Commit 079bb714 authored by Tim Steiner

Add a configuration option for trusting proxies in the IP Whitelist auth...

Add a configuration option for trusting proxies in the IP Whitelist auth module (rather than blindly trusting any proxy).
parent 88efddf3
......@@ -8,87 +8,115 @@
*/
class Unl_Auth_Adapter_IpWhitelist implements Zend_Auth_Adapter_Interface
{
/**
* An array of whitelisted IP addresses.
* @var array
*/
protected $_whitelist = array();
/**
* The client's IP Address.
* @var string
*/
protected $_clientIp;
/**
* @param array $whitelist
*/
public function __construct($whitelist = array())
{
$this->setWhitelist($whitelist);
}
/**
* Sets the whitelist to the supplied array.
* @param array $whitelist
* @throws Zend_Exception
*/
public function setWhitelist($whitelist)
{
if (!is_array($whitelist)) {
throw new Zend_Exception('Whitelist is not an array!');
}
$this->_whitelist = array();
foreach ($whitelist as $ipAddress => $username) {
$this->addToWhitelist($ipAddress, $username);
}
}
/**
* Register an IP address to a user.
* @param string $ipAddress
* @param srting $username
* @throws Zend_Exception
*/
public function addToWhitelist($ipAddress, $username)
{
if (!Zend_Validate::is($ipAddress, 'Ip')) {
throw new Zend_Exception('The entry "' . $ipAddress . '" is not an IP address!');
}
$this->_whitelist[$ipAddress] = $username;
}
public function getClientIpAddress()
{
if (!$this->_clientIp) {
$request = Zend_Controller_Front::getInstance()->getRequest();
if ($request instanceof Zend_Controller_Request_Http) {
$this->_clientIp = $request->getClientIp();
} else if (isset($_SERVER['REMOTE_ADDR'])) {
$this->_clientIp = $_SERVER['REMOTE_ADDR'];
} else {
throw new Zend_Exception('Could not determine client IP address');
}
}
return $this->_clientIp;
}
public function setClientIpAddress($ipAddress)
{
if (!Zend_Validate::is($ipAddress, 'Ip')) {
throw new Zend_Exception('"' . $ipAddress . '" is not an IP address!');
}
$this->_clientIp = $ipAddress;
}
public function authenticate()
{
foreach ($this->_whitelist as $ipAddress => $username) {
if ($this->getClientIpAddress() == $ipAddress) {
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $username, array('Authentication successful.'));
}
}
return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, NULL, array('Client IP address not on whitelist.'));
}
/**
* An array of whitelisted IP addresses.
* @var array
*/
protected $_whitelist = array();
/**
* The client's IP Address.
* @var string
*/
protected $_clientIp;
/**
* A list of proxies to trust when a X_FORWARDED_FOR header exists.
* @var array
*/
protected $_trustedProxyAddresses = array();
/**
* @param array $whitelist
*/
public function __construct($whitelist = array())
{
$this->setWhitelist($whitelist);
}
/**
* Sets the whitelist to the supplied array.
* @param array $whitelist
* @throws Zend_Exception
*/
public function setWhitelist($whitelist)
{
if (!is_array($whitelist)) {
throw new Zend_Exception('Whitelist is not an array!');
}
$this->_whitelist = array();
foreach ($whitelist as $ipAddress => $username) {
$this->addToWhitelist($ipAddress, $username);
}
}
/**
* Register an IP address to a user.
* @param string $ipAddress
* @param srting $username
* @throws Zend_Exception
*/
public function addToWhitelist($ipAddress, $username)
{
if (!Zend_Validate::is($ipAddress, 'Ip')) {
throw new Zend_Exception('The entry "' . $ipAddress . '" is not an IP address!');
}
$this->_whitelist[$ipAddress] = $username;
}
public function getClientIpAddress()
{
if (!$this->_clientIp) {
$request = Zend_Controller_Front::getInstance()->getRequest();
if ($request instanceof Zend_Controller_Request_Http) {
$this->_clientIp = $request->getClientIp(false);
} else if (isset($_SERVER['REMOTE_ADDR'])) {
$this->_clientIp = $_SERVER['REMOTE_ADDR'];
} else {
throw new Zend_Exception('Could not determine client IP address');
}
if (in_array($this->_clientIp, $this->getTrustedProxyAddresses())) {
if ($request instanceof Zend_Controller_Request_Http) {
$this->_clientIp = $request->getClientIp(true);
} else {
$this->_clientIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
}
}
return $this->_clientIp;
}
public function setClientIpAddress($ipAddress)
{
if (!Zend_Validate::is($ipAddress, 'Ip')) {
throw new Zend_Exception('"' . $ipAddress . '" is not an IP address!');
}
$this->_clientIp = $ipAddress;
}
public function authenticate()
{
foreach ($this->_whitelist as $ipAddress => $username) {
if ($this->getClientIpAddress() == $ipAddress) {
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $username, array('Authentication successful.'));
}
}
return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, NULL, array('Client IP address not on whitelist.'));
}
public function setTrustedProxyAddresses($trustedProxyAddresses)
{
if (!is_array($trustedProxyAddresses)) {
throw new Exception('$trustedProxyAddresses must be an array.');
}
$this->_trustedProxyAddresses = $trustedProxyAddresses;
}
public function getTrustedProxyAddresses()
{
return $this->_trustedProxyAddresses;
}
}
\ No newline at end of file
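Review bot: The trusted-proxy branch (`if (in_array($this->_clientIp, $this->getTrustedProxyAddresses()))` down to the `$_SERVER['HTTP_X_FORWARDED_FOR']` fallback) adopts the forwarded value verbatim, so a comma-separated chain such as `client, proxy` can never equal a whitelist entry in `authenticate()`, and nothing applies the `Zend_Validate::is(..., 'Ip')` check that `setClientIpAddress()` insists on. If `Zend_Controller_Request_Http::getClientIp(true)` prefers `HTTP_CLIENT_IP` over `HTTP_X_FORWARDED_FOR`, as it does in Zend Framework 1 (worth confirming for the framework version in use), a client behind the trusted proxy can send `Client-IP: <whitelisted address>`, have the proxy forward it untouched, and authenticate as that user, which is the spoofing the commit sets out to close. I would consult only X-Forwarded-For, split it, walk it from the right past any further trusted hops so that the address taken is one a trusted proxy appended rather than one the client supplied, validate it, and use `in_array(..., true)` so the proxy match is a strict string comparison. If the header is missing or malformed, the code below leaves `$this->_clientIp` at the proxy's own address, which fails closed unless that proxy is itself on the whitelist.
```php
if (in_array($this->_clientIp, $this->getTrustedProxyAddresses(), true)) {
    // Use only X-Forwarded-For (never Client-IP, which a proxy forwards untouched) and
    // only the right-most address that is not itself a trusted hop: that is the one the
    // trusted proxy appended; anything further left was supplied by the client.
    $forwardedFor = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_reverse(array_map('trim', explode(',', $forwardedFor)));
    foreach ($hops as $hop) {
        if (!Zend_Validate::is($hop, 'Ip')) {
            break; // malformed chain: keep the proxy's own address (fails closed unless the proxy is whitelisted)
        }
        if (!in_array($hop, $this->getTrustedProxyAddresses(), true)) {
            $this->_clientIp = $hop;
            break;
        }
    }
}
```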
......@@ -8,8 +8,9 @@
*
* and the optional configuration lines:
* unl.ipWhitelist.table = <name of the database table that contains the whitelist>
* unl.ipWhitelist.column.ipAddress = <name of the column that contains the IP address>
* unl.ipWhitelist.column.username = <name of the column that contains the username>
* unl.ipWhitelist.columns.ipAddress = <name of the column that contains the IP address>
* unl.ipWhitelist.columns.username = <name of the column that contains the username>
* unl.ipWhitelist.trustedProxies = <array of IP addresses to trust when an X_FORWARDED_FOR header exists>
*
* @author tsteiner
*
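Review bot: The new `unl.ipWhitelist.trustedProxies` line does not say how the addresses are matched: the adapter compares them with `in_array` against the peer address taken from `REMOTE_ADDR`, so entries must be exact IP addresses, and a CIDR range or hostname silently never matches. I would make the comment say so, e.g. ` * unl.ipWhitelist.trustedProxies = <IP addresses, matched exactly against REMOTE_ADDR (no CIDR ranges), whose X-Forwarded-For header is trusted>`. It is also worth spelling out that trusting a proxy means trusting the forwarded headers it passes on, so only proxies that set or append X-Forwarded-For themselves belong in the list.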
......@@ -31,6 +32,7 @@ class Unl_Controller_Plugin_Auth_IpWhitelist extends Zend_Controller_Plugin_Abst
$table = isset($options['table']) ? $options['table'] : 'ip_whitelist';
$ipAddressColumn = isset($options['columns']['ipAddress']) ? $options['columns']['ipAddress'] : 'ip_address';
$usernameColumn = isset($options['columns']['username']) ? $options['columns']['username'] : 'username';
$trustedProxies = isset($options['trustedProxies']) && is_array($options['trustedProxies']) ? $options['trustedProxies'] : array();
// Not configured. Don't do anything.
if (!$db instanceof Zend_Db_Adapter_Abstract) {
......@@ -47,6 +49,8 @@ class Unl_Controller_Plugin_Auth_IpWhitelist extends Zend_Controller_Plugin_Abst
foreach ($whitelistData as $row) {
$whitelistAdapter->addToWhitelist($row[$ipAddressColumn], $row[$usernameColumn]);
}
$whitelistAdapter->setTrustedProxyAddresses($trustedProxies);
// Attempt authentication.
Zend_Auth::getInstance()->authenticate($whitelistAdapter);
......
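Review bot: The `is_array()` guard on the new `$trustedProxies` line silently discards a scalar setting, so if the options come from an ini file a line like `unl.ipWhitelist.trustedProxies = 10.0.0.1` (rather than the `[]` array form) leaves the list empty, and every request through that proxy is then checked against the proxy's own address with no warning to the operator. Since `setTrustedProxyAddresses()` only verifies it was given an array, nothing downstream catches the mistake either, whereas `addToWhitelist()` at least validates each whitelist entry with `Zend_Validate`. I would accept a single value and validate the entries: `$trustedProxies = isset($options['trustedProxies']) ? (array) $options['trustedProxies'] : array();` here, and have the adapter's setter reject any entry that is not an IP address. The enclosing method starts before the first hunk and ends after the second.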