Class: ScreenedIpAddress
- Inherits:
-
ActiveRecord::Base
- Object
- ActiveRecord::Base
- ScreenedIpAddress
- Includes:
- ScreeningModel
- Defined in:
- app/models/screened_ip_address.rb
Overview
A ScreenedIpAddress record represents an IP address or subnet that is being watched, and possibly blocked from creating accounts.
Constant Summary collapse
- ROLLED_UP_BLOCKS =
[ # IPv4 [4, 32, 24], # IPv6 [6, (65..128).to_a, 64], [6, 64, 60], [6, 60, 56], [6, 56, 52], [6, 52, 48], ]
Class Method Summary collapse
- .block_admin_login?(user, ip_address) ⇒ Boolean
- .exists_for_ip_address_and_action?(ip_address, action_type, opts = {}) ⇒ Boolean
- .is_allowed?(ip_address) ⇒ Boolean
- .match_for_ip_address(ip_address) ⇒ Object
- .roll_up(current_user = Discourse.system_user) ⇒ Object
- .should_block?(ip_address) ⇒ Boolean
- .subnets(family, from_masklen, to_masklen) ⇒ Object
- .watch(ip_address, opts = {}) ⇒ Object
Instance Method Summary collapse
- #check_for_match ⇒ Object
-
#ip_address=(val) ⇒ Object
In Rails 4.0.0, validators are run to handle invalid assignments to inet columns (as they should).
-
#ip_address_with_mask ⇒ Object
Return a string with the ip address and mask in standard format.
Methods included from ScreeningModel
#action_name=, #record_match!, #set_default_action
Class Method Details
.block_admin_login?(user, ip_address) ⇒ Boolean
100 101 102 103 104 105 106 107 |
# File 'app/models/screened_ip_address.rb', line 100 def self.block_admin_login?(user, ip_address) return false unless SiteSetting.use_admin_ip_allowlist return false if user.nil? return false if !user.admin? return false if ScreenedIpAddress.where(action_type: actions[:allow_admin]).count == 0 return true if ip_address.nil? !exists_for_ip_address_and_action?(ip_address, actions[:allow_admin], record_match: false) end |
.exists_for_ip_address_and_action?(ip_address, action_type, opts = {}) ⇒ Boolean
93 94 95 96 97 98 |
# File 'app/models/screened_ip_address.rb', line 93 def self.exists_for_ip_address_and_action?(ip_address, action_type, opts = {}) b = match_for_ip_address(ip_address) found = !!b && b.action_type == action_type b.record_match! if found && opts[:record_match] != false found end |
.is_allowed?(ip_address) ⇒ Boolean
89 90 91 |
# File 'app/models/screened_ip_address.rb', line 89 def self.is_allowed?(ip_address) exists_for_ip_address_and_action?(ip_address, actions[:do_nothing]) end |
.match_for_ip_address(ip_address) ⇒ Object
74 75 76 77 78 79 80 81 82 83 |
# File 'app/models/screened_ip_address.rb', line 74 def self.match_for_ip_address(ip_address) # The <<= operator on inet columns means "is contained within or equal to". # # Read more about PostgreSQL's inet data type here: # # http://www.postgresql.org/docs/9.1/static/datatype-net-types.html # http://www.postgresql.org/docs/9.1/static/functions-net.html ip_address = IPAddr === ip_address ? ip_address.to_cidr_s : ip_address.to_s order("masklen(ip_address) DESC").find_by("? <<= ip_address", ip_address) end |
.roll_up(current_user = Discourse.system_user) ⇒ Object
135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 |
# File 'app/models/screened_ip_address.rb', line 135 def self.roll_up(current_user = Discourse.system_user) ROLLED_UP_BLOCKS.each do |family, from_masklen, to_masklen| ScreenedIpAddress .subnets(family, from_masklen, to_masklen) .map do |subnet| next if ScreenedIpAddress.where("? <<= ip_address", subnet).exists? old_ips = ScreenedIpAddress .where(action_type: ScreenedIpAddress.actions[:block]) .where("ip_address << ?", subnet) .where("family(ip_address) = ?", family) .where("masklen(ip_address) IN (?)", from_masklen) sum_match_count, max_last_match_at, min_created_at = old_ips.pick("SUM(match_count), MAX(last_match_at), MIN(created_at)") ScreenedIpAddress.create!( ip_address: subnet, match_count: sum_match_count, last_match_at: max_last_match_at, created_at: min_created_at, ) StaffActionLogger.new(current_user).log_roll_up(subnet, old_ips.map(&:ip_address)) old_ips.delete_all end end end |
.should_block?(ip_address) ⇒ Boolean
85 86 87 |
# File 'app/models/screened_ip_address.rb', line 85 def self.should_block?(ip_address) exists_for_ip_address_and_action?(ip_address, actions[:block]) end |
.subnets(family, from_masklen, to_masklen) ⇒ Object
109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
# File 'app/models/screened_ip_address.rb', line 109 def self.subnets(family, from_masklen, to_masklen) sql = <<~SQL WITH ips_and_subnets AS ( SELECT ip_address, network(inet(host(ip_address) || '/' || :to_masklen))::text subnet FROM screened_ip_addresses WHERE family(ip_address) = :family AND masklen(ip_address) IN (:from_masklen) AND action_type = :blocked ) SELECT subnet FROM ips_and_subnets GROUP BY subnet HAVING COUNT(*) >= :min_ban_entries_for_roll_up SQL DB.query_single( sql, family: family, from_masklen: from_masklen, to_masklen: to_masklen, blocked: ScreenedIpAddress.actions[:block], min_ban_entries_for_roll_up: SiteSetting.min_ban_entries_for_roll_up, ) end |
.watch(ip_address, opts = {}) ⇒ Object
26 27 28 29 |
# File 'app/models/screened_ip_address.rb', line 26 def self.watch(ip_address, opts = {}) match_for_ip_address(ip_address) || create(opts.slice(:action_type).merge(ip_address: ip_address)) end |
Instance Method Details
#check_for_match ⇒ Object
31 32 33 34 35 36 37 38 |
# File 'app/models/screened_ip_address.rb', line 31 def check_for_match if self.errors[:ip_address].blank? matched = self.class.match_for_ip_address(self.ip_address) if matched && matched.action_type == self.action_type self.errors.add(:ip_address, :ip_address_already_screened) end end end |
#ip_address=(val) ⇒ Object
In Rails 4.0.0, validators are run to handle invalid assignments to inet columns (as they should). In Rails 4.0.1, an exception is raised before validation happens, so we need this hack for inet/cidr columns:
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
# File 'app/models/screened_ip_address.rb', line 43 def ip_address=(val) if val.nil? self.errors.add(:ip_address, :invalid) return end if val.is_a?(IPAddr) write_attribute(:ip_address, val) return end v = IPAddr.handle_wildcards(val) if v.nil? self.errors.add(:ip_address, :invalid) return end write_attribute(:ip_address, v) # this gets even messier, Ruby 1.9.2 raised a different exception to Ruby 2.0.0 # handle both exceptions rescue ArgumentError, IPAddr::InvalidAddressError self.errors.add(:ip_address, :invalid) end |
#ip_address_with_mask ⇒ Object
Return a string with the ip address and mask in standard format. e.g., “127.0.0.0/8”.
70 71 72 |
# File 'app/models/screened_ip_address.rb', line 70 def ip_address_with_mask ip_address.try(:to_cidr_s) end |