Implemented ip whitelist

scheb · Feb 14, 2016 · 2640fb7 · 2640fb7
1 parent 23d7ba4
commit 2640fb7
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 5 deletions.
diff --git a/Resources/config/listeners.xml b/Resources/config/listeners.xml
@@ -9,6 +9,7 @@
 			<tag name="kernel.event_listener" event="security.interactive_login" method="onSecurityInteractiveLogin" />
 			<argument type="service" id="scheb_two_factor.trusted_filter" />
 			<argument>%scheb_two_factor.security_tokens%</argument>
+			<argument>%scheb_two_factor.ip_whitelist%</argument>
 		</service>
 		<service id="scheb_two_factor.security.request_listener" class="%scheb_two_factor.security.request_listener.class%">
 			<tag name="kernel.event_listener" event="kernel.request" method="onCoreRequest" priority="-1" />

diff --git a/Security/TwoFactor/EventListener/InteractiveLoginListener.php b/Security/TwoFactor/EventListener/InteractiveLoginListener.php
@@ -18,16 +18,23 @@ class InteractiveLoginListener
      */
     private $supportedTokens;
 
+    /**
+     * @var array
+     */
+    private $ipWhitelist;
+
     /**
      * Construct a listener for login events.
      *
      * @param AuthenticationHandlerInterface $authHandler
      * @param array                          $supportedTokens
+     * @param array                          $ipWhitelist
      */
-    public function __construct(AuthenticationHandlerInterface $authHandler, array $supportedTokens)
+    public function __construct(AuthenticationHandlerInterface $authHandler, array $supportedTokens, array $ipWhitelist)
     {
         $this->authHandler = $authHandler;
         $this->supportedTokens = $supportedTokens;
+        $this->ipWhitelist = $ipWhitelist;
     }
 
     /**
@@ -39,6 +46,11 @@ public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
     {
         $request = $event->getRequest();
 
+        // Skip two-factor authentication for whitelisted IPs
+        if (in_array($request->getClientIp(), $this->ipWhitelist)) {
+            return;
+        }
+
         // Check if security token is supported
         $token = $event->getAuthenticationToken();
         if (!$this->isTokenSupported($token)) {

diff --git a/Tests/Security/TwoFactor/EventListener/InteractiveLoginListenerTest.php b/Tests/Security/TwoFactor/EventListener/InteractiveLoginListenerTest.php
@@ -8,6 +8,9 @@
 
 class InteractiveLoginListenerTest extends \PHPUnit_Framework_TestCase
 {
+    const WHITELISTED_IP = '1.2.3.4';
+    const NON_WHITELISTED_IP = '1.1.1.1';
+
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
@@ -28,15 +31,20 @@ public function setUp()
         $this->authHandler = $this->getMock("Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationHandlerInterface");
 
         $supportedTokens = array("Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken");
-        $this->listener = new InteractiveLoginListener($this->authHandler, $supportedTokens);
+        $this->listener = new InteractiveLoginListener($this->authHandler, $supportedTokens, array(self::WHITELISTED_IP));
     }
 
     /**
      * @return \PHPUnit_Framework_MockObject_MockObject
      */
-    private function createEvent($token)
+    private function createEvent($token, $clientIp)
     {
         $this->request = $this->getMock("Symfony\Component\HttpFoundation\Request");
+        $this->request
+            ->expects($this->any())
+            ->method('getClientIp')
+            ->will($this->returnValue($clientIp));
+
         $event = $this->getMockBuilder("Symfony\Component\Security\Http\Event\InteractiveLoginEvent")
             ->disableOriginalConstructor()
             ->getMock();
@@ -58,7 +66,7 @@ private function createEvent($token)
     public function onSecurityInteractiveLogin_tokenClassSupported_beginAuthentication()
     {
         $token = new UsernamePasswordToken('user', array(), 'key');
-        $event = $this->createEvent($token);
+        $event = $this->createEvent($token, self::NON_WHITELISTED_IP);
 
         //Expect TwoFactorProvider to be called
         $expectedContext = new AuthenticationContext($this->request, $token);
@@ -76,7 +84,23 @@ public function onSecurityInteractiveLogin_tokenClassSupported_beginAuthenticati
     public function onSecurityInteractiveLogin_tokenClassNotSupported_doNothing()
     {
         $token = $this->getMock("Symfony\Component\Security\Core\Authentication\Token\TokenInterface");
-        $event = $this->createEvent($token);
+        $event = $this->createEvent($token, self::NON_WHITELISTED_IP);
+
+        //Expect TwoFactorProvider not to be called
+        $this->authHandler
+            ->expects($this->never())
+            ->method('beginAuthentication');
+
+        $this->listener->onSecurityInteractiveLogin($event);
+    }
+
+    /**
+     * @test
+     */
+    public function onSecurityInteractiveLogin_ipWhitelisted_doNothing()
+    {
+        $token = $this->getMock("Symfony\Component\Security\Core\Authentication\Token\TokenInterface");
+        $event = $this->createEvent($token, self::WHITELISTED_IP);
 
         //Expect TwoFactorProvider not to be called
         $this->authHandler