remove references to ip address restriction for third party access (#…

…3046)
Enterprise-CMCS · Jan 3, 2025 · 5b4f0da · 5b4f0da
1 parent 7d5c5f5
commit 5b4f0da
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 48 deletions.
diff --git a/.envrc b/.envrc
@@ -26,7 +26,6 @@ export DATABASE_URL='postgresql://postgres:shhhsecret@localhost:5432/postgres?sc
 export EMAILER_MODE='LOCAL'
 export LD_SDK_KEY='this-value-must-be-set-in-local'
 export PARAMETER_STORE_MODE='LOCAL'
-export ALLOWED_IP_ADDRESSES='127.0.0.1'
 export JWT_SECRET='3fd2e448ed2cec1fa46520f1b64bcb243c784f68db41ea67ef9abc45c12951d3e770162829103c439f01d2b860d06ed0da1a08895117b1ef338f1e4ed176448a' # pragma: allowlist secret
 
 export VITE_APP_OTEL_COLLECTOR_URL='http://localhost:3030/local/otel'

diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -52,12 +52,6 @@ valid values: A URL where a running app-web can be reached
 
 It's used as the redirects for login by app-web when it configures login via IDM.
 
-### `ALLOWED_IP_ADDRESSES`
-
-Read by `app-api` and Cypress
-
-Third party access to the MC-Review API is restricted by IP address. It must be set to a string that contains a comma separated list of IP address OR it can be set to `ALLOW_ALL` for the dev environment and for testing purposes.
-
 ### `APP_VERSION`
 
 Read by `app-api`

diff --git a/services/app-api/serverless.yml b/services/app-api/serverless.yml
@@ -33,7 +33,6 @@ custom:
   apiAppOtelCollectorUrl: ${env:API_APP_OTEL_COLLECTOR_URL, ssm:/configuration/api_app_otel_collector_url}
   dbURL: ${env:DATABASE_URL}
   ldSDKKey: ${env:LD_SDK_KEY, ssm:/configuration/ld_sdk_key_feds}
-  allowedIpAddresses: ${env:ALLOWED_IP_ADDRESSES, ssm:/configuration/allowed_ip_addresses}
   # because the secret is in JSON in secret manager, we have to pass it into jwtSecret when not running locally
   jwtSecretJSON: ${env:CF_CONFIG_IGNORED_LOCALLY, ssm:/aws/reference/secretsmanager/api_jwt_secret_${sls:stage}}
   jwtSecret: ${env:JWT_SECRET, self:custom.jwtSecretJSON.jwtsigningkey}
@@ -142,7 +141,6 @@ provider:
     AWS_LAMBDA_EXEC_WRAPPER: /opt/otel-handler
     OPENTELEMETRY_COLLECTOR_CONFIG_FILE: /var/task/collector.yml
     LD_SDK_KEY: ${self:custom.ldSDKKey}
-    ALLOWED_IP_ADDRESSES: ${self:custom.allowedIpAddresses}
     JWT_SECRET: ${self:custom.jwtSecret}
     VITE_APP_S3_QA_BUCKET: ${self:custom.reactAppS3QABucket}
     VITE_APP_S3_DOCUMENTS_BUCKET: ${self:custom.reactAppS3DocumentUploadsBucket}

diff --git a/services/app-api/src/handlers/apollo_gql.ts b/services/app-api/src/handlers/apollo_gql.ts
@@ -150,38 +150,6 @@ function localAuthMiddleware(wrapped: APIGatewayProxyHandler): Handler {
     }
 }
 
-function ipRestrictionMiddleware(
-    allowedIps: string
-): (wrappedArg: Handler) => Handler {
-    return function (wrapped: Handler): Handler {
-        return async function (event, context, completion) {
-            const ipAddress = event.requestContext.identity.sourceIp
-            const fromThirdPartyAuthorizer = event.requestContext.path.includes(
-                '/v1/graphql/external'
-            )
-
-            if (fromThirdPartyAuthorizer) {
-                const isValidIpAddress =
-                    allowedIps.includes(ipAddress) ||
-                    allowedIps.includes('ALLOW_ALL')
-
-                if (!isValidIpAddress) {
-                    return Promise.resolve({
-                        statusCode: 403,
-                        body: `{ "error": IP Address ${ipAddress} is not in the allowed list }\n`,
-                        headers: {
-                            'Access-Control-Allow-Origin': '*',
-                            'Access-Control-Allow-Credentials': true,
-                        },
-                    })
-                }
-            }
-
-            return await wrapped(event, context, completion)
-        }
-    }
-}
-
 // This asynchronous function is started on the cold-load of this script
 // and is awaited by our handler function
 // Pattern is explained here https://serverlessfirst.com/function-initialisation/
@@ -200,7 +168,6 @@ async function initializeGQLHandler(): Promise<Handler> {
     const otelCollectorUrl = process.env.API_APP_OTEL_COLLECTOR_URL
     const parameterStoreMode = process.env.PARAMETER_STORE_MODE
     const ldSDKKey = process.env.LD_SDK_KEY
-    const allowedIpAddresses = process.env.ALLOWED_IP_ADDRESSES
     const jwtSecret = process.env.JWT_SECRET
     const s3DocumentsBucket = process.env.VITE_APP_S3_DOCUMENTS_BUCKET
     const s3QABucket = process.env.VITE_APP_S3_QA_BUCKET
@@ -218,9 +185,6 @@ async function initializeGQLHandler(): Promise<Handler> {
     if (stageName === undefined)
         throw new Error('Configuration Error: stage is required')
 
-    if (allowedIpAddresses === undefined)
-        throw new Error('Configuration Error: allowed IP addresses is required')
-
     if (!dbURL) {
         throw new Error('Init Error: DATABASE_URL is required to run app-api')
     }
@@ -454,11 +418,9 @@ async function initializeGQLHandler(): Promise<Handler> {
         },
     })
 
-    const combinedHandler = ipRestrictionMiddleware(allowedIpAddresses)(handler)
-
     // Locally, we wrap our handler in a middleware that returns 403 for unauthenticated requests
     const isLocal = authMode === 'LOCAL'
-    return isLocal ? localAuthMiddleware(combinedHandler) : combinedHandler
+    return isLocal ? localAuthMiddleware(handler) : handler
 }
 
 const handlerPromise = initializeGQLHandler()