From e072ac2fa8bc93ed782df1ff95130f4794f9640f Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Mon, 28 Mar 2016 15:55:19 -0700
Subject: api: added allow ability to limit what IPs can access api using a
 static configured auth token.

---
 .../controller_extension/token_authentication.rb   |  2 +-
 app/models/api_token.rb                            | 27 ++++++++++++++++------
 2 files changed, 21 insertions(+), 8 deletions(-)

(limited to 'app')

diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index 15ddef7..c41d61b 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication
 
   def token
     @token ||= authenticate_with_http_token do |token, options|
-      Token.find_by_token(token) || ApiToken.find_by_token(token)
+      Token.find_by_token(token) || ApiToken.find_by_token(token, request.headers['REMOTE_ADDR'])
     end
   end
 
diff --git a/app/models/api_token.rb b/app/models/api_token.rb
index 49b1870..5c7923d 100644
--- a/app/models/api_token.rb
+++ b/app/models/api_token.rb
@@ -14,10 +14,12 @@ class ApiToken
   # Searches static config to see if there is a matching api token string.
   # Return an ApiToken if successful, or nil otherwise.
   #
-  def self.find_by_token(token)
+  def self.find_by_token(token, ip_address=nil)
     if APP_CONFIG["api_tokens"].nil? || APP_CONFIG["api_tokens"].empty?
       # no api auth tokens are configured
       return nil
+    elsif ip_address && !ip_allowed?(ip_address)
+      return nil
     elsif !token.is_a?(String) || token.size < 24
       # don't allow obviously invalid token strings
       return nil
@@ -25,8 +27,8 @@ class ApiToken
       token_digest = Digest::SHA512.hexdigest(token)
       username = self.static_auth_tokens[token_digest]
       if username
-        if username == "test"
-          return ApiTestToken.new
+        if username == "monitor"
+          return ApiMonitorToken.new
         elsif username == "admin"
           # not yet supported
           return nil
@@ -51,14 +53,25 @@ class ApiToken
   #
   def self.static_auth_tokens
     @static_auth_tokens ||= APP_CONFIG["api_tokens"].inject({}) {|hsh, entry|
-      hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0]
+      if ["monitor", "admin"].include?(entry[0])
+        hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0]
+      end
       hsh
     }.freeze
   end
 
+  def self.ip_allowed?(ip)
+    ip == "0.0.0.0" ||
+    ip == "127.0.0.1" || (
+      APP_CONFIG["api_tokens"] &&
+      APP_CONFIG["api_tokens"]["allowed_ips"].is_a?(Array) &&
+      APP_CONFIG["api_tokens"]["allowed_ips"].include?(ip)
+    )
+  end
+
 end
 
-class ApiAdminToken < Token
+class ApiAdminToken < ApiToken
   # not yet supported
   #def authenticate
   #  AdminUser.new
@@ -69,8 +82,8 @@ end
 # These tokens used by the platform to run regular monitor tests
 # of a production infrastructure.
 #
-class ApiTestToken < Token
+class ApiMonitorToken < ApiToken
   def authenticate
-    ApiTestUser.new
+    ApiMonitorUser.new
   end
 end
-- 
cgit v1.2.3