Implement optional IP and job class whitelists

Resolves #2
Resolves #3

Author: mzur

README.md

@@ -85,9 +85,21 @@ Environment: `REMOTE_QUEUE_CONNECTION`
 
 Use this queue connection to process received jobs. If `null`, the default connection is used.
 
-### remote-queue.accept-tokens
+### remote-queue.accept_tokens
 
 Default: `[]`
 Environment: `REMOTE_QUEUE_ACCEPT_TOKENS`
 
 Accept jobs only if they provide one of these tokens. Specify tokens as comma separated list if you use the environment variable. One way to generate tokens is this command: `head -c 32 /dev/urandom | base64`.
+
+### remote-queue.accept_ips
+
+Default: `[]`
+
+Accept requests only from the IP addresses of this whitelist. Leave empty to accept jobs from all IPs.
+
+### remote-queue.accept_jobs
+
+Default: `[]`
+
+Accept only jobs of this whitelist of class names. Leave empty to accept all job classes.

src/Http/Controllers/QueueController.php

@@ -34,19 +34,39 @@ public function store(Request $request, $queue)
 
         $job = @unserialize($request->input('job'));
 
-        if (is_object($job)) {
-            if ($job instanceof __PHP_Incomplete_Class) {
-                return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
-            }
-        } else {
-            $job = $request->input('job');
-
-            if (!class_exists($job)) {
-                return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
-            }
+        if ($this->isIncompleteClass($job)) {
+            return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
+        } elseif (!$this->isWhitelistedJob($job)) {
+            return response()->json(['errors' => ['job' => ['Job class not whitelisted']]], 422);
         }
 
         app('queue')->connection(config('remote-queue.connection'))
             ->push($job, $request->input('data', ''), $queue);
     }
+
+    /**
+     * Determine if the received job class exists.
+     *
+     * @param object $job Job class name
+     *
+     * @return boolean
+     */
+    protected function isIncompleteClass($job)
+    {
+        return !is_object($job) || $job instanceof __PHP_Incomplete_Class;
+    }
+
+    /**
+     * Determine if the received job is whitelisted.
+     *
+     * @param object $job Job class name
+     *
+     * @return boolean
+     */
+    protected function isWhitelistedJob($job)
+    {
+        $whitelist = config('remote-queue.accept_jobs');
+
+        return empty($whitelist) || in_array(get_class($job), $whitelist);
+    }
 }

src/Http/Middleware/Authenticate.php

@@ -17,7 +17,7 @@ class Authenticate
     public function handle($request, Closure $next, $guard = null)
     {
         $token = $request->bearerToken();
-        if ($token && in_array($token, config('remote-queue.accept-tokens'))) {
+        if ($token && in_array($token, config('remote-queue.accept_tokens'))) {
             return $next($request);
         }
 

src/Http/Middleware/WhitelistIps.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Biigle\RemoteQueue\Http\Middleware;
+
+use Closure;
+
+class WhitelistIps
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  string|null  $guard
+     * @return mixed
+     */
+    public function handle($request, Closure $next, $guard = null)
+    {
+        $whitelist = config('remote-queue.accept_ips');
+
+        $token = $request->bearerToken();
+        if (empty($whitelist) || in_array($request->ip(), $whitelist)) {
+            return $next($request);
+        }
+
+        return response('Unauthorized.', 401);
+    }
+}

src/RemoteQueueServiceProvider.php

@@ -4,6 +4,7 @@
 
 use Illuminate\Support\ServiceProvider;
 use Biigle\RemoteQueue\Http\Middleware\Authenticate;
+use Biigle\RemoteQueue\Http\Middleware\WhitelistIps;
 
 class RemoteQueueServiceProvider extends ServiceProvider
 {
@@ -22,7 +23,7 @@ public function boot()
             $this->app['router']->group([
                 'prefix' => config('remote-queue.endpoint'),
                 'namespace' => 'Biigle\RemoteQueue\Http\Controllers',
-                'middleware' => Authenticate::class,
+                'middleware' => [Authenticate::class, WhitelistIps::class],
             ], function ($router) {
                 $router->post('{queue}', 'QueueController@store');
                 $router->get('{queue}/size', 'QueueController@show');

src/config/remote-queue.php

@@ -25,6 +25,18 @@
     | Accept jobs only if they provide one of these tokens.
     */
 
-    'accept-tokens' => array_filter(explode(',', env('REMOTE_QUEUE_ACCEPT_TOKENS'))),
+    'accept_tokens' => array_filter(explode(',', env('REMOTE_QUEUE_ACCEPT_TOKENS'))),
+
+    /*
+    | Accept jobs only from the IP addresses of this whitelist. Leave empty to accept
+    | jobs from all IPs.
+    */
+    'accept_ips' => [],
+
+    /*
+    | Accept only jobs of this whitelist of class names. Leave empty to accept all job
+    | classes.
+    */
+    'accept_jobs' => [],
 
 ];

tests/Http/Controllers/QueueControllerTest.php

@@ -41,8 +41,34 @@ public function testStore()
             ->postJson('api/v1/remote-queue/myqueue', $payload)
             ->assertStatus(200);
     }
+
+    public function testStoreJobWhitelist()
+    {
+        config(['remote-queue.accept_jobs' => [TestJob::class]]);
+        $payload = ['job' => serialize(new TestJob2), 'data' => 'mydata'];
+
+        $mock = Mockery::mock();
+        $mock->shouldReceive('push')->once()
+            ->with(Mockery::type(TestJob::class), 'mydata', 'myqueue');
+        Queue::shouldReceive('connection')->once()->andReturn($mock);
+
+        $this->withoutMiddleware()
+            ->postJson('api/v1/remote-queue/myqueue', $payload)
+            // Job class is not whitelisted.
+            ->assertStatus(422);
+
+        $payload = ['job' => serialize(new TestJob), 'data' => 'mydata'];
+
+        $this->withoutMiddleware()
+            ->postJson('api/v1/remote-queue/myqueue', $payload)
+            ->assertStatus(200);
+    }
 }
 
 class TestJob
 {
 }
+
+class TestJob2
+{
+}

tests/Http/Middleware/AuthenticateTest.php

@@ -8,7 +8,7 @@ class AuthenticateTest extends TestCase
 {
     public function testHandle()
     {
-        config(['remote-queue.accept-tokens' => ['mytoken']]);
+        config(['remote-queue.accept_tokens' => ['mytoken']]);
 
         $this->get('api/v1/remote-queue/default/size')->assertStatus(401);
 

tests/Http/Middleware/WhitelistIpsTest.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Biigle\RemoteQueue\Tests\Http\Middleware;
+
+use Biigle\RemoteQueue\Tests\TestCase;
+
+class WhitelistIpsTest extends TestCase
+{
+    public function testHandle()
+    {
+        config(['remote-queue.accept_tokens' => ['mytoken']]);
+        config(['remote-queue.accept_ips' => ['192.168.100.1']]);
+
+        $this->get('api/v1/remote-queue/default/size', [
+                'Authorization' => 'Bearer mytoken',
+                'REMOTE_ADDR' => '192.168.100.2',
+            ])->assertStatus(401);
+
+        $this->get('api/v1/remote-queue/default/size', [
+                'Authorization' => 'Bearer mytoken',
+                'REMOTE_ADDR' => '192.168.100.1',
+            ])->assertStatus(200);
+    }
+}