chore: convert from IP to range of IP

vitormattos · vitormattos · commit f40d29b7bb01 · 2025-02-17T12:43:27.000-03:00
Signed-off-by: Vitor Mattos &lt;vitor@php.rio&gt;
diff --git a/README.md b/README.md
@@ -16,18 +16,17 @@ Available features:
 	occ app:enable admin_group_manager
 	occ app:enable groupquota
 	```
-- Allowed IP
+- Allowed IP range
 
-	By security, this API only receive requests from a specific IP.
-	- Run a tail with grep to watch by the word "Unauthorized access".
+	By security, this API only receive requests from a specific IP range. This could be enabled or not. To enable you will need to run the follow command:
+	```bash
+	occ config:system:set admin_group_manager_allowed_range 0 --value <theWordPressIp>
+	```
+
+	To test if your setting is working fine, use a IP range that don't match with WordPressIP and tun a tail with grep to watch by the word "Unauthorized access".
 		```bash
 		tail -f data/nextcloud.log|grep "Unauthorized access"
 		```
-	- Do a request to API endpoint and go back to terminal to check the logs and get the IP.
-	- With the IP, run the follow command:
-		```bash
-		occ config:system:set admin_group_manager_allowed_ip --value <theIdentifiedIp>
-		```
 
 ## Performance improving
 Systemd service
diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php
@@ -8,6 +8,8 @@
 
 namespace OCA\AdminGroupManager\Middleware;
 
+use OC\Security\Ip\Address;
+use OC\Security\Ip\Range;
 use OCA\AdminGroupManager\Controller\AEnvironmentAwareOCSController;
 use OCA\AdminGroupManager\Controller\Attribute\RestrictIp;
 use OCP\AppFramework\Controller;
@@ -48,11 +50,19 @@ public function beforeController(Controller $controller, string $methodName) {
 	}
 
 	private function restrictIp(): void {
-		$ip = $this->request->getRemoteAddress();
-		$allowed = $this->config->getSystemValue('admin_group_manager_allowed_ip');
-		if ($allowed !== $ip) {
-			$this->logger->error('Unauthorized access to API', ['IP' => $ip]);
-			throw new OCSException('', Http::STATUS_UNAUTHORIZED);
+		$ip = new Address(
+			$this->request->getRemoteAddress()
+		);
+		$ranges = $this->config->getSystemValue('admin_group_manager_allowed_range');
+		if (!is_array($ranges) || empty($ranges)) {
+			return;
 		}
+		foreach ($ranges as $range) {
+			if ((new Range($range))->contains($ip)) {
+				return;
+			}
+		}
+		$this->logger->error('Unauthorized access to API', ['IP' => $ip]);
+		throw new OCSException('', Http::STATUS_UNAUTHORIZED);
 	}
 }
