PageRenderTime 76ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 0ms

/concrete/src/Permission/IpAccessControlService.php

http://github.com/concrete5/concrete5
PHP | 479 lines | 277 code | 43 blank | 159 comment | 27 complexity | 82d26a1f2af53e962ad301a5f00beb80 MD5 | raw file
Possible License(s): MIT, LGPL-2.1, MPL-2.0-no-copyleft-exception, BSD-3-Clause 
    

  1. <?php
    2. 

  2. 

  3. namespace Concrete\Core\Permission;
    4. 

  4. 

  5. use Concrete\Core\Entity\Permission\IpAccessControlCategory;
    6. 

  6. use Concrete\Core\Entity\Permission\IpAccessControlEvent;
    7. 

  7. use Concrete\Core\Entity\Permission\IpAccessControlRange;
    8. 

  8. use Concrete\Core\Entity\Site\Site;
    9. 

  9. use Concrete\Core\Logging\LoggerAwareInterface;
    10. 

  10. use Concrete\Core\Logging\LoggerAwareTrait;
    11. 

  11. use DateTime;
    12. 

  12. use Doctrine\Common\Collections\Criteria;
    13. 

  13. use Doctrine\ORM\EntityManagerInterface;
    14. 

  14. use IPLib\Address\AddressInterface;
    15. 

  15. use IPLib\Factory as IPFactory;
    16. 

  16. use IPLib\Range\RangeInterface;
    17. 

  17. 

  18. class IpAccessControlService implements LoggerAwareInterface
    19. 

  19. {
    20. 

  20.     use LoggerAwareTrait;
    21. 

  21. 

  22.     /**
    23. 

  23.      * Bit mask for blacklist ranges.
    24. 

  24.      *
    25. 

  25.      * @var int
    26. 

  26.      */
    27. 

  27.     const IPRANGEFLAG_BLACKLIST = 0x0001;
    28. 

  28. 

  29.     /**
    30. 

  30.      * Bit mask for whitelist ranges.
    31. 

  31.      *
    32. 

  32.      * @var int
    33. 

  33.      */
    34. 

  34.     const IPRANGEFLAG_WHITELIST = 0x0002;
    35. 

  35. 

  36.     /**
    37. 

  37.      * Bit mask for manually generated ranges.
    38. 

  38.      *
    39. 

  39.      * @var int
    40. 

  40.      */
    41. 

  41.     const IPRANGEFLAG_MANUAL = 0x0010;
    42. 

  42. 

  43.     /**
    44. 

  44.      * Bit mask for automatically generated ranges.
    45. 

  45.      *
    46. 

  46.      * @var int
    47. 

  47.      */
    48. 

  48.     const IPRANGEFLAG_AUTOMATIC = 0x0020;
    49. 

  49. 

  50.     /**
    51. 

  51.      * IP range type: manually added to the blacklist.
    52. 

  52.      *
    53. 

  53.      * @var int
    54. 

  54.      */
    55. 

  55.     const IPRANGETYPE_BLACKLIST_MANUAL = 0x0011; // IPRANGEFLAG_BLACKLIST | IPRANGEFLAG_MANUAL
    56. 

  56. 

  57.     /**
    58. 

  58.      * IP range type: automatically added to the blacklist.
    59. 

  59.      *
    60. 

  60.      * @var int
    61. 

  61.      */
    62. 

  62.     const IPRANGETYPE_BLACKLIST_AUTOMATIC = 0x0021; // IPRANGEFLAG_BLACKLIST | IPRANGEFLAG_AUTOMATIC
    63. 

  63. 

  64.     /**
    65. 

  65.      * IP range type: manually added to the whitelist.
    66. 

  66.      *
    67. 

  67.      * @var int
    68. 

  68.      */
    69. 

  69.     const IPRANGETYPE_WHITELIST_MANUAL = 0x0012; // IPRANGEFLAG_WHITELIST | IPRANGEFLAG_MANUAL
    70. 

  70. 

  71.     /**
    72. 

  72.      * @var \Doctrine\ORM\EntityManagerInterface
    73. 

  73.      */
    74. 

  74.     protected $em;
    75. 

  75. 

  76.     /**
    77. 

  77.      * @var \Concrete\Core\Entity\Site\Site
    78. 

  78.      */
    79. 

  79.     protected $site;
    80. 

  80. 

  81.     /**
    82. 

  82.      * The IP Access Control Category.
    83. 

  83.      *
    84. 

  84.      * @var \Concrete\Core\Entity\Permission\IpAccessControlCategory
    85. 

  85.      */
    86. 

  86.     protected $category;
    87. 

  87. 

  88.     /**
    89. 

  89.      * @var \IPLib\Address\AddressInterface
    90. 

  90.      */
    91. 

  91.     protected $defaultIpAddress;
    92. 

  92. 

  93.     /**
    94. 

  94.      * Initialize the instance.
    95. 

  95.      *
    96. 

  96.      * @param \Doctrine\ORM\EntityManagerInterface $em
    97. 

  97.      * @param \Concrete\Core\Entity\Site\Site $site
    98. 

  98.      * @param \Concrete\Core\Entity\Permission\IpAccessControlCategory $category
    99. 

  99.      * @param \IPLib\Address\AddressInterface $defaultIpAddress
    100. 

  100.      */
    101. 

  101.     public function __construct(EntityManagerInterface $em, Site $site, IpAccessControlCategory $category, AddressInterface $defaultIpAddress)
    102. 

  102.     {
    103. 

  103.         $this->em = $em;
    104. 

  104.         $this->site = $site;
    105. 

  105.         $this->category = $category;
    106. 

  106.         $this->defaultIpAddress = $defaultIpAddress;
    107. 

  107.     }
    108. 

  108. 

  109.     /**
    110. 

  110.      * Get the IP Access Control Category.
    111. 

  111.      *
    112. 

  112.      * @return \Concrete\Core\Entity\Permission\IpAccessControlCategory
    113. 

  113.      */
    114. 

  114.     public function getCategory()
    115. 

  115.     {
    116. 

  116.         return $this->category;
    117. 

  117.     }
    118. 

  118. 

  119.     /**
    120. 

  120.      * Check if an IP address is blacklisted.
    121. 

  121.      *
    122. 

  122.      * @param \IPLib\Address\AddressInterface|null $ipAddress
    123. 

  123.      *
    124. 

  124.      * @return bool
    125. 

  125.      */
    126. 

  126.     public function isBlacklisted(AddressInterface $ipAddress = null)
    127. 

  127.     {
    128. 

  128.         $range = $this->getRange($ipAddress);
    129. 

  129. 

  130.         return $range !== null && ($range->getType() & self::IPRANGEFLAG_BLACKLIST);
    131. 

  131.     }
    132. 

  132. 

  133.     /**
    134. 

  134.      * Check if an IP address is whitelisted.
    135. 

  135.      *
    136. 

  136.      * @param \IPLib\Address\AddressInterface|null $ipAddress
    137. 

  137.      *
    138. 

  138.      * @return bool
    139. 

  139.      */
    140. 

  140.     public function isWhitelisted(AddressInterface $ipAddress = null)
    141. 

  141.     {
    142. 

  142.         $range = $this->getRange($ipAddress);
    143. 

  143. 

  144.         return $range !== null && ($range->getType() & self::IPRANGEFLAG_WHITELIST);
    145. 

  145.     }
    146. 

  146. 

  147.     /**
    148. 

  148.      * Create and save an IP Access Control Event.
    149. 

  149.      *
    150. 

  150.      * @param \IPLib\Address\AddressInterface|null $ipAddress
    151. 

  151.      * @param bool $evenIfDisabled
    152. 

  152.      *
    153. 

  153.      * @return \Concrete\Core\Entity\Permission\IpAccessControlEvent|null
    154. 

  154.      */
    155. 

  155.     public function registerEvent(AddressInterface $ipAddress = null, $evenIfDisabled = false)
    156. 

  156.     {
    157. 

  157.         if (!$evenIfDisabled && !$this->getCategory()->isEnabled()) {
    158. 

  158.             return null;
    159. 

  159.         }
    160. 

  160.         $event = new IpAccessControlEvent();
    161. 

  161.         $event
    162. 

  162.             ->setCategory($this->getCategory())
    163. 

  163.             ->setSite($this->site)
    164. 

  164.             ->setIpAddress($ipAddress ?: $this->defaultIpAddress)
    165. 

  165.             ->setDateTime(new DateTime('now'))
    166. 

  166.         ;
    167. 

  167.         $this->em->persist($event);
    168. 

  168.         $this->em->flush($event);
    169. 

  169. 

  170.         return $event;
    171. 

  171.     }
    172. 

  172. 

  173.     /**
    174. 

  174.      * Check if the IP address has reached the threshold.
    175. 

  175.      *
    176. 

  176.      * @param \IPLib\Address\AddressInterface $ipAddress
    177. 

  177.      * @param bool $evenIfDisabled
    178. 

  178.      *
    179. 

  179.      * @return bool
    180. 

  180.      */
    181. 

  181.     public function isThresholdReached(AddressInterface $ipAddress = null, $evenIfDisabled = false)
    182. 

  182.     {
    183. 

  183.         if (!$evenIfDisabled && !$this->getCategory()->isEnabled()) {
    184. 

  184.             return false;
    185. 

  185.         }
    186. 

  186.         if ($this->isWhitelisted($ipAddress)) {
    187. 

  187.             return false;
    188. 

  188.         }
    189. 

  189.         if ($ipAddress === null) {
    190. 

  190.             $ipAddress = $this->defaultIpAddress;
    191. 

  191.         }
    192. 

  192.         $qb = $this->em->createQueryBuilder();
    193. 

  193.         $x = $qb->expr();
    194. 

  194.         $qb
    195. 

  195.             ->from(IpAccessControlEvent::class, 'e')
    196. 

  196.             ->select($x->count('e.ipAccessControlEventID'))
    197. 

  197.             ->where($x->eq('e.ip', ':ip'))
    198. 

  198.             ->andWhere($x->eq('e.category', ':category'))
    199. 

  199.             ->setParameter('ip', $ipAddress->getComparableString())
    200. 

  200.             ->setParameter('category', $this->getCategory()->getIpAccessControlCategoryID())
    201. 

  201.         ;
    202. 

  202.         if ($this->getCategory()->getTimeWindow() !== null) {
    203. 

  203.             $dateTimeLimit = new DateTime('-' . $this->getCategory()->getTimeWindow() . ' seconds');
    204. 

  204.             $qb
    205. 

  205.                 ->andWhere($x->gt('e.dateTime', ':dateTimeLimit'))
    206. 

  206.                 ->setParameter('dateTimeLimit', $dateTimeLimit)
    207. 

  207.             ;
    208. 

  208.         }
    209. 

  209.         if ($this->getCategory()->isSiteSpecific()) {
    210. 

  210.             $qb
    211. 

  211.                 ->andWhere(
    212. 

  212.                     $x->orX(
    213. 

  213.                         $x->isNull('e.site'),
    214. 

  214.                         $x->eq('e.site', ':site')
    215. 

  215.                     )
    216. 

  216.                 )
    217. 

  217.                 ->setParameter('site', $this->site->getSiteID())
    218. 

  218.             ;
    219. 

  219.         }
    220. 

  220.         $numEvents = (int) $qb->getQuery()->getSingleScalarResult();
    221. 

  221. 

  222.         return $numEvents >= $this->getCategory()->getMaxEvents();
    223. 

  223.     }
    224. 

  224. 

  225.     /**
    226. 

  226.      * Add an IP address to the list of blacklisted IP address when too many events occur.
    227. 

  227.      *
    228. 

  228.      * @param \IPLib\Address\AddressInterface $ipAddress the IP to add to the blacklist (if null, we'll use the current IP address)
    229. 

  229.      * @param bool $evenIfDisabled if set to true, we'll add the IP address even if the IP ban system is disabled in the configuration
    230. 

  230.      *
    231. 

  231.      * @return \Concrete\Core\Entity\Permission\IpAccessControlRange|null
    232. 

  232.      */
    233. 

  233.     public function addToBlacklistForThresholdReached(AddressInterface $ipAddress = null, $evenIfDisabled = false)
    234. 

  234.     {
    235. 

  235.         if (!$evenIfDisabled && !$this->getCategory()->isEnabled()) {
    236. 

  236.             return null;
    237. 

  237.         }
    238. 

  238.         if ($ipAddress === null) {
    239. 

  239.             $ipAddress = $this->defaultIpAddress;
    240. 

  240.         }
    241. 

  241.         if ($this->getCategory()->getBanDuration() === null) {
    242. 

  242.             $banExpiration = null;
    243. 

  243.         } else {
    244. 

  244.             $banExpiration = new DateTime('+' . $this->getCategory()->getBanDuration() . ' minutes');
    245. 

  245.         }
    246. 

  246. 

  247.         $range = $this->createRange(
    248. 

  248.             IPFactory::rangeFromBoundaries($ipAddress, $ipAddress),
    249. 

  249.             static::IPRANGETYPE_BLACKLIST_AUTOMATIC,
    250. 

  250.             $banExpiration
    251. 

  251.         );
    252. 

  252. 

  253.         if ($this->getCategory()->getLogChannelHandle() !== '') {
    254. 

  254.             $this->logger->warning(
    255. 

  255.                 t('IP address %1$s added to blacklist for the category %2$s.', $ipAddress->toString(), $this->getCategory()->getDisplayName()),
    256. 

  256.                 [
    257. 

  257.                     'ip_address' => $ipAddress->toString(),
    258. 

  258.                     'category' => $this->getCategory()->getHandle(),
    259. 

  259.                 ]
    260. 

  260.             );
    261. 

  261.         }
    262. 

  262. 

  263.         return $range;
    264. 

  264.     }
    265. 

  265. 

  266.     /**
    267. 

  267.      * Add persist an IP address range type.
    268. 

  268.      *
    269. 

  269.      * @param \IPLib\Range\RangeInterface $range the IP address range to persist
    270. 

  270.      * @param int $type The range type (one of the IpAccessControlService::IPRANGETYPE_... constants)
    271. 

  271.      * @param \DateTime $expiration The optional expiration of the range type
    272. 

  272.      *
    273. 

  273.      * @return \Concrete\Core\Entity\Permission\IpAccessControlRange
    274. 

  274.      */
    275. 

  275.     public function createRange(RangeInterface $range, $type, DateTime $expiration = null)
    276. 

  276.     {
    277. 

  277.         $result = new IpAccessControlRange();
    278. 

  278.         $result
    279. 

  279.             ->setCategory($this->getCategory())
    280. 

  280.             ->setIpRange($range)
    281. 

  281.             ->setType($type)
    282. 

  282.             ->setExpiration($expiration)
    283. 

  283.             ->setSite($this->site)
    284. 

  284.         ;
    285. 

  285.         $this->em->persist($result);
    286. 

  286.         $this->em->flush($result);
    287. 

  287. 

  288.         return $result;
    289. 

  289.     }
    290. 

  290. 

  291.     /**
    292. 

  292.      * Get the list of currently available ranges.
    293. 

  293.      *
    294. 

  294.      * @param int $type (one of the IPService::IPRANGETYPE_... constants)
    295. 

  295.      * @param bool $includeExpired Include expired records?
    296. 

  296.      *
    297. 

  297.      * @return \Doctrine\Common\Collections\Collection|\Concrete\Core\Entity\Permission\IpAccessControlRange[]
    298. 

  298.      */
    299. 

  299.     public function getRanges($type, $includeExpired = false)
    300. 

  300.     {
    301. 

  301.         $criteria = new Criteria();
    302. 

  302.         $x = $criteria->expr();
    303. 

  303.         $criteria->andWhere($x->eq('type', (int) $type));
    304. 

  304.         if (!$includeExpired) {
    305. 

  305.             $criteria->andWhere(
    306. 

  306.                 $x->orX(
    307. 

  307.                     $x->isNull('expiration'),
    308. 

  308.                     $x->gt('expiration', new DateTime('now'))
    309. 

  309.                 )
    310. 

  310.             );
    311. 

  311.         }
    312. 

  312. 

  313.         return $this->getCategory()->getRanges()->matching($criteria);
    314. 

  314.     }
    315. 

  315. 

  316.     /**
    317. 

  317.      * Get a saved range for this category given its ID.
    318. 

  318.      *
    319. 

  319.      * @param int $id
    320. 

  320.      *
    321. 

  321.      * \Concrete\Core\Entity\Permission\IpAccessControlRange|null
    322. 

  322.      */
    323. 

  323.     public function getRangeByID($id)
    324. 

  324.     {
    325. 

  325.         if (!$id) {
    326. 

  326.             return null;
    327. 

  327.         }
    328. 

  328.         $entity = $this->em->find(IpAccessControlRange::class, ['ipAccessControlRangeID' => (int) $id]);
    329. 

  329.         if ($entity === null) {
    330. 

  330.             return null;
    331. 

  331.         }
    332. 

  332.         if ($entity->getCategory() !== $this->getCategory()) {
    333. 

  333.             return null;
    334. 

  334.         }
    335. 

  335. 

  336.         return $entity;
    337. 

  337.     }
    338. 

  338. 

  339.     /**
    340. 

  340.      * Delete a saved range given its instance or its ID.
    341. 

  341.      *
    342. 

  342.      * @param \Concrete\Core\Entity\Permission\IpAccessControlRange|int $range
    343. 

  343.      */
    344. 

  344.     public function deleteRange($range)
    345. 

  345.     {
    346. 

  346.         $entity = is_numeric($range) ? $this->getRangeByID($range) : $range;
    347. 

  347.         if (!($entity instanceof IpAccessControlRange) || $entity->getCategory() !== $this->getCategory()) {
    348. 

  348.             return;
    349. 

  349.         }
    350. 

  350.         $this->em->remove($entity);
    351. 

  351.         $this->em->flush($entity);
    352. 

  352.     }
    353. 

  353. 

  354.     /**
    355. 

  355.      * Delete the recorded events.
    356. 

    357. 

  357.      *
    358. 

  358.      * @param int|null $minAge the minimum age (in seconds) of the records (specify an empty value to delete all records)
    359. 

  359.      *
    360. 

  360.      * @return int the number of records deleted
    361. 

  361.      */
    362. 

  362.     public function deleteEvents($minAge = null)
    363. 

  363.     {
    364. 

  364.         $qb = $this->em->createQueryBuilder();
    365. 

  365.         $x = $qb->expr();
    366. 

  366.         $qb
    367. 

  367.             ->delete(IpAccessControlEvent::class, 'e')
    368. 

  368.             ->where($x->eq('e.category', ':category'))
    369. 

  369.             ->setParameter('category', $this->getCategory()->getIpAccessControlCategoryID())
    370. 

  370.         ;
    371. 

  371.         if ($minAge) {
    372. 

  372.             $dateTimeLimit = new DateTime('-' . ((int) $minAge) . ' seconds');
    373. 

  373.             $qb
    374. 

  374.                 ->andWhere($x->lte('e.dateTime', ':dateTimeLimit'))
    375. 

  375.                 ->setParameter('dateTimeLimit', $dateTimeLimit)
    376. 

  376.             ;
    377. 

  377.         }
    378. 

  378. 

  379.         return (int) $qb->getQuery()->execute();
    380. 

  380.     }
    381. 

  381. 

  382.     /**
    383. 

  383.      * Clear the IP addresses automatically blacklisted.
    384. 

  384.      *
    385. 

  385.      * @param bool $onlyExpired
    386. 

  386.      *
    387. 

  387.      * @return int the number of records deleted
    388. 

  388.      */
    389. 

  389.     public function deleteAutomaticBlacklist($onlyExpired = true)
    390. 

  390.     {
    391. 

  391.         $qb = $this->em->createQueryBuilder();
    392. 

  392.         $x = $qb->expr();
    393. 

  393.         $qb
    394. 

  394.             ->delete(IpAccessControlRange::class, 'r')
    395. 

  395.             ->where($x->eq('r.category', ':category'))
    396. 

  396.             ->andWhere($x->eq('r.type', ':type'))
    397. 

  397.             ->setParameter('category', $this->getCategory()->getIpAccessControlCategoryID())
    398. 

  398.             ->setParameter('type', self::IPRANGETYPE_BLACKLIST_AUTOMATIC)
    399. 

  399.         ;
    400. 

  400.         if ($onlyExpired) {
    401. 

  401.             $dateTimeLimit = new DateTime('now');
    402. 

  402.             $qb
    403. 

  403.                 ->andWhere($x->lte('r.expiration', ':dateTimeLimit'))
    404. 

  404.                 ->setParameter('dateTimeLimit', $dateTimeLimit)
    405. 

  405.             ;
    406. 

  406.         }
    407. 

  407. 

  408.         return (int) $qb->getQuery()->execute();
    409. 

  409.     }
    410. 

  410. 

  411.     /**
    412. 

  412.      * Get the (localized) message telling the users that their IP address has been banned.
    413. 

  413.      *
    414. 

  414.      * @return string
    415. 

  415.      */
    416. 

  416.     public function getErrorMessage()
    417. 

  417.     {
    418. 

  418.         return t('Unable to complete action: your IP address has been banned. Please contact the administrator of this site for more information.');
    419. 

  419.     }
    420. 

  420. 

  421.     /**
    422. 

  422.      * {@inheritdoc}
    423. 

  423.      *
    424. 

  424.      * @see \Concrete\Core\Logging\LoggerAwareInterface::getLoggerChannel()
    425. 

  425.      */
    426. 

  426.     public function getLoggerChannel()
    427. 

  427.     {
    428. 

  428.         return $this->getCategory()->getLogChannelHandle();
    429. 

  429.     }
    430. 

  430. 

  431.     /**
    432. 

  432.      * @param \IPLib\Address\AddressInterface $ipAddress
    433. 

  433.      *
    434. 

  434.      * @return \Concrete\Core\Entity\Permission\IpAccessControlRange|null
    435. 

  435.      */
    436. 

  436.     public function getRange(AddressInterface $ipAddress = null)
    437. 

  437.     {
    438. 

  438.         if ($ipAddress === null) {
    439. 

  439.             $ipAddress = $this->defaultIpAddress;
    440. 

  440.         }
    441. 

  441.         $qb = $this->em->createQueryBuilder();
    442. 

  442.         $x = $qb->expr();
    443. 

  443.         $qb
    444. 

  444.             ->from(IpAccessControlRange::class, 'r')
    445. 

  445.             ->select('r')
    446. 

  446.             ->where($x->lte('r.ipFrom', ':ip'))
    447. 

  447.             ->andWhere($x->gte('r.ipTo', ':ip'))
    448. 

  448.             ->andWhere(
    449. 

  449.                 $x->orX(
    450. 

  450.                     $x->isNull('r.expiration'),
    451. 

  451.                     $x->gt('r.expiration', ':now')
    452. 

  452.                 )
    453. 

  453.             )
    454. 

  454.             ->setParameter('ip', $ipAddress->getComparableString())
    455. 

  455.             ->setParameter('now', new DateTime('now'))
    456. 

  456.         ;
    457. 

  457.         if ($this->getCategory()->isSiteSpecific()) {
    458. 

  458.             $qb
    459. 

  459.                 ->andWhere(
    460. 

  460.                     $x->orX(
    461. 

  461.                         $x->isNull('r.site'),
    462. 

  462.                         $x->eq('r.site', ':site')
    463. 

  463.                     )
    464. 

  464.                 )
    465. 

  465.                 ->setParameter('site', $this->site->getSiteID())
    466. 

  466.             ;
    467. 

  467.         }
    468. 

  468.         $query = $qb->getQuery();
    469. 

  469.         $result = null;
    470. 

  470.         foreach ($query->getResult() as $range) {
    471. 

  471.             $result = $range;
    472. 

  472.             if ($range->getType() & self::IPRANGEFLAG_WHITELIST) {
    473. 

  473.                 break;
    474. 

  474.             }
    475. 

  475.         }
    476. 

  476. 

  477.         return $result;
    478. 

  478.     }
    479. 

  479. }
    480. 

  480.