upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-15 22:11:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

feat(security): Add public API to allow validating IP Ranges and checking for "in range"

Browse source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
This commit is contained in:
Joas Schilling 2024-07-17 15:25:51 +02:00 committed by Benjamin Gaussorgues
parent 202e5b1e95
commit 047479ccf9
No known key found for this signature in database
GPG key ID: 5DAC1CAFAA6DB883
17 changed files with 311 additions and 110 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
apps/settings/lib/SetupChecks/AllowedAdminRanges.php
View file

@ -8,8 +8,8 @@ declare(strict_types=1);
*/
namespace OCA\Settings\SetupChecks;
use IPLib\Factory;
use OC\Security\RemoteIpAddress;
use OC\Security\Ip\Range;
use OC\Security\Ip\RemoteAddress;
use OCP\IConfig;
use OCP\IL10N;
use OCP\SetupCheck\ISetupCheck;
@ -31,8 +31,11 @@ class AllowedAdminRanges implements ISetupCheck {
}
public function run(): SetupResult {
$allowedAdminRanges = $this->config->getSystemValue(RemoteIpAddress::SETTING_NAME, false);
if ($allowedAdminRanges === false) {
$allowedAdminRanges = $this->config->getSystemValue(RemoteAddress::SETTING_NAME, false);
if (
$allowedAdminRanges === false
|| (is_array($allowedAdminRanges) && empty($allowedAdminRanges))
) {
return SetupResult::success($this->l10n->t('Admin IP filtering isnt applied.'));
}
@ -40,23 +43,17 @@ class AllowedAdminRanges implements ISetupCheck {
return SetupResult::error(
$this->l10n->t(
'Configuration key "%1$s" expects an array (%2$s found). Admin IP range validation will not be applied.',
[RemoteIpAddress::SETTING_NAME, gettype($allowedAdminRanges)],
[RemoteAddress::SETTING_NAME, gettype($allowedAdminRanges)],
)
);
}
$invalidRanges = array_reduce($allowedAdminRanges, static function (array $carry, mixed $range) {
if (!is_string($range) || Factory::parseRangeString($range) === null) {
$carry[] = $range;
}
return $carry;
}, []);
if (count($invalidRanges) > 0) {
$invalidRanges = array_filter($allowedAdminRanges, static fn (mixed $range): bool => !is_string($range) || !Range::isValid($range));
if (!empty($invalidRanges)) {
return SetupResult::warning(
$this->l10n->t(
'Configuration key "%1$s" contains invalid IP range(s): "%2$s"',
[RemoteIpAddress::SETTING_NAME, implode('", "', $invalidRanges)],
[RemoteAddress::SETTING_NAME, implode('", "', $invalidRanges)],
),
);
}

7
lib/composer/composer/autoload_classmap.php
View file

@ -644,6 +644,9 @@ return array(
'OCP\\Security\\IRemoteHostValidator' => $baseDir . '/lib/public/Security/IRemoteHostValidator.php',
'OCP\\Security\\ISecureRandom' => $baseDir . '/lib/public/Security/ISecureRandom.php',
'OCP\\Security\\ITrustedDomainHelper' => $baseDir . '/lib/public/Security/ITrustedDomainHelper.php',
'OCP\\Security\\Ip\\IAddress' => $baseDir . '/lib/public/Security/Ip/IAddress.php',
'OCP\\Security\\Ip\\IRange' => $baseDir . '/lib/public/Security/Ip/IRange.php',
'OCP\\Security\\Ip\\IRemoteAddress' => $baseDir . '/lib/public/Security/Ip/IRemoteAddress.php',
'OCP\\Security\\RateLimiting\\ILimiter' => $baseDir . '/lib/public/Security/RateLimiting/ILimiter.php',
'OCP\\Security\\RateLimiting\\IRateLimitExceededException' => $baseDir . '/lib/public/Security/RateLimiting/IRateLimitExceededException.php',
'OCP\\Security\\VerificationToken\\IVerificationToken' => $baseDir . '/lib/public/Security/VerificationToken/IVerificationToken.php',
@ -1808,6 +1811,9 @@ return array(
'OC\\Security\\IdentityProof\\Key' => $baseDir . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => $baseDir . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => $baseDir . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Ip\\Address' => $baseDir . '/lib/private/Security/Ip/Address.php',
'OC\\Security\\Ip\\Range' => $baseDir . '/lib/private/Security/Ip/Range.php',
'OC\\Security\\Ip\\RemoteAddress' => $baseDir . '/lib/private/Security/Ip/RemoteAddress.php',
'OC\\Security\\Normalizer\\IpAddress' => $baseDir . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\DatabaseBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
@ -1815,7 +1821,6 @@ return array(
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => $baseDir . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => $baseDir . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\RemoteHostValidator' => $baseDir . '/lib/private/Security/RemoteHostValidator.php',
'OC\\Security\\RemoteIpAddress' => $baseDir . '/lib/private/Security/RemoteIpAddress.php',
'OC\\Security\\SecureRandom' => $baseDir . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => $baseDir . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Security\\VerificationToken\\CleanUpJob' => $baseDir . '/lib/private/Security/VerificationToken/CleanUpJob.php',

7
lib/composer/composer/autoload_static.php
View file

@ -677,6 +677,9 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OCP\\Security\\IRemoteHostValidator' => __DIR__ . '/../../..' . '/lib/public/Security/IRemoteHostValidator.php',
'OCP\\Security\\ISecureRandom' => __DIR__ . '/../../..' . '/lib/public/Security/ISecureRandom.php',
'OCP\\Security\\ITrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/public/Security/ITrustedDomainHelper.php',
'OCP\\Security\\Ip\\IAddress' => __DIR__ . '/../../..' . '/lib/public/Security/Ip/IAddress.php',
'OCP\\Security\\Ip\\IRange' => __DIR__ . '/../../..' . '/lib/public/Security/Ip/IRange.php',
'OCP\\Security\\Ip\\IRemoteAddress' => __DIR__ . '/../../..' . '/lib/public/Security/Ip/IRemoteAddress.php',
'OCP\\Security\\RateLimiting\\ILimiter' => __DIR__ . '/../../..' . '/lib/public/Security/RateLimiting/ILimiter.php',
'OCP\\Security\\RateLimiting\\IRateLimitExceededException' => __DIR__ . '/../../..' . '/lib/public/Security/RateLimiting/IRateLimitExceededException.php',
'OCP\\Security\\VerificationToken\\IVerificationToken' => __DIR__ . '/../../..' . '/lib/public/Security/VerificationToken/IVerificationToken.php',
@ -1841,6 +1844,9 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC\\Security\\IdentityProof\\Key' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Ip\\Address' => __DIR__ . '/../../..' . '/lib/private/Security/Ip/Address.php',
'OC\\Security\\Ip\\Range' => __DIR__ . '/../../..' . '/lib/private/Security/Ip/Range.php',
'OC\\Security\\Ip\\RemoteAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Ip/RemoteAddress.php',
'OC\\Security\\Normalizer\\IpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\DatabaseBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
@ -1848,7 +1854,6 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\RemoteHostValidator' => __DIR__ . '/../../..' . '/lib/private/Security/RemoteHostValidator.php',
'OC\\Security\\RemoteIpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/RemoteIpAddress.php',
'OC\\Security\\SecureRandom' => __DIR__ . '/../../..' . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Security\\VerificationToken\\CleanUpJob' => __DIR__ . '/../../..' . '/lib/private/Security/VerificationToken/CleanUpJob.php',

4
lib/private/AppFramework/DependencyInjection/DIContainer.php
View file

@ -21,7 +21,6 @@ use OC\AppFramework\Utility\SimpleContainer;
use OC\Core\Middleware\TwoFactorMiddleware;
use OC\Diagnostics\EventLogger;
use OC\Log\PsrLoggerAdapter;
use OC\Security\RemoteIpAddress;
use OC\ServerContainer;
use OC\Settings\AuthorizedGroupMapper;
use OCA\WorkflowEngine\Manager;
@ -47,6 +46,7 @@ use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\Ip\IRemoteAddress;
use Psr\Container\ContainerInterface;
use Psr\Log\LoggerInterface;
@ -234,7 +234,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$server->getL10N('lib'),
$c->get(AuthorizedGroupMapper::class),
$server->get(IUserSession::class),
$c->get(RemoteIpAddress::class),
$c->get(IRemoteAddress::class),
);
$dispatcher->registerMiddleware($securityMiddleware);
$dispatcher->registerMiddleware(

10
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
View file

@ -17,7 +17,6 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RemoteIpAddress;
use OC\Settings\AuthorizedGroupMapper;
use OC\User\Session;
use OCP\App\AppPathNotFoundException;
@ -42,6 +41,7 @@ use OCP\INavigationManager;
use OCP\IRequest;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Security\Ip\IRemoteAddress;
use OCP\Util;
use Psr\Log\LoggerInterface;
use ReflectionMethod;
@ -67,7 +67,7 @@ class SecurityMiddleware extends Middleware {
private IL10N $l10n,
private AuthorizedGroupMapper $groupAuthorizationMapper,
private IUserSession $userSession,
private RemoteIpAddress $remoteIpAddress,
private IRemoteAddress $remoteAddress,
) {
}
@ -134,7 +134,7 @@ class SecurityMiddleware extends Middleware {
if (!$authorized) {
throw new NotAdminException($this->l10n->t('Logged in account must be an admin, a sub admin or gotten special right to access this setting'));
}
if (!$this->remoteIpAddress->allowsAdminActions()) {
if (!$this->remoteAddress->allowsAdminActions()) {
throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesnt allow you to perform admin actions'));
}
}
@ -151,12 +151,12 @@ class SecurityMiddleware extends Middleware {
throw new NotAdminException($this->l10n->t('Logged in account must be an admin'));
}
if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
&& !$this->remoteIpAddress->allowsAdminActions()) {
&& !$this->remoteAddress->allowsAdminActions()) {
throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesnt allow you to perform admin actions'));
}
if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
&& !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class)
&& !$this->remoteIpAddress->allowsAdminActions()) {
&& !$this->remoteAddress->allowsAdminActions()) {
throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesnt allow you to perform admin actions'));
}

6
lib/private/Group/Manager.php
View file

@ -8,7 +8,6 @@
namespace OC\Group;
use OC\Hooks\PublicEmitter;
use OC\Security\RemoteIpAddress;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\Group\Backend\IBatchMethodsBackend;
use OCP\Group\Backend\ICreateNamedGroupBackend;
@ -20,6 +19,7 @@ use OCP\ICacheFactory;
use OCP\IGroup;
use OCP\IGroupManager;
use OCP\IUser;
use OCP\Security\Ip\IRemoteAddress;
use Psr\Log\LoggerInterface;
use function is_string;
@ -60,7 +60,7 @@ class Manager extends PublicEmitter implements IGroupManager {
private IEventDispatcher $dispatcher,
private LoggerInterface $logger,
ICacheFactory $cacheFactory,
private RemoteIpAddress $remoteIpAddress,
private IRemoteAddress $remoteAddress,
) {
$this->displayNameCache = new DisplayNameCache($cacheFactory, $this);
@ -321,7 +321,7 @@ class Manager extends PublicEmitter implements IGroupManager {
* @return bool if admin
*/
public function isAdmin($userId) {
if (!$this->remoteIpAddress->allowsAdminActions()) {
if (!$this->remoteAddress->allowsAdminActions()) {
return false;
}

48
lib/private/Security/Ip/Address.php Normal file
View file

@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\Ip;
use InvalidArgumentException;
use IPLib\Address\AddressInterface;
use IPLib\Factory;
use OCP\Security\Ip\IAddress;
use OCP\Security\Ip\IRange;
/**
* @since 30.0.0
*/
class Address implements IAddress {
private readonly AddressInterface $ip;
public function __construct(string $ip) {
$ip = Factory::parseAddressString($ip);
if ($ip === null) {
throw new InvalidArgumentException('Given IP address cant be parsed');
}
$this->ip = $ip;
}
public static function isValid(string $ip): bool {
return Factory::parseAddressString($ip) !== null;
}
public function matches(IRange... $ranges): bool {
foreach($ranges as $range) {
if ($range->contains($this)) {
return true;
}
}
return false;
}
public function __toString(): string {
return $this->ip->toString();
}
}

39
lib/private/Security/Ip/Range.php Normal file
View file

@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\Ip;
use InvalidArgumentException;
use IPLib\Factory;
use IPLib\Range\RangeInterface;
use OCP\Security\Ip\IAddress;
use OCP\Security\Ip\IRange;
class Range implements IRange {
private readonly RangeInterface $range;
public function __construct(string $range) {
$range = Factory::parseRangeString($range);
if ($range === null) {
throw new InvalidArgumentException('Given range cant be parsed');
}
$this->range = $range;
}
public static function isValid(string $range): bool {
return Factory::parseRangeString($range) !== null;
}
public function contains(IAddress $address): bool {
return $this->range->contains(Factory::parseAddressString((string) $address));
}
public function __toString(): string {
return $this->range->toString();
}
}

71
lib/private/Security/Ip/RemoteAddress.php Normal file
View file

@ -0,0 +1,71 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\Ip;
use OCP\IConfig;
use OCP\IRequest;
use OCP\Security\Ip\IAddress;
use OCP\Security\Ip\IRange;
use OCP\Security\Ip\IRemoteAddress;
class RemoteAddress implements IRemoteAddress, IAddress {
public const SETTING_NAME = 'allowed_admin_ranges';
private readonly ?IAddress $ip;
public function __construct(
private IConfig $config,
IRequest $request,
) {
$remoteAddress = $request->getRemoteAddress();
$this->ip = $remoteAddress === ''
? null
: new Address($remoteAddress);
}
public static function isValid(string $ip): bool {
return Address::isValid($ip);
}
public function matches(IRange... $ranges): bool {
return $this->ip === null
? true
: $this->ip->matches(... $ranges);
}
public function allowsAdminActions(): bool {
if ($this->ip === null) {
return true;
}
$allowedAdminRanges = $this->config->getSystemValue(self::SETTING_NAME, false);
// Don't apply restrictions on empty or invalid configuration
if (
$allowedAdminRanges === false
|| !is_array($allowedAdminRanges)
|| empty($allowedAdminRanges)
) {
return true;
}
foreach ($allowedAdminRanges as $allowedAdminRange) {
if ((new Range($allowedAdminRange))->contains($this->ip)) {
return true;
}
}
return false;
}
public function __toString(): string {
return (string) $this->ip;
}
}

64
lib/private/Security/RemoteIpAddress.php
View file

@ -1,64 +0,0 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security;
use IPLib\Factory;
use OCP\IConfig;
use OCP\IRequest;
use Psr\Log\LoggerInterface;
class RemoteIpAddress {
public const SETTING_NAME = 'allowed_admin_ranges';
public function __construct(
private IConfig $config,
private IRequest $request,
private LoggerInterface $logger,
) {
}
public function allowsAdminActions(): bool {
$allowedAdminRanges = $this->config->getSystemValue(self::SETTING_NAME, false);
if ($allowedAdminRanges === false) {
// No restriction applied
return true;
}
if (!is_array($allowedAdminRanges)) {
return true;
}
if (empty($allowedAdminRanges)) {
return true;
}
$ipAddress = Factory::parseAddressString($this->request->getRemoteAddress());
if ($ipAddress === null) {
$this->logger->warning(
'Unable to parse remote IP "{ip}"',
['ip' => $ipAddress,]
);
return false;
}
foreach ($allowedAdminRanges as $rangeString) {
$range = Factory::parseRangeString($rangeString);
if ($range === null) {
continue;
}
if ($range->contains($ipAddress)) {
return true;
}
}
return false;
}
}

7
lib/private/Server.php
View file

@ -100,8 +100,8 @@ use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\CSRF\TokenStorage\SessionStorage;
use OC\Security\Hasher;
use OC\Security\Ip\RemoteAddress;
use OC\Security\RateLimiting\Limiter;
use OC\Security\RemoteIpAddress;
use OC\Security\SecureRandom;
use OC\Security\TrustedDomainHelper;
use OC\Security\VerificationToken\VerificationToken;
@ -214,6 +214,7 @@ use OCP\Security\IContentSecurityPolicyManager;
use OCP\Security\ICredentialsManager;
use OCP\Security\ICrypto;
use OCP\Security\IHasher;
use OCP\Security\Ip\IRemoteAddress;
use OCP\Security\ISecureRandom;
use OCP\Security\ITrustedDomainHelper;
use OCP\Security\RateLimiting\ILimiter;
@ -466,7 +467,7 @@ class Server extends ServerContainer implements IServerContainer {
$this->get(IEventDispatcher::class),
$this->get(LoggerInterface::class),
$this->get(ICacheFactory::class),
$this->get(RemoteIpAddress::class),
$this->get(IRemoteAddress::class),
);
return $groupManager;
});
@ -1405,6 +1406,8 @@ class Server extends ServerContainer implements IServerContainer {
$this->registerAlias(\OCP\TaskProcessing\IManager::class, \OC\TaskProcessing\Manager::class);
$this->registerAlias(IRemoteAddress::class, RemoteAddress::class);
$this->connectDispatcher();
}

35
lib/public/Security/Ip/IAddress.php Normal file
View file

@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OCP\Security\Ip;
/**
* @since 30.0.0
*/
interface IAddress {
/**
* Check if a given IP address is valid
*
* @since 30.0.0
*/
public static function isValid(string $ip): bool;
/**
* Check if current address is contained by given ranges
*
* @since 30.0.0
*/
public function matches(IRange... $ranges): bool;
/**
* Normalized IP address
*
* @since 30.0.0
*/
public function __toString(): string;
}

37
lib/public/Security/Ip/IRange.php Normal file
View file

@ -0,0 +1,37 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OCP\Security\Ip;
/**
* IP Range (IPv4 or IPv6)
*
* @since 30.0.0
*/
interface IRange {
/**
* Check if a given range is valid
*
* @since 30.0.0
*/
public static function isValid(string $range): bool;
/**
* Check if an address is in the current range
*
* @since 30.0.0
*/
public function contains(IAddress $address): bool;
/**
* Normalized IP range
*
* @since 30.0.0
*/
public function __toString(): string;
}

22
lib/public/Security/Ip/IRemoteAddress.php Normal file
View file

@ -0,0 +1,22 @@
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OCP\Security\Ip;
/**
* IP address of the connected client
*
* @since 30.0.0
*/
interface IRemoteAddress {
/**
* Check if the current remote address is allowed to perform admin actions
* @since 30.0.0
*/
public function allowsAdminActions(): bool;
}

4
tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
View file

@ -18,7 +18,6 @@ use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OC\Appframework\Middleware\Security\Exceptions\StrictCookieMissingException;
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RemoteIpAddress;
use OC\Settings\AuthorizedGroupMapper;
use OC\User\Session;
use OCP\App\IAppManager;
@ -33,6 +32,7 @@ use OCP\IRequestId;
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Security\Ip\IRemoteAddress;
use Psr\Log\LoggerInterface;
use Test\AppFramework\Middleware\Security\Mock\NormalController;
use Test\AppFramework\Middleware\Security\Mock\OCSController;
@ -91,7 +91,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->appManager->expects($this->any())
->method('isEnabledForUser')
->willReturn($isAppEnabledForUser);
$remoteIpAddress = $this->createMock(RemoteIpAddress::class);
$remoteIpAddress = $this->createMock(IRemoteAddress::class);
$remoteIpAddress->method('allowsAdminActions')->willReturn(true);
return new SecurityMiddleware(

6
tests/lib/Group/ManagerTest.php
View file

@ -9,7 +9,6 @@
namespace Test\Group;
use OC\Group\Database;
use OC\Security\RemoteIpAddress;
use OC\User\Manager;
use OC\User\User;
use OCP\EventDispatcher\IEventDispatcher;
@ -17,6 +16,7 @@ use OCP\Group\Backend\ISearchableGroupBackend;
use OCP\GroupInterface;
use OCP\ICacheFactory;
use OCP\IUser;
use OCP\Security\Ip\IRemoteAddress;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Log\LoggerInterface;
use Test\TestCase;
@ -33,7 +33,7 @@ class ManagerTest extends TestCase {
protected $logger;
/** @var ICacheFactory|MockObject */
private $cache;
/** @var RemoteIpAddress|MockObject */
/** @var IRemoteAddress|MockObject */
private $remoteIpAddress;
protected function setUp(): void {
@ -44,7 +44,7 @@ class ManagerTest extends TestCase {
$this->logger = $this->createMock(LoggerInterface::class);
$this->cache = $this->createMock(ICacheFactory::class);
$this->remoteIpAddress = $this->createMock(RemoteIpAddress::class);
$this->remoteIpAddress = $this->createMock(IRemoteAddress::class);
$this->remoteIpAddress->method('allowsAdminActions')->willReturn(true);
}

29
tests/lib/Security/RemoteIpAddressTest.php → tests/lib/Security/Ip/RemoteAddressTest.php
View file

@ -7,33 +7,27 @@ declare(strict_types=1);
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace Test\Security;
namespace Test\Security\Ip;
use OC\Security\RemoteIpAddress;
use OC\Security\Ip\RemoteAddress;
use OCP\IConfig;
use OCP\IRequest;
use Psr\Log\LoggerInterface;
class RemoteIpAddressTest extends \Test\TestCase {
class RemoteAddressTest extends \Test\TestCase {
private IConfig $config;
private IRequest $request;
private LoggerInterface $logger;
private RemoteIpAddress $remoteIpAddress;
protected function setUp(): void {
parent::setUp();
$this->config = $this->createMock(IConfig::class);
$this->request = $this->createMock(IRequest::class);
$this->logger = $this->createMock(LoggerInterface::class);
$this->remoteIpAddress = new RemoteIpAddress($this->config, $this->request, $this->logger);
}
/**
* @param mixed $allowedRanges
* @dataProvider dataProvider
*/
public function testEmptyConfig(string $remoteIp, $allowedRanges, bool $expected): void {
public function testAllowedIps(string $remoteIp, $allowedRanges, bool $expected): void {
$this->request
->method('getRemoteAddress')
->willReturn($remoteIp);
@ -42,7 +36,9 @@ class RemoteIpAddressTest extends \Test\TestCase {
->with('allowed_admin_ranges', false)
->willReturn($allowedRanges);
$this->assertEquals($expected, $this->remoteIpAddress->allowsAdminActions());
$remoteAddress = new RemoteAddress($this->config, $this->request);
$this->assertEquals($expected, $remoteAddress->allowsAdminActions());
}
/**
@ -50,6 +46,9 @@ class RemoteIpAddressTest extends \Test\TestCase {
*/
public function dataProvider(): array {
return [
// No IP (ie. CLI)
['', ['192.168.1.2/24'], true],
['', ['fe80/8'], true],
// No configuration
['1.2.3.4', false, true],
['1234:4567:8910::', false, true],
@ -59,6 +58,10 @@ class RemoteIpAddressTest extends \Test\TestCase {
// Invalid configuration
['1.2.3.4', 'hello', true],
['1234:4567:8910::', 'world', true],
// Mixed configuration
['192.168.1.5', ['1.2.3.*', '1234::/8'], false],
['::1', ['127.0.0.1', '1234::/8'], false],
['192.168.1.5', ['192.168.1.0/24', '1234::/8'], true],
// Allowed IP
['1.2.3.4', ['1.2.3.*'], true],
['fc00:1:2:3::1', ['fc00::/7'], true],
@ -66,9 +69,9 @@ class RemoteIpAddressTest extends \Test\TestCase {
['1234:4567:8910::1', ['fe80::/8','1234:4567::/16'], true],
// Blocked IP
['192.168.1.5', ['1.2.3.*'], false],
['9234:4567:8910::', ['1234:4567:*'], false],
['9234:4567:8910::', ['1234:4567::1'], false],
['192.168.2.1', ['192.168.1.2/24', '1.2.3.0/24'], false],
['9234:4567:8910::', ['fe80/8','1234:4567/16'], false],
['9234:4567:8910::', ['fe80::/8','1234:4567::/16'], false],
];
}
}