Support IP whitelisting for throttling.

Signed-off-by: EdmondFrank <[email protected]>
oss-compass · Feb 14, 2024 · b4dbee4 · b4dbee4
1 parent bf36f58
commit b4dbee4
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/.env.example b/.env.example
@@ -175,6 +175,9 @@ export OTEL_RESOURCE_ATTRIBUTES=application=compass-web-service
 # Lab
 export LAB_MODEL_TRIGGER_COUNT=5
 
+# Safelist
+export SAFELIST_IPS=5.6.7.0/24,192.168.1.0/24
+
 # Protected Reports
 export RESTRICTED_LABEL_LIST=oss-compass
 export RESTRICTED_LABEL_VIEWERS=2

diff --git a/app/controllers/concerns/common.rb b/app/controllers/concerns/common.rb
@@ -19,6 +19,7 @@ module Common
   META_REPO = ENV.fetch('WORKFLOW_REPO_NAME') { 'compass-projects-information' }
   ADMIN_WEB_TOKEN = ENV.fetch('ADMIN_WEB_TOKEN')
   ADMIN_SLACK_WEBHOOK = ENV.fetch('ADMIN_SLACK_WEBBHOOK') { nil }
+  SAFELIST_IPS = (ENV.fetch('SAFELIST_IPS') { '' })&.split(',')
   RESTRICTED_LABEL_LIST = (ENV.fetch('RESTRICTED_LABEL_LIST') { '' })&.split(',')
   RESTRICTED_LABEL_VIEWERS = (ENV.fetch('RESTRICTED_LABEL_VIEWERS') { '' })&.split(',')
 

diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
@@ -34,7 +34,7 @@ def execute
 
     t << real_ip
 
-    t.throttle! if !current_user || real_ip
+    t.throttle! if !current_user || (real_ip && !safelist_ip(real_ip))
 
     result = CompassWebServiceSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
     render json: result
@@ -53,6 +53,12 @@ def throttle_redis
     @throttle_redis ||= Redis.new(url: ENV.fetch('REDIS_URL') { 'redis://redis:6379/1' })
   end
 
+  def safelist_ip(target_ip)
+    Common::SAFELIST_IPS.any? do |safe_ip|
+      IPAddr.new(safe_ip).include?(IPAddr.new(target_ip))
+    end
+  end
+
   # Handle variables in form data, JSON body, or a blank value
   def prepare_variables(variables_param)
     case variables_param