mirror/moodle-auth_outage
1
0
Fork 0
mirror of https://github.com/catalyst/moodle-auth_outage.git synced 2026-05-17 05:48:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix: make access key and allowed ips OR conditional

Browse Source 
Access keys and allowed IPs should be indpendant of each other and when
at least one of them is satisfied the user should be allowed in.
This commit is contained in:
Rossco Hellmans
2024-09-27 12:34:36 +10:00
parent cba55cdc69
commit c5485849d5
3 changed files with 20 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -192,6 +192,8 @@ Note: these restrictions build on each other; If both are enabled, users must me
Only allow users from a certain IP or range of ips to enter.
## Access key
Users provide an access key in the URL params on first page load, which is then stored as a cookie for 24 hours. If the access key matches the one setup for the outage, they are allowed in.
## Using IP restriction with access key
Users will be allowed if they are from the configured allowed ips OR if they provide the correct access key.
Feedback and issues

12
classes/local/outagelib.php
View File

@@ -321,10 +321,10 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
$ipblocked = !remoteip_in_list('{{ALLOWEDIPS}}');
$accesskeyblocked = $useraccesskey != '{{ACCESSKEY}}';
$blocked = ({{USEACCESSKEY}} && $accesskeyblocked) || ({{USEALLOWEDIPS}} && $ipblocked);
$allowed = ({{USEACCESSKEY}} && !$accesskeyblocked) || ({{USEALLOWEDIPS}} && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -347,19 +347,11 @@ if ((time() >= {{STARTTIME}}) && (time() < {{STOPTIME}})) {
if ({{USEALLOWEDIPS}} && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if ({{USEALLOWEDIPS}} && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if ({{USEACCESSKEY}} && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if ({{USEACCESSKEY}} && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');

40
tests/local/outagelib_test.php
View File

@@ -335,10 +335,10 @@ if ((time() >= 123) && (time() < 456)) {
a.b.c.d
e.e.e.e/20');
$accesskeyblocked = $useraccesskey != '12345';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -361,19 +361,11 @@ e.e.e.e/20');
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -422,10 +414,10 @@ if ((time() >= 123) && (time() < 456)) {
$ipblocked = !remoteip_in_list('127.0.0.1');
$accesskeyblocked = $useraccesskey != '5678';
$blocked = (true && $accesskeyblocked) || (true && $ipblocked);
$allowed = (true && !$accesskeyblocked) || (true && !$ipblocked);
$isphpunit = defined('PHPUNIT_TEST');
if ($blocked) {
if (!$allowed) {
if (!$isphpunit) {
header($_SERVER['SERVER_PROTOCOL'] . ' 503 Moodle under maintenance');
header('Status: 503 Moodle under maintenance');
@@ -448,19 +440,11 @@ if ((time() >= 123) && (time() < 456)) {
if (true && $ipblocked) {
echo '<!-- Blocked by ip, your ip: '.getremoteaddr('n/a').' -->';
}
if (true && !$ipblocked) {
echo '<!-- Your IP is allowed: '.getremoteaddr('n/a').' -->';
}
if (true && $accesskeyblocked) {
echo '<!-- Blocked by missing or incorrect access key, access key given: '. $useraccesskey .' -->';
}
if (true && !$accesskeyblocked) {
echo '<!-- Your access key is allowed: '. $useraccesskey .' -->';
}
if (!$isphpunit) {
if (file_exists($CFG->dataroot.'/climaintenance.template.html')) {
require($CFG->dataroot.'/climaintenance.template.html');
@@ -679,12 +663,11 @@ EOT;
* @return array
*/
public static function evaluation_maintenancepage_provider(): array {
$allowedipout = '<!-- Your IP is allowed:';
$blockedipout = '<!-- Blocked by ip, your ip:';
$allowedaccesskeyout = '<!-- Your access key is allowed:';
$blockedaccesskeyout = '<!-- Blocked by missing or incorrect access key, access key given:';
return [
// IP set up, access key not set up.
'ip allowed, no access key setup' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
@@ -699,6 +682,7 @@ EOT;
'accesskeytouse' => null,
'expectedoutputs' => [$blockedipout],
],
// IP not set up, access key set up.
'access key incorrect, no ip setup' => [
'allowedips' => null,
'iptouse' => null,
@@ -713,19 +697,27 @@ EOT;
'accesskeytouse' => '12345',
'expectedoutputs' => [],
],
// Both IP and access key set up.
'access key incorrect, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedipout, $blockedaccesskeyout],
],
'access key correct, ip incorrect' => [
'allowedips' => '127.0.0.1',
'iptouse' => '5.5.5.5',
'accesskey' => '12345',
'accesskeytouse' => '12345',
'expectedoutputs' => [$allowedaccesskeyout, $blockedipout],
'expectedoutputs' => [],
],
'access key incorrect, ip correct' => [
'allowedips' => '127.0.0.1',
'iptouse' => '127.0.0.1',
'accesskey' => '12345',
'accesskeytouse' => 'wrong',
'expectedoutputs' => [$blockedaccesskeyout, $allowedipout],
'expectedoutputs' => [],
],
'access key correct, ip correct' => [
'allowedips' => '127.0.0.1',