Skip to content

Commit

Permalink
Fix: make access key and allowed ips OR conditional
Browse files Browse the repository at this point in the history
Access keys and allowed IPs should be indpendant of each other and when
at least one of them is satisfied the user should be allowed in.
  • Loading branch information
rhell4 committed Sep 27, 2024
1 parent cba55cd commit c548584
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 34 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,8 @@ Note: these restrictions build on each other; If both are enabled, users must me
Only allow users from a certain IP or range of ips to enter.
## Access key
Users provide an access key in the URL params on first page load, which is then stored as a cookie for 24 hours. If the access key matches the one setup for the outage, they are allowed in.
## Using IP restriction with access key
Users will be allowed if they are from the configured allowed ips OR if they provide the correct access key.


Feedback and issues
Expand Down
12 changes: 2 additions & 10 deletions classes/local/outagelib.php
Original file line number Diff line number Diff line change
Expand Up @@ -321,10 +321,10 @@ public static function create_climaintenancephp_code($starttime, $stoptime, $all
$ipblocked = !remoteip_in_list('{{ALLOWEDIPS}}');
$accesskeyblocked = $useraccesskey != '{{ACCESSKEY}}';
$blocked = ({{USEACCESSKEY}} && $accesskeyblocked) || ({{USEALLOWEDIPS}} && $ipblocked);
$allowed = ({{USEACCESSKEY}} && !$accesskeyblocked) || ({{USEALLOWEDIPS}} && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
Expand All @@ -347,19 +347,11 @@ public static function create_climaintenancephp_code($starttime, $stoptime, $all
if ({{USEALLOWEDIPS}} && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if ({{USEALLOWEDIPS}} && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if ({{USEACCESSKEY}} && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if ({{USEACCESSKEY}} && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
Expand Down
40 changes: 16 additions & 24 deletions tests/local/outagelib_test.php
Original file line number Diff line number Diff line change
Expand Up @@ -335,10 +335,10 @@ public function test_createmaintenancephpcode() {
a.b.c.d
e.e.e.e/20');
$accesskeyblocked = $useraccesskey != '12345';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
Expand All @@ -361,19 +361,11 @@ public function test_createmaintenancephpcode() {
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
Expand Down Expand Up @@ -422,10 +414,10 @@ public function test_createmaintenancephpcode_withoutage($configkey) {
$ipblocked = !remoteip_in_list('127.0.0.1');
$accesskeyblocked = $useraccesskey != '5678';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
Expand All @@ -448,19 +440,11 @@ public function test_createmaintenancephpcode_withoutage($configkey) {
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
Expand Down Expand Up @@ -679,12 +663,11 @@ private function create_outage() {
* @return array
*/
public static function evaluation_maintenancepage_provider(): array {
$allowedipout = '<!-- Your IP is allowed:';
$blockedipout = '<!-- Blocked by ip, your ip:';
$allowedaccesskeyout = '<!-- Your access key is allowed:';
$blockedaccesskeyout = '<!-- Blocked by missing or incorrect access key, access key given:';

return [
// IP set up, access key not set up.
'ip allowed, no access key setup' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
Expand All @@ -699,6 +682,7 @@ public static function evaluation_maintenancepage_provider(): array {
'accesskeytouse' => null,
'expectedoutputs' => [$blockedipout],
],
// IP not set up, access key set up.
'access key incorrect, no ip setup' => [
'allowedips' => null,
'iptouse' => null,
Expand All @@ -713,19 +697,27 @@ public static function evaluation_maintenancepage_provider(): array {
'accesskeytouse' => '12345',
'expectedoutputs' => [],
],
// Both IP and access key set up.
'access key incorrect, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedipout, $blockedaccesskeyout],
],
'access key correct, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => '12345',
'expectedoutputs' => [$allowedaccesskeyout, $blockedipout],
'expectedoutputs' => [],
],
'access key incorrect, ip correct' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedaccesskeyout, $allowedipout],
'expectedoutputs' => [],
],
'access key correct, ip correct' => [
'allowedips' => '127.0.0.1',
Expand Down

0 comments on commit c548584

Please sign in to comment.