MAGETWO-85134: IP resolving issue

Author: zakdma

lib/internal/Magento/Framework/HTTP/PhpEnvironment/RemoteAddress.php

@@ -5,20 +5,22 @@
  */
 namespace Magento\Framework\HTTP\PhpEnvironment;
 
+use Magento\Framework\App\RequestInterface;
+
 /**
- * Library for working with client ip address
+ * Library for working with client ip address.
  */
 class RemoteAddress
 {
     /**
-     * Request object
+     * Request object.
      *
-     * @var \Magento\Framework\App\RequestInterface
+     * @var RequestInterface
      */
     protected $request;
 
     /**
-     * Remote address cache
+     * Remote address cache.
      *
      * @var string
      */
@@ -30,46 +32,114 @@ class RemoteAddress
     protected $alternativeHeaders;
 
     /**
-     * @param \Magento\Framework\App\RequestInterface $httpRequest
+     * @var string[]|null
+     */
+    private $trustedProxies;
+
+    /**
+     * @param RequestInterface $httpRequest
      * @param array $alternativeHeaders
+     * @param string[]|null $trustedProxies
      */
-    public function __construct(\Magento\Framework\App\RequestInterface $httpRequest, array $alternativeHeaders = [])
-    {
+    public function __construct(
+        RequestInterface $httpRequest,
+        array $alternativeHeaders = [],
+        array $trustedProxies = null
+    ) {
         $this->request = $httpRequest;
         $this->alternativeHeaders = $alternativeHeaders;
+        $this->trustedProxies = $trustedProxies;
     }
 
     /**
-     * Retrieve Client Remote Address
+     * Read address based on settings.
      *
-     * @param bool $ipToLong converting IP to long format
-     * @return string IPv4|long
+     * @return string|null
      */
-    public function getRemoteAddress($ipToLong = false)
+    private function readAddress()
     {
-        if ($this->remoteAddress === null) {
-            foreach ($this->alternativeHeaders as $var) {
-                if ($this->request->getServer($var, false)) {
-                    $this->remoteAddress = $this->request->getServer($var);
-                    break;
-                }
+        $remoteAddress = null;
+        foreach ($this->alternativeHeaders as $var) {
+            if ($this->request->getServer($var, false)) {
+                $remoteAddress = $this->request->getServer($var);
+                break;
             }
+        }
 
-            if (!$this->remoteAddress) {
-                $this->remoteAddress = $this->request->getServer('REMOTE_ADDR');
+        if (!$remoteAddress) {
+            $remoteAddress = $this->request->getServer('REMOTE_ADDR');
+        }
+
+        return $remoteAddress;
+    }
+
+    /**
+     * Filter addresses by trusted proxies list.
+     *
+     * @param string $remoteAddress
+     * @return string|null
+     */
+    private function filterAddress(string $remoteAddress)
+    {
+        if (strpos($remoteAddress, ',') !== false) {
+            $ipList = explode(',', $remoteAddress);
+        } else {
+            $ipList = [$remoteAddress];
+        }
+        $ipList = array_filter(
+            $ipList,
+            function (string $ip) {
+                return filter_var(trim($ip), FILTER_VALIDATE_IP);
             }
+        );
+        if ($this->trustedProxies !== null) {
+            $ipList = array_filter(
+                $ipList,
+                function (string $ip) {
+                    return !in_array(trim($ip), $this->trustedProxies, true);
+                }
+            );
+            $remoteAddress = trim(array_pop($ipList));
+        } else {
+            $remoteAddress = trim(reset($ipList));
         }
 
-        if (!$this->remoteAddress) {
-            return false;
+        return $remoteAddress ?: null;
+    }
+
+    /**
+     * Retrieve Client Remote Address.
+     * If alternative headers are used and said headers allow multiple IPs
+     * it is suggested that trusted proxies is also used
+     * for more accurate IP recognition.
+     *
+     * @param bool $ipToLong converting IP to long format
+     *
+     * @return string IPv4|long
+     */
+    public function getRemoteAddress(bool $ipToLong = false)
+    {
+        if ($this->remoteAddress !== null) {
+            return $this->remoteAddress;
         }
 
-        if (strpos($this->remoteAddress, ',') !== false) {
-            $ipList = explode(',', $this->remoteAddress);
-            $this->remoteAddress = trim(reset($ipList));
+        $remoteAddress = $this->readAddress();
+        if (!$remoteAddress) {
+            $this->remoteAddress = false;
+
+            return false;
         }
+        $remoteAddress = $this->filterAddress($remoteAddress);
 
-        return $ipToLong ? ip2long($this->remoteAddress) : $this->remoteAddress;
+        if (!$remoteAddress) {
+            $this->remoteAddress = false;
+
+            return false;
+        } else {
+            $this->remoteAddress = $remoteAddress;
+
+            return $ipToLong ? ip2long($this->remoteAddress) : $this->remoteAddress;
+        }
     }
 
     /**

lib/internal/Magento/Framework/HTTP/Test/Unit/PhpEnvironment/RemoteAddressTest.php

@@ -5,44 +5,70 @@
  */
 namespace Magento\Framework\HTTP\Test\Unit\PhpEnvironment;
 
+use Magento\Framework\HTTP\PhpEnvironment\RemoteAddress;
+use Magento\Framework\App\Request\Http as HttpRequest;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+
 class RemoteAddressTest extends \PHPUnit\Framework\TestCase
 {
     /**
-     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\App\Request\Http
+     * @var \PHPUnit_Framework_MockObject_MockObject|\HttpRequest
      */
     protected $_request;
 
     /**
-     * @var \Magento\Framework\TestFramework\Unit\Helper\ObjectManager
+     * @var ObjectManager
      */
     protected $_objectManager;
 
+    /**
+     * @inheritdoc
+     */
     protected function setUp()
     {
-        $this->_request = $this->getMockBuilder(
-            \Magento\Framework\App\Request\Http::class
-        )->disableOriginalConstructor()->setMethods(
-            ['getServer']
-        )->getMock();
+        $this->_request = $this->getMockBuilder(HttpRequest::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getServer'])
+            ->getMock();
 
-        $this->_objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->_objectManager = new ObjectManager($this);
     }
 
     /**
+     * @param string[] $alternativeHeaders
+     * @param array $serverValueMap
+     * @param string|bool $expected
+     * @param bool $ipToLong
+     * @param string[]|null $trustedProxies
+     * @return void
      * @dataProvider getRemoteAddressProvider
      */
-    public function testGetRemoteAddress($alternativeHeaders, $serverValueMap, $expected, $ipToLong)
-    {
+    public function testGetRemoteAddress(
+        array $alternativeHeaders,
+        array $serverValueMap,
+        $expected,
+        bool $ipToLong,
+        array $trustedProxies = null
+    ): void {
         $remoteAddress = $this->_objectManager->getObject(
-            \Magento\Framework\HTTP\PhpEnvironment\RemoteAddress::class,
-            ['httpRequest' => $this->_request, 'alternativeHeaders' => $alternativeHeaders]
+            RemoteAddress::class,
+            [
+                'httpRequest' => $this->_request,
+                'alternativeHeaders' => $alternativeHeaders,
+                'trustedProxies' => $trustedProxies,
+            ]
         );
-        $this->_request->expects($this->any())->method('getServer')->will($this->returnValueMap($serverValueMap));
+        $this->_request->expects($this->any())
+            ->method('getServer')
+            ->will($this->returnValueMap($serverValueMap));
+
         $this->assertEquals($expected, $remoteAddress->getRemoteAddress($ipToLong));
     }
 
     /**
      * @return array
+     *
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      */
     public function getRemoteAddressProvider()
     {
@@ -52,18 +78,21 @@ public function getRemoteAddressProvider()
                 'serverValueMap' => [['REMOTE_ADDR', null, null]],
                 'expected' => false,
                 'ipToLong' => false,
+                'trustedProxies' => null,
             ],
             [
                 'alternativeHeaders' => [],
                 'serverValueMap' => [['REMOTE_ADDR', null, '192.168.0.1']],
                 'expected' => '192.168.0.1',
-                'ipToLong' => false
+                'ipToLong' => false,
+                'trustedProxies' => null,
             ],
             [
                 'alternativeHeaders' => [],
                 'serverValueMap' => [['REMOTE_ADDR', null, '192.168.1.1']],
                 'expected' => ip2long('192.168.1.1'),
-                'ipToLong' => true
+                'ipToLong' => true,
+                'trustedProxies' => null,
             ],
             [
                 'alternativeHeaders' => ['TEST_HEADER'],
@@ -73,7 +102,8 @@ public function getRemoteAddressProvider()
                     ['TEST_HEADER', false, '192.168.0.1'],
                 ],
                 'expected' => '192.168.0.1',
-                'ipToLong' => false
+                'ipToLong' => false,
+                'trustedProxies' => null,
             ],
             [
                 'alternativeHeaders' => ['TEST_HEADER'],
@@ -83,8 +113,74 @@ public function getRemoteAddressProvider()
                     ['TEST_HEADER', false, '192.168.0.1'],
                 ],
                 'expected' => ip2long('192.168.0.1'),
-                'ipToLong' => true
-            ]
+                'ipToLong' => true,
+                'trustedProxies' => null,
+            ],
+            [
+                'alternativeHeaders' => [],
+                'serverValueMap' => [
+                    ['REMOTE_ADDR', null, 'NotValidIp'],
+                ],
+                'expected' => false,
+                'ipToLong' => false,
+                'trustedProxies' => ['127.0.0.1'],
+            ],
+            [
+                'alternativeHeaders' => ['TEST_HEADER'],
+                'serverValueMap' => [
+                    ['TEST_HEADER', null, 'NotValid, 192.168.0.1'],
+                    ['TEST_HEADER', false, 'NotValid, 192.168.0.1'],
+                ],
+                'expected' => '192.168.0.1',
+                'ipToLong' => false,
+                'trustedProxies' => ['127.0.0.1'],
+            ],
+            [
+                'alternativeHeaders' => ['TEST_HEADER'],
+                'serverValueMap' => [
+                    ['TEST_HEADER', null, '192.168.0.2, 192.168.0.1'],
+                    ['TEST_HEADER', false, '192.168.0.2, 192.168.0.1'],
+                ],
+                'expected' => '192.168.0.2',
+                'ipToLong' => false,
+                'trustedProxies' => null,
+            ],
+            [
+                'alternativeHeaders' => [],
+                'serverValueMap' => [
+                    [
+                        'REMOTE_ADDR',
+                        null,
+                        '192.168.0.2, 192.168.0.1, 192.168.0.3',
+                    ],
+                    [
+                        'REMOTE_ADDR',
+                        false,
+                        '192.168.0.2, 192.168.0.1, 192.168.0.3',
+                    ],
+                ],
+                'expected' => '192.168.0.1',
+                'ipToLong' => false,
+                'trustedProxies' => ['192.168.0.3'],
+            ],
+            [
+                'alternativeHeaders' => [],
+                'serverValueMap' => [
+                    [
+                        'REMOTE_ADDR',
+                        null,
+                        '192.168.0.2, 192.168.0.1, 192.168.0.3',
+                    ],
+                    [
+                        'REMOTE_ADDR',
+                        false,
+                        '192.168.0.2, 192.168.0.1, 192.168.0.3',
+                    ],
+                ],
+                'expected' => '192.168.0.3',
+                'ipToLong' => false,
+                'trustedProxies' => [],
+            ],
         ];
     }
 }