DNNCommunity/PolyDeploy

Ability to Disable IP Whitelisting

bdukes opened this issue · 15 comments

I would like to create a task for VSTS to use their CI/CD pipeline to deploy to different environments. However, because tasks are run from a pool of build agents in the cloud, I don't have a reliable IP address to whitelist (it is possible to get a list of public IP addresses used by VSTS, but it's a pretty long list and can change on a weekly basis).

So, for this scenario, it would be nice to be able to disable the IP whitelist for the deploy client. Is this an option y'all are open to?

I think it's definitely an option that we are open to providing that the setting is enabled by default and perhaps displays a short warning if disabled.

@bdukes, a workaround could be to connect to your servers using VSTS, and then run the commands on the webservers themselves.
Though I agree, your scenario is viable and we should be able to disable IP whitelisting.

Would we want that to be a setting on the API user, rather than on the module itself?

@Sniels that's a good idea, I should be able to use that workaround in the meantime.

For me personally, I'm mostly interested in the API for automation.
For the GUI, I'm of the opinion it should integrate with DNN Roles system.
I would want to create a custom role "Module Installers", or use an existing role "Administrators" to only allow that role to access the PolyDeploy GUI.
This could be set in a config file, or in a setting to set via PolyDeploy GUI.

@bdukes I think it would be great to have the flexibility to disable the IP Whitelist globally as well as being able to exclude particular API Users from it.

@Sniels Currently PolyDeploy is designed to only be accessible to host users, regardless of the permissions which are applied to the module on the page. This is intentional as it helps to ensure that PolyDeploy is secure by default.

A module that can install extensions must only be accessible to host users. However, I don't know that the IP whitelist to access the GUI interface is enough of a security benefit that it's worth the hassle. If a hacker can authenticate as a host user, it's trivial for them to add themselves to the IP whitelist, or just install via the standard interface. In my opinion, the IP whitelist is only useful for API access.

FYI, I'm 99% of the way through implementing a Bypass IP Whitelist option for API users, just need to finish testing (hopefully today)

@bdukes I agree, once an attacker has access to a host account within DNN it's game over as far as what PolyDeploy would allow them to do versus what they can do through DNN's UI.

I'll raise the discussion to see if we can just apply IP Whitelisting for API users.

@can-anierzad & @StevenFisherCantarus Any additional thoughts on removing the whitelist?

I'm attempting to use Version 0.7.0 and cannot even get the module to function. I've added the IP, but I'm guessing it is something about Azure and how it works that might be causing issues, as I'm not able to use it.

@mitchelsellers it's possible what you're experiencing is a bug where the action filter for whitelisting fails to determine the request originated on the local machine. Aside from that, you can check PolyDeploy's own EventLog table and it'll tell you what IP address is failing the whitelist check. That should allow you to get it up and running.

I think that being able to enable/disable the whitelist globally is a worthwhile addition, but the issue mentioned above needs to be fixed as well.

@can-anierzad It appears that it is due to the IP appearing to have a port on it... but that port changes

I created #36 to properly document my concern

@bdukes am I right in thinking that you raised an MR that resolves this issue? Just wondering if I can close.

#31 resolves the issue for API users, but I haven't submitted a PR to turn off IP whitelisting for the module UI.

Resolved by #31 and #47.
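
The port-suffixed client address reported in the thread, together with the per-API-user bypass, as an added example that is not PolyDeploy's code: a sketch of stripping the port before the whitelist comparison and failing closed on anything unparsable. The function names, the `bypass_whitelist` parameter and the whitelist being a list of single addresses are assumptions; the addresses are constructed from documentation ranges.

```python
import ipaddress


def normalize_client_ip(raw):
    """Return the address without any port suffix, or None if it cannot be parsed."""
    text = raw.strip()
    if text.startswith("["):
        # Bracketed IPv6, optionally followed by a port: "[2001:db8::1]:443"
        host, closing, rest = text[1:].partition("]")
        if not closing or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            return None
    elif text.count(":") == 1:
        # Exactly one colon can only mean IPv4 plus port: "203.0.113.7:51234"
        host, _, port = text.partition(":")
        if not port.isdigit():
            return None
    else:
        host = text  # bare IPv4 or bare IPv6
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4 so one entry covers both forms
    return getattr(addr, "ipv4_mapped", None) or addr


def is_allowed(raw_address, whitelist, bypass_whitelist=False):
    """Whitelist decision for one request (hypothetical helper, not the module's API)."""
    if bypass_whitelist:
        # Per-API-user opt-out, off by default; the API key is then the only control
        return True
    addr = normalize_client_ip(raw_address)
    if addr is None:
        return False  # fail closed: an unparsable address is never whitelisted
    return any(addr == ipaddress.ip_address(entry) for entry in whitelist)


if __name__ == "__main__":
    # Constructed sample: the same client seen with two different source ports
    for seen in ("203.0.113.7:51234", "203.0.113.7:60001", "198.51.100.9:51234"):
        print(seen, is_allowed(seen, ["203.0.113.7"]))
```
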