public function testItAddsRequestTrustedProxiesSubscriberOnBoot() { $app = new Application(); $app['root.path'] = __DIR__ . '/../../../../../..'; $app->register(new ConfigurationServiceProvider()); $app['phraseanet.configuration.config-path'] = __DIR__ . '/fixtures/config-proxies.yml'; $app['phraseanet.configuration.config-compiled-path'] = __DIR__ . '/fixtures/config-proxies.php'; $app->boot(); /** @var EventDispatcherInterface $dispatcher */ $dispatcher = $app['dispatcher']; $listener = null; $method = null; foreach ($dispatcher->getListeners(KernelEvents::REQUEST) as $callable) { // Only look for TrustedProxySubscriber instances if (!is_array($callable)) { continue; } list($listener, $method) = $callable; if ($listener instanceof TrustedProxySubscriber) { break; } } $this->assertInstanceOf('Alchemy\\Phrasea\\Core\\Event\\Subscriber\\TrustedProxySubscriber', $listener, 'TrustedProxySubscriber was not properly registered'); $this->assertEquals('setProxyConf', $method); $this->assertSame([], Request::getTrustedProxies()); $listener->setProxyConf(); $this->assertSame(['127.0.0.1', '66.6.66.6'], Request::getTrustedProxies()); unlink($app['phraseanet.configuration.config-compiled-path']); }
/** * Load config test. */ public function testLoadConfig() { $logFile = $this->makeFile($this->baseTempDir, 'hook.log'); $logger = new Logger('git-web-hook'); $logger->pushHandler(new StreamHandler($logFile, Logger::WARNING)); $hook = new Hook(__DIR__, array(), $logger); $reposDir = $this->makeTempDir('repos.d'); $testFile = $this->makeFile($reposDir, 'test3.yml'); $this->generateRepoConfigFile($testFile, 3); $mainConfigFile = $this->makeFile($this->baseTempDir, 'main_config.yml'); file_put_contents($mainConfigFile, $this->configTemplates->render('config1.php', array('reposDir' => $reposDir))); $hook->loadConfig($mainConfigFile); $options = $hook->getOptions(); $this->assertFalse($options['sendEmails'], 'Wrong loaded configuration option sendEmails '); $this->assertFalse($options['sendEmailAuthor'], 'Wrong loaded configuration option sendEmailAuthor'); $repository = $hook->getRepository('git@github.com:amaxlab/git-web-hook-test.git'); $this->assertNotNull($repository, 'Repository was not loaded through config.yml '); $this->assertInstanceOf('AmaxLab\\GitWebHook\\Repository', $repository, 'It is not a repository object'); $masterBranch = $repository->getBranch('master'); $productionBranch = $repository->getBranch('production'); $this->assertInstanceOf('AmaxLab\\GitWebHook\\Branch', $masterBranch, 'There is not a branch master'); $this->assertInstanceOf('AmaxLab\\GitWebHook\\Branch', $productionBranch, 'There is not a branch master'); $this->assertContains('*****@*****.**', $masterBranch->getOptions()['mailRecipients']); $this->assertContains('192.168.0.2', Request::getTrustedProxies(), 'There is error in configuring trusted proxies'); $this->assertContains('192.168.0.3', Request::getTrustedProxies(), 'There is error in configuring trusted proxies'); $this->assertNotContains('192.168.0.4', Request::getTrustedProxies(), 'There is error in configuring trusted proxies'); $content = file_get_contents($logFile); $this->assertEmpty($content, sprintf('Log file is not empty: %s', $content)); }
/** * @param array $config * @param Session $session * @param string $prefix */ public function __construct($config, Session $session, $prefix = self::PREFIX) { $this->session = $session; $this->prefix = $prefix; $this->setAppId($config['appId']); $this->setAppSecret($config['secret']); if (isset($config['fileUpload'])) { $this->setFileUploadSupport($config['fileUpload']); } // Add trustProxy configuration $this->trustForwarded = isset($config['trustForwarded']) ? $config['trustForwarded'] : Request::getTrustedProxies(); }
public function testAllowedIpsAreSetWhenEmpty() { $configuration = $this->getConfigurationMock(); $configuration->expects($this->once())->method('isSetup')->will($this->returnValue(true)); $configuration->expects($this->once())->method('offsetExists')->with('trusted-proxies')->will($this->returnValue(false)); $app = new Application(); $app['dispatcher']->addSubscriber(new TrustedProxySubscriber($configuration)); $app->get('/', function () { return 'data'; }); $client = new Client($app); $client->request('GET', '/'); $this->assertEquals(200, $client->getResponse()->getStatusCode()); $this->assertEquals([], Request::getTrustedProxies()); }
public function testRequestTrustedProxiesAreSetOnRequest() { $app = $this->loadApp(); $app['root.path'] = __DIR__ . '/../../../../../..'; $app->register(new ConfigurationServiceProvider()); $app['phraseanet.configuration.config-path'] = __DIR__ . '/fixtures/config-proxies.yml'; $app['phraseanet.configuration.config-compiled-path'] = __DIR__ . '/fixtures/config-proxies.php'; $this->assertSame([], Request::getTrustedProxies()); $app->boot(); $app->get('/', function () { return 'data'; }); $client = new Client($app); $client->request('GET', '/'); $this->assertSame(['127.0.0.1', '66.6.66.6'], Request::getTrustedProxies()); unlink($app['phraseanet.configuration.config-compiled-path']); }
protected function validateRequest(Request $request) { // is the Request safe? if (!$request->isMethodSafe()) { throw new AccessDeniedHttpException(); } // does the Request come from a trusted IP? $trustedIps = array_merge($this->getLocalIpAddresses(), $request->getTrustedProxies()); $remoteAddress = $request->server->get('REMOTE_ADDR'); if (IpUtils::checkIp($remoteAddress, $trustedIps)) { return; } // is the Request signed? // we cannot use $request->getUri() here as we want to work with the original URI (no query string reordering) if ($this->signer->check($request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo() . (null !== ($qs = $request->server->get('QUERY_STRING')) ? '?' . $qs : ''))) { return; } throw new AccessDeniedHttpException(); }
/** * @dataProvider getTrustedProxyData */ public function testHttpCacheIsSetAsATrustedProxy(array $existing, array $expected) { Request::setTrustedProxies($existing); $this->setNextResponse(); $this->request('GET', '/', array('REMOTE_ADDR' => '10.0.0.1')); $this->assertEquals($expected, Request::getTrustedProxies()); }
/** * Forwards the Request to the backend and returns the Response. * * @param Request $request A Request instance * @param bool $catch Whether to catch exceptions or not * @param Response $entry A Response instance (the stale entry if present, null otherwise) * * @return Response A Response instance */ protected function forward(Request $request, $catch = false, Response $entry = null) { if ($this->surrogate) { $this->surrogate->addSurrogateCapability($request); } // modify the X-Forwarded-For header if needed $forwardedFor = $request->headers->get('X-Forwarded-For'); if ($forwardedFor) { $request->headers->set('X-Forwarded-For', $forwardedFor . ', ' . $request->server->get('REMOTE_ADDR')); } else { $request->headers->set('X-Forwarded-For', $request->server->get('REMOTE_ADDR')); } // fix the client IP address by setting it to 127.0.0.1 as HttpCache // is always called from the same process as the backend. $request->server->set('REMOTE_ADDR', '127.0.0.1'); // make sure HttpCache is a trusted proxy if (!in_array('127.0.0.1', $trustedProxies = Request::getTrustedProxies())) { $trustedProxies[] = '127.0.0.1'; Request::setTrustedProxies($trustedProxies); } // always a "master" request (as the real master request can be in cache) $response = $this->kernel->handle($request, HttpKernelInterface::MASTER_REQUEST, $catch); // FIXME: we probably need to also catch exceptions if raw === true // we don't implement the stale-if-error on Requests, which is nonetheless part of the RFC if (null !== $entry && in_array($response->getStatusCode(), array(500, 502, 503, 504))) { if (null === ($age = $entry->headers->getCacheControlDirective('stale-if-error'))) { $age = $this->options['stale_if_error']; } if (abs($entry->getTtl()) < $age) { $this->record($request, 'stale-if-error'); return $entry; } } $this->processResponseBody($request, $response); if ($this->isPrivateRequest($request) && !$response->headers->hasCacheControlDirective('public')) { $response->setPrivate(true); } elseif ($this->options['default_ttl'] > 0 && null === $response->getTtl() && !$response->headers->getCacheControlDirective('must-revalidate')) { $response->setTtl($this->options['default_ttl']); } return $response; }
/** * Checks if current request is allowed to generate the user hash. * Default behavior is to accept values set in TRUSTED_PROXIES env variable and local IP addresses: * - 127.0.0.1 * - ::1 * - fe80::1 * * @param Request $request * * @return bool */ protected function canGenerateUserHash(Request $request) { $trustedProxies = array_unique(array_merge(Request::getTrustedProxies(), array('127.0.0.1', '::1', 'fe80::1'))); return $request->attributes->get('internalRequest') || in_array($request->getClientIp(), $trustedProxies); }