From 202e5b1e957a7692165a313710e38406ca4f6ff3 Mon Sep 17 00:00:00 2001
From: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
Date: Fri, 12 Jul 2024 16:25:49 +0200
Subject: feat(security): restrict admin actions to IP ranges

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
---
 .../Exceptions/AdminIpNotAllowedException.php      | 23 ++++++
 .../Middleware/Security/SecurityMiddleware.php     | 83 ++++++++--------------
 2 files changed, 53 insertions(+), 53 deletions(-)
 create mode 100644 lib/private/AppFramework/Middleware/Security/Exceptions/AdminIpNotAllowedException.php

(limited to 'lib/private/AppFramework/Middleware')

diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/AdminIpNotAllowedException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/AdminIpNotAllowedException.php
new file mode 100644
index 00000000000..36eb8f18928
--- /dev/null
+++ b/lib/private/AppFramework/Middleware/Security/Exceptions/AdminIpNotAllowedException.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OC\AppFramework\Middleware\Security\Exceptions;
+
+use OCP\AppFramework\Http;
+
+/**
+ * Class AdminIpNotAllowed is thrown when a resource has been requested by a
+ * an admin user connecting from an unauthorized IP address
+ * See configuration `allowed_admin_ranges`
+ *
+ * @package OC\AppFramework\Middleware\Security\Exceptions
+ */
+class AdminIpNotAllowedException extends SecurityException {
+	public function __construct(string $message) {
+		parent::__construct($message, Http::STATUS_FORBIDDEN);
+	}
+}
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index d7479f674d9..df20c131e03 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -8,6 +8,7 @@ declare(strict_types=1);
  */
 namespace OC\AppFramework\Middleware\Security;
 
+use OC\AppFramework\Middleware\Security\Exceptions\AdminIpNotAllowedException;
 use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
 use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
 use OC\AppFramework\Middleware\Security\Exceptions\ExAppRequiredException;
@@ -16,6 +17,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
+use OC\Security\RemoteIpAddress;
 use OC\Settings\AuthorizedGroupMapper;
 use OC\User\Session;
 use OCP\App\AppPathNotFoundException;
@@ -51,60 +53,22 @@ use ReflectionMethod;
  * check fails
  */
 class SecurityMiddleware extends Middleware {
-	/** @var INavigationManager */
-	private $navigationManager;
-	/** @var IRequest */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var string */
-	private $appName;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var LoggerInterface */
-	private $logger;
-	/** @var bool */
-	private $isLoggedIn;
-	/** @var bool */
-	private $isAdminUser;
-	/** @var bool */
-	private $isSubAdmin;
-	/** @var IAppManager */
-	private $appManager;
-	/** @var IL10N */
-	private $l10n;
-	/** @var AuthorizedGroupMapper */
-	private $groupAuthorizationMapper;
-	/** @var IUserSession */
-	private $userSession;
-
-	public function __construct(IRequest $request,
-		ControllerMethodReflector $reflector,
-		INavigationManager $navigationManager,
-		IURLGenerator $urlGenerator,
-		LoggerInterface $logger,
-		string $appName,
-		bool $isLoggedIn,
-		bool $isAdminUser,
-		bool $isSubAdmin,
-		IAppManager $appManager,
-		IL10N $l10n,
-		AuthorizedGroupMapper $mapper,
-		IUserSession $userSession
+	public function __construct(
+		private IRequest $request,
+		private ControllerMethodReflector $reflector,
+		private INavigationManager $navigationManager,
+		private IURLGenerator $urlGenerator,
+		private LoggerInterface $logger,
+		private string $appName,
+		private bool $isLoggedIn,
+		private bool $isAdminUser,
+		private bool $isSubAdmin,
+		private IAppManager $appManager,
+		private IL10N $l10n,
+		private AuthorizedGroupMapper $groupAuthorizationMapper,
+		private IUserSession $userSession,
+		private RemoteIpAddress $remoteIpAddress,
 	) {
-		$this->navigationManager = $navigationManager;
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->appName = $appName;
-		$this->urlGenerator = $urlGenerator;
-		$this->logger = $logger;
-		$this->isLoggedIn = $isLoggedIn;
-		$this->isAdminUser = $isAdminUser;
-		$this->isSubAdmin = $isSubAdmin;
-		$this->appManager = $appManager;
-		$this->l10n = $l10n;
-		$this->groupAuthorizationMapper = $mapper;
-		$this->userSession = $userSession;
 	}
 
 	/**
@@ -170,6 +134,9 @@ class SecurityMiddleware extends Middleware {
 				if (!$authorized) {
 					throw new NotAdminException($this->l10n->t('Logged in account must be an admin, a sub admin or gotten special right to access this setting'));
 				}
+				if (!$this->remoteIpAddress->allowsAdminActions()) {
+					throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesn’t allow you to perform admin actions'));
+				}
 			}
 			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
 				&& !$this->isSubAdmin
@@ -183,6 +150,16 @@ class SecurityMiddleware extends Middleware {
 				&& !$authorized) {
 				throw new NotAdminException($this->l10n->t('Logged in account must be an admin'));
 			}
+			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
+				&& !$this->remoteIpAddress->allowsAdminActions()) {
+				throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesn’t allow you to perform admin actions'));
+			}
+			if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
+				&& !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class)
+				&& !$this->remoteIpAddress->allowsAdminActions()) {
+				throw new AdminIpNotAllowedException($this->l10n->t('Your current IP address doesn’t allow you to perform admin actions'));
+			}
+
 		}
 
 		// Check for strict cookie requirement
-- 
cgit v1.2.3