrieve
+            raise Errors::HTTP403Error.new("IP whitelist not retrieved")
+          end
+
+          unless IpWhitelist.is_ip_valid(ip)
+            raise Errors::HTTP403Error.new("IP address rejected (#{ip})")
+          end
+        end
+      rescue Errors::ExpectedError => exception
+        exception.display_error
+        error_data = JSONAPI::Serializer.serialize_errors([{
+          status: exception.error_code,
+          detail: exception.message
+        }])
+        render(serializer: nil, json: error_data, status: exception.status)
+      rescue => exception
+        FOREST_LOGGER.error(exception)
+        FOREST_LOGGER.error(exception.backtrace.join("\n"))
+        render(serializer: nil, json: nil, status: :internal_server_error)
+      end
+    end
   end
 end

data/app/controllers/forest_liana/sessions_controller.rb

@@ -53,7 +53,12 @@ module ForestLiana
           raise Errors::HTTP401Error
         end
 
-        # TODO: Add ip whitelist retrieving when it exists.
+        # NOTICE: The IP Whitelist is retrieved on any request if it was not retrieved yet, or when
+        #         an IP is rejected, to ensure the IP is still rejected (meaning the configuration
+        #         on the projects has not changed). To handle the last case, which is rejecting an
+        #         IP which was not initaliy rejected, we need periodically refresh the whitelist.
+        #         This is done here on the login of any user. 
+        IpWhitelist.retrieve
 
         reponse_data = LoginHandler.new(
           rendering_id,

data/app/services/forest_liana/ip_whitelist.rb

@@ -0,0 +1,40 @@
+module ForestLiana
+  class IpWhitelist
+    @@use_ip_whitelist = true
+    @@ip_whitelist_rules = nil
+
+    def self.retrieve
+      begin
+        response = ForestApiRequester.get('/liana/v1/ip-whitelist-rules')
+
+        if response.is_a?(Net::HTTPOK)
+          body = JSON.parse(response.body)
+          ip_whitelist_data = body['data']['attributes']
+
+          @@use_ip_whitelist = ip_whitelist_data['use_ip_whitelist']
+          @@ip_whitelist_rules = ip_whitelist_data['rules']
+          true
+        else
+          raise "Cannot retrieve the data from the Forest server. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
+        end
+      rescue => exception
+        FOREST_LOGGER.error 'Cannot retrieve the IP Whitelist from the Forest server.'
+        FOREST_LOGGER.error 'Which was caused by:'
+        Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
+        false
+      end
+    end
+
+    def self.is_ip_whitelist_retrieved
+      !@@use_ip_whitelist || !@@ip_whitelist_rules.nil?
+    end
+
+    def self.is_ip_valid(ip)
+      if @@use_ip_whitelist
+        return IpWhitelistChecker.is_ip_matches_any_rule(ip, @@ip_whitelist_rules)
+      end
+
+      true
+    end
+  end
+end

data/app/services/forest_liana/ip_whitelist_checker.rb

@@ -0,0 +1,71 @@
+require 'ipaddress'
+
+module ForestLiana
+  class IpWhitelistChecker
+    module RuleType
+      IP = 0
+      RANGE = 1
+      SUBNET = 2
+    end
+
+    def self.is_ip_matches_any_rule(ip, rules)
+      rules.any? { |rule| IpWhitelistChecker.is_ip_matches_rule(ip, rule) }
+    end
+
+    def self.is_ip_matches_rule(ip, rule)
+      if rule['type'] == RuleType::IP
+        return IpWhitelistChecker.is_ip_match_ip(ip, rule['ip'])
+      elsif rule['type'] == RuleType::RANGE
+        return IpWhitelistChecker.is_ip_match_range(ip, rule)
+      elsif rule['type'] == RuleType::SUBNET
+        return IpWhitelistChecker.is_ip_match_subnet(ip, rule['range'])
+      end
+
+      raise 'Invalid rule type'
+    end
+
+    def self.ip_version(ip)
+      (IPAddress ip).is_a?(IPAddress::IPv4) ? :ip_v4 : :ip_v6
+    end
+
+    def self.is_same_ip_version(ip1, ip2)
+      ip1_version = IpWhitelistChecker.ip_version(ip1)
+      ip2_version = IpWhitelistChecker.ip_version(ip2)
+
+      ip1_version == ip2_version
+    end
+
+    def self.is_both_loopback(ip1, ip2)
+      IPAddress(ip1).loopback? && IPAddress(ip2).loopback?
+    end
+
+    def self.is_ip_match_ip(ip1, ip2)
+      if !IpWhitelistChecker.is_same_ip_version(ip1, ip2)
+        return IpWhitelistChecker.is_both_loopback(ip1, ip2)
+      end
+
+      if IPAddress(ip1) == IPAddress(ip2)
+        true
+      else
+        IpWhitelistChecker.is_both_loopback(ip1, ip2)
+      end
+    end
+
+    def self.is_ip_match_range(ip, rule)
+      return false if !IpWhitelistChecker.is_same_ip_version(ip, rule['ip_minimum'])
+
+      ip_range_minimum = (IPAddress rule['ip_minimum']).to_i
+      ip_range_maximum = (IPAddress rule['ip_maximum']).to_i
+      ip_value = (IPAddress ip).to_i
+
+      return ip_value >= ip_range_minimum && ip_value <= ip_range_maximum;
+    end
+
+    def self.is_ip_match_subnet(ip, subnet)
+      return false if !IpWhitelistChecker.is_same_ip_version(ip, subnet)
+
+      IPAddress(subnet).include?(IPAddress(ip))
+    end
+  end
+
+end

data/config/initializers/errors.rb

@@ -22,7 +22,7 @@ module ForestLiana
         @message = message
       end
 
-      def display_error()
+      def display_error
         ExceptionHelper.recursively_print(self)
       end
     end
@@ -33,6 +33,12 @@ module ForestLiana
       end
     end
 
+    class HTTP403Error < ExpectedError
+      def initialize(message = "Forbidden")
+        super(403, :forbidden, message)
+      end
+    end
+
     class ExceptionHelper
       def self.recursively_print(error, margin: '', is_error: false)
         logger = is_error ?

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "2.12.0"
+  VERSION = "2.13.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: forest_liana
 version: !ruby/object:Gem::Version
-  version: 2.12.0
+  version: 2.13.0
 platform: ruby
 authors:
 - Sandro Munda
@@ -164,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ipaddress
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Forest is a modern admin interface that works on all major web frameworks.
   forest_liana is the gem that makes Forest admin work on any Rails application (Rails
   >= 4.0).
@@ -227,6 +241,8 @@ files:
 - app/services/forest_liana/intercom_attributes_getter.rb
 - app/services/forest_liana/intercom_conversation_getter.rb
 - app/services/forest_liana/intercom_conversations_getter.rb
+- app/services/forest_liana/ip_whitelist.rb
+- app/services/forest_liana/ip_whitelist_checker.rb
 - app/services/forest_liana/line_stat_getter.rb
 - app/services/forest_liana/live_query_checker.rb
 - app/services/forest_liana/login_handler.rb