Commit 40c2945a authored by BAIRE Anthony's avatar BAIRE Anthony

allow using network prefixes in ALLGO_ALLOWED_IP_ADMIN

Rationale: in development the IP address of the local machine is not
easily predictable because when docker creates virtual networks it
assigns the IP prefixes/addresses dynamically by default (and I do not want
to configure static addresses because it may interfere and cause
nasty side-effects if using docker for other projects on the same
machine)

Now in development we allow admin actions from 0.0.0.0/0 (which means
all ip addresses)

Note: I used the IPy package (whose purpose is to handle ranges of
IP addresses)
parent 40da9c2d
......@@ -8,7 +8,8 @@ RUN apt-getq update && apt-getq install \
python3-django python3-django-allauth python3-misaka \
nginx-light zip gcc python3-dev python3-pip python3-wheel python3-mysqldb \
python-mysqldb python3-crypto gunicorn3 python3-redis python-mysqldb \
python3-crypto python3-natsort python3-aiohttp python3-aioredis supervisor
python3-crypto python3-natsort python3-aiohttp python3-aioredis supervisor \
python3-ipy
COPY requirements.txt /tmp/
RUN cd /tmp && pip3 install -r requirements.txt && rm requirements.txt
......
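Review bot: The new runtime dependency is declared only in the apt package list at L26 (`python3-ipy`); the `requirements.txt` installed at L28 is not touched anywhere on this page, so an environment built from requirements.txt alone (a local venv, or CI that does not use this image) would fail at `import IPy`. If requirements.txt is meant to be the single list of Python dependencies, `IPy` should be added there too; if apt is the intended source for it, a short comment beside the package saying so would prevent the next reader from "fixing" it the other way.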
......@@ -3,10 +3,11 @@ import hashlib
import os
import redis
import IPy
from django.conf import settings
import config
from .models import Job
from . import models
DEFAULT_ENTROPY = 32 # number of bytes to return by default
......@@ -104,8 +105,20 @@ def notify_controller(obj):
"""
conn = get_redis_connection()
if isinstance(obj, Job):
if isinstance(obj, models.Job):
conn.publish(REDIS_CHANNEL_CONTROLLER, REDIS_MESSAGE_JOB_UPDATED % obj.id)
else:
raise TypeError(obj)
_ALLOWED_IP_NETWORKS = list(map(IPy.IP, config.env.ALLGO_ALLOWED_IP_ADMIN.split(",")))
def is_allowed_ip_admin(ip):
"""Return true if admin actions are allowed from this IP address
The function return true if the provided ip address is included in at least
one network listed in ALLGO_ALLOWED_IP_ADMIN.
"""
return any(ip in net for net in _ALLOWED_IP_NETWORKS)
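Review bot: `is_allowed_ip_admin` at L53 lets IPy raise instead of answering False when `ip` is not a parseable address: `ip in net` converts the argument through `IPy.IP(ip)`, which fails on `None`, an empty string or a malformed value, whereas the old `client_ip in ...split(',')` test simply returned False. Two of the new call sites pass the value through unguarded — the open-bar branch at L66-67 in models.py, which unlike the superuser branch at L72 no longer checks `client_ip` first, and `jwt_auth` at L101, where `get_client_ip(request)` may return `None` when no address is recoverable (not visible here). Rejecting anything that does not parse keeps the fail-closed behaviour of the old code, and the docstring should say that `ip` is an address string and that the networks are parsed once at import, so a malformed ALLGO_ALLOWED_IP_ADMIN fails at startup rather than at the first admin request. Suggested body:

```python
def is_allowed_ip_admin(ip):
    """Return True if admin actions are allowed from this IP address.

    `ip` is an address string; it is allowed if it lies inside at least one
    network listed in ALLGO_ALLOWED_IP_ADMIN (parsed once at import time).
    A value that is missing or does not parse as an address is rejected
    rather than raising, so callers can pass a possibly-absent client IP.
    """
    if not isinstance(ip, str) or not ip:
        return False
    try:
        addr = IPy.IP(ip)
    except ValueError:
        return False
    return any(addr in net for net in _ALLOWED_IP_NETWORKS)
```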
......@@ -7,7 +7,7 @@ from django.dispatch import receiver
from django.utils.crypto import get_random_string
import config.env
from .helpers import is_allowed_ip_admin
def generate_token(length=32):
""" Generate a random string according to its length.
......@@ -183,15 +183,15 @@ class Webapp(TimeStampModel):
`client_ip` is client IP address (used for limiting admin/open_bar
access to the adresses listed in ALLGO_ALLOWED_IP_ADMIN)
"""
if isinstance(actor, Runner) and actor.open_bar and (client_ip in
config.env.ALLGO_ALLOWED_IP_ADMIN.split(',')):
if (isinstance(actor, Runner) and actor.open_bar
and is_allowed_ip_admin(client_ip)):
return True
user = self._resolve_user(actor)
if user == self.user:
return True
elif user is not None and user.is_superuser and client_ip:
return client_ip in config.env.ALLGO_ALLOWED_IP_ADMIN.split(',')
return is_allowed_ip_admin(client_ip)
return False
def is_pushable_by(self, actor):
......
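Review bot: The docstring at L61-62 still describes ALLGO_ALLOWED_IP_ADMIN as a list of addresses, but after this change it holds networks (see the new default `127.0.0.1/32` in the env declaration); suggest `access to the networks listed in ALLGO_ALLOWED_IP_ADMIN)`. The method containing this hunk starts before L61 and its name is not visible here. The open-bar branch at L66-67 also gives up the `client_ip` guard that the superuser branch at L72 keeps, which matters because the new helper does not tolerate a missing address; that point is raised on the helpers.py hunk.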
......@@ -54,10 +54,9 @@ with env_loader.EnvironmentVarLoader(__name__, "ALLGO_",
default="/vol/rw/datastore",
help="path where the jobs files are stored")
env_var("ALLGO_ALLOWED_IP_ADMIN", protected=True,
default="127.0.0.1",
help="Admin token's can be used only if request comes from one of this ip address (comma separated list)")
env_var("ALLGO_ALLOWED_IP_ADMIN",
default="127.0.0.1/32",
help="Comma-separated list of IP networks from where admin tokens (for the open-bar runners and for the controller) can be requested")
#
# runner
......
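Review bot: `protected=True` is dropped from the `ALLGO_ALLOWED_IP_ADMIN` declaration at L84 while the old declaration at L81 had it, and the commit message does not mention this. I cannot see what `protected` means in `env_loader`; if it keeps the value out of logs, settings dumps or error pages, removing it discloses which source networks are trusted for admin tokens, which is information worth keeping private. Restore it unless the removal is deliberate, in which case a one-line comment on L84 stating why would save the next reviewer the same question. The new default `127.0.0.1/32` and the updated help text are consistent with the helper.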
......@@ -6,6 +6,7 @@ import requests
from django.http import JsonResponse, HttpResponse
from django.views.decorators.csrf import csrf_exempt
from main.models import User, AllgoUser, Runner, Webapp, WebappVersion
from main.helpers import is_allowed_ip_admin
from .tokens import Token
......@@ -166,7 +167,7 @@ def jwt_auth(request):
allowed_actions = []
if resource_type == "repository":
if actor == "CONTROLLER":
if get_client_ip(request) in config.env.ALLGO_ALLOWED_IP_ADMIN.split(","):
if is_allowed_ip_admin(get_client_ip(request)):
allowed_actions.extend(("pull", "push"))
else:
try:
......
......@@ -36,6 +36,7 @@ services:
DJANGO_DEBUG: 1
DJANGO_LOG_LEVEL: "DEBUG"
ALLGO_ALLOWED_HOSTS: 0.0.0.0,dev-django,localhost
ALLGO_ALLOWED_IP_ADMIN: "0.0.0.0/0"
ALLGO_DATASTORE: "/vol/rw/datastore"
ALLGO_DEBUG: "True"
ALLGO_JUPYTER_URL: "http://0.0.0.0:8000/hub/login"
......
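Review bot: `ALLGO_ALLOWED_IP_ADMIN: "0.0.0.0/0"` at L110 switches the source-address check off entirely for this stack, so controller and open-bar admin tokens become obtainable from any address that can reach the service; together with `ALLGO_ALLOWED_HOSTS: 0.0.0.0,...` at L109 that is acceptable only while the stack is never reachable beyond the developer's machine. The commit message says this is the development compose file, but nothing on the line itself says so; a comment such as `# dev only: disables the admin IP restriction, do not copy to other compose files` would keep it from being carried over. If the docker-assigned prefixes always fall inside the private ranges, listing those ranges instead of `0.0.0.0/0` would keep the check meaningful at little cost, though I cannot confirm that from here.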