From e072ac2fa8bc93ed782df1ff95130f4794f9640f Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:55:19 -0700 Subject: api: added allow ability to limit what IPs can access api using a static configured auth token. --- .../controller_extension/token_authentication.rb | 2 +- app/models/api_token.rb | 27 ++++++++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) (limited to 'app') diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb index 15ddef7..c41d61b 100644 --- a/app/controllers/controller_extension/token_authentication.rb +++ b/app/controllers/controller_extension/token_authentication.rb @@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication def token @token ||= authenticate_with_http_token do |token, options| - Token.find_by_token(token) || ApiToken.find_by_token(token) + Token.find_by_token(token) || ApiToken.find_by_token(token, request.headers['REMOTE_ADDR']) end end diff --git a/app/models/api_token.rb b/app/models/api_token.rb index 49b1870..5c7923d 100644 --- a/app/models/api_token.rb +++ b/app/models/api_token.rb @@ -14,10 +14,12 @@ class ApiToken # Searches static config to see if there is a matching api token string. # Return an ApiToken if successful, or nil otherwise. # - def self.find_by_token(token) + def self.find_by_token(token, ip_address=nil) if APP_CONFIG["api_tokens"].nil? || APP_CONFIG["api_tokens"].empty? # no api auth tokens are configured return nil + elsif ip_address && !ip_allowed?(ip_address) + return nil elsif !token.is_a?(String) || token.size < 24 # don't allow obviously invalid token strings return nil @@ -25,8 +27,8 @@ class ApiToken token_digest = Digest::SHA512.hexdigest(token) username = self.static_auth_tokens[token_digest] if username - if username == "test" - return ApiTestToken.new + if username == "monitor" + return ApiMonitorToken.new elsif username == "admin" # not yet supported return nil @@ -51,14 +53,25 @@ class ApiToken # def self.static_auth_tokens @static_auth_tokens ||= APP_CONFIG["api_tokens"].inject({}) {|hsh, entry| - hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0] + if ["monitor", "admin"].include?(entry[0]) + hsh[Digest::SHA512.hexdigest(entry[1])] = entry[0] + end hsh }.freeze end + def self.ip_allowed?(ip) + ip == "0.0.0.0" || + ip == "127.0.0.1" || ( + APP_CONFIG["api_tokens"] && + APP_CONFIG["api_tokens"]["allowed_ips"].is_a?(Array) && + APP_CONFIG["api_tokens"]["allowed_ips"].include?(ip) + ) + end + end -class ApiAdminToken < Token +class ApiAdminToken < ApiToken # not yet supported #def authenticate # AdminUser.new @@ -69,8 +82,8 @@ end # These tokens used by the platform to run regular monitor tests # of a production infrastructure. # -class ApiTestToken < Token +class ApiMonitorToken < ApiToken def authenticate - ApiTestUser.new + ApiMonitorUser.new end end -- cgit v1.2.3