Example #1
 /**
  * Exercises SimpleSAML\Utils\Net::ipCIDRcheck() with IPv6 input: malformed
  * CIDR/IP values, and the first/last addresses on either side of several
  * prefix lengths. Off-by-one errors at these boundaries would silently widen
  * or narrow any subnet-based restriction built on the helper.
  */
 public function testIpv6CIDRcheck()
 {
     // Each row is array(CIDR, candidate address, expected result).
     // Rows are kept in the order of the original assertions.
     $cases = array(
         // CIDR given without a mask
         array('2001:0DB8::', '2001:0DB8::1', false),
         // valid mask, but the address is outside the range
         array('2001:0DB8::/128', '2001:0DB8::1', false),
         // address that is not valid hexadecimal
         array('2001:0DB8::/128', '2001:0DB8::Z', false),

         // /128: only the exact address matches, in expanded or compressed form
         array('2001:0DB8::/128', '2001:0DB8:0000:0000:0000:0000:0000:0000', true),
         array('2001:0DB8::/128', '2001:0DB8::0', true),
         array('2001:0DB8::/128', '2001:0DB8::1', false),
         // /112: the last 16-bit group is free, the one before it is fixed
         array('2001:0DB8::/112', '2001:0DB8::1', true),
         array('2001:0DB8::/112', '2001:0DB8::1:1', false),
         array('2001:0DB8::/112', '2001:0DB8::FFFF', true),
         array('2001:0DB8::/112', '2001:0DB8::1:FFFF', false),

         // /108: the prefix ends inside the 7th group, leaving its low 4 bits free
         array('2001:0DB8::/108', '2001:0DB8::1:1', true),
         array('2001:0DB8::/108', '2001:0DB8::F:1', true),
         array('2001:0DB8::/108', '2001:0DB8::FF:1', false),
         array('2001:0DB8::/108', '2001:0DB8::1FF:1', false),
         array('2001:0DB8::/108', '2001:0DB8::FFFF:1', false),
         // /104: the prefix ends inside the 7th group, leaving its low 8 bits free
         array('2001:0DB8::/104', '2001:0DB8::1:1', true),
         array('2001:0DB8::/104', '2001:0DB8::F:1', true),
         array('2001:0DB8::/104', '2001:0DB8::FF:1', true),
         array('2001:0DB8::/104', '2001:0DB8::1FF:1', false),
         array('2001:0DB8::/104', '2001:0DB8::FFFF:1', false),
     );

     foreach ($cases as $case) {
         list($cidr, $address, $expected) = $case;
         $matched = SimpleSAML\Utils\Net::ipCIDRcheck($cidr, $address);
         if ($expected) {
             $this->assertTrue($matched);
         } else {
             $this->assertFalse($matched);
         }
     }
 }
Example #2
 /**
  * Backwards-compatibility shim: forwards both arguments unchanged to
  * SimpleSAML\Utils\Net::ipCIDRcheck() and returns its result.
  *
  * No validation happens here; whatever the target accepts or rejects is
  * what callers of this wrapper get.
  *
  * @param mixed $cidr Passed through as the first argument.
  * @param mixed $ip   Passed through as the second argument; null when omitted.
  *                    NOTE(review): a null value presumably makes the target fall
  *                    back to the current client's address - confirm in
  *                    SimpleSAML\Utils\Net::ipCIDRcheck().
  *
  * @return mixed The value returned by SimpleSAML\Utils\Net::ipCIDRcheck().
  *
  * @deprecated This method will be removed in version 2.0. Use SimpleSAML\Utils\Net::ipCIDRcheck() instead.
  */
 static function ipCIDRcheck($cidr, $ip = null)
 {
     $matched = SimpleSAML\Utils\Net::ipCIDRcheck($cidr, $ip);

     return $matched;
 }
 /**
  * Find the first remote entity in a metadata set whose 'hint.cidr' list
  * contains a range that the given IP address falls within.
  *
  * Entries without a 'hint.cidr' key, or whose 'hint.cidr' is not an array,
  * are skipped. Entries and ranges are checked in iteration order and the
  * first match wins.
  *
  * The address is used exactly as the caller supplies it; this method does
  * not validate it or decide where it comes from.
  * NOTE(review): the result reads as a preference hint rather than an access
  * decision - if a caller derives $ip from a client-supplied header, the
  * client can steer the outcome. Verify against callers.
  *
  * @param string $set  Which set of metadata we are looking it up in.
  * @param string $ip   IP address
  * @param string $type 'entityid' returns the matching entry's 'entityid' value;
  *                     any other value returns the entry's key in the metadata set.
  *
  * @return mixed The 'entityid' value or the metadata index of the first matching
  *         entry, or null when no entry matches.
  */
 public function getPreferredEntityIdFromCIDRhint($set, $ip, $type = 'entityid')
 {
     foreach ($this->getMetadataSet($set) as $metaIndex => $metadata) {
         // Only entries carrying a list of CIDR hints can match.
         $hasHintList = array_key_exists('hint.cidr', $metadata) && is_array($metadata['hint.cidr']);
         if (!$hasHintList) {
             continue;
         }

         foreach ($metadata['hint.cidr'] as $range) {
             if (!SimpleSAML\Utils\Net::ipCIDRcheck($range, $ip)) {
                 continue;
             }

             // First matching range decides; later entries are never examined.
             return ($type === 'entityid') ? $metadata['entityid'] : $metaIndex;
         }
     }

     // no entries matched, we should return null
     return null;
 }
Example #4
 /**
  * Decide whether the current client is inside one of the configured subnets.
  *
  * Fails open: when $this->subnet is null, every client is accepted.
  * Otherwise the first CIDR for which SimpleSAML\Utils\Net::ipCIDRcheck()
  * reports a match accepts the client; no match rejects it.
  *
  * The address read from $_SERVER['REMOTE_ADDR'] is used only in the debug
  * messages. The check itself is called with the CIDR alone.
  * NOTE(review): this relies on ipCIDRcheck() falling back to the same
  * REMOTE_ADDR value when no address is passed - confirm, otherwise the log
  * can name a different address than the one that was evaluated.
  *
  * @return boolean TRUE if no subnet is configured or the client matched one,
  *         FALSE otherwise.
  */
 public function checkMask()
 {
     // No subnet means all clients are accepted.
     if ($this->subnet === null) {
         return true;
     }

     $clientAddress = $_SERVER['REMOTE_ADDR'];

     foreach ($this->subnet as $cidr) {
         if (!SimpleSAML\Utils\Net::ipCIDRcheck($cidr)) {
             continue;
         }

         SimpleSAML_Logger::debug('Negotiate: Client "' . $clientAddress . '" matched subnet.');
         return true;
     }

     SimpleSAML_Logger::debug('Negotiate: Client "' . $clientAddress . '" did not match subnet.');
     return false;
 }
 /**
  * Decide whether the current client may proceed, based on the configured
  * allowed ($this->subnets) and excluded ($this->subnets_exclude) CIDR lists.
  *
  * Decision rules, as implemented:
  *  - neither list configured: accept (fails open);
  *  - only exclusions configured: accept unless an excluded subnet matches;
  *  - allowed subnets configured: reject unless one matches;
  *  - exclusions are evaluated last, so a match there overrides an allow match.
  *
  * Both loops run over every configured CIDR (no early exit), so one debug
  * line is written per matching subnet.
  *
  * The address read from $_SERVER['REMOTE_ADDR'] is used only in the debug
  * messages. The checks are called with the CIDR alone.
  * NOTE(review): this relies on ipCIDRcheck() falling back to the same
  * REMOTE_ADDR value when no address is passed - confirm.
  *
  * @return boolean TRUE if the client is accepted, FALSE otherwise.
  */
 public function checkClientSubnet()
 {
     // Accept all clients when no subnets are configured
     if (empty($this->subnets) && empty($this->subnets_exclude)) {
         return true;
     }

     $clientAddress = $_SERVER['REMOTE_ADDR'];

     // "Allow by default" when only exclusion subnets are configured
     $allow = (empty($this->subnets) && !empty($this->subnets_exclude));

     // Check if client's IP address belongs to an allowed subnet
     if ($this->subnets != null) {
         foreach ($this->subnets as $allowedCidr) {
             if (!SimpleSAML\Utils\Net::ipCIDRcheck($allowedCidr)) {
                 continue;
             }
             SimpleSAML\Logger::debug('Negotiate Server: Client "' . $clientAddress . '" matched allowed subnet "' . $allowedCidr . '".');
             $allow = true;
         }

         if ($allow === false) {
             SimpleSAML\Logger::debug('Negotiate Server: Client "' . $clientAddress . '" did not match an allowed subnet.');
         }
     }

     // Check if client's IP address belongs to an excluded subnet
     if ($this->subnets_exclude != null) {
         foreach ($this->subnets_exclude as $excludedCidr) {
             if (!SimpleSAML\Utils\Net::ipCIDRcheck($excludedCidr)) {
                 continue;
             }
             SimpleSAML\Logger::debug('Negotiate Server: Client "' . $clientAddress . '" matched excluded subnet "' . $excludedCidr . '".');
             // An exclusion match always wins over an earlier allow match.
             $allow = false;
         }

         if ($allow === true) {
             SimpleSAML\Logger::debug('Negotiate Server: Client "' . $clientAddress . '" did not match an excluded subnet.');
         }
     }

     return $allow;
 }