Merge pull request #28 from SonicGarden/good_job_ip_limit

[review] 本番環境のgood_jobダッシュボードにはproxy経由以外ではアクセス不可に
SonicGarden · Nov 7, 2023 · 68c8ac0 · 68c8ac0
2 parents 44c2e32 + ae7b909
commit 68c8ac0
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 32 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -6,7 +6,6 @@ PATH
       aws-sdk-scheduler (~> 1.10)
       lograge (~> 0.12)
       puma
-      rack-attack (~> 6.6)
 
 GEM
   remote: https://rubygems.org/
@@ -71,8 +70,6 @@ GEM
       nio4r (~> 2.0)
     racc (1.6.2)
     rack (2.2.6.2)
-    rack-attack (6.7.0)
-      rack (>= 1.0, < 4)
     rack-test (2.0.2)
       rack (>= 1.3)
     rails-dom-testing (2.0.3)

diff --git a/lib/sg_fargate_rails/config.rb b/lib/sg_fargate_rails/config.rb
@@ -1,10 +1,13 @@
 module SgFargateRails
   class Config
-    attr_accessor :paths_to_allow_access_only_from_proxy
     attr_reader :proxy_ip_addresses
 
+    # NOTE: good_jobダッシュボードへのアクセスをproxy経由のアクセスに制限するかどうか
+    attr_accessor :restrict_access_to_good_job_dashboard
+
     def initialize
       self.proxy_ip_addresses = ENV['SG_PROXY_IP_ADDRESSES']
+      self.restrict_access_to_good_job_dashboard = Rails.env.production?
     end
 
     def proxy_ip_addresses=(ip_addresses)

diff --git a/lib/sg_fargate_rails/rack_attack.rb b/lib/sg_fargate_rails/rack_attack.rb
diff --git a/lib/sg_fargate_rails/railtie.rb b/lib/sg_fargate_rails/railtie.rb
@@ -1,7 +1,6 @@
 require 'sg_fargate_rails/adjust_cloudfront_headers'
 require 'sg_fargate_rails/healthcheck'
 require 'sg_fargate_rails/maintenance'
-require 'sg_fargate_rails/rack_attack'
 require 'sg_fargate_rails/remote_ip'
 require 'sg_fargate_rails/task_protection'
 
@@ -13,13 +12,21 @@ class Railtie < ::Rails::Railtie
 
     initializer :initialize_sg_fargate_rails do |app|
       unless ::Rails.env.in?(%w[development test])
-        SgFargateRails::RackAttack.setup
-
         app.config.middleware.insert 0, SgFargateRails::AdjustCloudfrontHeaders
         app.config.middleware.insert 1, SgFargateRails::Healthcheck
         app.config.middleware.insert 2, SgFargateRails::Maintenance
         app.config.middleware.swap ActionDispatch::RemoteIp, SgFargateRails::RemoteIp, app.config.action_dispatch.ip_spoofing_check, app.config.action_dispatch.trusted_proxies
       end
+
+      ActiveSupport.on_load(:good_job_application_controller) do
+        before_action :sg_fargate_rails_proxy_access!, if: -> { SgFargateRails.config.restrict_access_to_good_job_dashboard }
+
+        def sg_fargate_rails_proxy_access!
+          unless SgFargateRails.config.proxy_access?(request.remote_ip)
+            render plain: 'Forbidden', status: :forbidden
+          end
+        end
+      end
     end
   end
 end
diff --git a/sg_fargate_rails.gemspec b/sg_fargate_rails.gemspec
@@ -38,7 +38,6 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'puma'
   spec.add_dependency 'lograge', '~> 0.12'
-  spec.add_dependency 'rack-attack', '~> 6.6'
   spec.add_dependency 'aws-sdk-ec2', '~> 1.413'
   spec.add_dependency 'aws-sdk-scheduler', '~> 1.10'