feat(piaf): ajoute une retriction d'IP sur la vue de collecte de paiement

François Poulain 2018-09-18 18:44:36 +02:00 commité par François Poulain
Parent a398ed0c61
révision 9cd739064d
7 fichiers modifiés avec 46 ajouts et 2 suppressions


@ -47,3 +47,6 @@
# Numero de regie TIPI
# NUMERO_REGIE=000001
# SAISIE_TIPI=T
# RESEAU de la regie TIPI
# TIPI_TRUSTED_NETWORK=127.0.0.1


@ -14,6 +14,12 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import ipware
import ipaddress
from django.conf import settings
from django.http import HttpResponseNotFound
from piaf.base import models
@ -22,3 +28,16 @@ class HackyMessagesMixin ():
models.HackyMessages.process_messages(self.request)
context = super().get_context_data(**kwargs)
return context
class RestrictToTipiHost ():
def dispatch(self, *args, **kwargs):
trusted_network = ipaddress.ip_network(
settings.TIPI_TRUSTED_NETWORK,
strict=False
)
client_ip, is_routable = ipware.get_client_ip(self.request)
if ipaddress.ip_address(client_ip) not in trusted_network:
return HttpResponseNotFound()
else:
return super().dispatch(*args, **kwargs)
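Review bot: `ipaddress.ip_address(client_ip)` in the `not in trusted_network` test is reached even when ipware could not determine an address; `get_client_ip` returns `(None, False)` in that case (its documented behaviour — confirm against the version pinned), and `ip_address(None)` raises `ValueError`, so a request that should be refused becomes a 500 instead of the intended 404. Fold the missing-address case into the refusal: `if client_ip is None or ipaddress.ip_address(client_ip) not in trusted_network:`. Separately, ipware by default takes the address from forwarding headers such as `X-Forwarded-For` before falling back to `REMOTE_ADDR`, so this check is only as trustworthy as the reverse proxy that rewrites those headers; if the app is not deployed behind one, `self.request.META['REMOTE_ADDR']` is the safer source, and either way a comment above the lookup should state the deployment assumption (`# assumes a trusted reverse proxy sets the forwarding headers — TODO confirm`). The unused `is_routable` can be `_`, and the `else:` after a `return` is redundant — `return super().dispatch(*args, **kwargs)` can stand at method level.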


@ -449,3 +449,17 @@ class PayInvoiceOnBackendFailure(TestCase):
)
self.client.get(reverse('unpay_invoice'))
self.assertEqual(response.status_code, 200)
class TrustedPaidInvoice(TestCase):
def setUp(self):
self.client = Client()
def test_paid_invoice_authorized___but_fail(self):
response = self.client.post(reverse('paid_invoice'), follow=False)
self.assertEqual(response.status_code, 400)
def test_paid_invoice_unauthorized(self):
with self.settings(TIPI_TRUSTED_NETWORK='192.0.2.0/24'):
response = self.client.post(reverse('paid_invoice'), follow=False)
self.assertEqual(response.status_code, 404)
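Review bot: `setUp` re-creates `self.client`, which `django.test.TestCase` already provides fresh for every test, so the override is misleading and can be dropped. The two tests cover only the default network and a disjoint one; neither pins that the decision is taken on the address the test client places in `REMOTE_ADDR` (127.0.0.1), so a change in how `RestrictToTipiHost` resolves the client address would go unnoticed — a third test that posts with `REMOTE_ADDR='192.0.2.1'` under the default setting and expects 404 would document that contract. The triple underscore in `test_paid_invoice_authorized___but_fail` is unusual; `test_paid_invoice_authorized_but_invalid_form` says what the 400 means.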


@ -278,16 +278,18 @@ class PrepareMergedInvoices(PrepareInvoice):
return context
class PaidInvoice(generic.edit.FormView):
class PaidInvoice(mixins.RestrictToTipiHost, generic.edit.FormView):
http_method_names = ['post']
success_url = reverse_lazy('home')
form_class = forms.PaidInvoiceForm
context = {}
@method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
return super().dispatch(*args, **kwargs)
def form_invalid(self, form):
return HttpResponseBadRequest()
def form_valid(self, form):
# We don't use response from eopaiement.tipi since django's form
# validation is stronger
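Review bot: `PaidInvoice` now relies on `RestrictToTipiHost` as its only access control, because the class's own `dispatch` below the class line is `csrf_exempt` and `http_method_names` admits only POST, yet nothing in the class records that dependency. A comment above the decorator, `# csrf_exempt: the payment backend posts server-to-server; the IP restriction from RestrictToTipiHost is the only guard on this view`, would keep a later refactor from dropping the mixin silently. The class-level `context = {}` on the context line is a mutable shared across instances; it predates this commit but is worth a look while touching the class. The class body continues outside the hunk.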


@ -279,8 +279,11 @@ MESSAGE_TAGS = {
# ------------------------------------------------------------------------------
NUMERO_REGIE = env.str('NUMERO_REGIE', default='000001')
SAISIE_TIPI = env.str('SAISIE_TIPI', default='T')
TIPI_TRUSTED_NETWORK = env.str('TIPI_TRUSTED_NETWORK', default='127.0.0.1')
# RESTHYS CONNECTION
# ------------------------------------------------------------------------------
RESTHYS_BASEURL = env.str('RESTHYS_BASEURL', default='http://127.0.0.1:8080/')
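Review bot: `TIPI_TRUSTED_NETWORK` is read as a bare string with a single-host default while the example env file describes it as a network, and nothing here says the value is later parsed with `ipaddress.ip_network(strict=False)` in `RestrictToTipiHost`, so a reader cannot tell that a CIDR block such as `10.0.0.0/24` is accepted. A comment on the line, `# single address or CIDR block; parsed with ipaddress.ip_network(strict=False) by RestrictToTipiHost`, would make the accepted form explicit. The same comment applies to the production settings hunk below, where the value is required.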


@ -101,3 +101,5 @@ if not os.path.isdir(var_dir('log')):
# ------------------------------------------------------------------------------
# APPLICATION AND 3RD PARTY LIBRARY SETTINGS
# ------------------------------------------------------------------------------
TIPI_TRUSTED_NETWORK = env.str('TIPI_TRUSTED_NETWORK')
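Review bot: `env.str('TIPI_TRUSTED_NETWORK')` fails at startup when the variable is absent, which is the right behaviour for production, but a malformed value passes here and only surfaces as an unhandled `ValueError` from `ipaddress.ip_network` on the first payment callback. Parsing once at load, `TIPI_TRUSTED_NETWORK = str(ipaddress.ip_network(env.str('TIPI_TRUSTED_NETWORK'), strict=False))`, keeps the setting a string for the mixin while turning a typo into a deploy-time error; it needs `import ipaddress` at the top of the module, which is not visible in this hunk.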


@ -2,3 +2,4 @@ django >=2.0,<2.1
django-environ
git+https://forge.cliss21.org/fpoulain/eopayment.git@wip/python3#egg=eopayment
django-constance[database]
django-ipware
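Review bot: `django-ipware` is added without any version constraint, unlike `django >=2.0,<2.1` at the top of the same file. The new mixin depends on `get_client_ip` returning an `(ip, is_routable)` pair, which is the API of ipware's 2.x line onward; recording at least a lower bound, `django-ipware >=2.0`, ties the requirement to the API the code actually calls and keeps a fresh resolve from picking an older release that lacks it.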