7 changes: 7 additions & 0 deletions pwpusher_private/config.php
Expand Up @@ -47,6 +47,13 @@
//Maximum life of a shared credential/password (in minutes).
$credMaxLife = (60 * 24 * 90); //90 days

//IP Whitelist for creating credentials
//Whitelist is an array of CIDR notation IP addresses
$checkCreatorIpWhitelist = true;
$creatorIpWhitelist = array(
"10.20.0.0/16"
);


//Email:

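Review bot: The comment above `$creatorIpWhitelist` should say what an entry must look like and what it is compared against, because the check in security.php (this PR) uses `ip2long`, so only IPv4 entries in `address/prefix` form behave as intended: `//Each entry is an IPv4 address with a prefix length, e.g. "10.20.0.0/16"; the client address from $_SERVER['REMOTE_ADDR'] is compared against it.` Shipping `$checkCreatorIpWhitelist = true` together with that example range means a fresh install blocks every creator outside 10.20.0.0/16, so either default the flag to `false` or add `//Edit this range for your deployment before enabling the check.`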
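--- a/pwpusher_private/security.php
+++ b/pwpusher_private/security.php
@@ -120,4 +120,33 @@ function getSalt()
 {
 $salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22);
 return $salt;
-}
+}
+
+/**
+* Check if the client if an ip is in array of supplied CIDR notation IP ranges
+*
+* @return bool $validIp
+*/
+function ipInList($ipString, $cidrArray)
+{
+$validIp = false;
+$ipLong = ip2long($ipString);
+foreach ($cidrArray as $cidr)
+{
+try
+{
+list ($ipWhite, $cidrNum) = explode('/', $cidr);
+$ipWhiteLong = ip2long($ipWhite);
+$netmask = -1 << (32 - (int)$cidrNum);
+if (($ipLong & $netmask) == ($ipWhiteLong & $netmask))
+{
+$validIp = true;
+}
+}
+catch (Error $error)
+{
+
+}
+}
+return $validIp;
+}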
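Review bot: A whitelist entry without a prefix length fails open in ipInList: `list ($ipWhite, $cidrNum) = explode('/', $cidr)` leaves `$cidrNum` null, `(int)null` is 0, and a /0 netmask matches every client address, and a non-numeric prefix such as `"10.20.0.0/abc"` ends the same way. Neither case throws an `Error` (explode only emits a warning), so the empty `catch (Error $error)` never runs and merely hides the problem; likewise an unparseable `$ipString` makes `ip2long` return `false`, which is silently masked to 0 rather than rejected. Malformed entries should be skipped and an invalid client address should return false, with the prefix bounded to 0–32, as in the rewrite below, where a bare address is read as a single host (/32). The docblock's `Check if the client if an ip is in array` should read `Check whether an IPv4 address falls inside any of the supplied CIDR ranges`, and `@return bool $validIp` should drop the variable name.
```php
function ipInList($ipString, $cidrArray)
{
    $ipLong = ip2long($ipString);
    if ($ipLong === false)
    {
        return false; // not a valid IPv4 address: fail closed
    }
    foreach ($cidrArray as $cidr)
    {
        $parts = explode('/', $cidr, 2);
        $ipWhiteLong = ip2long($parts[0]);
        $cidrNum = $parts[1] ?? '32'; // bare address means a single host
        // skip malformed entries instead of letting them widen to /0
        if ($ipWhiteLong === false || !ctype_digit($cidrNum) || (int)$cidrNum > 32)
        {
            continue;
        }
        $netmask = (int)$cidrNum === 0 ? 0 : (-1 << (32 - (int)$cidrNum)) & 0xFFFFFFFF;
        if (($ipLong & $netmask) === ($ipWhiteLong & $netmask))
        {
            return true;
        }
    }
    return false;
}
```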
19 changes: 16 additions & 3 deletions pwpusher_public/pw.php
Expand Up @@ -13,12 +13,25 @@
require '../pwpusher_private/interface.php';
require '../pwpusher_private/CAS/CAS.php';

// check if we need to check for white listing
$creatorIpOk = !$checkCreatorIpWhitelist;
if ($checkCreatorIpWhitelist)
{
$creatorIpOk = false;
$ipClientString = $_SERVER['REMOTE_ADDR'];
$creatorIpOk = ipInList($ipClientString, $creatorIpWhitelist);
}

//Print the header
print getHeader();

//Print the navbar
/** @noinspection PhpToStringImplementationInspection */
print getNavBar();
if ($creatorIpOk)
{
print getNavBar();
}


//Find user arguments, if any.
$arguments = getArguments();
Expand All @@ -37,7 +50,7 @@
}

//If the form function argument doesn't exist, print the form for the user.
if ($arguments['func'] == 'none' || $arguments == false) {
if ($arguments['func'] == 'none' || $arguments == false && $creatorIpOk) {

//Force CAS Authentication in order to load the form
if ($requireCASAuth) {
Expand All @@ -64,7 +77,7 @@
//Get form elements
print getFormElements();

} elseif ($arguments['func'] == 'post') {
} elseif ($arguments['func'] == 'post' && $creatorIpOk) {

//Force CAS Authentication in order to post the form
if ($requireCASAuth) {
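Review bot: The whitelist guard on the form branch does not cover the case it is meant to: in `if ($arguments['func'] == 'none' || $arguments == false && $creatorIpOk)` the `&&` binds tighter than `||`, so when `func` is `none` the form is still served to a non-whitelisted address and only the `$arguments == false` case is gated; it should read `if (($arguments['func'] == 'none' || $arguments == false) && $creatorIpOk) {`. When `$creatorIpOk` is false none of the visible hunks emits a denial, so a blocked creator presumably falls through to whatever follows the `post` branch — that tail of the `if`/`elseif` chain is outside the hunk, so confirm it does not render the form or a misleading error. In the first hunk `$creatorIpOk = false;` is overwritten by the `ipInList` call on the next line and can be dropped, and `$_SERVER['REMOTE_ADDR']` is the right source only when PHP talks to the client directly; behind a reverse proxy it holds the proxy's address, which is worth a comment at the point of use, e.g. `// REMOTE_ADDR is the direct peer; behind a proxy this is the proxy, not the user`.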