Add support for IpUtils::PRIVATE_SUBNETS ip whitelist
danielburger1337 authored and scheb committed Jan 26, 2024
1 parent 1298dfc commit 1783e49
Showing 3 changed files with 34 additions and 3 deletions.
5 changes: 3 additions & 2 deletions doc/configuration.rst
@@ -82,9 +82,10 @@ Bundle Configuration
# Supports IPv4, IPv6 and IP subnet masks.
ip_whitelist:
- 127.0.0.1 # One IPv4
- 192.168.0.0/16 # IPv4 subnet
- 192.168.0.0/16 # One IPv4 subnet
- 2001:0db8:85a3:0000:0000:8a2e:0370:7334 # One IPv6
- 2001:db8:abcd:0012::0/64 # IPv6 subnet
- 2001:db8:abcd:0012::0/64 # One IPv6 subnet
- !php/const Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS # All private IPv4 and IPv6 subnets
# If you want to have your own implementation to retrieve the whitelisted IPs.
# The configuration option "ip_whitelist" becomes meaningless in that case.
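--- a/src/bundle/DependencyInjection/Configuration.php
+++ b/src/bundle/DependencyInjection/Configuration.php
@@ -42,6 +42,17 @@ public function getConfigTreeBuilder(): TreeBuilder
 ->prototype('scalar')->end()
 ->end()
 ->arrayNode('ip_whitelist')
+->beforeNormalization()
+->ifArray()
+->then(static function (mixed $value): array {
+$values = [];
+foreach (self::flatten($value) as $v) {
+$values[] = $v;
+}
+
+return $values;
+})
+->end()
 ->defaultValue([])
 ->prototype('scalar')->end()
 ->end()
@@ -212,4 +223,22 @@ private function addGoogleAuthenticatorConfiguration(ArrayNodeDefinition $rootNo
 ->end()
 ->end();
 }
+
+/**
+* @return iterable<mixed>
+*/
+private static function flatten(array $arrayValue): iterable
+{
+foreach ($arrayValue as $value) {
+if (is_array($value)) {
+foreach (self::flatten($value) as $x) {
+yield $x;
+}
+
+continue;
+}
+
+yield $value;
+}
+}
 }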
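Review bot: After the new `beforeNormalization()` step flattens nested lists, each entry is still validated only by `prototype('scalar')`, so a whole-range constant such as `IpUtils::PRIVATE_SUBNETS` or a malformed entry is accepted with no check and no hint of what it implies. Judging by the option name, this list decides which client addresses are exempted from the second factor, so I would add a comment above the normalizer such as `// Nested lists (e.g. IpUtils::PRIVATE_SUBNETS) are flattened; behind a reverse proxy without trusted proxies configured the client IP can itself be a private address.` The copy loop in the closure can be written as `return iterator_to_array(self::flatten($value), false);`, and the docblock of `flatten()` would benefit from a one-line description plus `@param array<mixed> $arrayValue`. `getConfigTreeBuilder()` starts and ends outside the first hunk.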
3 changes: 2 additions & 1 deletion tests/DependencyInjection/SchebTwoFactorExtensionTest.php
@@ -99,7 +99,7 @@ public function load_fullConfig_setConfigValues(): void
$this->assertHasParameter('cookie.example.org', 'scheb_two_factor.trusted_device.cookie_domain');
$this->assertHasParameter('/cookie-path', 'scheb_two_factor.trusted_device.cookie_path');
$this->assertHasParameter(['Symfony\Component\Security\Core\Authentication\Token\SomeToken'], 'scheb_two_factor.security_tokens');
$this->assertHasParameter(['127.0.0.1'], 'scheb_two_factor.ip_whitelist');
$this->assertHasParameter(['127.0.0.1', '10.0.0.0/8', '192.168.0.0/16'], 'scheb_two_factor.ip_whitelist');
}

/**
@@ -647,6 +647,7 @@ private function getFullConfig(): array
- Symfony\Component\Security\Core\Authentication\Token\SomeToken
ip_whitelist:
- 127.0.0.1
- ['10.0.0.0/8', '192.168.0.0/16']
ip_whitelist_provider: acme_test.ip_whitelist_provider
two_factor_token_factory: acme_test.two_factor_token_factory
two_factor_provider_decider: acme_test.two_factor_provider_decider
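Review bot: The fixture entry added under `ip_whitelist` in `getFullConfig()` covers a single level of nesting with two IPv4 ranges, so nesting deeper than one level and the documented mixed IPv4/IPv6 case of `IpUtils::PRIVATE_SUBNETS` are not pinned by any assertion. Since this list appears to decide which clients are exempted from two-factor authentication, I would fix the flattened result exactly, for example by adding `- [['fc00::/7']]` to the fixture and `'fc00::/7'` to the expected array in `load_fullConfig_setConfigValues()`. Both methods continue outside the visible hunks.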
