auth_proxy: proxy MUST be whitelisted

This commit is contained in:
boyska 2018-09-17 12:02:28 +02:00
parent 7e1a483db2
commit d6ab5df482


@ -20,11 +20,47 @@ class Auth_Proxy extends Plugin implements IAuthModule {
$host->add_hook($host::HOOK_AUTH_USER, $this); $host->add_hook($host::HOOK_AUTH_USER, $this);
} }
/*
* is_whitelisted check if an IP is whitelisted by defined values in config.php
* it will check by-IP and by-NAME
* currently, only exact IP is supported (no cidr, no wildcard); this is a TODO
* check by
*/
private function is_whitelisted($client_ip) {
if(!defined('AUTHPROXY_WHITELIST_IP') && !defined('AUTHPROXY_WHITELIST_NAME')) {
// TODO: send a warning: this is a misconfiguration!
return false;
}
if(defined('AUTHPROXY_WHITELIST_IP')) {
$whitelist = explode(' ', AUTHPROXY_WHITELIST_IP);
foreach($whitelist as $w_ip) {
if($client_ip === $w_ip) {
return true;
}
}
}
if(defined('AUTHPROXY_WHITELIST_NAME')) {
$whitelist = explode(' ', AUTHPROXY_WHITELIST_NAME);
foreach($whitelist as $w_name) {
foreach(gethostbynamel($w_name) as $w_ip) {
if($client_ip === $w_ip) {
return true;
}
}
}
}
return false;
}
/** /**
* @SuppressWarnings(PHPMD.UnusedFormalParameter) * @SuppressWarnings(PHPMD.UnusedFormalParameter)
*/ */
function authenticate($login, $password) { function authenticate($login, $password) {
// TODO: check source ip! $client_ip = $_SERVER['REMOTE_ADDR'];
if($this->is_whitelisted($client_ip) === false) {
return false;
}
if(!array_key_exists("HTTP_X_FORWARDED_USER", $_SERVER)) { if(!array_key_exists("HTTP_X_FORWARDED_USER", $_SERVER)) {
return false; return false;
} }