Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nested IP whitelist #217

Merged
merged 3 commits into from
Jan 26, 2024
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions doc/configuration.rst
Original file line number Diff line number Diff line change
Expand Up @@ -82,9 +82,10 @@ Bundle Configuration
# Supports IPv4, IPv6 and IP subnet masks.
ip_whitelist:
- 127.0.0.1 # One IPv4
- 192.168.0.0/16 # IPv4 subnet
- 192.168.0.0/16 # One IPv4 subnet
- 2001:0db8:85a3:0000:0000:8a2e:0370:7334 # One IPv6
- 2001:db8:abcd:0012::0/64 # IPv6 subnet
- 2001:db8:abcd:0012::0/64 # One IPv6 subnet
- !php/const Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS # All private IPv4 and IPv6 subnets

# If you want to have your own implementation to retrieve the whitelisted IPs.
# The configuration option "ip_whitelist" becomes meaningless in that case.
Expand Down
32 changes: 32 additions & 0 deletions src/bundle/DependencyInjection/Configuration.php
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
use function interface_exists;
use function is_iterable;

/**
* @final
Expand Down Expand Up @@ -42,6 +43,17 @@ public function getConfigTreeBuilder(): TreeBuilder
->prototype('scalar')->end()
->end()
->arrayNode('ip_whitelist')
->beforeNormalization()
->ifArray()
->then(static function (mixed $value): array {
$values = [];
foreach (self::flatten($value) as $v) {
$values[] = $v;
}

return $values;
})
danielburger1337 marked this conversation as resolved.
Show resolved Hide resolved
->end()
->defaultValue([])
->prototype('scalar')->end()
->end()
Expand Down Expand Up @@ -212,4 +224,24 @@ private function addGoogleAuthenticatorConfiguration(ArrayNodeDefinition $rootNo
->end()
->end();
}

/**
* @param iterable<mixed> $iterableValue
*
* @return iterable<mixed>
*/
private static function flatten(iterable $iterableValue): iterable
{
foreach ($iterableValue as $value) {
if (is_iterable($value)) {
foreach (self::flatten($value) as $x) {
yield $x;
}

continue;
}

yield $value;
}
}
}
3 changes: 2 additions & 1 deletion tests/DependencyInjection/SchebTwoFactorExtensionTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ public function load_fullConfig_setConfigValues(): void
$this->assertHasParameter('cookie.example.org', 'scheb_two_factor.trusted_device.cookie_domain');
$this->assertHasParameter('/cookie-path', 'scheb_two_factor.trusted_device.cookie_path');
$this->assertHasParameter(['Symfony\Component\Security\Core\Authentication\Token\SomeToken'], 'scheb_two_factor.security_tokens');
$this->assertHasParameter(['127.0.0.1'], 'scheb_two_factor.ip_whitelist');
$this->assertHasParameter(['127.0.0.1', '10.0.0.0/8', '192.168.0.0/16'], 'scheb_two_factor.ip_whitelist');
}

/**
Expand Down Expand Up @@ -647,6 +647,7 @@ private function getFullConfig(): array
- Symfony\Component\Security\Core\Authentication\Token\SomeToken
ip_whitelist:
- 127.0.0.1
- ['10.0.0.0/8', '192.168.0.0/16']
ip_whitelist_provider: acme_test.ip_whitelist_provider
two_factor_token_factory: acme_test.two_factor_token_factory
two_factor_provider_decider: acme_test.two_factor_provider_decider
Expand Down