Add IP-based rules (#14963)

2020-10-12 16:33:49 +02:00 · 2020-10-12 16:33:49 +02:00 · 5e1364c448
commit 5e1364c448
parent dc52a778e1
30 changed files with 530 additions and 21 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -42,6 +42,10 @@ class Rack::Attack
    req.remote_ip == '127.0.0.1' || req.remote_ip == '::1'
  end

+  Rack::Attack.blocklist('deny from blocklist') do |req|
+    IpBlock.blocked?(req.remote_ip)
+  end
+
  throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req|
    req.authenticated_user_id if req.api_request?
  end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -223,12 +223,14 @@ en:
        create_domain_allow: Create Domain Allow
        create_domain_block: Create Domain Block
        create_email_domain_block: Create E-mail Domain Block
+        create_ip_block: Create IP rule
        demote_user: Demote User
        destroy_announcement: Delete Announcement
        destroy_custom_emoji: Delete Custom Emoji
        destroy_domain_allow: Delete Domain Allow
        destroy_domain_block: Delete Domain Block
        destroy_email_domain_block: Delete e-mail domain block
+        destroy_ip_block: Delete IP rule
        destroy_status: Delete Status
        disable_2fa_user: Disable 2FA
        disable_custom_emoji: Disable Custom Emoji
@ -259,12 +261,14 @@ en:
        create_domain_allow: "%{name} allowed federation with domain %{target}"
        create_domain_block: "%{name} blocked domain %{target}"
        create_email_domain_block: "%{name} blocked e-mail domain %{target}"
+        create_ip_block: "%{name} created rule for IP %{target}"
        demote_user: "%{name} demoted user %{target}"
        destroy_announcement: "%{name} deleted announcement %{target}"
        destroy_custom_emoji: "%{name} destroyed emoji %{target}"
        destroy_domain_allow: "%{name} disallowed federation with domain %{target}"
        destroy_domain_block: "%{name} unblocked domain %{target}"
        destroy_email_domain_block: "%{name} unblocked e-mail domain %{target}"
+        destroy_ip_block: "%{name} deleted rule for IP %{target}"
        destroy_status: "%{name} removed status by %{target}"
        disable_2fa_user: "%{name} disabled two factor requirement for user %{target}"
        disable_custom_emoji: "%{name} disabled emoji %{target}"
@ -449,6 +453,21 @@ en:
        expired: Expired
        title: Filter
      title: Invites
+    ip_blocks:
+      add_new: Create rule
+      created_msg: Successfully added new IP rule
+      delete: Delete
+      expires_in:
+        '1209600': 2 weeks
+        '15778476': 6 months
+        '2629746': 1 month
+        '31556952': 1 year
+        '86400': 1 day
+        '94670856': 3 years
+      new:
+        title: Create new IP rule
+      no_ip_block_selected: No IP rules were changed as none were selected
+      title: IP rules
    pending_accounts:
      title: Pending accounts (%{count})
    relationships:
--- a/config/locales/simple_form.en.yml
+++ b/config/locales/simple_form.en.yml
@ -65,6 +65,14 @@ en:
        data: CSV file exported from another Mastodon server
      invite_request:
        text: This will help us review your application
+      ip_block:
+        comment: Optional. Remember why you added this rule.
+        expires_in: IP addresses are a finite resource, they are sometimes shared and often change hands. For this reason, indefinite IP blocks are not recommended.
+        ip: Enter an IPv4 or IPv6 address. You can block entire ranges using the CIDR syntax. Be careful not to lock yourself out!
+        severities:
+          no_access: Block access to all resources
+          sign_up_requires_approval: New sign-ups will require your approval
+        severity: Choose what will happen with requests from this IP
      sessions:
        otp: 'Enter the two-factor code generated by your phone app or use one of your recovery codes:'
        webauthn: If it's an USB key be sure to insert it and, if necessary, tap it.
@ -170,6 +178,13 @@ en:
        comment: Comment
      invite_request:
        text: Why do you want to join?
+      ip_block:
+        comment: Comment
+        ip: IP
+        severities:
+          no_access: Block access
+          sign_up_requires_approval: Limit sign-ups
+        severity: Rule
      notification_emails:
        digest: Send digest e-mails
        favourite: Someone favourited your status
--- a/config/navigation.rb
+++ b/config/navigation.rb
@ -41,6 +41,7 @@ SimpleNavigation::Configuration.run do |navigation|
      s.item :tags, safe_join([fa_icon('hashtag fw'), t('admin.tags.title')]), admin_tags_path, highlights_on: %r{/admin/tags}
      s.item :instances, safe_join([fa_icon('cloud fw'), t('admin.instances.title')]), admin_instances_url(limited: whitelist_mode? ? nil : '1'), highlights_on: %r{/admin/instances|/admin/domain_blocks|/admin/domain_allows}, if: -> { current_user.admin? }
      s.item :email_domain_blocks, safe_join([fa_icon('envelope fw'), t('admin.email_domain_blocks.title')]), admin_email_domain_blocks_url, highlights_on: %r{/admin/email_domain_blocks}, if: -> { current_user.admin? }
+      s.item :ip_blocks, safe_join([fa_icon('ban fw'), t('admin.ip_blocks.title')]), admin_ip_blocks_url, highlights_on: %r{/admin/ip_blocks}, if: -> { current_user.admin? }
    end

    n.item :admin, safe_join([fa_icon('cogs fw'), t('admin.title')]), admin_dashboard_url, if: proc { current_user.staff? } do |s|
--- a/config/routes.rb
+++ b/config/routes.rb
@ -283,6 +283,12 @@ Rails.application.routes.draw do
      end
    end

+    resources :ip_blocks, only: [:index, :new, :create] do
+      collection do
+        post :batch
+      end
+    end
+
    resources :account_moderation_notes, only: [:create, :destroy]

    resources :tags, only: [:index, :show, :update] do