Implement IP blacklist for user-initiated requests.
Showing
13 changed files
with
539 additions
and
131 deletions.
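--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,105 @@
+// Sandstorm - Personal Cloud Sandbox
+// Copyright (c) 2017 Sandstorm Development Group, Inc. and contributors
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { PRIVATE_IPV4_ADDRESSES, PRIVATE_IPV6_ADDRESSES } from "/imports/constants.js";
+
+const DEFAULT_IP_BLACKLIST = PRIVATE_IPV4_ADDRESSES.concat(PRIVATE_IPV6_ADDRESSES).join("\n");
+
+Template.newAdminNetworking.onCreated(function () {
+  this.originalIpBlacklist = globalDb.getSettingWithFallback("ipBlacklist", "");
+  this.ipBlacklist = new ReactiveVar(this.originalIpBlacklist);
+  this.formState = new ReactiveVar({
+    state: "edit", // Other allowed states: "submitting", "success", and "error"
+    message: undefined,
+  });
+});
+
+Template.newAdminNetworking.helpers({
+  ipBlacklist() {
+    const instance = Template.instance();
+    return instance.ipBlacklist.get();
+  },
+
+  saveDisabled() {
+    const instance = Template.instance();
+    return instance.formState.get().state === "submitting" ||
+        instance.ipBlacklist.get() === instance.originalIpBlacklist;
+  },
+
+  restoreDisabled() {
+    const instance = Template.instance();
+    return instance.ipBlacklist.get() === DEFAULT_IP_BLACKLIST;
+  },
+
+  hasError() {
+    const instance = Template.instance();
+    return instance.formState.get().state === "error";
+  },
+
+  hasSuccess() {
+    const instance = Template.instance();
+    return instance.formState.get().state === "success";
+  },
+
+  message() {
+    const instance = Template.instance();
+    return instance.formState.get().message;
+  },
+});
+
+Template.newAdminNetworking.events({
+  "submit .admin-networking"(evt) {
+    evt.preventDefault();
+    evt.stopPropagation();
+  },
+
+  "input textarea.ip-blacklist"(evt) {
+    evt.preventDefault();
+    evt.stopPropagation();
+    const instance = Template.instance();
+    instance.ipBlacklist.set(evt.currentTarget.value);
+  },
+
+  "click .save"(evt) {
+    const instance = Template.instance();
+    const newIpBlacklist = instance.ipBlacklist.get();
+
+    instance.formState.set({
+      state: "submitting",
+      message: "",
+    });
+
+    Meteor.call("setSetting", undefined, "ipBlacklist", newIpBlacklist, (err) => {
+      if (err) {
+        instance.formState.set({
+          state: "error",
+          message: err.message,
+        });
+      } else {
+        instance.originalIpBlacklist = newIpBlacklist;
+        instance.formState.set({
+          state: "success",
+          message: "Saved changes.",
+        });
+      }
+    });
+  },
+
+  "click .restore"(evt) {
+    const instance = Template.instance();
+    instance.ipBlacklist.set(DEFAULT_IP_BLACKLIST);
+  },
+});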
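Review bot: The fallback in `onCreated` is the empty string (`globalDb.getSettingWithFallback("ipBlacklist", "")`) while the rest of the file and the page subtext treat `DEFAULT_IP_BLACKLIST` as the default, so on an instance where the setting was never saved the textarea is empty and `restoreDisabled` returns false, and the admin cannot tell from the form whether the private-range defaults are actually being enforced. If an absent setting means "use the defaults" on the server (that code is not in this hunk), the line should read `this.originalIpBlacklist = globalDb.getSettingWithFallback("ipBlacklist", DEFAULT_IP_BLACKLIST);`; if absent means "no blacklist", the current fallback is accurate but the UI should say so explicitly. Nothing between the `input` handler and the `setSetting` call checks that each line is an IP address or CIDR block, so a mistyped entry is persisted as-is and whether it is dropped or rejected depends entirely on the server-side parser; a client-side parse step that surfaces bad lines before enabling Save would make the accepted format visible to the admin. A one-line comment above `DEFAULT_IP_BLACKLIST` noting that it is newline-separated to match the textarea and the stored setting would help the next reader.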
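--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,37 @@
+<template name="newAdminNetworking">
+  <h1>
+    <ul class="admin-breadcrumbs">
+      <li>{{#linkTo route="newAdminRoot"}}Admin{{/linkTo}}</li>
+      <li>Security</li>
+    </ul>
+  </h1>
+
+  {{#if hasSuccess}}
+    {{#focusingSuccessBox}}
+      {{message}}
+    {{/focusingSuccessBox}}
+  {{/if}}
+  {{#if hasError}}
+    {{#focusingErrorBox}}
+      {{message}}
+    {{/focusingErrorBox}}
+  {{/if}}
+
+  <form class="admin-networking">
+    <div class="form-group">
+      <label>
+        Server-side request IP blacklist:
+        <textarea class="ip-blacklist" value="{{ ipBlacklist }}"></textarea>
+      </label>
+      <span class="form-subtext">Users will be prohibited from making requests to these IP addresses. This includes making a request from an app, downloading an SPK file from a user-provided URL, etc. You may specify one IP address or network (in CIDR notation, e.g. "127.0.0.0/8") per line. The default value includes standard local and private network addresses. Note that when an HTTP proxy is in use, this setting may be ignored; the proxy must implement its own blacklist.</span>
+    </div>
+
+    {{!-- TODO(someday): Allow whitelisting certain IPs or hosts? --}}
+    {{!-- TODO(someday): Configure HTTP proxy here. --}}
+
+    <div class="button-row">
+      <button type="submit" class="save" disabled="{{saveDisabled}}">Save</button>
+      <button type="button" class="restore" disabled="{{restoreDisabled}}">Restore defaults</button>
+    </div>
+  </form>
+</template>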
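Review bot: The form lets an admin save an empty blacklist with no signal that this turns off the protection the subtext describes: the Save button is only disabled while submitting or when the text is unchanged, so clearing the textarea and clicking Save removes every private-range entry. Since that is presumably rare and deliberate, a warning sentence at the end of the subtext such as `Leaving this field empty disables the blacklist entirely.` would make the consequence visible; a confirmation step on an empty save would be the stronger option. The subtext could also state what happens to a line that does not parse as an address or CIDR block, since the client passes the text through unchanged and the admin otherwise has no way to know whether a bad line is ignored or rejected.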
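--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,20 @@
+.admin-networking {
+  @extend %standard-form;
+
+  textarea {
+    min-height: 200px;
+    font-family: monospace;
+  }
+
+  .save {
+    @extend %button-base;
+    @extend %button-primary;
+    margin-left: 10px;
+  }
+
+  .restore {
+    @extend %button-base;
+    @extend %button-secondary;
+    margin-left: 10px;
+  }
+}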