Added IP Whitelist Check contributed by https://github.com/spiridonov…

…polytechnic in bemosior#49, while implementing the changes suggested by besmosior in bemosior#49 (comment) * Resolves bemosior#49
thnilsen · Oct 16, 2018 · 55d0e0f · 55d0e0f
1 parent 094f081
commit 55d0e0f
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 4 deletions.
diff --git a/pwpusher_private/config.php b/pwpusher_private/config.php
@@ -47,6 +47,12 @@
     //Maximum life of a shared credential/password (in minutes).
     $credMaxLife = (60 * 24 * 90); //90 days
 
+    //IP Whitelist for creating credentials
+    //Whitelist is an array of CIDR notation IP addresses
+    $checkCreatorIpWhitelist = false;
+    $creatorIpWhitelist = array(
+        "10.0.0.0/24"
+    );
 
 //Email:
 

diff --git a/pwpusher_private/security.php b/pwpusher_private/security.php
@@ -120,4 +120,32 @@ function getSalt()
 {
     $salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22);
     return $salt;
-}
+}
+
+/**
+ * Check if the client if an ip is in array of supplied CIDR notation IP ranges
+ *
+ * @return bool $validIp
+ */
+function ipInList($ipString, $cidrArray)
+{
+    $validIp = false;
+    $ipLong = ip2long($ipString);
+    foreach ($cidrArray as $cidr)
+        {
+            try
+            {
+                list ($ipWhite, $cidrNum) = explode('/', $cidr);
+                $ipWhiteLong = ip2long($ipWhite);
+                $netmask = -1 << (32 - (int)$cidrNum);
+                if (($ipLong & $netmask) == ($ipWhiteLong & $netmask))
+                {
+                    $validIp = true;
+                }
+            }
+            catch (Error $error)
+            {
+            }
+        }
+    return $validIp;
+}
diff --git a/pwpusher_public/pw.php b/pwpusher_public/pw.php
@@ -13,6 +13,15 @@
 require '../pwpusher_private/interface.php';
 require '../pwpusher_private/CAS/CAS.php';
 
+// check if we need to check for white listing
+$creatorIpOk = !$checkCreatorIpWhitelist;
+if ($checkCreatorIpWhitelist)
+{
+    $creatorIpOk = false;
+    $ipClientString = $_SERVER['REMOTE_ADDR'];
+    $creatorIpOk = ipInList($ipClientString, $creatorIpWhitelist);
+}
+
 //Print the header
 print getHeader();
 
@@ -37,7 +46,7 @@
 }
 
 //If the form function argument doesn't exist, print the form for the user.
-if ($arguments['func'] == 'none' || $arguments == false) {
+if ($arguments['func'] == 'none' || $arguments == false && $creatorIpOk) {
 
     //Force CAS Authentication in order to load the form
     if ($requireCASAuth) {
@@ -51,7 +60,7 @@
         }
 
         //Fail Apache Authentication if configured but not successful
-    } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER'])) {
+    } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER']) || $checkCreatorIpWhitelist && !$creatorIpOk) {
         //This section is a courtesy check; PHP_AUTH_USER can possibly be spoofed
         //if web auth isn't configured.
         /** @noinspection PhpToStringImplementationInspection */
@@ -75,7 +84,7 @@
             $_SERVER['PHP_AUTH_NAME'] = $attributes[$casSamlNameAttribute];
         }
 
-    } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER'])) {
+    } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER']) || $checkCreatorIpWhitelist && !$creatorIpOk) {
         //This section is a courtesy check; PHP_AUTH_USER can possibly be spoofed
         //if web auth isn't configured.
         /** @noinspection PhpToStringImplementationInspection */