mirror/moodle-auth_outage
1
0
Fork 0
mirror of https://github.com/catalyst/moodle-auth_outage.git synced 2026-05-17 05:48:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #345 from catalyst/access-key-fix

Browse Source 
Fix: make access key and allowed ips OR conditional
This commit is contained in:
Matthew Hilton
2024-09-30 10:44:32 +10:00
committed by GitHub
parent cba55cdc69 c5485849d5
commit a40e198d3e
3 changed files with 20 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -192,6 +192,8 @@ Note: these restrictions build on each other; If both are enabled, users must me
Only allow users from a certain IP or range of ips to enter.
## Access key
Users provide an access key in the URL params on first page load, which is then stored as a cookie for 24 hours. If the access key matches the one setup for the outage, they are allowed in.
## Using IP restriction with access key
Users will be allowed if they are from the configured allowed ips OR if they provide the correct access key.
Feedback and issues

12
classes/local/outagelib.php
View File

@@ -321,10 +321,10 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
$ipblocked = !remoteip_in_list('{{ALLOWEDIPS}}');
$accesskeyblocked = $useraccesskey != '{{ACCESSKEY}}';
$blocked = ({{USEACCESSKEY}} && $accesskeyblocked) || ({{USEALLOWEDIPS}} && $ipblocked);
$allowed = ({{USEACCESSKEY}} && !$accesskeyblocked) || ({{USEALLOWEDIPS}} && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -347,19 +347,11 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
if ({{USEALLOWEDIPS}} && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if ({{USEALLOWEDIPS}} && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if ({{USEACCESSKEY}} && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if ({{USEACCESSKEY}} && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');

40
tests/local/outagelib_test.php
View File

@@ -335,10 +335,10 @@ if ((time() >= 123) && (time() < 456)) {
a.b.c.d
e.e.e.e/20');
$accesskeyblocked = $useraccesskey != '12345';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -361,19 +361,11 @@ e.e.e.e/20');
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -422,10 +414,10 @@ if ((time() >= 123) && (time() < 456)) {
$ipblocked = !remoteip_in_list('127.0.0.1');
$accesskeyblocked = $useraccesskey != '5678';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -448,19 +440,11 @@ if ((time() >= 123) && (time() < 456)) {
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -679,12 +663,11 @@ EOT;
* @return array
*/
public static function evaluation_maintenancepage_provider(): array {
$allowedipout = '<!-- Your IP is allowed:';
$blockedipout = '<!-- Blocked by ip, your ip:';
$allowedaccesskeyout = '<!-- Your access key is allowed:';
$blockedaccesskeyout = '<!-- Blocked by missing or incorrect access key, access key given:';
return [
// IP set up, access key not set up.
'ip allowed, no access key setup' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
@@ -699,6 +682,7 @@ EOT;
'accesskeytouse' => null,
'expectedoutputs' => [$blockedipout],
],
// IP not set up, access key set up.
'access key incorrect, no ip setup' => [
'allowedips' => null,
'iptouse' => null,
@@ -713,19 +697,27 @@ EOT;
'accesskeytouse' => '12345',
'expectedoutputs' => [],
],
// Both IP and access key set up.
'access key incorrect, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedipout, $blockedaccesskeyout],
],
'access key correct, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => '12345',
'expectedoutputs' => [$allowedaccesskeyout, $blockedipout],
'expectedoutputs' => [],
],
'access key incorrect, ip correct' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedaccesskeyout, $allowedipout],
'expectedoutputs' => [],
],
'access key correct, ip correct' => [
'allowedips' => '127.0.0.1',