RequestRemoteAddress.php 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
  4. *
  5. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  6. * @author J0WI <J0WI@users.noreply.github.com>
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Julius Härtl <jus@bitgrid.net>
  9. * @author Morris Jobke <hey@morrisjobke.de>
  10. *
  11. * @license GNU AGPL version 3 or any later version
  12. *
  13. * This program is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License as
  15. * published by the Free Software Foundation, either version 3 of the
  16. * License, or (at your option) any later version.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU Affero General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU Affero General Public License
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25. *
  26. */
  27. namespace OCA\WorkflowEngine\Check;
  28. use OCP\IL10N;
  29. use OCP\IRequest;
  30. use OCP\WorkflowEngine\ICheck;
  31. class RequestRemoteAddress implements ICheck {
  32. /** @var IL10N */
  33. protected $l;
  34. /** @var IRequest */
  35. protected $request;
  36. /**
  37. * @param IL10N $l
  38. * @param IRequest $request
  39. */
  40. public function __construct(IL10N $l, IRequest $request) {
  41. $this->l = $l;
  42. $this->request = $request;
  43. }
  44. /**
  45. * @param string $operator
  46. * @param string $value
  47. * @return bool
  48. */
  49. public function executeCheck($operator, $value) {
  50. $actualValue = $this->request->getRemoteAddress();
  51. $decodedValue = explode('/', $value);
  52. if ($operator === 'matchesIPv4') {
  53. return $this->matchIPv4($actualValue, $decodedValue[0], $decodedValue[1]);
  54. } elseif ($operator === '!matchesIPv4') {
  55. return !$this->matchIPv4($actualValue, $decodedValue[0], $decodedValue[1]);
  56. } elseif ($operator === 'matchesIPv6') {
  57. return $this->matchIPv6($actualValue, $decodedValue[0], $decodedValue[1]);
  58. } else {
  59. return !$this->matchIPv6($actualValue, $decodedValue[0], $decodedValue[1]);
  60. }
  61. }
  62. /**
  63. * @param string $operator
  64. * @param string $value
  65. * @throws \UnexpectedValueException
  66. */
  67. public function validateCheck($operator, $value) {
  68. if (!in_array($operator, ['matchesIPv4', '!matchesIPv4', 'matchesIPv6', '!matchesIPv6'])) {
  69. throw new \UnexpectedValueException($this->l->t('The given operator is invalid'), 1);
  70. }
  71. $decodedValue = explode('/', $value);
  72. if (count($decodedValue) !== 2) {
  73. throw new \UnexpectedValueException($this->l->t('The given IP range is invalid'), 2);
  74. }
  75. if (in_array($operator, ['matchesIPv4', '!matchesIPv4'])) {
  76. if (!filter_var($decodedValue[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
  77. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv4'), 3);
  78. }
  79. if ($decodedValue[1] > 32 || $decodedValue[1] <= 0) {
  80. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv4'), 4);
  81. }
  82. } else {
  83. if (!filter_var($decodedValue[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
  84. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv6'), 3);
  85. }
  86. if ($decodedValue[1] > 128 || $decodedValue[1] <= 0) {
  87. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv6'), 4);
  88. }
  89. }
  90. }
  91. /**
  92. * Based on https://stackoverflow.com/a/594134
  93. * @param string $ip
  94. * @param string $rangeIp
  95. * @param int $bits
  96. * @return bool
  97. */
  98. protected function matchIPv4($ip, $rangeIp, $bits) {
  99. $rangeDecimal = ip2long($rangeIp);
  100. $ipDecimal = ip2long($ip);
  101. $mask = -1 << (32 - $bits);
  102. return ($ipDecimal & $mask) === ($rangeDecimal & $mask);
  103. }
  104. /**
  105. * Based on https://stackoverflow.com/a/7951507
  106. * @param string $ip
  107. * @param string $rangeIp
  108. * @param int $bits
  109. * @return bool
  110. */
  111. protected function matchIPv6($ip, $rangeIp, $bits) {
  112. $ipNet = inet_pton($ip);
  113. $binaryIp = $this->ipv6ToBits($ipNet);
  114. $ipNetBits = substr($binaryIp, 0, $bits);
  115. $rangeNet = inet_pton($rangeIp);
  116. $binaryRange = $this->ipv6ToBits($rangeNet);
  117. $rangeNetBits = substr($binaryRange, 0, $bits);
  118. return $ipNetBits === $rangeNetBits;
  119. }
  120. /**
  121. * Based on https://stackoverflow.com/a/7951507
  122. * @param string $packedIp
  123. * @return string
  124. */
  125. protected function ipv6ToBits($packedIp) {
  126. $unpackedIp = unpack('A16', $packedIp);
  127. $unpackedIp = str_split($unpackedIp[1]);
  128. $binaryIp = '';
  129. foreach ($unpackedIp as $char) {
  130. $binaryIp .= str_pad(decbin(ord($char)), 8, '0', STR_PAD_LEFT);
  131. }
  132. return str_pad($binaryIp, 128, '0', STR_PAD_RIGHT);
  133. }
  134. /**
  135. * returns a list of Entities the checker supports. The values must match
  136. * the class name of the entity.
  137. *
  138. * An empty result means the check is universally available.
  139. *
  140. * @since 18.0.0
  141. */
  142. public function supportedEntities(): array {
  143. return [];
  144. }
  145. /**
  146. * returns whether the operation can be used in the requested scope.
  147. *
  148. * Scope IDs are defined as constants in OCP\WorkflowEngine\IManager. At
  149. * time of writing these are SCOPE_ADMIN and SCOPE_USER.
  150. *
  151. * For possibly unknown future scopes the recommended behaviour is: if
  152. * user scope is permitted, the default behaviour should return `true`,
  153. * otherwise `false`.
  154. *
  155. * @since 18.0.0
  156. */
  157. public function isAvailableForScope(int $scope): bool {
  158. return true;
  159. }
  160. }