Ability to Disable IP Whitelisting #24

Closed
bdukes opened this issue Jun 4, 2018 · 15 comments
Labels
enhancement New feature or request

Comments

@bdukes
Contributor

bdukes commented Jun 4, 2018

I would like to create a task for VSTS to use their CI/CD pipeline to deploy to different environments. However, because tasks are run from a pool of build agents in the cloud, I don't have a reliable IP address to whitelist (it is possible to get a list of public IP addresses used by VSTS, but it's a pretty long list and can change on a weekly basis).

So, for this scenario, it would be nice to be able to disable the IP whitelist for the deploy client. Is this an option y'all are open to?

@StevenFisherCantarus
Contributor

I think it's definitely an option that we are open to, providing that the setting is enabled by default and perhaps displays a short warning if disabled.

@Swimburger

@bdukes, a workaround could be to connect to your servers using VSTS, and then run the commands on the webservers themselves.
Though I agree, your scenario is viable and we should be able to disable IP whitelisting.

@bdukes
Contributor Author

bdukes commented Jun 5, 2018

Would we want that to be a setting on the API user, rather than on the module itself?

@Sniels that's a good idea, I should be able to use that workaround in the meantime

@Swimburger

For me personally, I'm mostly interested in the API for automation.
For the GUI, I'm of the opinion it should integrate with the DNN Roles system.
I would want to create a custom role "Module Installers", or use an existing role "Administrators", to only allow that role to access the PolyDeploy GUI.
This could be set in a config file, or in a setting to set via the PolyDeploy GUI.

@bdukes bdukes mentioned this issue Jun 5, 2018
@ghost

ghost commented Jun 6, 2018

@bdukes I think it would be great to have the flexibility to disable the IP Whitelist globally as well as being able to exclude particular API Users from it.

@Sniels Currently PolyDeploy is designed to only be accessible to host users, regardless of the permissions which are applied to the module on the page. This is intentional as it helps to ensure that PolyDeploy is secure by default.

@ghost ghost added the enhancement New feature or request label Jun 6, 2018
@bdukes
Contributor Author

bdukes commented Jun 6, 2018

A module that can install extensions must only be accessible to host users. However, I don't know that the IP whitelist to access the GUI interface is enough of a security benefit that it's worth the hassle. If a hacker can authenticate as a host user, it's trivial for them to add themselves to the IP whitelist, or just install via the standard interface. In my opinion, the IP whitelist is only useful for API access.

@bdukes
Contributor Author

bdukes commented Jun 6, 2018

FYI, I'm 99% of the way through implementing a Bypass IP Whitelist option for API users, just need to finish testing (hopefully today)

@ghost

ghost commented Jun 8, 2018

@bdukes I agree, once an attacker has access to a host account within DNN it's game over as far as what PolyDeploy would allow them to do versus what they can do through DNN's UI.

I'll raise the discussion to see if we can just apply IP Whitelisting for API users.

@ghost ghost closed this as completed Jun 11, 2018
@ghost ghost reopened this Jun 11, 2018
@mitchelsellers
Collaborator

@can-anierzad & @StevenFisherCantarus Any additional thoughts on removing the whitelist?

I'm attempting to use Version 0.7.0 and cannot even get the module to function. I've added the IP, but I'm guessing it is something about Azure and how it works that might be causing issues, as I'm not able to use it.

@ghost

ghost commented Jul 17, 2018

@mitchelsellers it's possible what you're experiencing is a bug where the action filter for whitelisting fails to determine the request originated on the local machine. Aside from that, you can check PolyDeploy's own EventLog table and it'll tell you what IP address is failing the whitelist check. That should allow you to get it up and running.

I think that being able to enable/disable the whitelist globally is a worthwhile addition, but the issue mentioned above needs to be fixed as well.

@mitchelsellers
Collaborator

@can-anierzad It appears that it is due to the IP appearing to have a port on it... but that port changes.
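The failure mode described in the comments above (a remote address that arrives as `ip:port` with a changing port, and local requests that are not recognised as local) can be handled by normalising the address before the whitelist comparison. The sketch below is an added example, not PolyDeploy's code: the function names, the `bypass_whitelist` flag and the loopback allowance are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

def normalize_client_ip(raw):
    """Parse 'ip', 'ipv4:port' or '[ipv6]:port'; return None if malformed."""
    if not raw:
        return None
    text = raw.strip()
    if text.startswith("["):
        # Bracketed IPv6, optionally followed by ":port"
        host, sep, rest = text[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            return None
        port = rest[1:] if rest else None
    elif text.count(":") == 1:
        # Exactly one colon can only be IPv4:port; bare IPv6 has two or more
        host, _, port = text.partition(":")
    else:
        host, port = text, None
    if port is not None and not port.isdigit():
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries
    return getattr(ip, "ipv4_mapped", None) or ip

def is_allowed(raw_remote, whitelist, bypass_whitelist=False):
    """Whitelist decision for one request; runs after authentication, never instead of it."""
    if bypass_whitelist:        # assumed per-API-user opt-out, as discussed in this issue
        return True
    ip = normalize_client_ip(raw_remote)
    if ip is None:
        return False            # fail closed on anything unparseable
    if ip.is_loopback:          # assumption: requests from the local machine are trusted
        return True
    # Entries may be single addresses or CIDR ranges; version mismatches never match
    return any(ip in ipaddress.ip_network(e, strict=False) for e in whitelist)

if __name__ == "__main__":
    # Constructed sample: the same client seen with two different source ports
    for remote in ("203.0.113.7:51234", "203.0.113.7:60001", "198.51.100.9:51234"):
        print(remote, is_allowed(remote, ["203.0.113.7"]))
```

Logging the raw value alongside the normalised one in the rejection event makes this class of mismatch visible when diagnosing a failed whitelist check.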

@mitchelsellers
Collaborator

I created #36 to properly document my concern

@ghost

ghost commented Oct 4, 2018

@bdukes am I right in thinking that you raised an MR that resolves this issue? Just wondering if I can close.

@bdukes
Contributor Author

bdukes commented Oct 4, 2018

#31 resolves the issue for API users, but I haven't submitted a PR to turn off IP whitelisting for the module UI.

@bdukes bdukes mentioned this issue Jan 16, 2019
@ghost

ghost commented Feb 12, 2019

Resolved by #31 and #47.

@ghost ghost closed this as completed Feb 12, 2019
This issue was closed.