From b22045fa3db0c8f857edbf7540ddcab16423871d Mon Sep 17 00:00:00 2001
From: Erik Hommel
Date: Wed, 19 Jul 2017 14:53:59 +0200
Subject: [PATCH 1/5] add .idea to gitignore to ignore phpstorm projects
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 14058d7..1ed28af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 secrets.php
 proxy/file_cache
 debug.log
+.idea
\ No newline at end of file
From 0814e8457c5430dfca8924896ed29d6c90542e13 Mon Sep 17 00:00:00 2001
From: Erik Hommel
Date: Wed, 19 Jul 2017 16:40:09 +0200
Subject: [PATCH 2/5] add ip whitelisting fix #12
---
 proxy/config.php | 28 +++++++++++++++++++++-------
 proxy/proxy.php | 21 +++++++++++++++++++++
 proxy/rest.php | 8 ++++++--
 3 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/proxy/config.php b/proxy/config.php
index eeda1fc..85baa24 100644
--- a/proxy/config.php
+++ b/proxy/config.php
@@ -74,11 +74,25 @@ $file_cache_include = array(
 /****************************************************************
 ** REST API OPTIONS **
 ****************************************************************/
+// whitelisting is done per IP address ($_SERVER['REMOTE_ADDR']) with a default for the generic stuff that applies to all IP addresses
+// - if a request comes in and the IP does not occur in the array, the whitelisted in 'default' are used
+// - if a request comes in and the Ip does occur in the array, the whitelisted in the IP are checked first. If nothing is
+// found ,the 'default' ones are checked next.
 $rest_allowed_actions = array(
- // this is an example:
- 'Contact' => array(
- 'getsingle' => array(
- 'email' => 'string'
- ),
- )
- );
+ 'default' => array(
+ 'Contact' => array(
+ 'getsingle' => array(
+ 'email' => 'string',
+ ),
+ ),
+ ),
+ '123.45.678.1' => array(
+ 'Contact' => array(
+ 'getsingle' => array(
+ 'first_name' => 'string',
+ 'last_name' => 'string',
+ ),
+ ),
+ ),
+);
+
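Review bot: The example key `'123.45.678.1'` added to `$rest_allowed_actions` is not a valid IPv4 address (an octet cannot exceed 255), so anyone copying the template gets an entry that can never match; a well-formed documentation address such as `'192.0.2.1'` is the safer example. The new comment block should also state that the lookup is an exact string match on `$_SERVER['REMOTE_ADDR']` (no CIDR ranges) and that behind a reverse proxy or load balancer that value is the proxy's own address, so a per-IP entry would then apply to every request the proxy forwards. It is worth spelling out as well that everything under 'default' stays reachable from any address — a per-IP entry can only add entity/actions, never restrict them. Suggested extra comment line: `// NOTE: keys are compared exactly against $_SERVER['REMOTE_ADDR'] (no CIDR); behind a reverse proxy this is the proxy's address, not the client's`.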
diff --git a/proxy/proxy.php b/proxy/proxy.php
index 1b2f87f..b02efd6 100644
--- a/proxy/proxy.php
+++ b/proxy/proxy.php
@@ -255,3 +255,24 @@ function civicrm_api3($entity, $action, $data) {
 }
 }
+/**
+ * Function to get the valid rest_allowed_actions key
+ *
+ * @param $action
+ * @return bool
+ */
+function civiproxy_get_valid_allowed_actions_key($action) {
+ $remote_addr = $_SERVER['REMOTE_ADDR'];
+ // check IP specific whitelisting if specified for this address
+ if (isset($rest_allowed_actions[$remote_addr])) {
+ if (isset($rest_allowed_actions[$remote_addr][$action['entity']]) && isset($rest_allowed_actions[$remote_addr][$action['entity']][$action['action']])) {
+ $valid_key = $remote_addr;
+ } else {
+ $valid_key = 'default';
+ }
+ } else {
+ $valid_key = 'default';
+ }
+ return $valid_key;
+}
+
diff --git a/proxy/rest.php b/proxy/rest.php
index 21bdc97..5ba8d6a 100644
--- a/proxy/rest.php
+++ b/proxy/rest.php
@@ -46,8 +46,12 @@ $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'stri
 if (!isset($action['version']) || $action['version'] != 3) {
 civiproxy_rest_error("Invalid entity/action.");
 }
-if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
- $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
+
+// get valid key for the rest_allowed_actions
+$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
+
+if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) {
+ $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']];
 } else {
 civiproxy_rest_error("Invalid entity/action.");
 }
From 4b93dfae7d1651d48e1f2a9af61bfc8088a3c949 Mon Sep 17 00:00:00 2001
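Review bot: `$rest_allowed_actions` is read inside `civiproxy_get_valid_allowed_actions_key()` but is neither a parameter nor declared `global`, so every `isset()` on it is false and the function always returns 'default'; the per-IP whitelist configured in config.php is therefore never consulted by the call site in the proxy/rest.php hunk of this same patch. PATCH 5/5 of this series passes the array in as a second argument, which resolves this. The docblock's `@return bool` is also wrong — the function returns a string key (the remote address or 'default'); `@param array $action` and `@return string` match the code. `$_SERVER['REMOTE_ADDR']` is read unconditionally, so outside a web request the index is unset and a notice is raised; `$remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';` keeps the 'default' path in that case.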
From: Erik Hommel
Date: Wed, 19 Jul 2017 18:57:30 +0200
Subject: [PATCH 3/5] work in progress issue 12
---
 proxy/config.php | 10 +++++-----
 proxy/proxy.php | 4 ++--
 proxy/rest.php | 22 ++++++++++++++++------
 3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/proxy/config.php b/proxy/config.php
index 85baa24..1d90e38 100644
--- a/proxy/config.php
+++ b/proxy/config.php
@@ -74,12 +74,12 @@ $file_cache_include = array(
 /****************************************************************
 ** REST API OPTIONS **
 ****************************************************************/
-// whitelisting is done per IP address ($_SERVER['REMOTE_ADDR']) with a default for the generic stuff that applies to all IP addresses
-// - if a request comes in and the IP does not occur in the array, the whitelisted in 'default' are used
-// - if a request comes in and the Ip does occur in the array, the whitelisted in the IP are checked first. If nothing is
-// found ,the 'default' ones are checked next.
+// whitelisting is done per IP address ($_SERVER['REMOTE_ADDR']) with a 'all' for the generic stuff that applies to all IP addresses
+// - if a request comes in and the IP is not a key in the array, the whitelisted in 'all' are used
+// - if a request comes in and the IP is indeed a key in the array, the whitelisted in the IP are checked first. If nothing is
+// found ,the 'all' ones are checked next.
 $rest_allowed_actions = array(
- 'default' => array(
+ 'all' => array(
 'Contact' => array(
 'getsingle' => array(
 'email' => 'string',
diff --git a/proxy/proxy.php b/proxy/proxy.php
index b02efd6..b4cd504 100644
--- a/proxy/proxy.php
+++ b/proxy/proxy.php
@@ -268,10 +268,10 @@ function civiproxy_get_valid_allowed_actions_key($action) {
 if (isset($rest_allowed_actions[$remote_addr][$action['entity']]) && isset($rest_allowed_actions[$remote_addr][$action['entity']][$action['action']])) {
 $valid_key = $remote_addr;
 } else {
- $valid_key = 'default';
+ $valid_key = 'all';
 }
 } else {
- $valid_key = 'default';
+ $valid_key = 'all';
 }
 return $valid_key;
 }
diff --git a/proxy/rest.php b/proxy/rest.php
index 5ba8d6a..8b5e062 100644
--- a/proxy/rest.php
+++ b/proxy/rest.php
@@ -47,14 +47,24 @@ if (!isset($action['version']) || $action['version'] != 3) {
 civiproxy_rest_error("Invalid entity/action.");
 }
-// get valid key for the rest_allowed_actions
-$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
+// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
+// the previous test is still used when no 'all' key is found in the array
+if (isset($relst_allowed_actions['all'] {
+ // get valid key for the rest_allowed_actions
+ $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
-if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) {
- $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']];
+ if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) {
+ $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']];
+ } else {
+ civiproxy_rest_error("Invalid entity/action.");
+ }
 } else {
- civiproxy_rest_error("Invalid entity/action.");
-}
+ if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
+ $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
+ } else {
+ civiproxy_rest_error("Invalid entity/action.");
+ }
+}
 // extract parameters and add credentials and action data
 $parameters = civiproxy_get_parameters($valid_parameters);
From 662f2175704bd9b8aecedcc26935db35138d749c Mon Sep 17 00:00:00 2001
From: Erik Hommel
Date: Thu, 20 Jul 2017 09:46:58 +0200
Subject: [PATCH 4/5] completed alternative 1 for issue 12
---
 proxy/rest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proxy/rest.php b/proxy/rest.php
index 8b5e062..5a80389 100644
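Review bot: The format detection `isset($rest_allowed_actions['all'])` treats a config that has only per-IP keys and no 'all' entry as the legacy flat entity => action map, so its per-IP lists are never consulted and every request ends in "Invalid entity/action." — it fails closed, but silently, and the comment above the `if` does not say that the 'all' key is mandatory for the per-IP format. The `if` line itself is not valid PHP (`$relst_allowed_actions` and a missing `))`), which PATCH 4/5 of this series corrects. The two branches repeat the same lookup; selecting the table once keeps a single check: `$table = isset($rest_allowed_actions['all']) ? $rest_allowed_actions[civiproxy_get_valid_allowed_actions_key($action)] : $rest_allowed_actions;` followed by one `if (isset($table[$action['entity']][$action['action']]))`. Please add to the comment: `// the per-IP format requires an 'all' key; without it the array is read as the legacy entity => action map`.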
--- a/proxy/rest.php
+++ b/proxy/rest.php
@@ -49,7 +49,7 @@ if (!isset($action['version']) || $action['version'] != 3) {
 // in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
 // the previous test is still used when no 'all' key is found in the array
-if (isset($relst_allowed_actions['all'] {
+if (isset($rest_allowed_actions['all'])) {
 // get valid key for the rest_allowed_actions
 $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
From 2c4c12cb561ad8cf1ce3e6115c84be91e82e32e4 Mon Sep 17 00:00:00 2001
From: Erik Hommel
Date: Thu, 20 Jul 2017 11:11:06 +0200
Subject: [PATCH 5/5] fix issues from testing with #12
---
 proxy/proxy.php | 3 ++-
 proxy/rest.php | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/proxy/proxy.php b/proxy/proxy.php
index b4cd504..e6bbee9 100644
--- a/proxy/proxy.php
+++ b/proxy/proxy.php
@@ -259,9 +259,10 @@ function civicrm_api3($entity, $action, $data) {
 * Function to get the valid rest_allowed_actions key
 *
 * @param $action
+ * @param $rest_allowed_actions
 * @return bool
 */
-function civiproxy_get_valid_allowed_actions_key($action) {
+function civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions) {
 $remote_addr = $_SERVER['REMOTE_ADDR'];
 // check IP specific whitelisting if specified for this address
 if (isset($rest_allowed_actions[$remote_addr])) {
diff --git a/proxy/rest.php b/proxy/rest.php
index 5a80389..e5b587b 100644
--- a/proxy/rest.php
+++ b/proxy/rest.php
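Review bot: The docblock still declares `@return bool` although the function returns a string key (`$remote_addr` or 'all'), and the new `@param $rest_allowed_actions` carries no type; `@param array $action`, `@param array $rest_allowed_actions` and `@return string` would match the code. Passing the whitelist in explicitly is the right fix for the out-of-scope variable introduced in PATCH 2/5, and a one-line why-comment on the signature, `// whitelist is passed in explicitly; it is not visible as a global inside this function`, would stop a later cleanup from dropping the parameter again. Since the whole decision keys on `$_SERVER['REMOTE_ADDR']`, the comment on that line should note it is the TCP peer address, which behind a reverse proxy is the proxy rather than the client. The function body continues beyond the hunk.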
@@ -51,7 +51,7 @@ if (!isset($action['version']) || $action['version'] != 3) {
 // the previous test is still used when no 'all' key is found in the array
 if (isset($rest_allowed_actions['all'])) {
 // get valid key for the rest_allowed_actions
- $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action);
+ $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
 if (isset($rest_allowed_actions[$valid_allowed_key][$action['entity']]) && isset($rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']])) {
 $valid_parameters = $rest_allowed_actions[$valid_allowed_key][$action['entity']][$action['action']];