FIX: If an IP is blocked, don't allow people to login using it

This commit is contained in:
Robin Ward 2015-02-25 15:59:11 -05:00
parent 1a070b16e4
commit 3e2ba5b30b
2 changed files with 40 additions and 6 deletions


@ -52,14 +52,16 @@ class SessionController < ApplicationController
def sso_login def sso_login
unless SiteSetting.enable_sso unless SiteSetting.enable_sso
render nothing: true, status: 404 return render(nothing: true, status: 404)
return
end end
sso = DiscourseSingleSignOn.parse(request.query_string) sso = DiscourseSingleSignOn.parse(request.query_string)
if !sso.nonce_valid? if !sso.nonce_valid?
render text: I18n.t("sso.timeout_expired"), status: 500 return render(text: I18n.t("sso.timeout_expired"), status: 500)
return end
if ScreenedIpAddress.should_block?(request.remote_ip)
return render(text: I18n.t("sso.unknown_error"), status: 500)
end end
return_path = sso.return_path return_path = sso.return_path
@ -145,7 +147,8 @@ class SessionController < ApplicationController
return return
end end
if ScreenedIpAddress.block_login?(user, request.remote_ip) if ScreenedIpAddress.block_login?(user, request.remote_ip) ||
ScreenedIpAddress.should_block?(request.remote_ip)
return not_allowed_from_ip_address(user) return not_allowed_from_ip_address(user)
end end
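Review bot: In sso_login the new `ScreenedIpAddress.should_block?(request.remote_ip)` guard is evaluated only after `DiscourseSingleSignOn.parse` and the `nonce_valid?` check, so a request from a screened IP still has its payload parsed and its nonce validated (and possibly consumed, if that is what `nonce_valid?` does — not visible here) before it is refused, and it can still tell a timed-out nonce apart from a block. Placing the guard directly under the `enable_sso` check, `return render(text: I18n.t("sso.unknown_error"), status: 500) if ScreenedIpAddress.should_block?(request.remote_ip)`, refuses blocked clients before any SSO processing happens. A 500 also reads as a server fault for what is a policy decision, while the create path answers the same condition through `not_allowed_from_ip_address(user)`; a 403 here (the helper itself wants a user that sso_login does not have yet) would keep the two paths' semantics aligned. sso_login continues past the end of the first hunk, and the second hunk lies inside a method whose start and end are both outside it.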


@ -67,21 +67,39 @@ describe SessionController do
expect(logged_on_user.single_sign_on_record.external_username).to eq('sam') expect(logged_on_user.single_sign_on_record.external_username).to eq('sam')
end end
it 'respects IP restrictions' do def sso_for_ip_specs
sso = get_sso('/a/') sso = get_sso('/a/')
sso.external_id = '666' # the number of the beast sso.external_id = '666' # the number of the beast
sso.email = 'bob@bob.com' sso.email = 'bob@bob.com'
sso.name = 'Sam Saffron' sso.name = 'Sam Saffron'
sso.username = 'sam' sso.username = 'sam'
sso
end
it 'respects IP restrictions on create' do
screened_ip = Fabricate(:screened_ip_address) screened_ip = Fabricate(:screened_ip_address)
ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(screened_ip.ip_address) ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(screened_ip.ip_address)
sso = sso_for_ip_specs
get :sso_login, Rack::Utils.parse_query(sso.payload) get :sso_login, Rack::Utils.parse_query(sso.payload)
logged_on_user = Discourse.current_user_provider.new(request.env).current_user logged_on_user = Discourse.current_user_provider.new(request.env).current_user
expect(logged_on_user).to eq(nil) expect(logged_on_user).to eq(nil)
end end
it 'respects IP restrictions on login' do
sso = sso_for_ip_specs
user = DiscourseSingleSignOn.parse(sso.payload).lookup_or_create_user(request.remote_ip)
sso = sso_for_ip_specs
screened_ip = Fabricate(:screened_ip_address)
ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(screened_ip.ip_address)
get :sso_login, Rack::Utils.parse_query(sso.payload)
logged_on_user = Discourse.current_user_provider.new(request.env).current_user
expect(logged_on_user).to be_blank
end
it 'respects email restrictions' do it 'respects email restrictions' do
sso = get_sso('/a/') sso = get_sso('/a/')
sso.external_id = '666' # the number of the beast sso.external_id = '666' # the number of the beast
@ -367,6 +385,19 @@ describe SessionController do
end end
end end
describe 'with a blocked IP' do
before do
screened_ip = Fabricate(:screened_ip_address)
ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(screened_ip.ip_address)
xhr :post, :create, login: "@" + user.username, password: 'myawesomepassword'
user.reload
end
it "doesn't log in" do
expect(session[:current_user_id]).to be_nil
end
end
describe 'strips leading @ symbol' do describe 'strips leading @ symbol' do
before do before do
xhr :post, :create, login: "@" + user.username, password: 'myawesomepassword' xhr :post, :create, login: "@" + user.username, password: 'myawesomepassword'