@Altahrim
Collaborator

@Altahrim Altahrim commented Jul 12, 2024

Summary

Restrict admin actions to IP ranges
When the administrator's IP address is not in the specified range, all admin actions are hidden/forbidden.

Checklist

@Altahrim Altahrim added 2. developing Work in progress security php Pull requests that update Php code labels Jul 12, 2024
@Altahrim Altahrim self-assigned this Jul 12, 2024
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from 71c789d to 5fff029 Compare July 12, 2024 14:33
@AndyScherzinger AndyScherzinger added this to the Nextcloud 30 milestone Jul 12, 2024
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from 5fff029 to 741dca0 Compare July 12, 2024 14:47
Member

@nickvergessen nickvergessen left a comment

No in-if assignments please

@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch 4 times, most recently from 90da5d8 to 8b24270 Compare July 16, 2024 10:00
@Altahrim Altahrim marked this pull request as ready for review July 16, 2024 10:01
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch 5 times, most recently from f534588 to da6dd95 Compare July 17, 2024 07:20
@Altahrim Altahrim added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Jul 17, 2024
Member

@nickvergessen nickvergessen left a comment

Definitely needs documentation, so that other "admin alike endpoints" are aware and can integrate it and use IGroupManager::isAdmin() instead of checking for the admin group.

@Altahrim Altahrim added the pending documentation This pull request needs an associated documentation update label Jul 17, 2024
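
The concern in the review comment above, as an added sketch in plain PHP (not Nextcloud's code and not part of this PR): an endpoint that tests admin group membership itself never sees the IP restriction, while a central check applies both conditions. `ipInRange()` and `isAdminAllowed()` are hypothetical names, the sample addresses are constructed, `$remoteIp` is assumed to be the already-resolved client address, and treating an empty range list as "no restriction" is an assumption.

```php
<?php
declare(strict_types=1);
/** True when $ip lies inside $cidr (IPv4 or IPv6); malformed input never matches. */
function ipInRange(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 address tested against an IPv6 range
    }
    $max = strlen($ipBin) * 8;
    $bits ??= (string)$max; // a bare address is a single-host range
    if (!ctype_digit($bits) || (int)$bits > $max) {
        return false;
    }
    $whole = intdiv((int)$bits, 8);
    $rest = (int)$bits % 8;
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // top $rest bits of the next byte
    return $rest === 0 || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Hypothetical central check: admin group membership AND an allowed source address. */
function isAdminAllowed(array $groups, string $remoteIp, array $allowedRanges): bool {
    if (!in_array('admin', $groups, true)) {
        return false;
    }
    if ($allowedRanges === []) {
        return true; // assumption: an empty list means no restriction is configured
    }
    foreach ($allowedRanges as $range) {
        if (ipInRange($remoteIp, $range)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data (documentation address blocks).
$ranges = ['192.0.2.0/24', '2001:db8:100::/40'];
$groups = ['admin', 'users'];
foreach (['192.0.2.77', '198.51.100.9', '2001:db8:1ff::5', '2001:db8:200::5'] as $ip) {
    $groupOnly = in_array('admin', $groups, true); // endpoint that checks the group itself
    printf("%-16s group-only=%-5s central=%s\n", $ip, var_export($groupOnly, true), var_export(isAdminAllowed($groups, $ip, $ranges), true));
}
```

The group-only column stays `true` for every address, which is why endpoints that keep their own group test would need to move to the shared check for the restriction to cover them.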
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from da6dd95 to d1007db Compare July 17, 2024 12:35
@nickvergessen nickvergessen force-pushed the feat/restrict_admin_to_ips branch from 3391801 to 791b066 Compare July 17, 2024 13:33
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch 3 times, most recently from 17a6845 to fb9866d Compare July 19, 2024 09:08
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from 6682c99 to 6cdb1c7 Compare July 19, 2024 13:30
* Creates a range from string
*
* @since 30.0.0
* @throws on invalid range
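
Review bot: `@throws on invalid range` names no exception class, so the first word after the tag, `on`, is taken as the type. Put the exception class the method actually throws first and the description after it, in the form `@throws <ExceptionClass> on invalid range`.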

Check failure

Code scanning / Psalm

UndefinedDocblockClass

Docblock-defined class, interface or enum named OCP\Security\Ip\on does not exist
* Creates a address from string
*
* @since 30.0.0
* @throws on invalid IP
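
Review bot: the summary line "Creates a address from string" should read "Creates an address from string", and `@throws on invalid IP` has no exception class before the description, so `on` is parsed as the type. Name the thrown class first, then the text.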

Check failure

Code scanning / Psalm

UndefinedDocblockClass

Docblock-defined class, interface or enum named OCP\Security\Ip\on does not exist
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from 6cdb1c7 to e511bab Compare July 19, 2024 13:54
@joshtrichards
Member

Related open issues this PR may close: #29294 & #38609


$this->registerAlias(IRemoteAddress::class, RemoteAddress::class);

$this->registerAlias(\OCP\Security\Ip\Factory::class, \OC\Security\Ip\Factory::class);
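
Review bot: the second `registerAlias` call spells both class names fully qualified while the call above uses imported short names, and the `OCP`-side name `Factory` lacks the `I` prefix that `IRemoteAddress` carries, so the public name and its `OC` implementation differ only by namespace. Consider a distinct name for the public side, or aliased imports, so the two cannot be confused at the call site, and check that the `OCP\Security\Ip\Factory` definition ships in the same change as this registration.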

Check failure

Code scanning / Psalm

UndefinedClass

Class, interface or enum named OCP\Security\Ip\Factory does not exist
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from e511bab to 07264dd Compare July 19, 2024 14:27
Altahrim and others added 3 commits July 19, 2024 16:28
…king for "in range"

Signed-off-by: Joas Schilling <[email protected]>
Signed-off-by: Benjamin Gaussorgues <[email protected]>
@Altahrim Altahrim force-pushed the feat/restrict_admin_to_ips branch from 07264dd to f1d97a3 Compare July 19, 2024 14:28
@nickvergessen nickvergessen requested a review from kesselb July 22, 2024 06:40
@szaimen
Contributor

szaimen commented Jul 22, 2024

Cool feature 🎉🎉🎉🎉🎉

I wonder, would it make sense to document this under https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html?

@AndyScherzinger
Member

> I wonder, would it make sense to document this under https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html?

Yes, exactly there. I think @sorbaugh already discusses this with @Altahrim - we talked about this 30 minutes ago 😁

@Altahrim
Collaborator Author

Added here: nextcloud/documentation#12059

@Altahrim Altahrim removed 3. to review Waiting for reviews pending documentation This pull request needs an associated documentation update labels Jul 24, 2024
@blizzz blizzz mentioned this pull request Jul 24, 2024
Labels

php Pull requests that update Php code security 🍂 2024-Autumn
