diff options
author | elijah <elijah@riseup.net> | 2016-03-28 15:55:19 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2016-03-28 16:03:54 -0700 |
commit | e072ac2fa8bc93ed782df1ff95130f4794f9640f (patch) | |
tree | 986c2cfd607af3f6c0e9c34f62d82de07ff0f3f6 /app | |
parent | 67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 (diff) |
api: added allow ability to limit what IPs can access api using a static configured auth token.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/controller_extension/token_authentication.rb | 2 | ||||
-rw-r--r-- | app/models/api_token.rb | 27 |
2 files changed, 21 insertions, 8 deletions
diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb index 15ddef7..c41d61b 100644 --- a/app/controllers/controller_extension/token_authentication.rb +++ b/app/controllers/controller_extension/token_authentication.rb @@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication def token @token ||= authenticate_with_http_token do |token, options| - Token.find_by_token(token) || ApiToken.find_by_token(token) + Token.find_by_token(token) || ApiToken.find_by_token(token, request.headers['REMOTE_ADDR']) end end diff --git a/app/models/api_token.rb b/app/models/api_token.rb index 49b1870..5c7923d 100644 --- a/app/models/api_token.rb +++ b/app/models/api_token.rb @@ -14,10 +14,12 @@ class ApiToken # Searches static config to see if there is a matching api token string. # Return an ApiToken if successful, or nil otherwise. # - def self.find_by_token(token) + def self.find_by_token(token, ip_address=nil) if APP_CONFIG["api_tokens"].nil? || APP_CONFIG["api_tokens"].empty? # no api auth tokens are configured return nil + elsif ip_address && !ip_allowed?(ip_address) + return nil elsif !token.is_a?(String) || token.size < 24 # don't allow obviously invalid token strings return nil @@ -25,8 +27,8 @@ class ApiToken token_digest = Digest::SHA512.hexdigest(token) username = self.static_auth_tokens[token_digest] if username - if username == "test" - return ApiTestToken.new + if username == "monitor" + return ApiMonitorToken.new elsif username == "admin" # not yet supported return nil @@ -51,14 +53,25 @@ class ApiToken # def self.static_auth_tokens @static_auth_tokens ||= APP_CONFIG["api_tokens"].inject({}) {|hsh, entry| - hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0] + if ["monitor", "admin"].include?(entry[0]) + hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0] + end hsh }.freeze end + def self.ip_allowed?(ip) + ip == "0.0.0.0" || + ip == "127.0.0.1" || ( + APP_CONFIG["api_tokens"] && + APP_CONFIG["api_tokens"]["allowed_ips"].is_a?(Array) && + APP_CONFIG["api_tokens"]["allowed_ips"].include?(ip) + ) + end + end -class ApiAdminToken < Token +class ApiAdminToken < ApiToken # not yet supported #def authenticate # AdminUser.new @@ -69,8 +82,8 @@ end # These tokens used by the platform to run regular monitor tests # of a production infrastructure. # -class ApiTestToken < Token +class ApiMonitorToken < ApiToken def authenticate - ApiTestUser.new + ApiMonitorUser.new end end |