auth_proxy: proxy MUST be whitelisted

plugins/auth_proxy/init.php

@@ -20,11 +20,47 @@ class Auth_Proxy extends Plugin implements IAuthModule {
 		$host->add_hook($host::HOOK_AUTH_USER, $this);
 	}
 
+	/*
+	 * is_whitelisted check if an IP is whitelisted by defined values in config.php
+	 * it will check by-IP and by-NAME
+	 * currently, only exact IP is supported (no cidr, no wildcard); this is a TODO
+	 * check by 
+	 */
+	private function is_whitelisted($client_ip) {
+		if(!defined('AUTHPROXY_WHITELIST_IP') && !defined('AUTHPROXY_WHITELIST_NAME')) {
+			// TODO: send a warning: this is a misconfiguration!
+			return false;
+		}
+		if(defined('AUTHPROXY_WHITELIST_IP')) {
+			$whitelist = explode(' ', AUTHPROXY_WHITELIST_IP);
+			foreach($whitelist as $w_ip) {
+				if($client_ip === $w_ip) {
+					return true;
+				}
+			}
+		}
+		if(defined('AUTHPROXY_WHITELIST_NAME')) {
+			$whitelist = explode(' ', AUTHPROXY_WHITELIST_NAME);
+			foreach($whitelist as $w_name) {
+				foreach(gethostbynamel($w_name) as $w_ip) {
+					if($client_ip === $w_ip) {
+						return true;
+					}
+				}
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
 	 */
 	function authenticate($login, $password) {
-		// TODO: check source ip!
+		$client_ip = $_SERVER['REMOTE_ADDR'];
+		if($this->is_whitelisted($client_ip) === false) {
+			return false;
+		}
+
 		if(!array_key_exists("HTTP_X_FORWARDED_USER", $_SERVER)) {
 			return false;
 		}