2013-10-21 14:49:51 -04:00
|
|
|
require_dependency 'screening_model'
|
2014-11-21 12:16:06 -05:00
|
|
|
require_dependency 'ip_addr'
|
2013-10-21 14:49:51 -04:00
|
|
|
|
|
|
|
# A ScreenedIpAddress record represents an IP address or subnet that is being watched,
|
|
|
|
# and possibly blocked from creating accounts.
|
|
|
|
class ScreenedIpAddress < ActiveRecord::Base
|
|
|
|
|
|
|
|
include ScreeningModel
|
|
|
|
|
|
|
|
default_action :block
|
|
|
|
|
2013-10-22 16:30:30 -04:00
|
|
|
validates :ip_address, ip_address_format: true, presence: true
|
2018-03-19 14:34:43 -04:00
|
|
|
after_validation :check_for_match
|
2013-10-21 14:49:51 -04:00
|
|
|
|
2017-07-27 21:20:09 -04:00
|
|
|
def self.watch(ip_address, opts = {})
|
2013-10-21 14:49:51 -04:00
|
|
|
match_for_ip_address(ip_address) || create(opts.slice(:action_type).merge(ip_address: ip_address))
|
|
|
|
end
|
|
|
|
|
2018-03-19 14:34:43 -04:00
|
|
|
def check_for_match
|
|
|
|
unless self.errors[:ip_address].present?
|
|
|
|
matched = self.class.match_for_ip_address(self.ip_address)
|
|
|
|
if matched && matched.action_type == self.action_type
|
|
|
|
self.errors.add(:ip_address, :ip_address_already_screened)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-11-05 11:24:13 -05:00
|
|
|
# In Rails 4.0.0, validators are run to handle invalid assignments to inet columns (as they should).
|
|
|
|
# In Rails 4.0.1, an exception is raised before validation happens, so we need this hack for
|
|
|
|
# inet/cidr columns:
|
2013-11-04 18:32:35 -05:00
|
|
|
def ip_address=(val)
|
2014-02-18 13:00:46 -05:00
|
|
|
if val.nil?
|
|
|
|
self.errors.add(:ip_address, :invalid)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-02-10 13:38:59 -05:00
|
|
|
if val.is_a?(IPAddr)
|
2014-02-18 13:00:46 -05:00
|
|
|
write_attribute(:ip_address, val)
|
2015-02-10 13:38:59 -05:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
v = IPAddr.handle_wildcards(val)
|
|
|
|
|
|
|
|
if v.nil?
|
|
|
|
self.errors.add(:ip_address, :invalid)
|
|
|
|
return
|
2014-02-18 13:00:46 -05:00
|
|
|
end
|
2013-11-17 17:31:44 -05:00
|
|
|
|
2015-02-10 13:38:59 -05:00
|
|
|
write_attribute(:ip_address, v)
|
|
|
|
|
2013-11-17 17:31:44 -05:00
|
|
|
# this gets even messier, Ruby 1.9.2 raised a different exception to Ruby 2.0.0
|
|
|
|
# handle both exceptions
|
|
|
|
rescue ArgumentError, IPAddr::InvalidAddressError
|
2013-11-04 18:32:35 -05:00
|
|
|
self.errors.add(:ip_address, :invalid)
|
|
|
|
end
|
|
|
|
|
2014-02-18 10:33:08 -05:00
|
|
|
# Return a string with the ip address and mask in standard format. e.g., "127.0.0.0/8".
|
|
|
|
def ip_address_with_mask
|
2014-11-21 12:16:06 -05:00
|
|
|
ip_address.try(:to_cidr_s)
|
2014-02-18 10:33:08 -05:00
|
|
|
end
|
|
|
|
|
2013-10-21 14:49:51 -04:00
|
|
|
def self.match_for_ip_address(ip_address)
|
|
|
|
# The <<= operator on inet columns means "is contained within or equal to".
|
|
|
|
#
|
|
|
|
# Read more about PostgreSQL's inet data type here:
|
|
|
|
#
|
|
|
|
# http://www.postgresql.org/docs/9.1/static/datatype-net-types.html
|
|
|
|
# http://www.postgresql.org/docs/9.1/static/functions-net.html
|
2016-07-18 03:35:12 -04:00
|
|
|
find_by("? <<= ip_address", ip_address.to_s)
|
2013-10-21 14:49:51 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def self.should_block?(ip_address)
|
2013-10-23 17:11:11 -04:00
|
|
|
exists_for_ip_address_and_action?(ip_address, actions[:block])
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.is_whitelisted?(ip_address)
|
|
|
|
exists_for_ip_address_and_action?(ip_address, actions[:do_nothing])
|
|
|
|
end
|
|
|
|
|
2017-07-27 21:20:09 -04:00
|
|
|
def self.exists_for_ip_address_and_action?(ip_address, action_type, opts = {})
|
2013-10-21 14:49:51 -04:00
|
|
|
b = match_for_ip_address(ip_address)
|
2017-07-27 21:20:09 -04:00
|
|
|
found = (!!b && b.action_type == (action_type))
|
|
|
|
b.record_match! if found && opts[:record_match] != (false)
|
2014-09-04 18:50:27 -04:00
|
|
|
found
|
|
|
|
end
|
|
|
|
|
2015-03-02 12:13:10 -05:00
|
|
|
def self.block_admin_login?(user, ip_address)
|
2015-09-21 16:56:25 -04:00
|
|
|
return false unless SiteSetting.use_admin_ip_whitelist
|
2014-09-04 18:50:27 -04:00
|
|
|
return false if user.nil?
|
|
|
|
return false if !user.admin?
|
|
|
|
return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
|
|
|
|
return true if ip_address.nil?
|
|
|
|
!exists_for_ip_address_and_action?(ip_address, actions[:allow_admin], record_match: false)
|
2013-10-21 14:49:51 -04:00
|
|
|
end
|
2015-03-09 13:55:17 -04:00
|
|
|
|
|
|
|
def self.star_subnets_query
|
|
|
|
@star_subnets_query ||= <<-SQL
|
|
|
|
SELECT network(inet(host(ip_address) || '/24')) AS ip_range
|
|
|
|
FROM screened_ip_addresses
|
|
|
|
WHERE action_type = #{ScreenedIpAddress.actions[:block]}
|
|
|
|
AND family(ip_address) = 4
|
|
|
|
AND masklen(ip_address) = 32
|
|
|
|
GROUP BY ip_range
|
|
|
|
HAVING COUNT(*) >= :min_count
|
|
|
|
SQL
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.star_star_subnets_query
|
|
|
|
@star_star_subnets_query ||= <<-SQL
|
|
|
|
WITH weighted_subnets AS (
|
|
|
|
SELECT network(inet(host(ip_address) || '/16')) AS ip_range,
|
|
|
|
CASE masklen(ip_address)
|
|
|
|
WHEN 32 THEN 1
|
|
|
|
WHEN 24 THEN :roll_up_weight
|
|
|
|
ELSE 0
|
|
|
|
END AS weight
|
|
|
|
FROM screened_ip_addresses
|
|
|
|
WHERE action_type = #{ScreenedIpAddress.actions[:block]}
|
|
|
|
AND family(ip_address) = 4
|
|
|
|
)
|
|
|
|
SELECT ip_range
|
|
|
|
FROM weighted_subnets
|
|
|
|
GROUP BY ip_range
|
|
|
|
HAVING SUM(weight) >= :min_count
|
|
|
|
SQL
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.star_subnets
|
|
|
|
min_count = SiteSetting.min_ban_entries_for_roll_up
|
|
|
|
ScreenedIpAddress.exec_sql(star_subnets_query, min_count: min_count).values.flatten
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.star_star_subnets
|
|
|
|
weight = SiteSetting.min_ban_entries_for_roll_up
|
|
|
|
ScreenedIpAddress.exec_sql(star_star_subnets_query, min_count: 10, roll_up_weight: weight).values.flatten
|
|
|
|
end
|
|
|
|
|
2017-07-27 21:20:09 -04:00
|
|
|
def self.roll_up(current_user = Discourse.system_user)
|
2015-03-09 13:55:17 -04:00
|
|
|
subnets = [star_subnets, star_star_subnets].flatten
|
|
|
|
|
|
|
|
StaffActionLogger.new(current_user).log_roll_up(subnets) unless subnets.blank?
|
|
|
|
|
|
|
|
subnets.each do |subnet|
|
2018-06-13 16:47:23 -04:00
|
|
|
ScreenedIpAddress.create(ip_address: subnet) unless ScreenedIpAddress.where("? <<= ip_address", subnet).exists?
|
2015-03-09 13:55:17 -04:00
|
|
|
|
|
|
|
sql = <<-SQL
|
|
|
|
UPDATE screened_ip_addresses
|
2018-06-13 16:47:23 -04:00
|
|
|
SET match_count = sum_match_count
|
|
|
|
, created_at = min_created_at
|
|
|
|
, last_match_at = max_last_match_at
|
2015-03-09 13:55:17 -04:00
|
|
|
FROM (
|
2018-06-13 16:47:23 -04:00
|
|
|
SELECT SUM(match_count) AS sum_match_count
|
|
|
|
, MIN(created_at) AS min_created_at
|
|
|
|
, MAX(last_match_at) AS max_last_match_at
|
2015-03-09 13:55:17 -04:00
|
|
|
FROM screened_ip_addresses
|
|
|
|
WHERE action_type = #{ScreenedIpAddress.actions[:block]}
|
|
|
|
AND family(ip_address) = 4
|
|
|
|
AND ip_address << :ip_address
|
|
|
|
) s
|
|
|
|
WHERE ip_address = :ip_address
|
|
|
|
SQL
|
|
|
|
|
|
|
|
ScreenedIpAddress.exec_sql(sql, ip_address: subnet)
|
|
|
|
|
|
|
|
ScreenedIpAddress.where(action_type: ScreenedIpAddress.actions[:block])
|
2017-07-27 21:20:09 -04:00
|
|
|
.where("family(ip_address) = 4")
|
|
|
|
.where("ip_address << ?", subnet)
|
|
|
|
.delete_all
|
2015-03-09 13:55:17 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
subnets
|
|
|
|
end
|
|
|
|
|
2013-10-21 14:49:51 -04:00
|
|
|
end
|
2013-12-05 01:40:35 -05:00
|
|
|
|
|
|
|
# == Schema Information
|
|
|
|
#
|
|
|
|
# Table name: screened_ip_addresses
|
|
|
|
#
|
|
|
|
# id :integer not null, primary key
|
|
|
|
# ip_address :inet not null
|
|
|
|
# action_type :integer not null
|
|
|
|
# match_count :integer default(0), not null
|
|
|
|
# last_match_at :datetime
|
2014-08-27 01:19:25 -04:00
|
|
|
# created_at :datetime not null
|
|
|
|
# updated_at :datetime not null
|
2013-12-05 01:40:35 -05:00
|
|
|
#
|
|
|
|
# Indexes
|
|
|
|
#
|
|
|
|
# index_screened_ip_addresses_on_ip_address (ip_address) UNIQUE
|
|
|
|
# index_screened_ip_addresses_on_last_match_at (last_match_at)
|
|
|
|
#
|