Commit f56d3c01 authored by Imre Farkas's avatar Imre Farkas :palm_tree: Committed by GitLab Release Tools Bot

Set IP in ActionContoller filter before IP enforcement is evaluated

Merge branch 'security-407891-ip_enforcement_for_public_projects' into 'master'

See merge request gitlab-org/security/gitlab!3238

Changelog: security
parent 95fea5b3
......@@ -43,6 +43,14 @@ module GitHttpClientController
prepend_before_action do
redirect_to(geo_primary_full_url) if geo_redirect?
end
# Order of ActionController filters are important. IP must be set prior
# to using it in IpRestriction::Enforcer.
# However, Repositories::GitHttpClientController#authenticate_user
# (triggered via a controller filter) evaluates policies before setting
# the IP. The evaluated policies are cached, so IP enforcement is not
# checked anymore - even if IP is set at this point.
prepend_around_action :set_current_ip_address
end
private
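Review bot: The fix relies on `prepend_around_action :set_current_ip_address` staying the last `prepend_*` call in this block: Rails puts each prepended filter ahead of those prepended earlier, so any `prepend_before_action` added below it here, or in a class that includes this module, would run before the IP is set and, as the comment above it describes, leave a cached policy result that never re-checks the IP. The comment explains the symptom but not this ordering constraint, so I would append `# Keep this as the last prepend_* in this block: anything prepended after it runs first, i.e. before the IP is set.` to it. A spec that asserts `set_current_ip_address` is the first entry in the controller's callback chain would guard the ordering the comment depends on. The block closed by the `end` after the new line opens outside the hunk.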
......@@ -33,4 +33,57 @@
end
end
end
context 'group IP restriction' do
let_it_be(:group) { create(:group, :public) }
let_it_be(:project) { create(:project, :public, :repository, group: group) }
let(:repository_path) { "#{project.full_path}.git" }
let(:params) { { repository_path: repository_path, service: 'git-upload-pack' } }
before do
stub_licensed_features(group_ip_restriction: true)
allow(controller).to receive(:verify_workhorse_api!).and_return(true)
end
subject(:send_request) { get :info_refs, params: params }
context 'without enforced IP allowlist' do
it 'allows the request' do
send_request
expect(response).to have_gitlab_http_status(:ok)
end
end
context 'with enforced IP allowlist' do
before_all do
create(:ip_restriction, group: group, range: '192.168.0.0/24')
end
context 'when IP is allowed' do
before do
request.env['REMOTE_ADDR'] = '192.168.0.42'
end
it 'allows the request' do
send_request
expect(response).to have_gitlab_http_status(:ok)
end
end
context 'when IP is not allowed' do
before do
request.env['REMOTE_ADDR'] = '42.42.42.42'
end
it 'returns unauthorized' do
send_request
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
end
end
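Review bot: The new examples exercise the IP allowlist only through `info_refs` with `service: 'git-upload-pack'`, while the filter this commit reorders applies to every action of the controller; if the pack-serving actions of this controller are also routed through it, one `returns unauthorized` example for that path (same `request.env['REMOTE_ADDR'] = '42.42.42.42'` setup) would pin the fix beyond the advertisement request. Since the original bypass came from policies being evaluated and cached before the IP was set, it may also be worth a comment on the `context 'group IP restriction'` line saying that these examples are the regression test for that filter ordering, so the contexts are not trimmed later as redundant with the enforcer's own specs. Minor style: `let(:params) { { repository_path: repository_path, ... } }` could use the hash shorthand `{ repository_path:, service: 'git-upload-pack' }` if the project's Ruby version allows it. The three `end` lines at the top of the hunk close contexts that open outside it.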