Added ability to use comma separated ip address list for security.access_control[].ips option

a-menshchikov · a-menshchikov · commit bf95e64d085c · 2020-09-10T23:05:27.000+03:00
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -7,6 +7,7 @@ CHANGELOG
  * Added `FirewallListenerFactoryInterface`, which can be implemented by security factories to add firewall listeners
  * Added `SortFirewallListenersPass` to make the execution order of firewall listeners configurable by
    leveraging `Symfony\Component\Security\Http\Firewall\FirewallListenerInterface`
+ * Added ability to use comma separated ip address list for `security.access_control`
 
 5.1.0
 -----
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -142,7 +142,7 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode)
                             ->scalarNode('host')->defaultNull()->end()
                             ->integerNode('port')->defaultNull()->end()
                             ->arrayNode('ips')
-                                ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
+                                ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/', $v); })->end()
                                 ->prototype('scalar')->end()
                             ->end()
                             ->arrayNode('methods')
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php
@@ -112,4 +112,22 @@ public function testUserCheckers()
 
         $this->assertEquals('app.henk_checker', $processedConfig['firewalls']['stub']['user_checker']);
     }
+
+    public function testCommaSeparatedIps()
+    {
+        $config = [
+            'access_control' => [
+                [
+                    'ips' => '127.0.0.1, ::1',
+                ],
+            ],
+        ];
+        $config = array_merge(static::$minimalConfig, $config);
+
+        $processor = new Processor();
+        $configuration = new MainConfiguration([], []);
+        $processedConfig = $processor->processConfiguration($configuration, [$config]);
+
+        $this->assertEquals(['127.0.0.1', '::1'], $processedConfig['access_control'][0]['ips']);
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml
@@ -3,6 +3,7 @@ imports:
 
 parameters:
     env(APP_IP): '127.0.0.1'
+    env(APP_IPS): '127.0.0.1, ::1'
 
 security:
     encoders:
@@ -47,7 +48,9 @@ security:
         - { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/secured-by-one-env-placeholder$, ips: '%env(APP_IP)%', roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/secured-by-one-env-placeholder-multiple-ips$, ips: '%env(APP_IPS)%', roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/secured-by-one-env-placeholder-and-one-real-ip$, ips: ['%env(APP_IP)%', 198.51.100.0], roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/secured-by-one-env-placeholder-multiple-ips-and-one-real-ip$, ips: ['%env(APP_IPS)%', 198.51.100.0], roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/highly_protected_resource$, roles: IS_ADMIN }
         - { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
         - { path: .*, roles: IS_AUTHENTICATED_FULLY }
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -4,9 +4,10 @@ CHANGELOG
 5.2.0
 -----
 
-* added support for `X-Forwarded-Prefix` header
+ * added support for `X-Forwarded-Prefix` header
  * added `HeaderUtils::parseQuery()`: it does the same as `parse_str()` but preserves dots in variable names
  * added `File::getContent()`
+ * added ability to use comma separated ip address for `RequestMatcher::matchIps()`
 
 5.1.0
 -----
diff --git a/src/Symfony/Component/HttpFoundation/RequestMatcher.php b/src/Symfony/Component/HttpFoundation/RequestMatcher.php
@@ -125,7 +125,11 @@ public function matchIp(string $ip)
      */
     public function matchIps($ips)
     {
-        $this->ips = null !== $ips ? (array) $ips : [];
+        $ips = null !== $ips ? (array)$ips : [];
+
+        $this->ips = array_reduce($ips, static function (array $ips, string $ip) {
+            return array_merge($ips, preg_split('/\s*,\s*/', $ip));
+        }, []);
     }
 
     /**
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestMatcherTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestMatcherTest.php
@@ -163,4 +163,38 @@ public function testAttributes()
         $matcher->matchAttribute('foo', 'babar');
         $this->assertFalse($matcher->matches($request));
     }
+
+    public function testIps()
+    {
+        $matcher = new RequestMatcher();
+
+        $request = Request::create('', 'GET', [], [], [], ['REMOTE_ADDR' => '127.0.0.1']);
+
+        $matcher->matchIp('127.0.0.1');
+        $this->assertTrue($matcher->matches($request));
+
+        $matcher->matchIp('192.168.0.1');
+        $this->assertFalse($matcher->matches($request));
+
+        $matcher->matchIps('127.0.0.1');
+        $this->assertTrue($matcher->matches($request));
+
+        $matcher->matchIps('127.0.0.1, ::1');
+        $this->assertTrue($matcher->matches($request));
+
+        $matcher->matchIps('192.168.0.1, ::1');
+        $this->assertFalse($matcher->matches($request));
+
+        $matcher->matchIps(['127.0.0.1', '::1']);
+        $this->assertTrue($matcher->matches($request));
+
+        $matcher->matchIps(['192.168.0.1', '::1']);
+        $this->assertFalse($matcher->matches($request));
+
+        $matcher->matchIps(['1.1.1.1', '2.2.2.2', '127.0.0.1, ::1']);
+        $this->assertTrue($matcher->matches($request));
+
+        $matcher->matchIps(['1.1.1.1', '2.2.2.2', '192.168.0.1, ::1']);
+        $this->assertFalse($matcher->matches($request));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,11 @@ public function matchIp(string $ip)`
`125`	`125`	`*/`
`126`	`126`	`public function matchIps($ips)`
`127`	`127`	`{`
`128`		`- $this->ips = null !== $ips ? (array) $ips : [];`
	`128`	`+ $ips = null !== $ips ? (array)$ips : [];`
	`129`	`+`
	`130`	`+ $this->ips = array_reduce($ips, static function (array $ips, string $ip) {`
	`131`	`+ return array_merge($ips, preg_split('/\s,\s/', $ip));`
	`132`	`+ }, []);`
`129`	`133`	`}`
`130`	`134`
`131`	`135`	`/**`