Merge pull request #46473 from nextcloud/feat/restrict_admin_to_ips

feat(security): restrict admin actions to IP ranges
author: Andy Scherzinger <info@andy-scherzinger.de> 2024-07-22 10:10:42 +0200
committer: GitHub <noreply@github.com> 2024-07-22 10:10:42 +0200
commit: c2a571e435bebb08a4b6429eea343c350d3ccaf6 (patch)
tree: 9c1c4912147beb66b13d442e57cd8614451fa44e /apps
parent: 800dffec31b76a1c6b371d57d41ea9f5085a4a6e (diff)
parent: f1d97a318818860d3fff9fccffbab5a1faba752b (diff)
download: nextcloud-server-c2a571e435bebb08a4b6429eea343c350d3ccaf6.tar.gz
nextcloud-server-c2a571e435bebb08a4b6429eea343c350d3ccaf6.zip
5 files changed, 69 insertions, 2 deletions
diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php
index 488aaee264d..27c1496008e 100644
--- a/apps/settings/composer/composer/autoload_classmap.php
+++ b/apps/settings/composer/composer/autoload_classmap.php
@@ -78,6 +78,7 @@ return array(
     'OCA\\Settings\\Settings\\Personal\\Security\\TwoFactor' => $baseDir . '/../lib/Settings/Personal/Security/TwoFactor.php',
     'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => $baseDir . '/../lib/Settings/Personal/Security/WebAuthn.php',
     'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => $baseDir . '/../lib/Settings/Personal/ServerDevNotice.php',
+    'OCA\\Settings\\SetupChecks\\AllowedAdminRanges' => $baseDir . '/../lib/SetupChecks/AllowedAdminRanges.php',
     'OCA\\Settings\\SetupChecks\\AppDirsWithDifferentOwner' => $baseDir . '/../lib/SetupChecks/AppDirsWithDifferentOwner.php',
     'OCA\\Settings\\SetupChecks\\BruteForceThrottler' => $baseDir . '/../lib/SetupChecks/BruteForceThrottler.php',
     'OCA\\Settings\\SetupChecks\\CheckServerResponseTrait' => $baseDir . '/../lib/SetupChecks/CheckServerResponseTrait.php',
diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php
index ac2e4645239..14e4c362887 100644
--- a/apps/settings/composer/composer/autoload_static.php
+++ b/apps/settings/composer/composer/autoload_static.php
@@ -93,6 +93,7 @@ class ComposerStaticInitSettings
         'OCA\\Settings\\Settings\\Personal\\Security\\TwoFactor' => __DIR__ . '/..' . '/../lib/Settings/Personal/Security/TwoFactor.php',
         'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => __DIR__ . '/..' . '/../lib/Settings/Personal/Security/WebAuthn.php',
         'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => __DIR__ . '/..' . '/../lib/Settings/Personal/ServerDevNotice.php',
+        'OCA\\Settings\\SetupChecks\\AllowedAdminRanges' => __DIR__ . '/..' . '/../lib/SetupChecks/AllowedAdminRanges.php',
         'OCA\\Settings\\SetupChecks\\AppDirsWithDifferentOwner' => __DIR__ . '/..' . '/../lib/SetupChecks/AppDirsWithDifferentOwner.php',
         'OCA\\Settings\\SetupChecks\\BruteForceThrottler' => __DIR__ . '/..' . '/../lib/SetupChecks/BruteForceThrottler.php',
         'OCA\\Settings\\SetupChecks\\CheckServerResponseTrait' => __DIR__ . '/..' . '/../lib/SetupChecks/CheckServerResponseTrait.php',
diff --git a/apps/settings/composer/composer/installed.php b/apps/settings/composer/composer/installed.php
index d2b87e1bdfd..651d70adcf8 100644
--- a/apps/settings/composer/composer/installed.php
+++ b/apps/settings/composer/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '4ff660ca2e0baa02440ba07296ed7e75fa544c0e',
+        'reference' => '071fe73d0a28f44c6e24cc87fbd00e54a3b92b57',
         'type' => 'library',
         'install_path' => __DIR__ . '/../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '4ff660ca2e0baa02440ba07296ed7e75fa544c0e',
+            'reference' => '071fe73d0a28f44c6e24cc87fbd00e54a3b92b57',
             'type' => 'library',
             'install_path' => __DIR__ . '/../',
             'aliases' => array(),
diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php
index f62555f0cdb..80420cb3335 100644
--- a/apps/settings/lib/AppInfo/Application.php
+++ b/apps/settings/lib/AppInfo/Application.php
@@ -22,6 +22,7 @@ use OCA\Settings\Middleware\SubadminMiddleware;
 use OCA\Settings\Search\AppSearch;
 use OCA\Settings\Search\SectionSearch;
 use OCA\Settings\Search\UserSearch;
+use OCA\Settings\SetupChecks\AllowedAdminRanges;
 use OCA\Settings\SetupChecks\AppDirsWithDifferentOwner;
 use OCA\Settings\SetupChecks\BruteForceThrottler;
 use OCA\Settings\SetupChecks\CheckUserCertificates;
@@ -154,6 +155,7 @@ class Application extends App implements IBootstrap {
 				Util::getDefaultEmailAddress('no-reply')
 			);
 		});
+		$context->registerSetupCheck(AllowedAdminRanges::class);
 		$context->registerSetupCheck(AppDirsWithDifferentOwner::class);
 		$context->registerSetupCheck(BruteForceThrottler::class);
 		$context->registerSetupCheck(CheckUserCertificates::class);
diff --git a/apps/settings/lib/SetupChecks/AllowedAdminRanges.php b/apps/settings/lib/SetupChecks/AllowedAdminRanges.php
new file mode 100644
index 00000000000..87e11b06be7
--- /dev/null
+++ b/apps/settings/lib/SetupChecks/AllowedAdminRanges.php
@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Settings\SetupChecks;
+
+use OC\Security\Ip\Range;
+use OC\Security\Ip\RemoteAddress;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+
+class AllowedAdminRanges implements ISetupCheck {
+	public function __construct(
+		private IConfig $config,
+		private IL10N $l10n,
+	) {
+	}
+
+	public function getCategory(): string {
+		return 'system';
+	}
+
+	public function getName(): string {
+		return $this->l10n->t('Allowed admin IP ranges');
+	}
+
+	public function run(): SetupResult {
+		$allowedAdminRanges = $this->config->getSystemValue(RemoteAddress::SETTING_NAME, false);
+		if (
+			$allowedAdminRanges === false
+			|| (is_array($allowedAdminRanges) && empty($allowedAdminRanges))
+		) {
+			return SetupResult::success($this->l10n->t('Admin IP filtering isn’t applied.'));
+		}
+
+		if (!is_array($allowedAdminRanges)) {
+			return SetupResult::error(
+				$this->l10n->t(
+					'Configuration key "%1$s" expects an array (%2$s found). Admin IP range validation will not be applied.',
+					[RemoteAddress::SETTING_NAME, gettype($allowedAdminRanges)],
+				)
+			);
+		}
+
+		$invalidRanges = array_filter($allowedAdminRanges, static fn (mixed $range): bool => !is_string($range) || !Range::isValid($range));
+		if (!empty($invalidRanges)) {
+			return SetupResult::warning(
+				$this->l10n->t(
+					'Configuration key "%1$s" contains invalid IP range(s): "%2$s"',
+					[RemoteAddress::SETTING_NAME, implode('", "', $invalidRanges)],
+				),
+			);
+		}
+
+		return SetupResult::success($this->l10n->t('Admin IP filtering is correctly configured.'));
+	}
+}
author	Andy Scherzinger <info@andy-scherzinger.de>	2024-07-22 10:10:42 +0200
committer	GitHub <noreply@github.com>	2024-07-22 10:10:42 +0200
commit	c2a571e435bebb08a4b6429eea343c350d3ccaf6 (patch)
tree	9c1c4912147beb66b13d442e57cd8614451fa44e /apps
parent	800dffec31b76a1c6b371d57d41ea9f5085a4a6e (diff)
parent	f1d97a318818860d3fff9fccffbab5a1faba752b (diff)
download	nextcloud-server-c2a571e435bebb08a4b6429eea343c350d3ccaf6.tar.gz nextcloud-server-c2a571e435bebb08a4b6429eea343c350d3ccaf6.zip