From 0814e8457c5430dfca8924896ed29d6c90542e13 Mon Sep 17 00:00:00 2001
From: Erik Hommel <hommel@ee-atwork.nl>
Date: Wed, 19 Jul 2017 16:40:09 +0200
Subject: [PATCH] add ip whitelisting fix #12

---
 proxy/config.php | 28 +++++++++++++++++++++-------
 proxy/proxy.php  | 21 +++++++++++++++++++++
 proxy/rest.php   |  8 ++++++--
 3 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/proxy/config.php b/proxy/config.php
index eeda1fc..85baa24 100644
--- a/proxy/config.php
+++ b/proxy/config.php
@@ -74,11 +74,25 @@ $file_cache_include = array(
 /****************************************************************
  **                   REST API OPTIONS                         **
  ****************************************************************/
+// whitelisting is done per IP address ($_SERVER['REMOTE_ADDR']) with a default for the generic stuff that applies to all IP addresses
+// - if a request comes in and the IP does not occur in the array, the whitelisted in 'default' are used
+// - if a request comes in and the Ip does occur in the array, the whitelisted in the IP are checked first. If nothing is
+//   found ,the 'default' ones are checked next.
 $rest_allowed_actions = array(
-  // this is an example:
-  'Contact' => array(
-      'getsingle'      => array(
-                            'email' => 'string'
-                            ),
-    )
-  );
+  'default' => array(
+    'Contact' => array(
+      'getsingle' => array(
+        'email' => 'string',
+      ),
+    ),
+  ),
+  '123.45.678.1' => array(
+    'Contact' => array(
+      'getsingle' => array(
+        'first_name' => 'string',
+        'last_name' => 'string',
+      ),
+    ),
+  ),
+);
+
diff --git a/proxy/proxy.php b/proxy/proxy.php
index 1b2f87f..b02efd6 100644
--- a/proxy/proxy.php
+++ b/proxy/proxy.php
@@ -255,3 +255,24 @@ function civicrm_api3($entity, $action, $data) {
   }
 }
 
+/**
+ * Function to get the valid rest_allowed_actions key
+ *
+ * @param $action
+ * @return bool
+ */
+function civiproxy_get_valid_allowed_actions_key($action) {
+  $remote_addr = $_SERVER['REMOTE_ADDR'];
+  // check IP specific whitelisting if specified for this address
+  if (isset($rest_allowed_actions[$remote_addr])) {
+    if (isset($rest_allowed_actions[$remote_addr][$action['entity']]) && isset($rest_allowed_actions[$remote_addr][$action['entity']][$action['action']])) {
+      $valid_key = $remote_addr;
+    } else {
+      $valid_key = 'default';
+    }
+  } else {
+    $valid_key = 'default';
+  }
+  return $valid_key;
+}
+
diff --git a/proxy/rest.php b/proxy/rest.php
index 21bdc97..5ba8d6a 100644
--- a/proxy/rest.php
+++ b/proxy/rest.php
@@ -46,8 +46,12 @@ $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'stri
 if (!isset($action['version']) || $action['version'] != 3) {
   civiproxy_rest_error("Invalid entity/action.");
 }
-if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
-  $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
+
+// get valid key for the rest_allowed_actions
+$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
+
+if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) {
+  $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']];
 } else {
   civiproxy_rest_error("Invalid entity/action.");
 }