Merge branch 'main' into feat--secret-generation

Author: nimish-ks

backend/api/migrations/0100_networkaccesspolicy_and_more.py

@@ -0,0 +1,36 @@
+# Generated by Django 4.2.16 on 2025-04-23 07:58
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0099_remove_secretfolder_unique_secret_folder_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='NetworkAccessPolicy',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=100)),
+                ('allowed_ips', models.TextField(help_text='Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)')),
+                ('is_global', models.BooleanField(default=True)),
+                ('created_at', models.DateTimeField(auto_now_add=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organisation')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='organisationmember',
+            name='network_policies',
+            field=models.ManyToManyField(blank=True, related_name='members', to='api.networkaccesspolicy'),
+        ),
+        migrations.AddField(
+            model_name='serviceaccount',
+            name='network_policies',
+            field=models.ManyToManyField(blank=True, related_name='service_accounts', to='api.networkaccesspolicy'),
+        ),
+    ]

backend/api/migrations/0101_networkaccesspolicy_updated_at.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.16 on 2025-04-27 09:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0100_networkaccesspolicy_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='networkaccesspolicy',
+            name='updated_at',
+            field=models.DateTimeField(auto_now=True),
+        ),
+    ]

backend/api/migrations/0102_networkaccesspolicy_created_by_and_more.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.16 on 2025-04-28 10:14
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0101_networkaccesspolicy_updated_at'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='networkaccesspolicy',
+            name='created_by',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='network_policies_created', to='api.organisationmember'),
+        ),
+        migrations.AddField(
+            model_name='networkaccesspolicy',
+            name='updated_by',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='network_policies_updated', to='api.organisationmember'),
+        ),
+    ]

backend/api/models.py

@@ -185,6 +185,38 @@ def __str__(self):
         return f"{self.name} ({self.organisation.name})"
 
 
+class NetworkAccessPolicy(models.Model):
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    name = models.CharField(max_length=100)
+    organisation = models.ForeignKey(Organisation, on_delete=models.CASCADE)
+    allowed_ips = models.TextField(
+        help_text="Comma-separated list of IP addresses or CIDR ranges (e.g. 192.168.1.1, 10.0.0.0/24)"
+    )
+    is_global = models.BooleanField(default=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+    created_by = models.ForeignKey(
+        "OrganisationMember",
+        on_delete=models.CASCADE,
+        blank=True,
+        null=True,
+        related_name="network_policies_created",
+    )
+    updated_at = models.DateTimeField(auto_now=True)
+    updated_by = models.ForeignKey(
+        "OrganisationMember",
+        on_delete=models.CASCADE,
+        blank=True,
+        null=True,
+        related_name="network_policies_updated",
+    )
+
+    def get_ip_list(self):
+        return [ip.strip() for ip in self.allowed_ips.split(",") if ip.strip()]
+
+    def __str__(self):
+        return self.name
+
+
 class OrganisationMember(models.Model):
 
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
@@ -205,6 +237,9 @@ class OrganisationMember(models.Model):
     identity_key = models.CharField(max_length=256, null=True, blank=True)
     wrapped_keyring = models.TextField(blank=True)
     wrapped_recovery = models.TextField(blank=True)
+    network_policies = models.ManyToManyField(
+        NetworkAccessPolicy, blank=True, related_name="members"
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(null=True, blank=True)
@@ -241,6 +276,9 @@ class ServiceAccount(models.Model):
     identity_key = models.CharField(max_length=256, null=True, blank=True)
     server_wrapped_keyring = models.TextField(null=True)
     server_wrapped_recovery = models.TextField(null=True)
+    network_policies = models.ManyToManyField(
+        NetworkAccessPolicy, blank=True, related_name="service_accounts"
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(null=True, blank=True)

backend/api/utils/access/middleware.py

@@ -0,0 +1,62 @@
+# permissions.py
+
+from api.models import NetworkAccessPolicy, Organisation
+from rest_framework.permissions import BasePermission
+from itertools import chain
+
+
+class IsIPAllowed(BasePermission):
+    """
+    Checks if the client's IP is allowed based on attached network access policies.
+    """
+
+    message = (
+        "Access denied: a network access policy restricts access from your IP address."
+    )
+
+    def get_client_ip(self, request):
+        x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
+        if x_forwarded_for:
+            return x_forwarded_for.split(",")[0].strip()
+        return request.META.get("REMOTE_ADDR")
+
+    def has_permission(self, request, view):
+        ip = self.get_client_ip(request)
+
+        org_member = request.auth.get("org_member", None)
+        service_account = request.auth.get("service_account", None)
+        service_token = request.auth.get("service_token")
+
+        org = None
+        account_policies = NetworkAccessPolicy.objects.none()
+
+        if org_member:
+            account_policies = org_member.network_policies.all()
+            org = org_member.organisation
+        elif service_account:
+            account_policies = service_account.network_policies.all()
+            org = service_account.organisation
+        elif service_token:
+            org = service_token.app.organisation
+
+        if org is None or org.plan == Organisation.FREE_PLAN:
+            return True
+        else:
+            from ee.access.utils.network import is_ip_allowed
+
+            global_policies = (
+                (
+                    NetworkAccessPolicy.objects.filter(organisation=org, is_global=True)
+                    if org
+                    else NetworkAccessPolicy.objects.none()
+                )
+                if org.plan == Organisation.ENTERPRISE_PLAN
+                else []
+            )
+
+            all_policies = list(chain(account_policies, global_policies))
+
+            if not all_policies:
+                return True  # Allow if no policies defined
+
+            return is_ip_allowed(ip, all_policies)

backend/api/utils/access/roles.py

@@ -14,6 +14,7 @@
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
+            "NetworkAccessPolicies": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -43,6 +44,7 @@
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
+            "NetworkAccessPolicies": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["create", "read", "update", "delete"],
@@ -71,6 +73,7 @@
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
+            "NetworkAccessPolicies": ["create", "read", "update", "delete"],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -103,6 +106,7 @@
                 "read",
                 "update",
             ],
+            "NetworkAccessPolicies": ["read"],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update"],
@@ -131,6 +135,7 @@
             "ServiceAccountTokens": ["read"],
             "Roles": ["read"],
             "IntegrationCredentials": ["read"],
+            "NetworkAccessPolicies": ["read"],
         },
         "app_permissions": {
             "Environments": ["read", "create", "update", "delete"],

backend/api/views/auth.py

@@ -1,6 +1,7 @@
 import requests
 import json
 import base64
+from api.utils.access.middleware import IsIPAllowed
 import jwt
 import os
 from api.serializers import (
@@ -174,12 +175,12 @@ def complete_login(self, request, app, token, **kwargs):
             if emails:
                 # First try to get primary email
                 for email_obj in emails:
-                    if email_obj.get('primary'):
-                        extra_data["email"] = email_obj['email']
+                    if email_obj.get("primary"):
+                        extra_data["email"] = email_obj["email"]
                         break
                 # If no primary email found, use the first one
                 if not extra_data.get("email") and len(emails) > 0:
-                    extra_data["email"] = emails[0]['email']
+                    extra_data["email"] = emails[0]["email"]
 
         email = extra_data["email"]
 
@@ -332,7 +333,11 @@ def service_token_kms(request):
 
 
 @api_view(["GET"])
-@permission_classes([AllowAny])
+@permission_classes(
+    [
+        AllowAny,
+    ]
+)
 def secrets_tokens(request):
     auth_token = request.headers["authorization"]
 

backend/api/views/secrets.py

@@ -29,6 +29,7 @@
 
 import json
 from api.content_negotiation import CamelCaseContentNegotiation
+from api.utils.access.middleware import IsIPAllowed
 from rest_framework.views import APIView
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.exceptions import PermissionDenied
@@ -44,7 +45,7 @@
 
 class E2EESecretsView(APIView):
     authentication_classes = [PhaseTokenAuthentication]
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, IsIPAllowed]
     content_negotiation_class = CamelCaseContentNegotiation
 
     def initial(self, request, *args, **kwargs):
@@ -351,7 +352,7 @@ def delete(self, request, *args, **kwargs):
 
 class PublicSecretsView(APIView):
     authentication_classes = [PhaseTokenAuthentication]
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, IsIPAllowed]
     renderer_classes = [
         CamelCaseJSONRenderer,
     ]

backend/backend/graphene/middleware.py

@@ -0,0 +1,76 @@
+from graphql import GraphQLResolveInfo
+from graphql import GraphQLError
+from api.models import NetworkAccessPolicy, Organisation, OrganisationMember
+
+from itertools import chain
+
+
+class IPRestrictedError(GraphQLError):
+    def __init__(self, organisation_name: str):
+        super().__init__(
+            message=f"Your IP address is not allowed to access {organisation_name}",
+            extensions={
+                "code": "IP_RESTRICTED",
+                "organisation_name": organisation_name,
+            },
+        )
+
+
+class IPWhitelistMiddleware:
+    """
+    Graphene middleware to enforce network access policy for human users
+    based on their organisation membership and IP address.
+    """
+
+    def resolve(self, next, root, info: GraphQLResolveInfo, **kwargs):
+        request = info.context
+        user = getattr(request, "user", None)
+
+        organisation_id = kwargs.get("organisation_id")
+        if not user or not user.is_authenticated:
+            raise GraphQLError("Authentication required")
+
+        if not organisation_id:
+            # If the operation doesn't involve an org, skip check
+            return next(root, info, **kwargs)
+
+        org = Organisation.objects.get(id=organisation_id)
+
+        if org.plan == Organisation.FREE_PLAN:
+            return next(root, info, **kwargs)
+
+        else:
+            from ee.access.utils.network import is_ip_allowed
+
+            try:
+                org_member = OrganisationMember.objects.get(
+                    organisation_id=organisation_id,
+                    user_id=user.userId,
+                    deleted_at__isnull=True,
+                )
+            except OrganisationMember.DoesNotExist:
+                raise GraphQLError("You are not a member of this organisation")
+
+            ip = self.get_client_ip(request)
+
+            account_policies = org_member.network_policies.all()
+            global_policies = (
+                NetworkAccessPolicy.objects.filter(
+                    organisation_id=organisation_id, is_global=True
+                )
+                if org.plan == Organisation.ENTERPRISE_PLAN
+                else []
+            )
+
+            all_policies = list(chain(account_policies, global_policies))
+
+            if not all_policies or is_ip_allowed(ip, all_policies):
+                return next(root, info, **kwargs)
+
+            raise IPRestrictedError(org_member.organisation.name)
+
+    def get_client_ip(self, request):
+        x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
+        if x_forwarded_for:
+            return x_forwarded_for.split(",")[0].strip()
+        return request.META.get("REMOTE_ADDR")