codeforamerica · mrotondo · Jan 27, 2025 · Feb 18, 2025
diff --git a/app/controllers/state_file/state_file_pages_controller.rb b/app/controllers/state_file/state_file_pages_controller.rb
@@ -23,7 +23,12 @@ def fake_direct_file_transfer_page
 
     def data_import_failed; end
 
-    def about_page; end
+    def about_page
+      puts "HELLO!!!!"
+      Rails.application.configure do
+        puts config.action_dispatch.trusted_proxies
+      end
+    end
 
     def privacy_policy; end
 

diff --git a/app/jobs/configure_trusted_proxies_job.rb b/app/jobs/configure_trusted_proxies_job.rb
@@ -0,0 +1,15 @@
+class ConfigureTrustedProxiesJob < ApplicationJob
+  def perform(current_or_cached:)
+    puts "HELLO I AM RUNNING WITH #{current_or_cached}"
+    trusted_proxies = if current_or_cached == :current
+                        RemoteIpTrustedProxiesService.load_current_aws_ip_ranges
+                      elsif current_or_cached == :cached
+                        RemoteIpTrustedProxiesService.load_cached_aws_ip_ranges
+                      end
+    RemoteIpTrustedProxiesService.configure_trusted_proxies(trusted_proxies)
+  end
+
+  def priority
+    PRIORITY_MEDIUM
+  end
+end
diff --git a/app/services/remote_ip_trusted_proxies_service.rb b/app/services/remote_ip_trusted_proxies_service.rb
@@ -0,0 +1,30 @@
+class RemoteIpTrustedProxiesService
+  class << self
+
+    def configure_trusted_proxies(trusted_proxy_ip_ranges)
+      return unless trusted_proxy_ip_ranges.present? && trusted_proxy_ip_ranges.count > 1
+      # Telling ActionDispatch about AWS' IP ranges prevents their load balancers etc from being interpreted as the client IP
+      Rails.application.configure do
+        config.action_dispatch.trusted_proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES + trusted_proxy_ip_ranges
+      end
+    end
+
+    def load_current_aws_ip_ranges
+      url = "https://ip-ranges.amazonaws.com/ip-ranges.json"
+      parse_aws_ip_ranges(Net::HTTP.get_response(URI(url)).body)
+    end
+
+    def load_cached_aws_ip_ranges
+      path = "config/aws_ip_ranges.json"
+      parse_aws_ip_ranges(File.read(path))
+    end
+
+    private
+
+    def parse_aws_ip_ranges(aws_ip_ranges_json)
+      ip_strings = JSON.parse(aws_ip_ranges_json)["prefixes"].map { |ip_json| ip_json["ip_prefix"] }
+      ip_strings.map { |ip_string| IPAddr.new(ip_string) }
+    end
+
+  end
+end
diff --git a/config/application.rb b/config/application.rb
@@ -138,22 +138,6 @@ class Application < Rails::Application
     config.intercom_app_id_statefile = "rtcpj4hf"
     config.google_login_enabled = true
 
-    # These are the default trusted proxies, copied from ActionDispatch's remote_ip.rb.
-    #  See this quote from that file for why they are duplicated here:
-    # "Note that passing an enumerable will *replace* the default set of trusted proxies."
-    local_network_ip_ranges = [
-      "127.0.0.0/8",    # localhost IPv4 range, per RFC-3330
-      "::1",            # localhost IPv6
-      "fc00::/7",       # private IPv6 range fc00::/7
-      "10.0.0.0/8",     # private IPv4 range 10.x.x.x
-      "172.16.0.0/12",  # private IPv4 range 172.16.0.0 .. 172.31.255.255
-      "192.168.0.0/16", # private IPv4 range 192.168.x.x
-    ]
-    # This file is downloaded from https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html#aws-ip-download
-    aws_ip_ranges = JSON.parse(File.read("config/aws_ip_ranges.json"))["prefixes"].map { |ip_json| ip_json["ip_prefix"] }
-    # Telling ActionDispatch about AWS' IP ranges prevents their load balancers etc from being interpreted as the client IP
-    config.action_dispatch.trusted_proxies = (local_network_ip_ranges + aws_ip_ranges).map { |ip_string| IPAddr.new(ip_string) }
-
     # Add pdftk to PATH
     ENV['PATH'] += ":#{Rails.root}/vendor/pdftk"
 

diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
@@ -0,0 +1,8 @@
+# These need to happen after initialization because classes haven't been loaded yet
+Rails.application.server do
+  Rails.application.configure do
+    puts "HELLO I AM RAILS.APPLICATION.SERVER"
+    ConfigureTrustedProxiesJob.perform_now(current_or_cached: :cached)
+    ConfigureTrustedProxiesJob.perform_later(current_or_cached: :current)
+  end
+end
diff --git a/lib/tasks/configure_trusted_proxies.rake b/lib/tasks/configure_trusted_proxies.rake
@@ -0,0 +1,6 @@
+namespace :trusted_proxies do
+  desc "Downloads AWS' IP ranges and loads them into ActionDispatch::RemoteIp's trusted_proxies"
+  task configure_trusted_proxies_to_current_aws_ip_ranges: [:environment] do
+    ConfigureTrustedProxiesJob.perform_now(current_or_cached: :current)
+  end
+end