[SecurityBundle] Comma separated ips for security.access_control
parent
be6146c566
commit
0412e91060
@ -7,6 +7,7 @@ CHANGELOG
|
|||||||
* Added `FirewallListenerFactoryInterface`, which can be implemented by security factories to add firewall listeners
|
* Added `FirewallListenerFactoryInterface`, which can be implemented by security factories to add firewall listeners
|
||||||
* Added `SortFirewallListenersPass` to make the execution order of firewall listeners configurable by
|
* Added `SortFirewallListenersPass` to make the execution order of firewall listeners configurable by
|
||||||
leveraging `Symfony\Component\Security\Http\Firewall\FirewallListenerInterface`
|
leveraging `Symfony\Component\Security\Http\Firewall\FirewallListenerInterface`
|
||||||
|
* Added ability to use comma separated ip address list for `security.access_control`
|
||||||
|
|
||||||
5.1.0
|
5.1.0
|
||||||
-----
|
-----
|
||||||
|
@ -3,6 +3,7 @@ imports:
|
|||||||
|
|
||||||
parameters:
|
parameters:
|
||||||
env(APP_IP): '127.0.0.1'
|
env(APP_IP): '127.0.0.1'
|
||||||
|
env(APP_IPS): '127.0.0.1, ::1'
|
||||||
|
|
||||||
security:
|
security:
|
||||||
encoders:
|
encoders:
|
||||||
@ -47,7 +48,9 @@ security:
|
|||||||
- { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
- { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
- { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
- { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
- { path: ^/secured-by-one-env-placeholder$, ips: '%env(APP_IP)%', roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
- { path: ^/secured-by-one-env-placeholder$, ips: '%env(APP_IP)%', roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
|
- { path: ^/secured-by-one-env-placeholder-multiple-ips$, ips: '%env(APP_IPS)%', roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
- { path: ^/secured-by-one-env-placeholder-and-one-real-ip$, ips: ['%env(APP_IP)%', 198.51.100.0], roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
- { path: ^/secured-by-one-env-placeholder-and-one-real-ip$, ips: ['%env(APP_IP)%', 198.51.100.0], roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
|
- { path: ^/secured-by-one-env-placeholder-multiple-ips-and-one-real-ip$, ips: ['%env(APP_IPS)%', 198.51.100.0], roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||||
- { path: ^/highly_protected_resource$, roles: IS_ADMIN }
|
- { path: ^/highly_protected_resource$, roles: IS_ADMIN }
|
||||||
- { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
|
- { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
|
||||||
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
|
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
|
||||||
|
@ -4,9 +4,10 @@ CHANGELOG
|
|||||||
5.2.0
|
5.2.0
|
||||||
-----
|
-----
|
||||||
|
|
||||||
* added support for `X-Forwarded-Prefix` header
|
* added support for `X-Forwarded-Prefix` header
|
||||||
* added `HeaderUtils::parseQuery()`: it does the same as `parse_str()` but preserves dots in variable names
|
* added `HeaderUtils::parseQuery()`: it does the same as `parse_str()` but preserves dots in variable names
|
||||||
* added `File::getContent()`
|
* added `File::getContent()`
|
||||||
|
* added ability to use comma separated ip addresses for `RequestMatcher::matchIps()`
|
||||||
|
|
||||||
5.1.0
|
5.1.0
|
||||||
-----
|
-----
|
||||||
|
@ -125,7 +125,11 @@ class RequestMatcher implements RequestMatcherInterface
|
|||||||
*/
|
*/
|
||||||
public function matchIps($ips)
|
public function matchIps($ips)
|
||||||
{
|
{
|
||||||
$this->ips = null !== $ips ? (array) $ips : [];
|
$ips = null !== $ips ? (array) $ips : [];
|
||||||
|
|
||||||
|
$this->ips = array_reduce($ips, static function (array $ips, string $ip) {
|
||||||
|
return array_merge($ips, preg_split('/\s*,\s*/', $ip));
|
||||||
|
}, []);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
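Review bot: The split in the new `matchIps()` body normalises whitespace only around commas, so a value with leading or trailing whitespace (for example an env value ending in a newline) and the empty token left by a trailing comma or an empty env value are stored as entries unchanged. Such entries probably never match a client address, which would silently change which requests an `access_control` rule applies to; trimming first, `return array_merge($ips, preg_split('/\s*,\s*/', trim($ip)));`, covers the whitespace case. Empty tokens deserve an explicit decision (reject or document) rather than being filtered quietly, because how `matches()` treats an empty list is not visible in this hunk and dropping them could widen the rule. The docblock, which starts outside the hunk, should also say that each string may hold a comma-separated list.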
@ -163,4 +163,38 @@ class RequestMatcherTest extends TestCase
|
|||||||
$matcher->matchAttribute('foo', 'babar');
|
$matcher->matchAttribute('foo', 'babar');
|
||||||
$this->assertFalse($matcher->matches($request));
|
$this->assertFalse($matcher->matches($request));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testIps()
|
||||||
|
{
|
||||||
|
$matcher = new RequestMatcher();
|
||||||
|
|
||||||
|
$request = Request::create('', 'GET', [], [], [], ['REMOTE_ADDR' => '127.0.0.1']);
|
||||||
|
|
||||||
|
$matcher->matchIp('127.0.0.1');
|
||||||
|
$this->assertTrue($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIp('192.168.0.1');
|
||||||
|
$this->assertFalse($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps('127.0.0.1');
|
||||||
|
$this->assertTrue($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps('127.0.0.1, ::1');
|
||||||
|
$this->assertTrue($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps('192.168.0.1, ::1');
|
||||||
|
$this->assertFalse($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps(['127.0.0.1', '::1']);
|
||||||
|
$this->assertTrue($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps(['192.168.0.1', '::1']);
|
||||||
|
$this->assertFalse($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps(['1.1.1.1', '2.2.2.2', '127.0.0.1, ::1']);
|
||||||
|
$this->assertTrue($matcher->matches($request));
|
||||||
|
|
||||||
|
$matcher->matchIps(['1.1.1.1', '2.2.2.2', '192.168.0.1, ::1']);
|
||||||
|
$this->assertFalse($matcher->matches($request));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
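Review bot: `testIps()` only ever sends a request from `127.0.0.1`, so the second address of each comma list (`::1`) is never the one that has to match, and no case covers a CIDR entry inside a list or a list without a space after the comma. Adding a request created with `['REMOTE_ADDR' => '::1']` and a call such as `$matcher->matchIps('192.168.0.1,::1');` followed by `assertTrue` would show that every element of the split list is honoured. A case for a trailing comma or an empty string would pin down how malformed allow-list values behave, which matters because these lists gate access rules.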