chore: implement ip restriction on api endpoints

Author: gitstart_bot

server/covmanager/views.py

@@ -10,10 +10,11 @@
 from django.shortcuts import get_object_or_404, redirect, render
 from django.views.decorators.csrf import csrf_exempt
 from rest_framework import filters, mixins, viewsets
-from rest_framework.authentication import SessionAuthentication, TokenAuthentication
+from rest_framework.authentication import SessionAuthentication
 
 from crashmanager.models import Tool
 from server.views import JsonQueryFilterBackend, SimpleQueryFilterBackend
+from server.utils import IPRestrictedTokenAuthentication
 
 from .models import Collection, Report, ReportConfiguration, ReportSummary, Repository
 from .serializers import (
@@ -705,7 +706,7 @@ class CollectionViewSet(
     API endpoint that allows adding/viewing Collections
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = Collection.objects.all()
     serializer_class = CollectionSerializer
     paginate_by_param = "limit"
@@ -754,7 +755,7 @@ class ReportViewSet(
     API endpoint that allows viewing Reports
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = Report.objects.all()
     serializer_class = ReportSerializer
     paginate_by_param = "limit"
@@ -778,7 +779,7 @@ class RepositoryViewSet(
     API endpoint that allows viewing Repositories
     """
 
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
     queryset = Repository.objects.all()
     serializer_class = RepositorySerializer
     filter_backends = [JsonQueryFilterBackend]
@@ -819,7 +820,7 @@ class ReportConfigurationViewSet(
     API endpoint that allows adding/updating/viewing Report Configurations
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = ReportConfiguration.objects.all()
     serializer_class = ReportConfigurationSerializer
     filter_backends = [

server/crashmanager/tests/test_ip_restricted_token.py

@@ -0,0 +1,31 @@
+import pytest
+from django.conf import settings
+from django.contrib.auth.models import User
+from rest_framework.authtoken.models import Token
+import requests
+
+@pytest.fixture
+def allowed_ip():
+    return "127.0.0.1"
+
+@pytest.fixture
+def blocked_ip():
+    return "203.0.113.10"
+
+@pytest.fixture(autouse=True)
+def override_settings(allowed_ip):
+    settings.ALLOWED_IPS = [allowed_ip]
+
+@pytest.mark.django_db
+def test_allowed_ip_can_authenticate(api_client, user_normal, allowed_ip):
+    """Ensure authentication works for an allowed IP"""
+    response = api_client.get("/crashmanager/rest/crashes/", REMOTE_ADDR=allowed_ip)
+    assert response.status_code == 200
+
+@pytest.mark.django_db
+def test_blocked_ip_is_rejected(api_client, allowed_ip, blocked_ip):
+    """Ensure authentication fails for a blocked IP"""
+    response = api_client.get("/crashmanager/rest/crashes/", REMOTE_ADDR=blocked_ip)
+    assert response.status_code == 403
+    assert response.json()['detail'] == 'IP address restricted. Access denied.'
+

server/crashmanager/views.py

@@ -18,7 +18,7 @@
 from django.views.generic.list import ListView
 from notifications.models import Notification
 from rest_framework import mixins, status, viewsets
-from rest_framework.authentication import SessionAuthentication, TokenAuthentication
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import MethodNotAllowed, ValidationError
 from rest_framework.filters import BaseFilterBackend, OrderingFilter
@@ -28,6 +28,7 @@
 from FTB.ProgramConfiguration import ProgramConfiguration
 from FTB.Signatures.CrashInfo import CrashInfo
 from server.auth import CheckAppPermission
+from server.utils import IPRestrictedTokenAuthentication
 
 from .forms import (
     BugzillaTemplateBugForm,
@@ -1017,7 +1018,7 @@ class CrashEntryViewSet(
 ):
     """API endpoint that allows adding/viewing CrashEntries"""
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = CrashEntry.objects.all().select_related(
         "product", "platform", "os", "client", "tool", "testcase"
     )
@@ -1143,7 +1144,7 @@ class BucketViewSet(
 ):
     """API endpoint that allows viewing Buckets"""
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = Bucket.objects.all().select_related("bug", "bug__externalType")
     serializer_class = BucketSerializer
     filter_backends = [
@@ -1430,7 +1431,7 @@ class BugProviderViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
     API endpoint that allows listing BugProviders
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = BugProvider.objects.all()
     serializer_class = BugProviderSerializer
 
@@ -1442,7 +1443,7 @@ class BugzillaTemplateViewSet(
     API endpoint that allows viewing BugzillaTemplates
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = BugzillaTemplate.objects.all()
     serializer_class = BugzillaTemplateSerializer
 
@@ -1452,7 +1453,7 @@ class NotificationViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
     API endpoint that allows listing unread Notifications
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     serializer_class = NotificationSerializer
     filter_backends = [
         JsonQueryFilterBackend,
@@ -1545,7 +1546,7 @@ def get_query_obj(obj, key=None):
 
 
 class AbstractDownloadView(APIView):
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     permission_classes = (CheckAppPermission,)
 
     def response(self, file_path, filename, content_type="application/octet-stream"):
@@ -1765,7 +1766,7 @@ class CrashStatsViewSet(viewsets.GenericViewSet):
     API endpoint that allows retrieving CrashManager statistics
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     queryset = CrashEntry.objects.all()
     filter_backends = [
         ToolFilterCrashesBackend,

server/ec2spotmanager/views.py

@@ -14,11 +14,12 @@
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.timezone import now, timedelta
 from rest_framework import mixins, serializers, status, viewsets
-from rest_framework.authentication import SessionAuthentication, TokenAuthentication
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from server.auth import CheckAppPermission
+from server.utils import IPRestrictedTokenAuthentication
 
 from .CloudProvider.CloudProvider import (
     INSTANCE_STATE,
@@ -917,7 +918,7 @@ def get_labels(self, pool, entries):
 
 
 class MachineStatusViewSet(APIView):
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
 
     def get(self, request, *args, **kwargs):
         result = {}
@@ -947,7 +948,7 @@ class PoolConfigurationViewSet(
     API endpoint that allows viewing PoolConfigurations
     """
 
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
     permission_classes = (CheckAppPermission,)
     queryset = PoolConfiguration.objects.all()
     serializer_class = PoolConfigurationSerializer
@@ -964,7 +965,7 @@ def retrieve(self, request, *args, **kwds):
 
 
 class PoolCycleView(APIView):
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
     permission_classes = (CheckAppPermission,)
 
     def post(self, request, poolid, format=None):
@@ -982,7 +983,7 @@ def post(self, request, poolid, format=None):
 
 
 class PoolEnableView(APIView):
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
     permission_classes = (CheckAppPermission,)
 
     def post(self, request, poolid, format=None):
@@ -1002,7 +1003,7 @@ def post(self, request, poolid, format=None):
 
 
 class PoolDisableView(APIView):
-    authentication_classes = (TokenAuthentication,)
+    authentication_classes = (IPRestrictedTokenAuthentication,)
     permission_classes = (CheckAppPermission,)
 
     def post(self, request, poolid, format=None):

server/server/utils.py

@@ -4,6 +4,10 @@
 
 import redis
 
+from rest_framework.authentication import TokenAuthentication
+from rest_framework.exceptions import PermissionDenied
+from django.conf import settings
+
 LOG = logging.getLogger("fuzzmanager.utils")
 
 
@@ -64,3 +68,31 @@ def release(self):
             "Failed to release lock: %s(%s) != %s", self.name, self.unique_id, existing
         )
         return False
+
+def get_client_ip(request):
+    """
+    Extracts the client IP address from request headers.
+    """
+    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
+    if x_forwarded_for:
+        ip = x_forwarded_for.split(",")[0].strip()
+    else:
+        ip = request.META.get("REMOTE_ADDR")
+    
+    return ip
+
+class IPRestrictedTokenAuthentication(TokenAuthentication):
+    def authenticate(self, request):
+        if  self.is_ip_restricted(request):
+            raise PermissionDenied("IP address restricted. Access denied.")
+
+        return super().authenticate(request)
+
+    def is_ip_restricted(self, request):
+        allowed_ips = set(getattr(settings, "ALLOWED_IPS", []))
+        client_ip = get_client_ip(request)
+        if client_ip not in allowed_ips:
+            LOG.warning(f"IP address restricted: {client_ip}")
+            return True
+
+        return False

server/taskmanager/views.py

@@ -5,13 +5,14 @@
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils import timezone
 from rest_framework import mixins, status, viewsets
-from rest_framework.authentication import SessionAuthentication, TokenAuthentication
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
 
 from server.auth import CheckAppPermission
 from server.views import JsonQueryFilterBackend, SimpleQueryFilterBackend
+from server.utils import IPRestrictedTokenAuthentication
 
 from .models import Pool, Task
 from .serializers import (
@@ -54,7 +55,7 @@ class PoolViewSet(viewsets.ReadOnlyModelViewSet):
     API endpoint that allows viewing Pools
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     permission_classes = (CheckAppPermission,)
     queryset = Pool.objects.all()
     serializer_class = PoolSerializer
@@ -82,7 +83,7 @@ class TaskViewSet(
     API endpoint that allows viewing Tasks
     """
 
-    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    authentication_classes = (IPRestrictedTokenAuthentication, SessionAuthentication)
     permission_classes = (CheckAppPermission,)
     queryset = Task.objects.all()
     serializer_class = TaskSerializer
@@ -103,7 +104,7 @@ def get_serializer(self, *args, **kwds):
         return super().get_serializer(*args, **kwds)
 
     @action(
-        detail=False, methods=["post"], authentication_classes=(TokenAuthentication,)
+        detail=False, methods=["post"], authentication_classes=(IPRestrictedTokenAuthentication,)
     )
     def update_status(self, request):
         if set(request.data.keys()) != {"client", "status_data"}: