Class: ScreenedIpAddress

Inherits:

ActiveRecord::Base

• Object
• ActiveRecord::Base
• ScreenedIpAddress

Includes:

ScreeningModel

Defined in:

app/models/screened_ip_address.rb

Overview

A ScreenedIpAddress record represents an IP address or subnet that is being watched, and possibly blocked from creating accounts.

Constant Summary

ROLLED_UP_BLOCKS =

[
  # IPv4
  [4, 32, 24],
  # IPv6
  [6, (65..128).to_a, 64],
  [6, 64, 60],
  [6, 60, 56],
  [6, 56, 52],
  [6, 52, 48],
]

Class Method Summary

• .block_admin_login?(user, ip_address) ⇒ Boolean
• .exists_for_ip_address_and_action?(ip_address, action_type, opts = {}) ⇒ Boolean
• .is_allowed?(ip_address) ⇒ Boolean
• .match_for_ip_address(ip_address) ⇒ Object
• .roll_up(current_user = Discourse.system_user) ⇒ Object
• .should_block?(ip_address) ⇒ Boolean
• .subnets(family, from_masklen, to_masklen) ⇒ Object
• .watch(ip_address, opts = {}) ⇒ Object

Instance Method Summary

• #check_for_match ⇒ Object
• #ip_address=(val) ⇒ Object

  In Rails 4.0.0, validators are run to handle invalid assignments to inet columns (as they should).

• #ip_address_with_mask ⇒ Object

  Return a string with the ip address and mask in standard format.

Methods included from ScreeningModel

#action_name=, #record_match!, #set_default_action

Class Method Details

.block_admin_login?(user, ip_address) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/screened_ip_address.rb', line 100

def self.block_admin_login?(user, ip_address)
  return false unless SiteSetting.use_admin_ip_allowlist
  return false if user.nil?
  return false if !user.admin?
  return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0
  return true if ip_address.nil?
  !exists_for_ip_address_and_action?(ip_address, actions[:allow_admin], record_match: false)
end

.exists_for_ip_address_and_action?(ip_address, action_type, opts = {}) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/screened_ip_address.rb', line 93

def self.exists_for_ip_address_and_action?(ip_address, action_type, opts = {})
  b = match_for_ip_address(ip_address)
  found = !!b && b.action_type == action_type
  b.record_match! if found && opts[:record_match] != false
  found
end

.is_allowed?(ip_address) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/screened_ip_address.rb', line 89

def self.is_allowed?(ip_address)
  exists_for_ip_address_and_action?(ip_address, actions[:do_nothing])
end

.match_for_ip_address(ip_address) ⇒ Object

# File 'app/models/screened_ip_address.rb', line 74

def self.match_for_ip_address(ip_address)
  # The <<= operator on inet columns means "is contained within or equal to".
  #
  # Read more about PostgreSQL's inet data type here:
  #
  #   http://www.postgresql.org/docs/9.1/static/datatype-net-types.html
  #   http://www.postgresql.org/docs/9.1/static/functions-net.html
  ip_address = IPAddr === ip_address ? ip_address.to_cidr_s : ip_address.to_s
  order("masklen(ip_address) DESC").find_by("? <<= ip_address", ip_address)
end

.roll_up(current_user = Discourse.system_user) ⇒ Object

# File 'app/models/screened_ip_address.rb', line 135

def self.roll_up(current_user = Discourse.system_user)
  ROLLED_UP_BLOCKS.each do |family, from_masklen, to_masklen|
    ScreenedIpAddress
      .subnets(family, from_masklen, to_masklen)
      .map do |subnet|
        next if ScreenedIpAddress.where("? <<= ip_address", subnet).exists?

        old_ips =
          ScreenedIpAddress
            .where(action_type: ScreenedIpAddress.actions[:block])
            .where("ip_address << ?", subnet)
            .where("family(ip_address) = ?", family)
            .where("masklen(ip_address) IN (?)", from_masklen)

        sum_match_count, max_last_match_at, min_created_at =
          old_ips.pick("SUM(match_count), MAX(last_match_at), MIN(created_at)")

        ScreenedIpAddress.create!(
          ip_address: subnet,
          match_count: sum_match_count,
          last_match_at: max_last_match_at,
          created_at: min_created_at,
        )

        StaffActionLogger.new(current_user).log_roll_up(subnet, old_ips.map(&:ip_address))
        old_ips.delete_all
      end
  end
end

.should_block?(ip_address) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/screened_ip_address.rb', line 85

def self.should_block?(ip_address)
  exists_for_ip_address_and_action?(ip_address, actions[:block])
end

.subnets(family, from_masklen, to_masklen) ⇒ Object

# File 'app/models/screened_ip_address.rb', line 109

def self.subnets(family, from_masklen, to_masklen)
  sql = <<~SQL
    WITH ips_and_subnets AS (
      SELECT ip_address,
             network(inet(host(ip_address) || '/' || :to_masklen))::text subnet
      FROM screened_ip_addresses
      WHERE family(ip_address) = :family AND
            masklen(ip_address) IN (:from_masklen) AND
            action_type = :blocked
    )
    SELECT subnet
    FROM ips_and_subnets
    GROUP BY subnet
    HAVING COUNT(*) >= :min_ban_entries_for_roll_up
  SQL

  DB.query_single(
    sql,
    family: family,
    from_masklen: from_masklen,
    to_masklen: to_masklen,
    blocked: ScreenedIpAddress.actions[:block],
    min_ban_entries_for_roll_up: SiteSetting.min_ban_entries_for_roll_up,
  )
end

.watch(ip_address, opts = {}) ⇒ Object

# File 'app/models/screened_ip_address.rb', line 26

def self.watch(ip_address, opts = {})
  match_for_ip_address(ip_address) ||
    create(opts.slice(:action_type).merge(ip_address: ip_address))
end

Instance Method Details

#check_for_match ⇒ Object

# File 'app/models/screened_ip_address.rb', line 31

def check_for_match
  unless self.errors[:ip_address].present?
    matched = self.class.match_for_ip_address(self.ip_address)
    if matched && matched.action_type == self.action_type
      self.errors.add(:ip_address, :ip_address_already_screened)
    end
  end
end

#ip_address=(val) ⇒ Object

In Rails 4.0.0, validators are run to handle invalid assignments to inet columns (as they should). In Rails 4.0.1, an exception is raised before validation happens, so we need this hack for inet/cidr columns:

# File 'app/models/screened_ip_address.rb', line 43

def ip_address=(val)
  if val.nil?
    self.errors.add(:ip_address, :invalid)
    return
  end

  if val.is_a?(IPAddr)
    write_attribute(:ip_address, val)
    return
  end

  v = IPAddr.handle_wildcards(val)

  if v.nil?
    self.errors.add(:ip_address, :invalid)
    return
  end

  write_attribute(:ip_address, v)

  # this gets even messier, Ruby 1.9.2 raised a different exception to Ruby 2.0.0
  # handle both exceptions
rescue ArgumentError, IPAddr::InvalidAddressError
  self.errors.add(:ip_address, :invalid)
end

#ip_address_with_mask ⇒ Object

Return a string with the ip address and mask in standard format. e.g., “127.0.0.0/8”.

# File 'app/models/screened_ip_address.rb', line 70

def ip_address_with_mask
  ip_address.try(:to_cidr_s)
end