1
0

RequestRemoteAddress.php 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-License-Identifier: AGPL-3.0-or-later
  5. */
  6. namespace OCA\WorkflowEngine\Check;
  7. use OCP\IL10N;
  8. use OCP\IRequest;
  9. use OCP\WorkflowEngine\ICheck;
  10. class RequestRemoteAddress implements ICheck {
  11. /**
  12. * @param IL10N $l
  13. * @param IRequest $request
  14. */
  15. public function __construct(
  16. protected IL10N $l,
  17. protected IRequest $request,
  18. ) {
  19. }
  20. /**
  21. * @param string $operator
  22. * @param string $value
  23. * @return bool
  24. */
  25. public function executeCheck($operator, $value) {
  26. $actualValue = $this->request->getRemoteAddress();
  27. $decodedValue = explode('/', $value);
  28. if ($operator === 'matchesIPv4') {
  29. return $this->matchIPv4($actualValue, $decodedValue[0], $decodedValue[1]);
  30. } elseif ($operator === '!matchesIPv4') {
  31. return !$this->matchIPv4($actualValue, $decodedValue[0], $decodedValue[1]);
  32. } elseif ($operator === 'matchesIPv6') {
  33. return $this->matchIPv6($actualValue, $decodedValue[0], $decodedValue[1]);
  34. } else {
  35. return !$this->matchIPv6($actualValue, $decodedValue[0], $decodedValue[1]);
  36. }
  37. }
  38. /**
  39. * @param string $operator
  40. * @param string $value
  41. * @throws \UnexpectedValueException
  42. */
  43. public function validateCheck($operator, $value) {
  44. if (!in_array($operator, ['matchesIPv4', '!matchesIPv4', 'matchesIPv6', '!matchesIPv6'])) {
  45. throw new \UnexpectedValueException($this->l->t('The given operator is invalid'), 1);
  46. }
  47. $decodedValue = explode('/', $value);
  48. if (count($decodedValue) !== 2) {
  49. throw new \UnexpectedValueException($this->l->t('The given IP range is invalid'), 2);
  50. }
  51. if (in_array($operator, ['matchesIPv4', '!matchesIPv4'])) {
  52. if (!filter_var($decodedValue[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
  53. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv4'), 3);
  54. }
  55. if ($decodedValue[1] > 32 || $decodedValue[1] <= 0) {
  56. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv4'), 4);
  57. }
  58. } else {
  59. if (!filter_var($decodedValue[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
  60. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv6'), 3);
  61. }
  62. if ($decodedValue[1] > 128 || $decodedValue[1] <= 0) {
  63. throw new \UnexpectedValueException($this->l->t('The given IP range is not valid for IPv6'), 4);
  64. }
  65. }
  66. }
  67. /**
  68. * Based on https://stackoverflow.com/a/594134
  69. * @param string $ip
  70. * @param string $rangeIp
  71. * @param int $bits
  72. * @return bool
  73. */
  74. protected function matchIPv4($ip, $rangeIp, $bits) {
  75. $rangeDecimal = ip2long($rangeIp);
  76. $ipDecimal = ip2long($ip);
  77. $mask = -1 << (32 - $bits);
  78. return ($ipDecimal & $mask) === ($rangeDecimal & $mask);
  79. }
  80. /**
  81. * Based on https://stackoverflow.com/a/7951507
  82. * @param string $ip
  83. * @param string $rangeIp
  84. * @param int $bits
  85. * @return bool
  86. */
  87. protected function matchIPv6($ip, $rangeIp, $bits) {
  88. $ipNet = inet_pton($ip);
  89. $binaryIp = $this->ipv6ToBits($ipNet);
  90. $ipNetBits = substr($binaryIp, 0, $bits);
  91. $rangeNet = inet_pton($rangeIp);
  92. $binaryRange = $this->ipv6ToBits($rangeNet);
  93. $rangeNetBits = substr($binaryRange, 0, $bits);
  94. return $ipNetBits === $rangeNetBits;
  95. }
  96. /**
  97. * Based on https://stackoverflow.com/a/7951507
  98. * @param string $packedIp
  99. * @return string
  100. */
  101. protected function ipv6ToBits($packedIp) {
  102. $unpackedIp = unpack('A16', $packedIp);
  103. $unpackedIp = str_split($unpackedIp[1]);
  104. $binaryIp = '';
  105. foreach ($unpackedIp as $char) {
  106. $binaryIp .= str_pad(decbin(ord($char)), 8, '0', STR_PAD_LEFT);
  107. }
  108. return str_pad($binaryIp, 128, '0', STR_PAD_RIGHT);
  109. }
  110. /**
  111. * returns a list of Entities the checker supports. The values must match
  112. * the class name of the entity.
  113. *
  114. * An empty result means the check is universally available.
  115. *
  116. * @since 18.0.0
  117. */
  118. public function supportedEntities(): array {
  119. return [];
  120. }
  121. /**
  122. * returns whether the operation can be used in the requested scope.
  123. *
  124. * Scope IDs are defined as constants in OCP\WorkflowEngine\IManager. At
  125. * time of writing these are SCOPE_ADMIN and SCOPE_USER.
  126. *
  127. * For possibly unknown future scopes the recommended behaviour is: if
  128. * user scope is permitted, the default behaviour should return `true`,
  129. * otherwise `false`.
  130. *
  131. * @since 18.0.0
  132. */
  133. public function isAvailableForScope(int $scope): bool {
  134. return true;
  135. }
  136. }