Add options to only allow whitelisted IP's

Author: ivanvermeyen

config/stagefront.php

@@ -77,6 +77,32 @@
     'database_login_field' => env('STAGEFRONT_DATABASE_LOGIN_FIELD', 'email'),
     'database_password_field' => env('STAGEFRONT_DATABASE_PASSWORD_FIELD', 'password'),
 
+    /**
+     * Allow access from whitelisted IP's.
+     * Enter a string of comma separated IP's or null to allow all IP's.
+     * For example: '1.2.3.4,1.2.3.4'
+     * If empty, all IP's are allowed.
+     *
+     * Default: ''
+     */
+    'ip_whitelist' => env('STAGEFRONT_IP_WHITELIST', ''),
+
+    /**
+     * Should only whitelisted IP's get access?
+     * If set to false, non whitelisted IP's will be presented with the login form.
+     * If set to true, non whitelisted IP's will get a 403 Forbidden error.
+     *
+     * Default: false
+     */
+    'ip_whitelist_only' => env('STAGEFRONT_IP_WHITELIST_ONLY', false),
+
+    /**
+     * Require users with whitelisted IP's to also login.
+     *
+     * Default: false
+     */
+    'ip_whitelist_require_login' => env('STAGEFRONT_IP_WHITELIST_REQUIRE_LOGIN', false),
+
     /**
      * The URL to use for the StageFront login route.
      * This URL will be used for a GET and POST request.

src/Middleware/RedirectIfStageFrontIsEnabled.php

@@ -37,6 +37,10 @@ public function handle($request, Closure $next)
     {
         $stageFrontUrl = Config::get('stagefront.url');
 
+        if ($this->shield->shouldDenyAccess()) {
+            return abort(403);
+        }
+
         if ($this->shield->requiresLogin()) {
             return redirect($stageFrontUrl);
         }

src/Shield.php

@@ -8,12 +8,39 @@
 
 class Shield
 {
+    /**
+     * Check if StageFront should deny access to the user
+     * with a 403 Forbidden HTTP status.
+     *
+     * @return bool
+     */
+    public function shouldDenyAccess()
+    {
+        return $this->isActive()
+            && ($this->hasIpWhitelist() && ! $this->clientIpIsWhitelisted() && $this->allowWhitelistedIpsOnly());
+    }
+
     /**
      * Check if StageFront requires the user to log in.
      *
      * @return bool
      */
     public function requiresLogin()
+    {
+        return $this->isActive()
+            && ( ! $this->hasIpWhitelist()
+                || ($this->clientIpIsWhitelisted() && $this->whitelistRequiresLogin())
+                || ( ! $this->clientIpIsWhitelisted() && ! $this->allowWhitelistedIpsOnly())
+            );
+    }
+
+    /**
+     * Check if StageFront is active.
+     * Once a user logs in, the shield is considered inactive.
+     *
+     * @return bool
+     */
+    protected function isActive()
     {
         $enabled = Config::get('stagefront.enabled', false);
         $unlocked = Session::get('stagefront.unlocked', false);
@@ -41,4 +68,58 @@ protected function currentUrlIsIgnored()
 
         return false;
     }
+
+    /**
+     * Check if the client IP is whitelisted.
+     *
+     * @return bool
+     */
+    protected function clientIpIsWhitelisted()
+    {
+        $clientIp = Request::ip();
+        $whitelist = explode(',', $this->getIpWhitelist());
+        $ips = array_map('trim', $whitelist);
+
+        return in_array($clientIp, $ips);
+    }
+
+    /**
+     * Check if a IP whitelist is configured.
+     *
+     * @return bool
+     */
+    protected function hasIpWhitelist()
+    {
+        return ! empty(trim($this->getIpWhitelist()));
+    }
+
+    /**
+     * Get the IP whitelist from the config file.
+     *
+     * @return string
+     */
+    protected function getIpWhitelist()
+    {
+        return Config::get('stagefront.ip_whitelist', '');
+    }
+
+    /**
+     * Get the option to grant access to whitelisted IP's only.
+     *
+     * @return bool
+     */
+    protected function allowWhitelistedIpsOnly()
+    {
+        return Config::get('stagefront.ip_whitelist_only', false);
+    }
+
+    /**
+     * Get the option to require users with whitelisted IP's to login.
+     *
+     * @return bool
+     */
+    public function whitelistRequiresLogin()
+    {
+        return Config::get('stagefront.ip_whitelist_require_login', false);
+    }
 }

tests/StageFrontTest.php

@@ -250,6 +250,77 @@ public function you_can_limit_which_database_users_have_access_using_an_array()
         ])->assertRedirect($this->url)->assertSessionHasErrors('password');
     }
 
+    /** @test */
+    public function it_allows_access_to_whitelisted_ips_only()
+    {
+        $this->url = Config::get('stagefront.url');
+        $this->registerRoute('/page', 'Some Page');
+
+        $this->enableStageFront();
+        $this->setIntendedUrl('/page');
+
+        Config::set('stagefront.ip_whitelist', ' 0.0.0.0 , 1.1.1.1 ');
+        Config::set('stagefront.ip_whitelist_only', true);
+        Config::set('stagefront.ip_whitelist_require_login', false);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.2.3.4'])
+            ->assertStatus(403);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.1.1.1'])
+            ->assertOk();
+    }
+
+    /** @test */
+    public function it_allows_access_to_whitelisted_ips_only_with_required_login()
+    {
+        $this->url = Config::get('stagefront.url');
+        $this->registerRoute('/page', 'Some Page');
+
+        $this->enableStageFront();
+        $this->setIntendedUrl('/page');
+
+        Config::set('stagefront.login', 'tester');
+        Config::set('stagefront.password', 'p4ssw0rd');
+        Config::set('stagefront.ip_whitelist', ' 0.0.0.0 , 1.1.1.1 ');
+        Config::set('stagefront.ip_whitelist_only', true);
+        Config::set('stagefront.ip_whitelist_require_login', true);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.2.3.4'])
+            ->assertStatus(403);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.1.1.1'])
+            ->assertRedirect($this->url);
+
+        $response = $this->submitForm([
+            'login' => 'tester',
+            'password' => 'p4ssw0rd',
+        ], ['REMOTE_ADDR' => '1.1.1.1']);
+
+        $response->assertRedirect('/page');
+    }
+
+    /** @test */
+    public function it_allows_instant_access_to_whitelisted_ips_and_password_access_to_other_ips()
+    {
+        $this->url = Config::get('stagefront.url');
+        $this->registerRoute('/page', 'Some Page');
+
+        $this->enableStageFront();
+        $this->setIntendedUrl('/page');
+
+        Config::set('stagefront.login', 'tester');
+        Config::set('stagefront.password', 'p4ssw0rd');
+        Config::set('stagefront.ip_whitelist', ' 0.0.0.0 , 1.1.1.1 ');
+        Config::set('stagefront.ip_whitelist_only', false);
+        Config::set('stagefront.ip_whitelist_require_login', false);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.2.3.4'])
+            ->assertRedirect($this->url);
+
+        $this->get('/page', ['REMOTE_ADDR' => '1.1.1.1'])
+            ->assertOk();
+    }
+
     /** @test */
     public function urls_can_be_ignored_so_access_is_not_denied_by_stagefront()
     {
@@ -267,6 +338,26 @@ public function urls_can_be_ignored_so_access_is_not_denied_by_stagefront()
         $this->get('/public/route')->assertStatus(200)->assertSee('Route');
     }
 
+    /** @test */
+    public function ignored_urls_can_be_accessed_by_non_whitelisted_ips()
+    {
+        $this->url = Config::get('stagefront.url');
+        $this->registerRoute('/page', 'Some Page');
+
+        $this->registerRoute('/public', 'Public');
+        $this->registerRoute('/public/route', 'Route');
+
+        Config::set('stagefront.ignore_urls', ['/public/*']);
+        Config::set('stagefront.ip_whitelist', '0.0.0.0');
+        Config::set('stagefront.ip_whitelist_only', true);
+        Config::set('stagefront.ip_whitelist_require_login', false);
+
+        $this->enableStageFront();
+
+        $this->get('/public', ['REMOTE_ADDR' => '1.2.3.4'])->assertStatus(403);
+        $this->get('/public/route', ['REMOTE_ADDR' => '1.2.3.4'])->assertStatus(200)->assertSee('Route');
+    }
+
     /** @test */
     public function it_throttles_login_attempts()
     {
@@ -334,16 +425,16 @@ protected function setIntendedUrl($url)
      *
      * @return \Illuminate\Foundation\Testing\TestResponse
      */
-    protected function submitForm(array $credentials)
+    protected function submitForm(array $credentials, $headers = [])
     {
-        $response = $this->post($this->url, $credentials, [
+        $headers += [
             // Since we're calling routes directly,
             // we need to fake the referring page
             // so that redirect()->back() will work.
-            'HTTP_REFERER' => $this->url
-        ]);
+            'HTTP_REFERER' => $this->url,
+        ];
 
-        return $response;
+        return $this->post($this->url, $credentials, $headers);
     }
 
     /**