Gets the list of trusted proxies.
| public static getTrustedProxies ( ) : array | ||
| Résultat | array | An array of trusted proxies |
public function testItAddsRequestTrustedProxiesSubscriberOnBoot()
{
$app = new Application();
$app['root.path'] = __DIR__ . '/../../../../../..';
$app->register(new ConfigurationServiceProvider());
$app['phraseanet.configuration.config-path'] = __DIR__ . '/fixtures/config-proxies.yml';
$app['phraseanet.configuration.config-compiled-path'] = __DIR__ . '/fixtures/config-proxies.php';
$app->boot();
/** @var EventDispatcherInterface $dispatcher */
$dispatcher = $app['dispatcher'];
$listener = null;
$method = null;
foreach ($dispatcher->getListeners(KernelEvents::REQUEST) as $callable) {
// Only look for TrustedProxySubscriber instances
if (!is_array($callable)) {
continue;
}
list($listener, $method) = $callable;
if ($listener instanceof TrustedProxySubscriber) {
break;
}
}
$this->assertInstanceOf('Alchemy\\Phrasea\\Core\\Event\\Subscriber\\TrustedProxySubscriber', $listener, 'TrustedProxySubscriber was not properly registered');
$this->assertEquals('setProxyConf', $method);
$this->assertSame([], Request::getTrustedProxies());
$listener->setProxyConf();
$this->assertSame(['127.0.0.1', '66.6.66.6'], Request::getTrustedProxies());
unlink($app['phraseanet.configuration.config-compiled-path']);
}
/**
* Load config test.
*/
public function testLoadConfig()
{
$logFile = $this->makeFile($this->baseTempDir, 'hook.log');
$logger = new Logger('git-web-hook');
$logger->pushHandler(new StreamHandler($logFile, Logger::WARNING));
$hook = new Hook(__DIR__, array(), $logger);
$reposDir = $this->makeTempDir('repos.d');
$testFile = $this->makeFile($reposDir, 'test3.yml');
$this->generateRepoConfigFile($testFile, 3);
$mainConfigFile = $this->makeFile($this->baseTempDir, 'main_config.yml');
file_put_contents($mainConfigFile, $this->configTemplates->render('config1.php', array('reposDir' => $reposDir)));
$hook->loadConfig($mainConfigFile);
$options = $hook->getOptions();
$this->assertFalse($options['sendEmails'], 'Wrong loaded configuration option sendEmails ');
$this->assertFalse($options['sendEmailAuthor'], 'Wrong loaded configuration option sendEmailAuthor');
$repository = $hook->getRepository('git@github.com:amaxlab/git-web-hook-test.git');
$this->assertNotNull($repository, 'Repository was not loaded through config.yml ');
$this->assertInstanceOf('AmaxLab\\GitWebHook\\Repository', $repository, 'It is not a repository object');
$masterBranch = $repository->getBranch('master');
$productionBranch = $repository->getBranch('production');
$this->assertInstanceOf('AmaxLab\\GitWebHook\\Branch', $masterBranch, 'There is not a branch master');
$this->assertInstanceOf('AmaxLab\\GitWebHook\\Branch', $productionBranch, 'There is not a branch master');
$this->assertContains('*****@*****.**', $masterBranch->getOptions()['mailRecipients']);
$this->assertContains('192.168.0.2', Request::getTrustedProxies(), 'There is error in configuring trusted proxies');
$this->assertContains('192.168.0.3', Request::getTrustedProxies(), 'There is error in configuring trusted proxies');
$this->assertNotContains('192.168.0.4', Request::getTrustedProxies(), 'There is error in configuring trusted proxies');
$content = file_get_contents($logFile);
$this->assertEmpty($content, sprintf('Log file is not empty: %s', $content));
}
/**
* @param array $config
* @param Session $session
* @param string $prefix
*/
public function __construct($config, Session $session, $prefix = self::PREFIX)
{
$this->session = $session;
$this->prefix = $prefix;
$this->setAppId($config['appId']);
$this->setAppSecret($config['secret']);
if (isset($config['fileUpload'])) {
$this->setFileUploadSupport($config['fileUpload']);
}
// Add trustProxy configuration
$this->trustForwarded = isset($config['trustForwarded']) ? $config['trustForwarded'] : Request::getTrustedProxies();
}
public function testAllowedIpsAreSetWhenEmpty()
{
$configuration = $this->getConfigurationMock();
$configuration->expects($this->once())->method('isSetup')->will($this->returnValue(true));
$configuration->expects($this->once())->method('offsetExists')->with('trusted-proxies')->will($this->returnValue(false));
$app = new Application();
$app['dispatcher']->addSubscriber(new TrustedProxySubscriber($configuration));
$app->get('/', function () {
return 'data';
});
$client = new Client($app);
$client->request('GET', '/');
$this->assertEquals(200, $client->getResponse()->getStatusCode());
$this->assertEquals([], Request::getTrustedProxies());
}
public function testRequestTrustedProxiesAreSetOnRequest()
{
$app = $this->loadApp();
$app['root.path'] = __DIR__ . '/../../../../../..';
$app->register(new ConfigurationServiceProvider());
$app['phraseanet.configuration.config-path'] = __DIR__ . '/fixtures/config-proxies.yml';
$app['phraseanet.configuration.config-compiled-path'] = __DIR__ . '/fixtures/config-proxies.php';
$this->assertSame([], Request::getTrustedProxies());
$app->boot();
$app->get('/', function () {
return 'data';
});
$client = new Client($app);
$client->request('GET', '/');
$this->assertSame(['127.0.0.1', '66.6.66.6'], Request::getTrustedProxies());
unlink($app['phraseanet.configuration.config-compiled-path']);
}
protected function validateRequest(Request $request)
{
// is the Request safe?
if (!$request->isMethodSafe()) {
throw new AccessDeniedHttpException();
}
// does the Request come from a trusted IP?
$trustedIps = array_merge($this->getLocalIpAddresses(), $request->getTrustedProxies());
$remoteAddress = $request->server->get('REMOTE_ADDR');
if (IpUtils::checkIp($remoteAddress, $trustedIps)) {
return;
}
// is the Request signed?
// we cannot use $request->getUri() here as we want to work with the original URI (no query string reordering)
if ($this->signer->check($request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo() . (null !== ($qs = $request->server->get('QUERY_STRING')) ? '?' . $qs : ''))) {
return;
}
throw new AccessDeniedHttpException();
}
/**
* @dataProvider getTrustedProxyData
*/
public function testHttpCacheIsSetAsATrustedProxy(array $existing, array $expected)
{
Request::setTrustedProxies($existing);
$this->setNextResponse();
$this->request('GET', '/', array('REMOTE_ADDR' => '10.0.0.1'));
$this->assertEquals($expected, Request::getTrustedProxies());
}
/**
* Forwards the Request to the backend and returns the Response.
*
* @param Request $request A Request instance
* @param bool $catch Whether to catch exceptions or not
* @param Response $entry A Response instance (the stale entry if present, null otherwise)
*
* @return Response A Response instance
*/
protected function forward(Request $request, $catch = false, Response $entry = null)
{
if ($this->surrogate) {
$this->surrogate->addSurrogateCapability($request);
}
// modify the X-Forwarded-For header if needed
$forwardedFor = $request->headers->get('X-Forwarded-For');
if ($forwardedFor) {
$request->headers->set('X-Forwarded-For', $forwardedFor . ', ' . $request->server->get('REMOTE_ADDR'));
} else {
$request->headers->set('X-Forwarded-For', $request->server->get('REMOTE_ADDR'));
}
// fix the client IP address by setting it to 127.0.0.1 as HttpCache
// is always called from the same process as the backend.
$request->server->set('REMOTE_ADDR', '127.0.0.1');
// make sure HttpCache is a trusted proxy
if (!in_array('127.0.0.1', $trustedProxies = Request::getTrustedProxies())) {
$trustedProxies[] = '127.0.0.1';
Request::setTrustedProxies($trustedProxies);
}
// always a "master" request (as the real master request can be in cache)
$response = $this->kernel->handle($request, HttpKernelInterface::MASTER_REQUEST, $catch);
// FIXME: we probably need to also catch exceptions if raw === true
// we don't implement the stale-if-error on Requests, which is nonetheless part of the RFC
if (null !== $entry && in_array($response->getStatusCode(), array(500, 502, 503, 504))) {
if (null === ($age = $entry->headers->getCacheControlDirective('stale-if-error'))) {
$age = $this->options['stale_if_error'];
}
if (abs($entry->getTtl()) < $age) {
$this->record($request, 'stale-if-error');
return $entry;
}
}
$this->processResponseBody($request, $response);
if ($this->isPrivateRequest($request) && !$response->headers->hasCacheControlDirective('public')) {
$response->setPrivate(true);
} elseif ($this->options['default_ttl'] > 0 && null === $response->getTtl() && !$response->headers->getCacheControlDirective('must-revalidate')) {
$response->setTtl($this->options['default_ttl']);
}
return $response;
}
/**
* Checks if current request is allowed to generate the user hash.
* Default behavior is to accept values set in TRUSTED_PROXIES env variable and local IP addresses:
* - 127.0.0.1
* - ::1
* - fe80::1
*
* @param Request $request
*
* @return bool
*/
protected function canGenerateUserHash(Request $request)
{
$trustedProxies = array_unique(array_merge(Request::getTrustedProxies(), array('127.0.0.1', '::1', 'fe80::1')));
return $request->attributes->get('internalRequest') || in_array($request->getClientIp(), $trustedProxies);
}