
Support "request is from IP / subnet" policy rule
Closed, Wontfix; Public

Description

We'd like to have the ability to restrict what IP addresses people can access repositories and code reviews from, while still allowing access to other resources on Phabricator. This is so that we can allow access to repositories from within the office and build servers, while preventing access from home.

Event Timeline

hach-que assigned this task to epriestley.
hach-que raised the priority of this task from to Needs Triage.
hach-que updated the task description.
hach-que added a project: Policy.
hach-que added a subscriber: hach-que.

You may be able to implement this as an extension (subclass PhabricatorPolicyRule).

Getting it right in non-web contexts seems tricky. For example:

  • If we're generating mail in a daemon, we probably want to automatically pass these constraints, so these users can get email about repositories.
  • But, if we're processing email, we probably want to automatically fail these constraints, so users can't interact with these objects when not on approved subnets?

So I think we'd have to add some new concept to cover the various cases where we don't have a reliable remote IP.
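The context problem raised in the comment above, as an added sketch that is not part of the original thread and is not Phabricator code: a subnet rule that takes an explicit evaluation context, so the cases without a reliable remote IP get a deliberate answer. The `Context` and `SubnetRule` names and the sample subnets are hypothetical.

```python
import ipaddress
from enum import Enum


class Context(Enum):
    WEB = "web"                      # request carrying a remote address
    OUTBOUND_MAIL = "outbound_mail"  # daemon generating mail, no remote address
    INBOUND_MAIL = "inbound_mail"    # processing received mail, no trustworthy address


class SubnetRule:
    """Hypothetical 'request is from IP / subnet' rule with per-context defaults."""

    def __init__(self, cidrs):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def passes(self, context, remote_addr=None):
        # Mail generation: pass, so users still get mail about restricted objects.
        if context is Context.OUTBOUND_MAIL:
            return True
        # Mail processing: fail, so objects cannot be acted on from off-subnet.
        if context is Context.INBOUND_MAIL:
            return False
        # Web: fail closed when the address is missing or unparseable.
        # remote_addr must be the peer address seen by a trusted edge,
        # not a client-supplied header value.
        if not remote_addr:
            return False
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr.version == net.version and addr in net
                   for net in self.networks)


# Constructed sample policy: an office range and a single build server.
RULE = SubnetRule(["10.20.0.0/16", "192.0.2.10/32"])

if __name__ == "__main__":
    for ctx, ip in [(Context.WEB, "10.20.5.7"), (Context.WEB, "203.0.113.9"),
                    (Context.OUTBOUND_MAIL, None), (Context.INBOUND_MAIL, None)]:
        print(ctx.value, ip, RULE.passes(ctx, ip))
```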

chad triaged this task as Wishlist priority. Nov 13 2014, 5:34 PM
epriestley claimed this task.
epriestley added a subscriber: epriestley.

We haven't seen other requests for this in nearly two years, and it can likely be implemented as an extension, except possibly for the weird cases mentioned above.

I think this access pattern (versus using a VPN?) is fairly unusual. I do expect that tokens/keys will get more flexible ways to configure access in the future (e.g., T11277 and related tasks, possibly including the ability to restrict source IPs) which might address some of this, although not exactly the original use case.

@hach-que, did you end up implementing a solution for this?