check network access for Request an Account page

open-data · May 17, 2024 · d80d20d · d80d20d
1 parent 3508fce
commit d80d20d
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/ckanext/canada/helpers.py b/ckanext/canada/helpers.py
@@ -29,6 +29,8 @@
     from ckanext.xloader.utils import XLoaderFormats
 except ImportError:
     XLoaderFormats = None
+import os
+import ipaddress
 
 
 ORG_MAY_PUBLISH_OPTION = 'canada.publish_datasets_organization_name'
@@ -773,6 +775,40 @@ def date_field(field, pkg):
         return pkg.get(field).split(' ')[0]
     return pkg.get(field, None)
 
+def registry_network_access(remote_addr):
+    """
+    Only allow requests from GOC network to access
+    user account registration view
+   """
+    try:
+        client_ip = ipaddress.ip_address(remote_addr)
+    except ValueError:
+        return False
+
+    netlist_path = config.get('ckanext.canada.registry_network_list', '')
+    if not netlist_path:
+        return False
+    if not os.path.isfile(netlist_path):
+        return False
+
+    with open(netlist_path) as allow_list:
+        for line in allow_list:
+            # the netlist_path file is a combination of text, ip addresses and subnets
+            try:
+                ip = ipaddress.ip_address(line)
+                if client_ip == ip:
+                    return True
+            except ValueError:
+                pass
+
+            try:
+                ip_network = ipaddress.ip_network(line)
+                if client_ip in ip_network:
+                    return True
+            except ValueError:
+                pass
+        return False
+
 
 def split_piped_bilingual_field(field_text, client_lang):
     if field_text is not None and ' | ' in field_text:

diff --git a/ckanext/canada/plugins.py b/ckanext/canada/plugins.py
@@ -723,6 +723,7 @@ def get_helpers(self):
             'get_resource_view',
             'resource_view_type',
             'fgp_viewer_url',
+            'registry_network_access',
             'date_field',
             'split_piped_bilingual_field',
             'search_filter_pill_link_label',

diff --git a/ckanext/canada/view.py b/ckanext/canada/view.py
@@ -202,6 +202,15 @@ def post(self, package_type, id):
 
 
 class CanadaUserRegisterView(UserRegisterView):
+    def get(self, data=None, errors=None, error_summary=None):
+        # additional check to ensure user can access the Request an Account page
+        # only possible if accessing from GOC network
+        remote_addr = request.headers.get('X-Forwarded-For') or \
+                      request.environ.get('REMOTE_ADDR')
+        if not h.registry_network_access(remote_addr):
+            abort(403, _('Not authorized to see this page'))
+        return super(CanadaUserRegisterView, self).get()
+
     def post(self):
         params = parse_params(request.form)
         email=params.get('email', '')