Allow ip subnet comparison in ussd ip access check

2021-04-06 18:24:49 +02:00 · 2021-04-06 18:24:49 +02:00 · e668d0b8b3
commit e668d0b8b3
parent 7728f38f14
8 changed files with 19 additions and 11 deletions
--- a/apps/cic-notify/docker/Dockerfile
+++ b/apps/cic-notify/docker/Dockerfile
@ -1,4 +1,4 @@
-FROM python:3.8.6
+FROM python:3.8.6-slim-buster

 RUN apt-get update && \
 	apt install -y gcc gnupg libpq-dev wget make g++ gnupg bash procps
@ -6,7 +6,7 @@ RUN apt-get update && \
 WORKDIR /usr/src/cic-notify

 ARG pip_extra_index_url_flag='--index https://pypi.org/simple --extra-index-url https://pip.grassrootseconomics.net:8433'
-RUN pip install $pip_extra_index_url_flag cic-base[full_graph]==0.1.2a44
+RUN pip install $pip_extra_index_url_flag cic-base[full_graph]==0.1.2a61

 COPY cic-notify/setup.cfg \
 	 cic-notify/setup.py \
--- a/apps/cic-notify/requirements.txt
+++ b/apps/cic-notify/requirements.txt
@ -1 +1 @@
-cic_base[full_graph]~=0.1.2a46
+cic_base[full_graph]~=0.1.2a61
--- a/apps/cic-notify/setup.cfg
+++ b/apps/cic-notify/setup.cfg
@ -1,6 +1,6 @@
 [metadata]
 name = cic-notify
-version= 0.4.0a2
+version= 0.4.0a3
 description = CIC notifications service
 author = Louis Holbrook
 author_email = dev@holbrook.no
--- a/apps/cic-ussd/.config/app.ini
+++ b/apps/cic-ussd/.config/app.ini
@ -1,5 +1,5 @@
 [app]
-ALLOWED_IP=127.0.0.1
+ALLOWED_IP=0.0.0.0/0
 LOCALE_FALLBACK=en
 LOCALE_PATH=var/lib/locale/
 MAX_BODY_LENGTH=1024
--- a/apps/cic-ussd/cic_ussd/validator.py
+++ b/apps/cic-ussd/cic_ussd/validator.py
@ -1,6 +1,7 @@
 # standard imports
 import logging
 import re
+import ipaddress

 # third-party imports
 from confini import Config
@ -20,7 +21,14 @@ def check_ip(config: Config, env: dict):
    :return: Request IP validity
    :rtype: boolean
    """
-    return env.get('REMOTE_ADDR') == config.get('APP_ALLOWED_IP')
+    # TODO: do once at boot time
+    actual_ip = ipaddress.ip_network(env.get('REMOTE_ADDR') + '/32')
+    for allowed_net_src in config.get('APP_ALLOWED_IP').split(','):
+        allowed_net = ipaddress.ip_network(allowed_net_src)
+        if actual_ip.subnet_of(allowed_net):
+            return True
+
+    return False


 def check_request_content_length(config: Config, env: dict):
--- a/apps/cic-ussd/docker/Dockerfile
+++ b/apps/cic-ussd/docker/Dockerfile
@ -51,4 +51,4 @@ RUN cd cic-ussd && \
 COPY cic-ussd/.config/ /usr/local/etc/cic-ussd/
 COPY cic-ussd/cic_ussd/db/migrations/ /usr/local/share/cic-ussd/alembic

-WORKDIR /root
+WORKDIR /root
--- a/apps/cic-ussd/requirements.txt
+++ b/apps/cic-ussd/requirements.txt
@ -1,4 +1,4 @@
-cic_base[full_graph]~=0.1.2a58
-cic-eth~=0.11.0a4
+cic_base[full_graph]~=0.1.2a61
+cic-eth~=0.11.0b1
 cic-notify~=0.4.0a3
 cic-types~=0.1.0a10
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -490,9 +490,9 @@ services:
      DATABASE_ENGINE: postgresql
      DATABASE_DRIVER: psycopg2
      PGP_PASSPHRASE: merman
-      SERVER_PORT: 8000
+      SERVER_PORT: 9000
    ports:
-      - ${HTTP_PORT_CIC_USSD:-63315}:8000
+      - ${HTTP_PORT_CIC_USSD:-63315}:9000
    depends_on:
      - postgres
      - redis